Background: The COVID-19 pandemic is a threat to global health and requires collaborative health research efforts across organizations and countries to address it. Although routinely collected digital health data are a valuable source of information for researchers, benefiting from these data requires accessing and sharing the data. Health care organizations focusing on individual risk minimization threaten to undermine COVID-19 research efforts, and it has been argued that there is an ethical obligation to use the European Union’s General Data Protection Regulation (GDPR) scientific research exemption during the COVID-19 pandemic to support collaborative health research.
Objective: This study aims to explore the practices and attitudes of stakeholders in the German federal state of Bavaria regarding the secondary use of health data for research purposes during the COVID-19 pandemic, with a specific focus on the GDPR scientific research exemption.
Methods: Individual semistructured qualitative interviews were conducted between December 2020 and January 2021 with a purposive sample of 17 stakeholders from 3 different groups in Bavaria: researchers involved in COVID-19 research (n=5, 29%), data protection officers (n=6, 35%), and research ethics committee representatives (n=6, 35%). The transcripts were analyzed using conventional content analysis.
Results: Participants identified systemic challenges in conducting collaborative secondary-use health data research in Bavaria; secondary health data research generally only happens when patient consent has been obtained, or the data have been fully anonymized. The GDPR research exemption has not played a significant role during the pandemic and is currently seldom and restrictively used. Participants identified 3 key groups of barriers that led to difficulties: the wider ecosystem at many Bavarian health care organizations, legal uncertainty that leads to risk-adverse approaches, and ethical positions that patient consent ought to be obtained whenever possible to respect patient autonomy. To improve health data research in Bavaria and across Germany, participants wanted greater legal certainty regarding the use of pseudonymized data for research purposes without the patient’s consent.
Conclusions: The current balance between enabling the positive goals of health data research and avoiding associated data protection risks is heavily skewed toward avoiding risks; so much so that it makes reaching the goals of health data research extremely difficult. This is important, as it is widely recognized that there is an ethical imperative to use health data to improve care. The current approach also creates a problematic conflict with the ambitions of Germany, and the federal state of Bavaria, to be a leader in artificial intelligence. A recent development in the field of German public administration known as norm screening (Normenscreening) could potentially provide a systematic approach to minimize legal barriers. This approach would likely be beneficial to other countries.