Health data stored in archives, registries and data pools have long been important assets for building the modern welfare state and improving public health, social infrastructures and health care. In order to protect the individual whose data is stored in the archives, registries and data pools, specific safeguards are introduced to balance the societal interest against the interest of the individuals. This chapter analyses the efficiency of the governance structure for access of data for secondary use in the EHDS regulation8 from the perspective of protecting rights and interests of the individuals concerned via two sets of administrative tools to balance these competing interests.

The first set of tools consists of sector-­specific requirements for legal, technicaland organisational safeguards to protect the right to informational privacy under Article 8 of the European Convention on Human Rights, and more specifically data protection under Article 8 of the EU Charter of Fundamental Rights (the Charter) and the GDPR. These safeguards may consist of technical mechanisms to ensure data minimisation, such as anonymisation or pseudonymisation, or legal mechanisms, such as requirements of approvals or licenses, purpose limitations, secrecy and confidentiality. The aim is accordingly to allow for the processing of health data while minimising the risk of breaches of privacy for the natural persons concerned, i.e., the data subjects, when personal data are processed. The focus wis on the role and function of the safeguards in the assessment of applications for access to electronic health data for secondary use.

The second category consists of general administrative guarantees for protecting individual interests in the handling of their matters before a public administration, i.e., the right to good administration under the general principle of good administration that has also found expression in Article 41 of the Charter. The right to good administration includes a general right to have one’s affairs handled impartially, fairly and within a reasonable time, corresponding to the public authorities’ duty to care, and the right to be heard, the right of access to files and the right to a reasoned decision. These procedural rights aim to ensure that the interests of the individuals concerned are being handled correctly and to allow individuals to be involved in and have insight into the handling of their matters. In connection with this, the relevant interests can be identified first and foremost as data protection, but also as intellectual property (IP) and trade secrets.9 Natural and legal persons concerned in a legally relevant manner should for example be able to ensure that all relevant aspects are included in the assessment, and be given opportunities to present their views on a matter before a decision is made. If not, they should be able to initiate a review of the decision before a court, Article 47 of the Charter.