The work of the OECD to support strengthening health data infrastructure and governance and to protect privacy and data security culminated in the OECD Recommendation on Health Data Governance [OECD/LEGAL/0433], which provides guidance for building national governance frameworks that enable personal health data to be both protected and used towards public policy goals.
The Recommendation applies to the access to, and the processing of, personal health data for health-related public interest purposes, such as improving health care quality, safety and responsiveness; reducing public health risks; discovering and evaluating new diagnostic tools and treatments to improve health outcomes; managing health care resources efficiently; contributing to the progress of science and medicine; improving public policy planning and evaluation; and improving patients’ participation in and experiences of health care.
The Recommendation recommends that Adherents establish and implement a national health data governance framework to encourage the availability and use of personal health data to serve health-related public interest purposes while promoting the protection of privacy, personal health data and data security.
National health data governance frameworks should provide for:
Engagement and participation of stakeholders in the development of a national health data governance framework;
Co‑ordination within government and co‑operation among organisations processing personal health data to encourage common data-related policies and standards;
Reviews of the capacity of public sector health data systems to serve and protect public interests;
Clear provision of information to individuals about the processing of their personal health data including notification of any significant data breach or misuse;
The processing of personal health data by informed consent and appropriate alternatives;
The implementation of review and approval procedures to process personal health data for research and other health-related public interest purposes;
Transparency through public information about the purposes for processing of personal health data and approval criteria;
Maximising the development and use of technology for data processing and data protection;
Mechanisms to monitor and evaluate the impact of the national health data governance framework, including health data availability, policies and practices to manage privacy, protection of personal health data and digital security risks;
Training and skills development of personal health data processors;
Implementation of controls and safeguards within organisations processing personal health data including technological, physical and organisational measures designed to protect privacy and digital security; and
Requiring that organisations processing personal health data demonstrate that they meet the expectations set out in the national health data governance framework.
These 12 principles set the parameters to encourage greater cross-country harmonisation of data governance frameworks so that more countries can use health data for research, statistics and health care quality improvement.
The Recommendation also recommends that Adherents support trans-border co‑operation in the processing of health data for purposes that serve the public interest. It further recommends that Adherents engage with relevant experts and organisations to develop mechanisms that enable the efficient exchange and interoperability of health data.
Finally, it encourages non-governmental organisations to follow the Recommendation when processing personal health data for health-related purposes that serve the public interest and invites non-Adherents to take account and to adhere to the Recommendation.