What does informed consent mean?
Definition and legal framework
Data collected during a hospital stay or outpatient treatment is extremely useful for medical research. However, before health data can be accessed, the patient must give their written consent. This consent is also known as informed consent. The data may only be used for the medical research described therein. The provisions of the GDPR must be complied with - the abbreviation stands for General Data Protection Regulation, a European Union regulation on the processing of personal data.
Informed consent is not only a requirement under data protection law, but also an ethical obligation, enshrined in the Medicinal Products Act, among other things. The GDPR is the legal basis for the processing of health data.
Why is consent in studies so important?
The great thing is that we can learn from diseases. But how does research with data work? Large amounts of data make it possible to recognize patterns that were previously unknown. These allow conclusions to be drawn about the causes, histories and progression of diseases. The mass of data also makes it possible to compare treatment methods with each other. In this way, existing diseases and their treatment and healing processes can “feed” research through their data. This research is the prerequisite for evidence-based medicine, i.e. medicine based on scientific proof. Digital consent enables precise traceability and supports research within the framework of Good Clinical Practice (ICH-GCP) standards. It is a prerequisite for the admissibility of any clinical or epidemiological study in Europe.
Digital consent (eConsent) - opportunities and challenges
Advantages of digital consent processes
The rapid technological development of data processing is enabling the general digitization of the healthcare sector. The introduction of electronic patient files (ePA), electronic prescriptions and telemedicine services benefits from the networking of data. Digital processes are faster, easier to handle, easier to view and easier to find than conventional ones. This also applies to consent to the use of health data. Even if consent is withdrawn, the digital process is advantageous as it can be handled quickly and in a targeted manner. Modern eConsent systems can also integrate digital proof of identity (e.g. eID) and be integrated via mobile health applications. This considerably simplifies consent processes for decentralized clinical trials (DCT).
Increasing transparency and traceability
Patients must give their digital consent (eConsent) before their data can be used for health research. With the declaration of consent, patients receive information that points out the benefits and risks of using data and thus makes the process transparent and comprehensible. These forms should be read carefully before providing data for medical studies. The transparency of data use is a central element of consent.
Innovative solutions rely on multimedia content (videos, infographics) and interactive knowledge checks to ensure that participants understand the content - a key point of the quality standards for informed consent.
Technical implementation: digital signature and audit trail
The digital signature replaces the handwritten signature in a legally secure manner - it can be combined with two-factor authentication, for example. The audit trail is crucial for studies: every change to consent is documented with a time stamp. This ensures that the consent process remains traceable, audit-proof and GDPR-compliant. An audit trail in accordance with ICH-GCP is also mandatory: all changes, revocations and accesses must be documented in a tamper-proof manner. Software solutions must be validated in accordance with the MDR (medical device law) if they are classified as a medical device.
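The tamper-evident, time-stamped audit trail described above can be built as a keyed hash chain. The following is an added example, not code from Data4Life or any eConsent product; the field names, the demo key and the sample events are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumption: demo key only. A real system keeps it in an HSM/KMS, not in code.
AUDIT_KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # stands in for the "previous MAC" of the first entry


def _mac(prev_mac, body):
    # Canonical JSON so the same entry always serializes to the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_mac.encode() + data, hashlib.sha256).hexdigest()


def append(trail, subject, action, purpose, timestamp):
    """Append one consent event; its MAC also covers the previous entry's MAC."""
    body = {"seq": len(trail), "ts": timestamp, "subject": subject,
            "action": action, "purpose": purpose}
    prev = trail[-1]["mac"] if trail else GENESIS
    trail.append({**body, "mac": _mac(prev, body)})
    return trail


def first_invalid(trail):
    """Return the index of the first entry that fails verification, or -1."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "mac"}
        expected = _mac(prev, body)
        if body.get("seq") != i or not hmac.compare_digest(entry["mac"], expected):
            return i
        prev = entry["mac"]
    return -1


def build_sample():
    # Constructed events for one pseudonymous participant.
    trail = []
    append(trail, "P-7f3a", "grant", "study-A", "2025-01-10T09:00:00Z")
    append(trail, "P-7f3a", "access", "study-A", "2025-02-01T14:30:00Z")
    append(trail, "P-7f3a", "revoke", "study-A", "2025-03-05T08:15:00Z")
    return trail


if __name__ == "__main__":
    print(first_invalid(build_sample()))
```

Editing or removing an entry in the middle breaks the chain at that position, but cutting entries off the end does not; detecting that requires storing the latest MAC somewhere the log's administrator cannot rewrite.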
Data protection & GDPR for consent
Requirements of the GDPR
The declaration of consent is subject to European data protection law and must therefore comply with the provisions of the GDPR. This includes the so-called accountability of research that works with patient data: consent has to be verifiable, so the processing of personal data must be documented. Consent also has to contain a clear purpose limitation; it must not be a blanket consent. Studies must also provide the contact details of the data protection officer, and users are obliged to design eConsent systems in a data protection-friendly way.
At the request of the supervisory authority, the responsible organization must be able to prove that the requirements of the GDPR have been met. A declaration of consent should be clearly formulated and concluded before the data is used.
Dealing with sensitive health data
Health data is subject to personal rights, which is why this sensitive data is subject to special protection. In accordance with the provisions of the GDPR, it must be handled with great care in order to protect the privacy of the persons concerned.
To this end, the GDPR has established protection mechanisms that regulate the processing of this information. These include strict rules for the storage and transmission of data. A central aspect is the pseudonymization or anonymization of data to prevent the identification of individuals. In addition, organizations must implement security measures to protect data from unauthorized access or misuse.
For secondary use and big data research, the EU is increasingly calling for Trusted Research Environments (TRE) or data trustees to ensure anonymization and access control. This is part of the European Health Data Space (EHDS), which will be implemented from 2025.
Rights of the participants: Revocation and deletion
Consent is voluntary and has no influence on the treatment. Participants who have given their consent can withdraw it at any time. The stored data will then be automatically deleted immediately.
Best practices for digital consent processes
Digital consent forms should have a modular structure: with interactive elements, clear navigation, multilingual content and an integrated revocation function. Tools such as D4L Collect make this possible in a legally compliant manner.
What should be included in a declaration of consent?
Consent must be given expressly for one or more purposes, i.e. for a specific purpose. The data subject must be told what their personal data could be used for. The voluntary nature of the signature must be emphasized and the right to withdraw consent must be explicitly mentioned. There must be no disadvantage for the person to be treated as a result of the withdrawal.
Fulfilling information obligations in an ethically correct manner
The research projects that use data are each reviewed by an independent ethics committee. Following an approving assessment by this committee, the data may only be used for medical research within the scope of consent. The research projects must be explained to patients in a comprehensible manner. The possibility of withdrawing consent at any time is part of the obligation to provide information and must be adequately described.
As soon as consent has been given in accordance with medical ethics law, the patient's data is anonymized and their name and place of residence are encrypted, i.e. replaced by codes to protect their privacy. This makes it impossible to draw any conclusions about the person. The coded data is then forwarded to universities, research companies and institutes.
Practical examples and formulation aids
For example, researchers can examine a blood sample in a variety of ways: Laboratory values can be measured, pathogens detected and genetic data analyzed. Indications of additional diseases could also be discovered. Medical research can use the data to develop new therapies.
There are good online formulation aids for companies, institutes and universities that want to formulate declarations of consent. For example, the Medical Informatics Initiative offers sample texts on its website - in Turkish, English and German. EU guidelines such as “Guidelines on consent for scientific research under GDPR” provide additional guidance.
Future outlook: eConsent in healthcare research
Wearables and mobile health apps continuously generate health data. The integration of eConsent into such digital ecosystems is becoming increasingly important. Platforms must be interoperable in order to merge data sets from different sources - for example from hospital systems, patient apps or biobanks.
Interoperability
In practice, it is clear that interoperability is of crucial importance. Standards are the be-all and end-all of data collection, processing and analysis, because they are what make it possible to work with the data. The FHIR standard is suitable for data collection, while the OMOP standard is successfully used in research. The two can be merged, which is a key requirement. Based on the FAIR principles (Findable, Accessible, Interoperable, Reusable), health data can then be collected in multiple languages for diverse study populations.
Sustainability and trust through digital solutions
Digital solutions for collecting and analyzing data and meeting legal requirements open up countless new possibilities. Speed, accuracy and unbureaucratic working methods promise that new medical findings can be obtained much more quickly. The short, resource-saving paths are also more sustainable. The direct verifiability for both providers and patients also promotes trust in the collaboration.
For cross-border data exchange in Europe, the implementation of the EHDS (European Health Data Space) and blockchain technology are decidedly helpful in ensuring tamper-proof traceability.
Data4Life's digital solutions make health data researchable and promote evidence-based medicine.
The contents of this article reflect the current scientific status at the time of publication and were written to the best of our knowledge. Nevertheless, the article does not replace medical advice and diagnosis. If you have any questions, consult your general practitioner.