GDPR and Data Protection

Privacy considerations for AI in healthcare

GDPR Framework for Health Data

  • Health data is classified as sensitive personal data under GDPR
  • Any AI processing patient information must ensure GDPR compliance through:
    • Robust anonymization/pseudonymization techniques
    • Obtaining patient consent where required
    • Having specific legal basis for data processing

Key GDPR Provisions for AI

  • Data minimization and purpose limitation principles apply to AI training
  • Article 22 gives individuals the right not to be subject to solely automated decisions
  • This is interpreted as requiring a human-in-the-loop for clinical decisions
  • AI should provide decision support while the clinician makes the ultimate call

Implementation in German Hospitals

  • Data protection commissioners (Datenschutzbeauftragte) supervise hospital data practices
  • Any AI deployment handling patient data undergoes privacy assessment
  • Many hospitals require data to remain on-premises or in certified EU clouds
  • German hospitals often avoid using identifiable data to train AI unless absolutely necessary

Beyond GDPR: Data Quality Issues

  • Accuracy is not the same as fairness or representativeness
  • An AI model trained on limited populations may be accurate for that group but biased for others
  • Additional guidelines from the European Data Protection Board address these concerns