TEHDAS2 publishes guidance on applying privacy safeguards under the EHDS
A new TEHDAS2 guideline explains how health data can be safely accessed and used under the European Health Data Space (EHDS). It provides practical guidance on data minimisation and privacy-preserving methods throughout the data access process for those involved in the secondary use of sensitive health data.
Intended for health data access bodies (HDABs), data holders and data users, the document explains at what level of detail and under which safeguards data can be accessed under the EHDS.
It supports decision-making across the full user journey, from data access applications to analysis and the export of results. At the same time, it enables research, innovation and policymaking while helping to ensure that access decisions remain proportionate and privacy risks are controlled.
Data minimisation throughout the process
The guideline stresses that only the data needed for a specific purpose should be accessed and processed at every stage of data use. Data users must justify the data they apply for, while HDABs assess whether data applied for are necessary and proportionate to the intended use, considering risks such as re-identification and inference.
To support that process, the guideline introduces a structured way to define data needs across key dimensions, including study population, variables, timeframes and geographic scope. This helps ensure that only necessary data are included.
Choosing the right privacy safeguards
The document also explains how different privacy-preserving approaches can be used. Pseudonymisation can support detailed analysis in secure environments, while anonymisation can enable results to be shared more widely. In some cases, synthetic data may offer an alternative, provided that privacy risks are properly assessed. The right approach depends on the intended use and the level of risk.
“This document establishes a standardised methodological framework for implementing data minimisation, pseudonymisation and anonymisation, including the use of synthetic data, in the EHDS context,” said Pia Brinkmann, lead author of the guideline and Data Scientist at BfArM. “It helps actors involved in secondary use apply these concepts in a structured and consistent way.”
By bringing these elements together, the guideline supports more uniform decision-making across Member States. It also identifies open challenges, including the need for further harmonisation of privacy criteria and tools to support decision-making on data granularity and risk assessment.
The non-binding expert guideline forms part of a wider set of TEHDAS2 guidance on the safe and secure processing of health data, aimed at supporting the practical, early-stage implementation of the EHDS.
Download the guideline: Guideline on data minimisation, pseudonymisation, anonymisation and synthetic data
A summary of the comments received during the public consultation and how they were addressed is available in the annex.
Key recommendations stemming from the work
For Member States:
- Ensure that HDABs limit the scope and granularity of data to what is necessary and adequate for the application.
- Use reversible pseudonymisation where possible to facilitate data subject rights, such as opt-out processes and the communication of significant health findings back to individuals.
- Ensure that HDABs carry out privacy risk assessment and disclosure control, using the proposed high-level architecture for the secure disclosure of anonymised and synthetic data and of results generated under a data permit.
- Ensure adequate protection against re-identification as a shared responsibility between the HDAB and the health data user, while the HDAB retains primary responsibility for oversight and final decisions.
For the European Commission:
- Use these guidelines as technical expert input to inform EHDS implementation and help safeguard privacy in the secondary use of health data.
- Build on the deliverable’s common principles for data minimisation and the application of privacy-enhancing technologies to support a trusted and interoperable EHDS.
- Focus future work on privacy criteria and metadata formats for anonymised and synthetic data, as well as improved data minimisation methods.