Surveillance and Data Privacy: Frequently Asked Questions

This FAQ page is designed to offer some background information on surveillance of hospital-acquired infections and data privacy in the European Union, which is governed by the General Data Protection Regulation (GDPR).

This information is intended for healthcare professionals, hospital directors, legal advisors, ethics advisors, and parents who may want to learn more about the use of patient data during the performance of hospital-acquired infection surveillance in neonatal units.

Please note that the information provided on this webpage is based on the experience of the NeoIPC Consortium and is for general informational purposes only. It does not, and is not intended to, constitute legal advice.

Before we start…

What is GDPR?

The General Data Protection Regulation (GDPR) has formed the common data protection framework in the European Union (EU) since 25 May 2018. It lays down rules relating to the protection of natural persons with regard to the processing of personal data, and to the free movement of personal data in the EU [1].

While some perceive it as a barrier to legitimate data management, it is in fact a major achievement: it balances the interests of individuals and society, facilitates cross-country data management within the EU, and provides legal certainty to people and organisations who must work with personal data to perform their duties and to serve the interests of various stakeholders.

As such, it is a major factor in allowing international cooperation in projects like NeoIPC to happen with a reduced risk of incurring legal issues.

That being said, personal data processing is still among the most important challenges in international public health and scientific cooperation. It should not only be understood and justified in the legal context of GDPR but also in a broader ethical context that can be applied beyond the European Union and across different legal frameworks [2].

When talking about (data) privacy, the term “surveillance” may sound ominous. However, since the surveillance of hospital-acquired infections is not about observing people, but rather about protecting them from hospital infections by monitoring numbers, rates, and trends of these outcomes and taking action whenever there are abnormalities, it is important to avoid misunderstandings and explain the legitimacy of its goals.

Frequently Asked Questions

What does “Surveillance” mean in epidemiology?

When epidemiologists talk about surveillance, they usually mean what Alexander D. Langmuir established as a definition in 1963:

The term surveillance has been chosen advisedly to describe this program. The term is not new to public health, but its usual connotation has had application to individuals rather than to diseases. Surveillance, when applied to a person, means close observation to detect the early signs of infection without restricting his freedom of movement. It implies maintaining a responsible alertness, making systematic observations, and taking appropriate action when indicated. It does not involve the restrictions of either isolation or quarantine.

Surveillance, when applied to a disease, means the continued watchfulness over the distribution and trends of incidence through the systematic collection, consolidation and evaluation of morbidity and mortality reports and other relevant data. Intrinsic in the concept is the regular dissemination of the basic data and interpretations to all who have contributed and to all others who need to know. The concept, however, does not encompass direct responsibility for control activities. These traditionally have been and still remain with the state and local health authorities. [1]

Surveillance in relation to a disease therefore means the continuous observation of the distribution and trends of its occurrence through the systematic collection, consolidation, and evaluation of relevant data.

What do we mean by nosocomial (or hospital-acquired) infections?

The term “nosocomial” is derived from the ancient Greek word “nosokomeîon” (νοσοκομεῖον), meaning hospital. While the term “nosocomial infections” has been used in different contexts, sometimes including all kinds of healthcare-associated infections (including infections associated with non-hospital healthcare), the traditional definition comprises infections that occur during hospitalisation without being the actual reason for admission to hospital. For this reason, they are also called hospital-acquired infections (HAI).

These are complications of treatment whose occurrence depends on a range of factors, such as age, the underlying illness, or invasive measures. Since nosocomial infections can be partially prevented by infection prevention and control measures, the consistent implementation of those measures is an important goal from a patient safety perspective.

What are the objectives of surveillance of nosocomial infections?

While the overarching objective is prevention of nosocomial infections, the frequency of their occurrence in a unit, hospital, or country, as well as the trend over time, is often unknown due to a lack of measurement. This makes it hard to identify risk factors, plan and evaluate interventions, educate students, staff, and parents, inform public health agencies and policymakers, and perform scientific research in that field.

Surveillance approaches these problems by continuously providing accurate, quality information on nosocomial infections: the relevant data is pragmatically collected from patient records and healthcare workers, then interpreted and consolidated to make it usable for further evaluation and quality improvement at the local level and, after anonymisation, also at the national and even global level.

Why is surveillance of nosocomial infections in the patient and public interest?

The data collected through a surveillance system helps all stakeholders understand the risk factors for healthcare-associated infections and to develop effective strategies to prevent them. This means that all patients will receive care that is informed by research and best practices.

Backed by a wealth of evidence, surveillance is the groundwork for any attempt to reduce the burden of hospital-acquired infections and improve the patients’ short-term and long-term outcomes.

How does surveillance of Multidrug-Resistant Organisms and antibiotic use relate to nosocomial infections?

Antimicrobial resistance (AMR) occurs when microorganisms evolve and adapt to survive exposure to antimicrobial drugs, rendering these drugs less effective or completely ineffective. Multidrug-resistant organisms (MDROs) are mostly bacteria, but potentially also viruses or other microorganisms, that have developed resistance to multiple antimicrobial agents, making them challenging to treat and increasing the risk of unfavourable outcomes for patients with infections.

The use of antibiotics in hospitals is a significant factor contributing to the development and spread of antibiotic resistance and MDROs by increasing the selective pressure and the risk of transmission of resistant strains. While any use of antimicrobial substances contributes to the development of antimicrobial resistance, overuse and misuse, especially of broad-spectrum antibiotics, are modifiable targets for antibiotic stewardship programmes. These programmes aim to optimise the use of antibiotics to improve patient outcomes and reduce the development of antibiotic resistance, and monitoring antibiotic use is one of their key components.

Why is data privacy an issue when performing surveillance of hospital-acquired infections or antibiotic use?

When looking at typical epidemiological information from HAI surveillance, such as 2.99 bloodstream infections per 1000 patient days or 22.21 antibiotic treatment days per 100 patient days, we tend to forget that each of these infections does not just happen, but affects an individual patient, and that antibiotics are not simply used in a hospital but are used to treat individual patients.

It may not be obvious to everyone that all the data needed to calculate these rates is usually collected from the health records of individual patients who have been treated in hospitals. This means that staff (typically healthcare professionals with special training in surveillance) and/or computer programmes need to access these patient records, extract and interpret the relevant information, and consolidate it so that it can be interpreted in a meaningful way. The consolidation, as well as additional validation, aggregation and report generation, typically happens in a surveillance database that is maintained either locally or by a larger surveillance network. Such a network supports the hospital with tools and methods to perform surveillance and generates reference information that can be used for benchmarking local infection rates.

While surveillance databases do not contain information that is typically used to identify a person (like names), they may still need to contain information (e.g. age or body measures) that could at least potentially be used to identify a patient. Such data may therefore be subject to data privacy rules that require specific documentation and the maintenance of technical and organisational measures to ensure data security and to guarantee the anonymity of patients in public reports and data sets.

How does surveillance of nosocomial infections fit into the rules that govern data protection?

One of the most fundamental principles of data protection is that personal data shall only be collected for specified, explicit and legitimate purposes and may only be further processed in a manner that is compatible with those purposes [1]. In some circumstances, this happens with explicit consent from the individual involved, but it may also happen with implicit consent or even without any consent if certain very special prerequisites, like the protection of the vital interests of the data subject or of another natural person, are met [2].

When patients are treated in hospitals, they (or their legal guardians) give explicit or implicit consent to the collection of data related to their health and other information that is typically considered confidential, and they generally expect this data to be processed under the obligation of professional secrecy.

While the exact purposes of this data collection may not always be specified explicitly, they regularly cover medical diagnosis, the provision of health care and treatment, the management of health systems as well as the establishment, exercise, or defence of legal claims.

When patients are physically or legally incapable of giving consent, the collection and processing of data may occur to protect their vital interest of receiving adequate health care.

As a well-established means of ensuring high standards of treatment quality and patient safety, surveillance of nosocomial infections is considered a fundamental component of routine patient care and as such would be compatible with the purposes of data collection in hospitals as mentioned above.

When healthcare data are processed in a surveillance network for reasons of public interest in the area of public health (such as protecting against the serious cross-border threat to health that multidrug-resistant organisms pose, or ensuring high standards of quality and safety of health care by making the occurrence of hospital-acquired infections measurable), the rules of professional secrecy apply in the same way as they do to the hospital initially treating the patient [3] [4].

How can patients exercise their rights regarding data protection?

Patients in a hospital, like everybody else, have rights regarding data protection (e.g. the right of access [1], the right to rectification [2], the right to erasure [3], the right to restriction of processing [4], the right to data portability [5], and the right to object [6]), and they can exercise those rights.

The primary controller of the data processed in the context of hospital treatment is the company or organisation operating the hospital. The same applies to surveillance data, with the addition that there may be another controller responsible for generating benchmarking information and performing quality assurance within the surveillance network. Hospitals often have designated privacy officers or compliance officers responsible for handling data protection matters. Patients can reach out to these individuals to address their concerns or seek clarification about data protection practices.

May personal data leave the hospital or even the country in the context of surveillance?

Although many people do not know or care about the physical location of the servers they use, and terms like “the cloud” intentionally blur the question of data location, that location remains highly relevant to legal matters, since the laws governing data privacy are ultimately country-specific.

When the legislators of the EU member states conceived the rules for the GDPR, it was an explicit goal to harmonise the data processing legislation and to remove any restrictions of the free movement of personal data within the Union for reasons connected with the protection of natural persons with regard to the processing of personal data [1].

Because of this, the exact location of a hospital’s or a surveillance network’s data centre within the European Union is typically of secondary importance. This does not automatically apply to countries that do not belong to the Union (so-called third countries), for which the cross-border transmission of personal data may be restricted or may require explicit international agreements.

For this reason, surveillance data collected within the European Union usually cannot leave the Union unless it has been fully anonymised, and hospitals participating in surveillance networks will typically ensure this via bilateral contracts. Similar rules typically also apply in other countries and may affect data being sent to the EU.

Last updated: 26th January 2024.