Legal and ethical considerations in the use of emergency department Electronic Health Records for research and quality improvement in emergency care: an EU project perspective

The eCREAM project seeks to enhance emergency department (ED) care quality and research capacity by developing tools to extract and analyse electronic health record (EHR) data using artificial intelligence-based natural language processing. This involves creating interoperable databases for research and quality-of-care improvements across multiple European countries, which presents significant legal and ethical challenges due to the cross-jurisdictional processing of sensitive health information. A dedicated legal and regulatory task force was established to address these challenges. The methodological approach included the development of an ethical, legal, and social implications (ELSI) document, a legal and operational survey to map data flows and identify regulatory requirements, the creation of template documents for regulatory submissions, and multidisciplinary consultations with national experts. The main challenge was the legal classification of studies that did not fit the conventional clinical study categories. The data reuse was confirmed to rely on consent, but obtaining fresh consent was impracticable and incompatible with the study design. Varying national interpretations of the GDPR necessitated case-by-case analyses. Regulatory pathways primarily involved submissions to local ethics committees, which subsequently approved the approach under strict safeguards. This experience demonstrates that multinational ED research using EHR data can be conducted in a legally and ethically compliant manner through a proactive, tailored strategy to navigate the legal and regulatory landscape. Early engagement of a multidisciplinary legal and regulatory task force is critical. The framework developed provides a replicable model for future large-scale emergency care research initiatives within the EU while respecting patient privacy and regulatory requirements.

Introduction

Research conducted in Emergency Departments (EDs) is fundamental to advancing the quality and efficiency of emergency care across the European Union and internationally. The eCREAM (enabling Clinical Research in Emergency and Acute care Medicine through automated data extraction) project exemplifies this effort, seeking to strengthen ED research capacity by developing software tools to extract and analyze structured and unstructured data from Electronic Health Records (EHRs) using Artificial Intelligence-based Natural Language Processing (AI-NLP). These tools facilitate the creation of interoperable databases designed to support clinical research and inform patients, healthcare providers, and policymakers (1, 2).

However, such innovation introduces complex legal and ethical challenges, particularly when it involves reusing routinely collected clinical data and cross-border data sharing. These challenges are exacerbated by the inherent nature of emergency care: high patient volume, urgent interventions, limited staff, and the frequent inability to obtain informed consent due to patient acuity (3, 4).

The eCREAM project includes three studies, detailed in Box 1, all presenting several core challenges from the regulatory perspective. First, legally classifying the planned studies was non-trivial, as they did not clearly fit established categories like clinical trials. This classification dictates the applicable regulatory framework, including oversight, legal bases for data processing, and consent requirements. Second, the multinational nature of the project (involving Italy, the UK, Greece, Poland, and Slovenia) required navigating fragmented national laws, differing interpretations of the General Data Protection Regulation (GDPR), and diverse data governance structures (5).

Box 1. Key information on the eCREAM studies.

NLP-DeVal: Retrospective cohort study for the development and validation of a natural language processing tool (NLP-DeVal) to enable clinical research in emergency and acute care medicine. Participating hospitals retrospectively collect clinical data, which is anonymised locally using the eCREAM NLP platform. Once anonymised, the data is transferred to the Central eCREAM server, where it may be made accessible beyond the project consortium or through open access repositories (6).

Use case 1: observational retrospective quality-of-care study to develop two statistical models to estimate the propensity to hospitalize patients arriving at the ED with dyspnoea or after transient loss of consciousness (TLoC). Hospitals collect retrospective clinical data, pseudonymise it locally, and process it via the eCREAM-UC1 platform. The resulting datasets are then transferred to the Central eCREAM server, where they are aggregated to form the UC1 study database. After curation, the database will be made available through the Medical Informatics Platform (MIP), a collaborative tool that federates access to patient data across multiple hospitals (7, 8).

Use case 2: observational retrospective study to develop dashboards for monitoring emergency department operations and emerging epidemiological trends. Retrospective data is extracted and processed within each hospital's information system using the local eCREAM UC2 platform. After anonymization at the local level, the data is securely transferred to the Central eCREAM server for further analysis (9).

This manuscript details the steps taken to ensure the eCREAM project's compliance with applicable legal, regulatory, and ethical frameworks. We present a tailored approach that can be adapted to different national contexts, providing a framework for future multinational emergency care research initiatives.

Methods

To ensure robust compliance with legal and regulatory requirements, the eCREAM consortium implemented a structured, multi-step methodological approach:

1. Establishment of a Legal and Regulatory Task Force. A task force comprising national experts (data protection officers, legal managers, regulatory affairs personnel) from participating countries was formed. This group was tasked with guiding the consortium through the complex regulatory landscape.

2. Development of an ELSI Document. The task force prepared a comprehensive Ethical, Legal, and Social Implications (ELSI) document. This foundational document identified all necessary legal and regulatory steps required to perform the project's activities and served as the basis for all subsequent regulatory submissions and contractual agreements (10).

3. Legal and Operational Survey. An ad-hoc Legal and Operational Survey was developed and distributed to all partners. This survey was based on the specific characteristics of each study: categories of data collected, purposes of processing, and detailed data flows (10). The responses were crucial for:

a. Qualifying the studies from a legal perspective.

b. Developing the project's data-sharing management plan.

c. Enabling partners to identify their specific obligations under the GDPR and national laws.

4. Creation of Template Documents. Based on the survey results, standardized template documents were created to support the preparation of consistent submission dossiers across all countries. A key output was a “Breakdown of Personal and Health-Related Data Processing for Each Use Case Study” (see Table 1), which detailed processing activities, purposes, and data types.

5. Expert Consultation. The project engaged in ongoing individual consultations with experts and held multidisciplinary meetings. Furthermore, an independent Ethics Advisory Board was appointed to provide guidance on the ethical and legal aspects of the project.

Table 1

Table 1. Categories of personal data involved in the three eCREAM studies and approaches to their processing (10, 20).

Results

Legal classification of studies

The initial and primary challenge was the accurate legal qualification of the eCREAM studies. From a clinical and methodological perspective, they were classified as observational studies, as they involved no intervention on patients and relied solely on the retrospective analysis of routinely collected clinical data.

However, the critical legal question was whether this automatically qualified them as clinical studies in the regulatory sense. Under established EU legislation and associated doctrine, the term “clinical study” carries a specific meaning, often closely associated with research assessing medicinal products or medical devices on human participants. For instance, the EU Clinical Trials Regulation (536/2014) (11) and guidance from bodies like the European Medicines Agency (EMA) define observational studies as a subset of non-interventional clinical studies on medicines, typically describing them as “studies looking at the effects of medicines as they are used by patients in a real-life setting” (12).

The eCREAM studies did not assess any medicinal product, device or other health intervention. Their purpose was to develop software tools and improve ED organization and quality of care. Consequently, they did not fall neatly within the standard definition of a clinical study governed by pharmaceutical regulations. This created significant ambiguity. If classified as clinical studies, a specific regulatory pathway would apply; if not, they would be governed primarily by the GDPR and national health data laws, which present a different set of requirements.

The solution was found by pivoting to a GDPR-centric qualification. We argued that while the studies might not fit the narrow definition of a “clinical study” under pharmaceutical regulations, they unequivocally constituted scientific research in the health field under the broader scope of the GDPR (Recital 159) (13). This was further supported by Recital 53 (14), which emphasizes that processing special category data for “health-related purposes” includes the “management, supervision, and quality control of healthcare services.” This framework provided a more appropriate and flexible legal basis for our data processing activities than the stricter clinical trial regulations.

Data anonymization and pseudonymization strategy

NLP-DeVal and Use Case 2: Data were anonymized at the source hospital level before any transfer or analysis. Once truly anonymized, the data fell outside the scope of the GDPR. The process of anonymization itself, however, required specific permissions from hospital Data protection officers (DPOs) and ethics committees in some countries (e.g., Greece, Italy).

Use Case 1: Full anonymization was not feasible for scientific reasons (e.g., need to request data clarification from source sites and to preserve data utility). Therefore, data were pseudonymized prior to transfer, remaining under GDPR protection but with reduced identifiability risk.

Identification of the legal basis

Data for the studies NLP-DeVal and Use Case 2 were no longer subject to the scope of the GDPR. For Use Case 1, the legal basis for processing personal data for the core research activities was eventually consent (GDPR Article 6(1)(a) read in conjunction with Article 9(2)(a) (15, 16). Under the GDPR, the processing of special categories of personal data, such as health-related data, is generally prohibited unless specific conditions are met. Article 9 allows processing of special categories of personal data when the data subject has given explicit consent for one or more specified purposes [GDPR, Art. 9(2)(a)]. However, obtaining retrospective individual consent from patients for the use of their data collected previously during their passage through the Emergency department was recognized as impracticable. Moreover, this would have severely compromised the scientific validity and feasibility of the studies, as it would have introduced significant selection bias and resulted in incomplete data sets. These legal and practical arguments were detailed in the studies protocols and proposed to the overseeing ethics committees as justification for the derogation from consent.

In addition, robust technical and organizational measures (including pseudonymization and strict data access protocols) have been implemented to safeguard the rights and freedoms of data subjects. For example, eCREAM's tools have be developed considering the following technical aspects: Full encryption; -Business level security model based on roles and centers.- Daily backup.- Data hosted on dedicated servers; -History tracked for user login/logout; -History tracked for patient creation/update/deletion; Journal of modifications by user/center/patient/date., etc.

Regulatory authorizations required

These studies did not require approval from the competent national data supervisory authorities. On the other hand, obtaining an ethical opinion from the competent ethics committees or Institutional Review Boards (IRBs) was requested in each participating country.

It should be noted that, before the studies were submitted, a lengthy evaluation process was carried out in each of the participating hospitals. Each study was handled by offices dedicated to clinical studies, which always forwarded the documentation to their Data protection officer (DPO) for verification of the lawfulness of data processing. For example, in Italy, from the very first DPO we met, at the Italian coordinating center it became clear how much effort we would have to put in to obtain approval. Every aspect of data processing was thoroughly examined, especially to better understand the anonymization processes described in the protocol of NLP-DeVal and, more generally, the technical implications of the data extraction tool. Exchanges with the various DPOs were challenging and involved multiple stakeholders, including the Principal Investigators from the clinical centers. In some cases, a positive conclusion has not yet been reached, as certain DPOs have not granted approval to proceed with submission to the ethics committee.

A specific example is the UK which has a special Group called CAG (Confidentiality Advisory Group-Health Research Authority) (17). The Study protocols have been submitted to ethics committee and CAG. CAG advised us that no CAG approval was needed if the data was fully anonymised. Before submission to Ethics Committee and CAG, clinical studies must be approved by the Hospital Research and Development Committee and Information Governance Manager and Data Protection officer for Data protection Impact Assessment (DPIA) which take into consideration anonymous and pseudo anonymous data.

In Slovenia, after consultation with the hospital's DPO and Ethics committee, further authorization from the national Ethics medical committee was required. The protocols were accordingly submitted to the National Medical Ethics Committee for review, and all studies (NLP-DeVal, Use Case 1, and Use Case 2) were approved.

The status of these submissions is summarized in Table 2.

Table 2

Table 2. Protocol submission and assessment outcomes (last update September 2025).

Discussion

The eCREAM project highlights the intricate legal and ethical landscape confronting multinational ED research, reaffirming the necessity of clinical research in EDs while simultaneously highlighting the urgent need to advance the legal frameworks that enable it (10). Our experience demonstrates that the traditional, often binary, classifications of clinical research (such as the historical distinction between therapeutic and non-therapeutic research or the current EU CTR's interventional vs. non-interventional categories) are inadequate for modern, data-centric quality improvement studies (11). These studies, though vital for the ongoing evaluation and advancement of (emergency) care, operate in a legal and regulatory “gray area,” as they involve data collected routinely during usual care but for purposes far from research.

The core challenge has been to navigate a complex landscape of national and European legislation to correctly apply the appropriate rules without compromising the scientific scope of each study. The GDPR, while complex and subject to national variation, ultimately provided a viable pathway through the overarching concepts of scientific research and public interest. For example, the GDPR explicitly states (see Recital 53) (14) that processing special category data for “health-related purposes” includes the “management, supervision, and quality control of healthcare services.” Such categories of data “which merit higher protection should be processed for health-related purposes […] as well as for studies conducted in the public interest in the area of public health” (14). Our successful qualification of the studies under this framework helps to carve out a more defined space for essential public health research within the EU legal landscape.

A key success factor was the early establishment of a multidisciplinary legal and regulatory task force. This approach, which included national experts, was critical for identifying and harmonizing common best practices. It allowed for the development of a common strategy and tailored solutions for each jurisdiction. The legal and operational survey was a valuable tool for bridging the terminology gap between operational teams and legal experts, aligning the operational reality with legal requirements, and providing the clarity needed to develop the Data-Sharing Management Plan (10).

The main limitation encountered was the fragmentation in national interpretations of the GDPR and the diversity of local data governance structures. This fragmentation meant that a clear and compliant legal framework had to be carefully built from the ground up in each country. A key challenge was achieving consensus across countries on the legal basis for processing patients' personal data. While consent was regarded as the most appropriate legal basis from a legal and ethical perspective, the obligation to obtain it was ultimately exempted due to impracticability and the risk of introducing significant bias into the research. This process highlighted the persistent tension between regulatory compliance and operational feasibility in clinical care research. The rationale that seeking consent would have severely compromised the scientific validity and feasibility of the studies was a key part of our ethical and legal submission. This justification was ultimately validated by the approvals received.

The challenges outlined above are further compounded by the risks associated with the use of artificial intelligence (AI). In projects such as eCREAM, which leverage AI in health data research, several AI-specific risks must be carefully considered. Data privacy and security are paramount when handling sensitive health information. Algorithmic bias and fairness also require attention, as unrepresentative or imbalanced training data can produce inaccurate or inequitable outcomes—particularly given the complexity and heterogeneity of emergency department data. Transparency and explainability are therefore essential to maintain clinician and patient trust, as black-box models may undermine accountability and hinder clinical adoption.

Furthermore, compliance with the EU AI Act (18) imposes strict requirements for risk management, technical documentation, transparency, and appropriate human oversight for high-risk AI systems in healthcare. Implementing these safeguards is vital to responsibly harness AI's potential to advance emergency medicine research and enhance patient care.

Conclusion

Conducting multinational emergency care research using EHR data is legally challenging but feasible. Success depends on a proactive, structured, and collaborative approach to navigate the complex interplay between the GDPR and national regulations. The Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space (the “EHDS Regulation”), to be implemented by March 2029, is expected to clarify and harmonize the rules on the secondary use of EHRs within the EU (19).

The European Health Data Space (EHDS) is a landmark initiative and regulatory framework established by the European Union to create a harmonized, secure, and interoperable data ecosystem for the use and exchange of electronic health data across Member States. The EHDS aims to change the way health data is shared and reused in Europe and empower individuals with control over their personal health data while enabling healthcare providers and researchers to access and share health information more efficiently across borders. This framework supports two main types of data use: primary use for direct healthcare delivery and secondary use for purposes such as scientific research, innovation, policy-making, and public health monitoring. The EHDS officially entered into force on 26 March 2025, but its implementation will be gradual, with full rollout expected by 2034.

A central component of the EHDS is the European Electronic Health Record Exchange Format (EEHRxF), which establishes both technical and semantic interoperability between healthcare systems, allowing secure sharing of electronic health data across EU Member States. In the context of emergency medicine, this interoperability will allow real-time access to patient information, improving decision-making and safety. Importantly, the EHDS also supports the secondary use of routine clinical data for research purposes, potentially reducing the traditional barriers to data collection in emergency settings. This will transform EHRs into a core resource for large-scale, data-driven ED research and innovation across Europe.

The findings and tools developed by the eCREAM project, which support multicentre AI-based studies to enhance emergency and acute care across Europe, closely align with the objectives of the EHDS by promoting the safe, compliant, and effective use of health data at scale.

Findings that have the potential to inform initiatives like the EHDS are for example:

• Data Integration and Interoperability: By working with EHR data across multiple countries and emergency departments, eCREAM will develop and validate methods for harmonizing and integrating diverse healthcare data sources. This experience aligns with EHDS goals to create a common framework for sharing and reusing health data across the EU, facilitating cross-border data flows for research and healthcare improvement.

• Ethical, Legal, and Governance Frameworks: eCREAM emphasizes user empowerment and ethical safeguards, including patient-centric perspectives. Lessons learned on data governance, privacy, and consent waivers will inform EHDS governance models and help shape robust, trustworthy data stewardship rules that comply with GDPR and build public trust.

• Enabling Real-time and Retrospective Research: The tools and methodologies created by eCREAM for extracting and analyse EHR data in emergency care could serve as models for EHDS-enabled infrastructures (e.g., HDABs, authorized participants).

• AI in Clinical Decision Support: eCREAM's focus on acute medicine and emergency care provides critical data and contexts for developing and validating AI algorithms. These models can be scaled up in multicentre studies supported by EHDS, accelerating innovation and deployment of AI tools in diverse clinical settings across Europe.

• Policy and Practice Impact: By demonstrating practical solutions and governance approaches, eCREAM provides evidence and frameworks that will guide future EU health data initiatives, striking a balance between data sharing for public health research and citizen rights.

This could help shape both policy frameworks and technical standards within the evolving European health data ecosystem. eCREAM user-centric approach will further ensure these initiatives remain grounded in patient empowerment and trust.

Overall, the eCREAM project demonstrates that a well-designed regulatory and legal compliance strategy can bridge the gap between strict legal requirements and practical feasibility, such as when obtaining consent for processing health data is impracticable. This approach, coupled with the implementation of robust data protection measures like pseudonymization, strict governance and appropriate safeguards, allows projects to achieve full regulatory compliance without compromising their scientific validity or objectives. The eCREAM project's journey (from navigating initial legal ambiguity to securing approvals) provides a practical blueprint for achieving this balance. It underscores that advancing (emergency) care in the EU requires parallel progress in both technical innovation and the nuanced application of legal frameworks, thereby paving the way for much-needed future research initiatives that are both ethical and operationally realistic.

Data availability statement

Publicly available datasets were analyzed in this study. This data can be found here: https://doi.org/10.5281/zenodo.17017850; https://doi.org/10.5281/zenodo.10996699; https://doi.org/10.5281/zenodo.10996665; https://doi.org/10.5281/zenodo.10996542; https://doi.org/10.5281/zenodo.10853659.

Ethics statement

Studies involving EHR data were approved by the relevant ethics committees. Written informed consent to participate in this study was not required from the participants or the participants' legal guardians/next of kin in accordance with the national legislation and the institutional requirements.

Author contributions

MM: Writing – original draft, Conceptualization, Investigation, Methodology. RB: Conceptualization, Investigation, Methodology, Writing – review & editing. MR: Visualization, Writing – review & editing. SC: Writing – review & editing. GG: Project administration, Writing – review & editing. CP: Project administration, Writing – review & editing. SC: Writing – review & editing. KM: Writing – review & editing. IJ: Writing – review & editing. JD: Writing – review & editing. GB: Writing – review & editing, Conceptualization, Funding acquisition, Methodology, Project administration, Supervision.

Funding

The author(s) declare that financial support was received for the research and/or publication of this article. This study was supported by the European Commission (Grant Agreement No. 101057726), UKRI (UK Research and Innovation), and SERI (Swiss State Secretariat for Education, Research and Innovation, Contract Number 22.00347).

Acknowledgments

The authors would like to thank all members of the eCREAM consortium, as well as the DPOs and lawyers involved, for their contributions to the project.

Conflict of interest

The authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

Generative AI statement

The author(s) declare that Gen AI was used in the creation of this manuscript. Generative AI tools (e.g., ChatGPT) were used exclusively for language editing, including revision of sentence structure, grammar, and clarity. No generative AI was used for the design, analysis, interpretation, or intellectual content of the study, which were entirely the work of the author(s).

Any alternative text (alt text) provided alongside figures in this article has been generated by Frontiers with the support of artificial intelligence and reasonable efforts have been made to ensure accuracy, including review by the authors wherever possible. If you identify any issues, please contact us.

Publisher's note

All claims expressed in this article are solely those of the authors and do not necessarily represent those of their affiliated organizations, or those of the publisher, the editors and the reviewers. Any product that may be evaluated in this article, or claim that may be made by its manufacturer, is not guaranteed or endorsed by the publisher.

References

1. Bertolini G, Ghilardi GI, Pandolfini C, Bacchiega A, Catania F, Magnini B, et al. Format of emergency department electronic health records in Europe. The European initiative and the eCREAM proposal. Front Disaster Emerg Med. (2025) 3:1558208. doi: 10.3389/femer.2025.1558208

Crossref Full Text | Google Scholar

2. eCream. Available online at: https://ecreamproject.eu/ (Accessed September 30, 2025).

Google Scholar

3. Shepherd V. Advances and challenges in conducting ethical trials involving populations lacking capacity to consent: a decade in review. Contemp Clin Trials. (2020) 95:106054. doi: 10.1016/j.cct.2020.106054

PubMed Abstract | Crossref Full Text | Google Scholar

4. Dickert NW, Brown J, Cairns CB, Eaves-Leanos A, Goldkind SF, Kim SYH, et al. Confronting ethical and regulatory challenges of emergency care research with conscious patients. Ann Emerg Med. (2016) 67:538–45. doi: 10.1016/j.annemergmed.2015.10.026

PubMed Abstract | Crossref Full Text | Google Scholar

5. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data and Repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance). OJ L. Available online at: http://data.europa.eu/eli/reg/2016/679/oj/eng (Accessed April 27, 2016).

Google Scholar

6. Bertolini G, Ghilardi GI, Pandolfini C, Nattino G, Lavelli A, Moretti F. Study Protocol - NLP-DeVal: Development and Validation of a Natural Language Processing Tool to Enable Clinical Research in Emergency and Acute Care Medicine: Retrospective Cohort Study (2024). Available online at: https://zenodo.org/records/10996542 (Accessed August 25, 2024).

Google Scholar

7. Bertolini G, Banzi R, Catania F, Lavelli A, Ghilardi GI, Pandolfini C, et al. Study Protocol - Propensity to Hospitalize Patients from the ED in European Centers: An Observational Retrospective Quality-of-Care Study (2024). Available online at: https://zenodo.org/records/10996665 (Accessed August 25, 2024).

Google Scholar

8. Rubini V, Aprà F, Ghilardi GI, Górka J, Hricova K, John I, et al. Exploiting EHRs using natural language processing to enable research in emergency medicine: a protocol for a study on hospitalization rates. Front Disaster Emerg Med. (2025) 3:1558444. doi: 10.3389/femer.2025.1558444

Crossref Full Text | Google Scholar

9. Bertolini G, Ghilardi GI, Pandolfini C, Nattino G, Catania F, Banzi R. Study Protocol - Development of a Multipurpose Dashboard to Monitor the Situation of Emergency Departments (2024). Available online at: https://zenodo.org/records/10996699 (Accessed August 25, 2024).

Google Scholar

10. Banzi R, Contrino S, Guilardi GI, Matei M, Rujano MA, Schaffhauser B. eCREAM Draft Data-Sharing Management Plan (2024). Available online at: https://zenodo.org/records/10853659 (Accessed September 30, 2025).

Google Scholar

11. Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on Clinical Trials on Medicinal Products for Human Use and Repealing Directive 2001/20/EC Text with EEA Relevance. OJ L. Available online at: http://data.europa.eu/eli/reg/2014/536/oj/eng (Accessed April 16, 2014).

Google Scholar

12. Medical terms simplifier | European Medicines Agency (EMA) (2023). Available online at: https://www.ema.europa.eu/en/about-us/glossaries/medical-terms-simplifier (Accessed September 30, 2025).

Google Scholar

13. Recital 159 - Processing for Scientific Research Purposes. General Data Protection Regulation (GDPR). Available online at: https://gdpr-info.eu/recitals/no-159/ (Accessed September 30, 2025).

Google Scholar

14. Recital 53 - Processing of Sensitive Data in Health and Social Sector. General Data Protection Regulation (GDPR). Available online at: https://gdpr-info.eu/recitals/no-53/ (Accessed September 30, 2025).

Google Scholar

15. Art. 6 GDPR – Lawfulness of Processing. General Data Protection Regulation (GDPR). Available online at: https://gdpr-info.eu/art-6-gdpr/ (Accessed September 30, 2025).

Google Scholar

16. Art. 9 GDPR – Processing of Special Categories of Personal Data. General Data Protection Regulation (GDPR). Available online at: https://gdpr-info.eu/art-9-gdpr/ (Accessed September 30, 2025).

Google Scholar

17. Health Research Authority. Confidentiality Advisory Group. Available online at: https://www.hra.nhs.uk/about-us/what-we-do/our-performance/confidentiality-advisory-group/ (Accessed October 1, 2025).

Google Scholar

18. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 Laying Down Harmonised Rules on Artificial Intelligence and Amending Regulations (EC) No 300/2008 (EU) No 167/2013 (EU) No 168/2013 (EU) 2018/858 (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (Text with EEA relevance). OJ L, 2024/1689. Available online at: http://data.europa.eu/eli/reg/2024/1689/oj (Accessed December7, 2024).

Google Scholar

19. Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space and amending Directive 2011/24/EU and Regulation (EU) 2024/2847 (Text with EEA Relevance). Available online at: http://data.europa.eu/eli/reg/2025/327/oj/eng (Accessed February 11, 2025).

Google Scholar

20. Rujano MA, Matei M. Approval of Ethical and Legal Conformance of eCREAM Tools (2025). Available online at: https://zenodo.org/records/17017850 (Accessed September 30, 2025).

Google Scholar