Patients' knowledge, preferences, and perspectives about data protection and data control: an exploratory survey.

In the European Union, the General Data Protection Regulation (GDPR) plays a central role in the complex health research legal framework. It aims to protect the fundamental right to the protection of individuals' personal data, while allowing the free movement of such data. However, it has been criticized for challenging the conduct of research. Existing scholarship has paid little attention to the experiences and views of the patient community. The aim of the study was to investigate 1) the awareness and knowledge of patients, carers, and members of patient organizations about the General Data Protection Regulation, 2) their experience with exercising data subject rights, and 3) their understanding of the notion of "data control" and preferences towards various data control tools. An online survey was disseminated between December 2022 and March 2023. Quantitative data was analyzed descriptively and inferentially. Answers to open-ended questions were analyzed using the thematic analysis method. In total, 220 individuals from 28 European countries participated. The majority were patients (77%). Most participants had previously heard about the GDPR (90%) but had not exercised any of their data subject rights. Individual data control tools appeared to be marginally more important than collective tools. The willingness of participants to share personal data with data altruism organizations increased if patient representatives would be involved in the decision-making processes of such organizations. The results highlighted the importance of providing in-depth education about data protection. Although participants showed a slight preference towards individual control tools, the reflection based on existing scholarship identified that individual control holds risks that could be mitigated through carefully operationalized collective tools. The discussion of results was used to provide a critical view into the proposed European Health Data Space, which has yet to find a productive balance between individual control and allowing the reuse of personal data for research.