健康資料在AI運算下二次利用——探究隱私權與數據保護之規範平衡

The Reuse of Health Data in AI Computation: Exploring the Regulatory Balance between Privacy Protection and Data Innovation

本文探討健康資料於人工智慧運算下之二次利用，分析其在隱私權與數據創新間的法律平衡挑戰。文章從我國法制現況切入，聚焦於健保資料庫的治理模式，檢視111年憲判字第13號判決對個人資料保護法規範的影響，並對歐盟健康資料空間規則（EHDS）與芬蘭Findata模式等國際案例進行比較分析。
首先，健保資料的公益性與敏感性兼具，但現行法將二次利用侷限於學術機構與政府機關，未能充分回應智慧醫療發展對數據需求的現實挑戰。憲法法院指出，現行法缺乏當事人資訊退出權及監督機制，導致資料濫用風險與信任危機。本文認為，應以專法建立健康資料中介機構，完善退出權與監督機制，並探索商業利益回饋制度。其次，國際比較揭示多國在健康資料治理上強調透明性與信任建立。歐盟EHDS要求建立獨立機構以監管數據使用，並限制其商業化目的；芬蘭Findata則以中介機構強化資料流通的安全性與正當性；英國生物銀行則透過詳盡的知情同意與監督機制，實現公共與商業目的的平衡。這些經驗為我國立法提供參考。
最後，本文建議，以專法完善健保資料的商業化利用規範，包括建立健康資料中介機構、商業回饋機制及分層退出權，並以此增強民眾對生醫研究的信任與參與，實現隱私保護與數據創新的雙贏。

This paper examines the reuse of health data in artificial intelligence (AI) computation and analyzes the legal challenges in balancing privacy protection and data innovation. Starting from the current legal framework in Taiwan, it focuses on the governance model of the National Health Insurance (NHI) database and reviews the impact of the Constitutional Interpretation No. 13 (2022) on the Personal Data Protection Act (PDPA). Additionally, it compares international cases, including the European Health Data Space (EHDS) regulation and Finland’s Findata model.
First, while the NHI data has both public value and sensitivity, the current law restricts its reuse to academic institutions and government agencies, failing to address the growing data demands of smart healthcare development. The Constitutional Court highlighted the lack of mechanisms for individuals to withdraw their data and inadequate supervisory frameworks, leading to risks of data misuse and a trust crisis. This paper argues for a specialized legal framework to establish health data intermediary organizations, enhance withdrawal mechanisms, and explore commercial benefit-sharing models. Second, international comparisons reveal that many countries emphasize transparency and trust-building in health data governance. The EHDS requires independent bodies to supervise data usage and limits commercialization. Finland’s Findata strengthens data flow security and legitimacy through intermediary organizations. The UK Biobank achieves a balance between public and commercial interests through detailed informed consent and robust oversight mechanisms. These experiences provide valuable references for Taiwan’s legislation.
Finally, this paper proposes a specialized legal framework to regulate the commercial reuse of NHI data, including the establishment of health data intermediaries, commercial benefit-sharing mechanisms, and tiered withdrawal rights. By strengthening public trust in biomedical research, this framework aims to achieve a dual objective: protecting privacy while fostering data innovation.