Personal data protection and medical research: The new legal framework in the EU

Legal x-rays

On May 4th 2016, the official text of Regulation 2016/679 “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC” (General Data Protection Regulation) was published in the EU Official Journal. The Regulation entered into force on May 24th 2016, but it shall apply from May 25th 2018.

Medical research inevitably involves the processing of personal data, mainly data concerning health. There are, certainly, many kinds of medical research, each of which has various elements that imply different risks and interactions with participants’ privacy and personal data protection and, consequently, require different approaches to their regulation. Specifically, there are types of medical research, namely clinical trials, in which the study object is the natural person himself or herself. To such research, not only the General Data Protection Regulation (GDPR) but also the Clinical Trials Regulation 536/2014 will apply.

On the other hand, there are types of research, such as epidemiological research (either retrospective research collecting data from existing records, or prospective research), in which the study object is data generated by the person, such as data from health (e-health) records, registries of specific diseases (e.g. cancer), pharmacovigilance data, and biobank data resulting from the study and analysis of the human genome (“genetic data”).

However, all types of health research described above fall within the term “scientific research” found in the GDPR and, as such, are regulated by this Regulation. In establishing the legal provisions on personal data processing in the context of medical research, the European legislator took into account the Union’s objective, under Article 179(1) TFEU, to achieve “a European Research Area, in which researchers, scientific knowledge and technology circulate freely”.

What, therefore, are the requirements under the GDPR for the lawful processing of health data in the context of medical research?

First of all, personal data processing for health research purposes is subject to the following general principles for lawful processing (Article 5 of the GDPR):

  • Principle of lawfulness, fairness and transparency.
  • Principle of purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. However, the Regulation provides that further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes, provided that the requirements of Article 89 are fulfilled. Furthermore, in these cases Article 89 imposes technical and organizational measures, which may include pseudonymisation, provided that the purposes of the processing can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, processing shall be conducted without identification. As a result of this interpretative rule, researchers will not be obliged, under the above conditions, to obtain consent for every use in research (“one-time consent”).
  • Principle of data minimization: only data that are necessary in relation to the purposes for which they are processed shall be used.
  • Principle of accuracy: this principle requires all reasonable steps to be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  • Principle of storage limitation: according to this principle, data should not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data are processed. However, in the field of health research, derogation from this principle can be justified. Accordingly, the GDPR explicitly excludes from the principle, and permits storage for longer periods, personal data processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1).
  • Principle of integrity and confidentiality: data shall be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organizational measures.
  • Principle of accountability: according to this principle, the controller, i.e. the person who determines the purposes and means of the processing of personal data, shall be responsible for, and be able to demonstrate, compliance with the above principles.

Moreover, Article 9 of the GDPR establishes a special framework for specific categories of data, including genetic data, biometric data processed for the purpose of uniquely identifying a natural person, and data concerning health. Processing of these types of data is prohibited. However, the text provides for several exceptions. Namely, derogation from the general prohibition can be justified:

  • provided that the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
  • when processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services;
  • when processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  • when processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

However, Article 9(4) stipulates that Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. This provision may lead to fragmentation, since differing measures adopted by Member States and differing interpretations may hinder the harmonization and homogeneity the Regulation aims at.


Our law firm’s comment

A person’s privacy constitutes a globally recognized fundamental right; its protection must be guaranteed. On the other hand, sharing health data can facilitate medical research, contribute to better medical treatment, provide solutions to public health problems (such as cancer) and improve the sustainability of health care systems. The European legislator managed to balance the conflicting rights and interests as well as to adapt the rules to the developments and new ways of data processing that have been rendered possible as a result of the high technological advancements in computer and information science.

In our view, a unified set of rules on personal data protection which provides the necessary safeguards will enhance the competitiveness of EU medical research, release the inherent promise of digital health applications and ensure better and safer results for all.