“Research” section: Section under the responsibility of Dr Manon Gantenbein, PhD, Head of the Clinical and Epidemiological Investigation Center of the LIH
Article published in Semper magazine – September 2018 edition – www.dsb.lu
A new European regulation on data protection is currently keeping organisations across Europe busy in adapting their procedures, policies and documentation to meet the new requirements. For research, this regulation will have considerable consequences as well. An important aspect is the transparency of the processing of personal data in research.
Dr Regina Becker, Strategy Development Bioinformatics Core, Luxembourg Centre for Systems Biomedicine (LCSB), University of Luxembourg
On 25th May 2018, the new European General Data Protection Regulation (GDPR) came into force.
It was created with the aim of harmonising data protection legislation across the European Union (EU) and allowing seamless cross-border processing of personal data. For health and genetics data, however, this harmonisation has not been achieved as each country is free to introduce its own limitations on the processing of these data types.
Therefore, it is also important to be aware of the national implementations of the GDPR in the different countries.
Most of the implementation is done in national data protection legislation but sectorial law, in particular for health and social security, research, genomics and biobanking, can include relevant provisions as well.
The GDPR has attracted much attention because of the rules of enforcement that foresee draconian fines of up to 20 Mio Euro in cases of non-compliance. This has created an unprecedented interest in data protection measures and activities, even though the basic rules for processing data remain unchanged. New elements of the GDPR include principles such as “responsibility”, “accountability” and “data protection by design and default”. Transparency is part of the accountability principle, which is introduced in Article 5 and further specified in Articles 12 to 15 of the Regulation.
The requirement for transparency in data processing is now harmonised across the EU. This transparency includes the way the data controller communicates with the data subjects, the information that should be provided on the processing, as well as on the rights of the data subjects towards the controller and the processing of their data. Here a controller is the initiator of the research project, the data subjects are the study participants. The leading principle is that the participants should never be surprised about how or where their data are processed.
Already under the previous Directive (EU) 2016/680, the advance information provided to the data subject about the data processing was a prerequisite for processing the data. In clinical research this was always implemented in the data information sheet. The information provided to the study participants for compliance with the Directive used to comprise the identity of the controller, the purpose of the processing (i.e. the research project) as well as, where applicable, the right to withdraw consent, to access the data or to rectify them. In accordance with ethical principles, the provision of this information should always be phrased in a way that is easily understandable by the study participants.
The GDPR now requires in addition the provision of the retention time of the data, the contact details of the data protection officer of the controller’s institution, the explicit institutions with whom the data will be shared or, if this is not possible, the category of recipients, and in particular any intention to share the data outside the EU as well as the corresponding safeguards that will be in place to protect the rights of the study participants. The rights of the data subject are also now extended, including the right to restrict the processing or at least object to it, to request data be deleted, the right to request transfer of the data to a different controller, as well as the right to lodge a complaint to the data protection authorities. Where these rights are restricted in the interest of research, this needs to be explained. Furthermore, the legal basis for the processing now needs to be mentioned, such as consent or public interest. Where “legitimate interest” is used as a legal basis, this interest needs to be explained.
A challenge is posed by the provision in the GDPR that the data subjects also need to be informed about any changes to the purpose of the processing for which the data were collected. In research this means that any data that were collected for a defined study, without an indication of the use of the data in further research projects, cannot readily be used in any other way. Even with the approval of an ethics committee and even though a consent of the study participants may not be needed, the participants nevertheless need to be informed about this new purpose.
The previous Directive did not explicitly request information on further processing to be given to data subjects and it remains unclear how the controller can comply with this requirement if the study participants are no longer reachable. It may be sufficient to announce such information publicly such as in relevant newspapers, but confirmation that this is sufficient should be sought with the respective data protection authorities.
Another challenge is that data subjects need to be informed by the controller if the data are being obtained from a source other than the data subject directly. This could be e.g. a public registry, other people or publicly available sources such as the internet. Such information has to be provided within a maximum period of one month. A derogation from this requirement for scientific research is possible, however, in case the information obligation is impossible to comply with or involves a disproportionate effort – proof of these pre-conditions should be kept by the controller. The arguments on which the decision is based need to be documented, but there is currently no clear guidance on what are sufficient arguments.
The preamble of the GDPR refers to the age of the data and the number of data subjects, but the European Data Protection Board (previously called the “Article 29 Working Party” under the Directive) currently gives conflicting information on when such disproportionate effort can be relied upon.
A fairly clear situation for such derogation is given though, when the data is pseudonymised – as is often the case in research – and the key to the identity and contacts of the data subjects is not available to the controller. However, in such cases, the controller is still required to make the information publicly available, for example on the institutional website and potentially also through the written press.
Last but not least, the information obligation on the controller does not end with the provision of information before the research project commences. At any time during the data processing, the data subjects have the right to get access to the data and receive precise information such as about the purposes of the processing, the data categories, the envisaged retention time, the recipients of the data (including processors), and, where applicable, the sources of the data.
While in focussed projects with a defined research question all this information is provided in advance of the study, this right of access becomes more relevant where a broad consent was obtained to use the data for a wider purpose such as research on a certain disease or health in general. All projects using the data must be described then as well as all collaboration partners or processors, including e.g. laboratories that provide analysis data from biosamples. Where data were shared outside the EU, relevant safeguards under which the sharing took place are also to be provided.
The ELIXIR-Luxembourg Node is hosted by the Luxembourg Centre for Systems Biomedicine (LCSB) at the University of Luxembourg. It is focussed on supporting research on translational medicine data, i.e. clinical, molecular and experimental data and supports among other biomedical research activities the electronic data capture and management of clinical studies. The ELIXIR-Luxembourg Node also hosts translational medicine data free of charge to make them accessible to the scientific community. A data catalogue makes these data findable. As such, tools to implement data protection in research are of central importance and are not only used for the activities of ELIXIR but are also available for other research stakeholders.
The GDPR requires most of this information to be part of the records of the processing institution anyway. Article 30 of the regulation requires that processing records which document most of these aspects are kept either on paper or electronically.
The Luxembourgish Node of the European bioinformatics infrastructure ELIXIR has developed a data information system named DAISY that stores all this information linked to the clinical research data and makes it easily available, both for study participants as well as for audits by the data protection authorities.