Medical research provides unique and critical public benefits but also necessarily involves the processing of some of the most sensitive and private data - which European Data Protection is rightly concerned with safeguarding. Looking at the law across all European Economic Area (EEA) jurisdictions, this presentation outlines the barriers which application of default European data protection norms can pose to such work from requirements to obtain consent for sensitive personal data processing, to data subject notification rules and subject access. Drawing on a survey of Data Protection Authorities it also indicates that regulators are inclined to interpret the law strictly here although enforcement is often rather limited. The presentation then looks forward to the future under the General Data Protection Regulation (GDPR) arguing that the obstacles in the way of getting the law right here remain formidable and, in addition, there is a need for much greater engagement between DPAs and those involved in medical research. (N.B. These slides are based on talk given to the PHG Foundation at Hughes Hall on 13 October 2015 but have been updated in light of the finalization of the GDPR).
2. Overview
Tension between Data Protection & Medical Research
Current Pan-European Provisions
Aims and Methodology of the Study
Findings: Formal law and regulatory interpretations
Regulatory Enforcement
Future European Regime
Conclusions
3. The Basic Tension
The EU Data Protection Directive aims to
so enabling the free flow of data within EU/EEA (A. 1).
Predicated on ensuring “high level of protection”.
Especially stringent as regards sensitive personal data
preeminent amongst which is data “concerning health”.
(Epidemiological) medical research will often need to use
such private sensitive data.
“protect the fundamental rights and freedoms of natural persons,
and in particular their right to privacy with respect to the
processing of personal data.”
4. Wide (& Often Onerous)Default Standards
“Personal
data”
processing
DP Principles &
Legitimation
• Fair and lawful
• Legitimate basis
• Purpose quality and
compatibility
• Information quality
and limits esp. re:
time
Transparency
• Notification
• Subject Access
Sensitive Data
• Categorical
definition
• Default ban
(absent waiver)
Control
• Registration
• Permit
• Export control
• Security
Enforcement
• DPA
• Judicial Remedy
• Subject Rights
5. The Threat to Research from DP Default
Informed consent or even notification may not even be
reasonably possible.
Informed consent may in any case skew samples.
Many other requirements may impose at least a
disproportionate resource burden.
Requirement to obtain a permit may be considered
intrusive and even substantively problematic.
6. DP Directive : Research/Science Clauses
Smattering of express derogations in DP Directive:
Re-purposing if appropriate safeguards in national law
Longer retention OK with national law safeguards
Optional subject access/individual participation
derogation with conditions
At other points Directive simply flags up a potential
discretionary use of general derogations:
Recital 34: Derogation from ban on processing sensitive data may
be used in areas such as “scientific research”
7. DP Directive: General Derogations
Article 8: Sensitive Data
Substantial public interest
Suitable safeguards
Notification to Commission
Article 13: Wide range of other provisions
Via legislation
Necessity
Safeguarding of inter alia rights and freedoms of others
8. Study: Aims and Methodology
Explore EEA Member State approaches along three
dimensions:
1. Formal Law
2. Regulatory/DPA Interpretation
3. Regulatory/DPA Enforcement
Data gathered through:
English translations of national DP Law
2013 survey of regulators – answered by +70% national
plus 6 sub-national DPAs.
Analysis of material gathered from DPA websites (in 2013)
N.B. Study is still ongoing and so results presented
are only provisional.
9. Study: Aims and Methodology
Following hypothetical example used to structure the analysis
(as regards dimensions 1 and 2):
Explored vis-à-vis five different aspects of DP.
Only going to present results where DPA provided a
standardized response to the survey.
“A medical scientist wishes to use the medical records of patients
… All identifiable data would be kept confidential within the
research team and only anonymous results published. Alongside
satisfying him/herself that the scientific benefits of the study
outweigh any privacy infringement involve, which obligations
would apply under Data Protection law in your country?”
10. Study: Five Key Aspects of DP for Research
Default
Duties
Informed
Consent (for
Sensitive
Data)
Subject
Notification
Purpose
Specification
Subject
Access
Rectifying
Inaccuracy
11. Informed Consent: Formal Law
13/46%
7/25%
8/29%
0
2
4
6
8
10
12
14
16
18
20
22
24
No/Conditions only No/Conditions plus permit Consent required
NumberofJurisdictions
13. Need for Subject Notification: Formal Law
Local law (& the Directive) generally very unclear here.
Three different situations need to be considered:
Controller obtained data indirectly: most jurisdictions
provide “disproportionate effort” exemption (usually subject
to conditions and perhaps even DPA permit).
Controller doing the disclosing: May still have notification
duty (but Recital 40 of Directive suggests that might apply
“disproportionate effort” exemption if originally unanticipated).
Controller obtained data directly: Situation generally even
more unclear here (even if reuse not originally anticipated).
14. Need for Notification: DPA Interpretation
5/18%
1/3.5%
22/78.5%
0
2
4
6
8
10
12
14
16
18
20
22
24
No Possibly Yes
NumberofDPAs
15. Purpose Specification: Formal Law
Clear that if notification necessary, purpose of
processing must be given to data subject.
Granularity of such purpose, however, generally remains
opaque in both Directive and in local law.
In medical research may remain unclear whether can
simply notify generally re: research processing or must
notify regarding each specific study.
16. Purpose Specification: DPA Interpretation
Two DPAs said no to informed consent but yes to specific notification.
Six DPAs said yes to informed consent but no to specific notification.
8/36%
14/64%
0
2
4
6
8
10
12
14
16
18
20
22
24
Research Specific Study
NumberofDPAs
18. Subject Access: EU Directive (A. 13 (2))
“Subject to adequate legal safeguards, in particular that the data are
not used for taking measures or decisions regarding any particular
individual, Member States may, where there is a clearly no risk of
breaching the privacy of the data subject, restrict by a legislative
measure the rights provided for in Article 12 when data are processed
solely for the purposes of scientific research”
20. Rectifying Inaccuracy: Formal Law
Right of individual to rectify inaccuracy part of A. 12.
Relates to the duty of Controllers to ensure accuracy of
personal data (A. 6 (1) (d))
Only one jurisdiction (Latvia) has formally limited
this aspect of individual participation under A. 12.
However, it is arguably intrinsically tied to subject
access part of A. 12 (limited by 10 jurisdictions).
22. DPA Permit: Formal Law
Local legal provisions present a complex picture.
17 (60%) jurisdictions: No permit required.
3 (11%) jurisdictions: Permit only if unable to notify.
1 (4%) jurisdiction: Permit only if unable to get consent
but REC permission may act in lieu.
4 (14%) jurisdictions: Permit only if unable to get consent.
3 (11%) jurisdictions: Permit generally always required.
24. Research Ethics Committee Findings
Formal DP: Only c. 5 (18%) local laws specify this.
But area may well be regulated by other law.
DPAs responded as follows:
10/36%
4/14%
14/50%
0
2
4
6
8
10
12
14
16
18
20
22
24
No permission Consult etc. only Permission required
NumberofDPAs
26. Direct Enforcement: Published Examples
Catalan DPA (2011):
Hospital sent University-affiliated researchers patient data for project
Neither “dissociation” nor consent nor legal authorization
Action: Resolution declaring illegal data transfer offence.
Swedish DPA (2011)
University engaged in research on causes of allergy and diabetes
Collects data (and hair) from children w/out parent consent or notice
Complaint received
Action: Decision issued stating that University would have to
notify and obtain consent if wanted to us this data.
27. General DP Regulation: Research Clause (A. 89)
Derogations brought together in one article stipulating
need for “appropriate safeguards” ensuring in particular
“data minimization” (A. 89 (1)).
Subject to this are common provisions for:
Re-purposing of data (A. 5 (1) (b))
Longer retention (A. 5 (1) (c)) (cf. also A 17 (3) (d))
Lifting of most of sensitive data ban where necessary
& proportionate etc. State or Union law (A. 9 (2) (j))
Purely optional derogations subject to further
conditions from subject access and right to object (A.
89 (2)).
28. General DP Regulation: Other Aspects
Default provisions in Regulation (e.g. subject
notification (A. 12-14)) much more onerous than
present.
General derogations (A. 23 & 10) e.g. for “rights &
freedoms of others” remain but are tighter and narrower
as exclude DP principles in and of themselves.
Social and humanities research now protected as
“academic expression” alongside journalism in free
expression clause (A. 85).
29. Conclusions
Clear tension between medical law and data protection
Formal law is quite onerous and very confused.
Many DPAs tend to interpret the law here even more
stringently than its wording would imply.
This may fuel uncertainty and the chilling effect.
However, enforcement appears limited.
Getting law right under Regulation clearly a challenge.
More proportionate and effective regime also requires
more DPA-medical research dialogue.