Practical implications for data sharing under the new EU GDPR Marta Tomasi, PhD 5th International Summer School Rare Disease & Orphan Drug Registries and Bring Your Own Data

Practical implications for data sharing under the new EU GDPR · old.iss.it/binary/cnmr4/cont/Data_sharing_under...

May 29, 2020

Page 1

Practical implications for data sharing under the new EU GDPR

Marta Tomasi, PhD

5th International Summer School Rare Disease &

Orphan Drug Registries and Bring Your Own Data

Page 2

Ethics: moral judgement, what ought to be done

Law: codified rule, what must be done

Data protection

Data Protection

Page 3

PAST: destroy data after a certain period as an ethical commitment to protect individuals from harm

Page 4

Recent developments:

o Research with a central commitment to secondary analysis

o Grants that promote re-using data that already exists

o ‘New data’ types (objective rather than self-reported)

o New approaches to analysis e.g. big data analysis, meta analysis and data mining

o Open data and data democracy

o Digital dissemination platforms

o Data sharing required for obtaining funds or publishing research results

Page 5

Data Protection in the EU

Directive 95/46/EC

Regulation 2016/679

Directive 95/46/EC is repealed with effect from 25 May 2018. Member States will have a great role in revising their legislation on health research in order to comply with the GDPR.

Page 6

Data Protection in the EU

Directive 95/46/EC

Page 7

Regulation 2016/679

Page 8

Regulation

◎ Harmonisation and reduced fragmentation

◎ No fundamental change:

◉ applies to the data controllers and processors acting in the public and private sectors for profit and non-profit purposes

◉ differentiates between 2 types of data (personal and sensitive)

◉ scientific research activities as a specific context

INDIVIDUAL FREEDOM

FREEDOM OF RESEARCH

Page 9


The legislation explains it is lawful to process data for registries (under the scientific research ground) provided researchers or anyone who is running such registries follow the rules and safeguards established by Member States (Recital 157).

Page 10

INCOMPLETE HARMONISATION

“Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health” (Article 9(4))

Page 11

General principles – PERSONAL DATA

Lawfulness, fairness, transparency

Purpose limitation

Data minimisation

Accuracy

Limited storage

Page 12

2 new principles

Integrity and confidentiality: ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Accountability: requires the controller and the processor to organise and maintain clear and secured records of any data processing activities performed.

Page 13

Exemptions for scientific research

Purpose limitation

Limited storage

Page 14

Secondary uses

The processing of personal data for purposes other than those for which the personal data were initially collected

GDPR

Only allowed where the new purpose of the processing is compatible with the purposes for which the personal data were initially collected.

Further processing for (…) scientific (…) research purposes (…) shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.

Check feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, pseudonymisation of the data, and provided that appropriate safeguards exist.

ITALIAN AUTHORIZATION n. 8/2016

…if the scientific and statistical purposes are related directly to those for which the data subjects' informed consent had been obtained initially

OR reasonable efforts + a research for similar purposes cannot be performed by processing other data + anonymization & no dissent

OR approval by an EC and by the Privacy Authority

Page 15

Patients’ rights in research

To access one’s own personal data

Right to data portability

Right to object to the processing of your data

Right to erasure

Rights in case of breach

Right to remedy

Right to be informed/transparency

Page 16

Data sharing

User authentication

Suitable for widely publicising data

Open access

Special licence

Suitable for controlling the type of user / use of data

Special conditions

Limited to specified group

Suitable for reduced datasets

Controlled on-site

The wider the circulation, the harder it is to monitor the data’s position and use

Page 17

Exemptions to patients’ rights in research

To access one’s own personal data

Rights in case of breach

Right to remedy

Right to be informed/transparency

Where personal data are processed for scientific research purposes or archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability and to object in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

Page 18


Lack of conferred competence - support competence

Page 19

Sensitive data

General prohibition: Processing of (…) genetic data and data concerning health (…) shall be prohibited.

Informed consent: the data subject has given explicit consent to the processing of those personal data for one or more specified purposes

Scientific research purposes: processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1)


Page 21

Consent specificity

GDPR

It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research.

The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject.

ITALIAN AUTHORIZATION n. 8/2016

Genetic data may be processed and biological samples used exclusively for the purposes specified herein, on condition the person concerned has provided his/her written informed consent thereto

Information notices shall include (…) a detailed list of all the specific purposes to be achieved

BROAD CONSENT

SPECIFIC CONSENT

Page 22

Deposit in public research databases

Data sharing is necessary to provide greater access to research data and bio-specimen collections to optimize their long-term value and exploit their potential

GDPR

Indirect challenges:

GDPR mandates a greater emphasis on the principle of data minimisation (only data that is directly relevant and necessary for a specified purpose is collected, and it is only processed for as long as necessary to fulfil the purpose)

losing control over the further processing of the data incompatible with some provisions of the Regulation (withdrawal, duty to notify data breaches, accountability issues...) + problems about jurisdiction

ITALIAN AUTHORIZATION n. 8/2016

No genetic data may be disseminated. Research findings may only be disseminated as aggregated information, or else in accordance with such arrangements as can prevent data subjects from being identified also by way of indirect identification data; this shall also apply to publications.

Page 23

Tying up loose ends...

GDPR: Creating a more integrated EU data protection system

Privileged position of research

o possibility for Member States to introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health AND to introduce derogations to patients’ rights in research

The increasing focus on data sharing brings tensions with the demands of data protection

Reinforce cooperation duties and transparency

o Accountability

o Data Protection impact assessment – risk-based approach

Reference to the respect of ethical standards as being part of the lawfulness of the processing in research (effort for sector-specific consistency)