Practical implications for data sharing under the new EU GDPR
Marta Tomasi, PhD
5th International Summer School Rare Disease &
Orphan Drug Registries and Bring Your Own Data
“
Ethics: moral judgement, what ought to be done
Law: codified rule,
what must be done
Data protection
Data Protection
PAST destroy data after a certain
period as an ethical commitment to protect individuals from harm
Recent developments:
o Research with a central commitment to secondary analysis
o Grants that promote re-using data that already exists
o ‘New data’ types (objective rather than self-reported)
o New approaches to analysis e.g. big data analysis, meta analysis and data mining
oOpen data and data democracy
o Digital dissemination platforms
oData sharing required for obtaining funds or publishing research results
Data Protection in the EU
Directive 95/46/EC
Regulation 2016/679
The Directive 95/46/EC is repealed with effect from 25 May 2018. Member States will have a great role in revising their legislations on health research in order to comply with the GDPR
Data Protection in the EU
Directive 95/46/EC
Regulation 2016/679
Regulation
◎Harmonisation and reduce fragmentation ◎No fundamental change:
◉ applies to the data controllers and processors acting in the public and private sectors for profitable and not-profitable purposes
◉ differentiates between 2 types of data (personal and sensitive)
◉ scientific research activities as a specific context
INDIVIDUAL
FREEDOM FREEDOM OF
RESEARCH
Regulation
◎Harmonisation and reduce fragmentation ◎No fundamental change:
◉ applies to the data controllers and processors acting in the public and private sectors for profitable and not-profitable purposes
◉ differentiates between 2 types of data (personal and sensitive)
◉ scientific research activities as a specific context
INDIVIDUAL
FREEDOMz FREEDOM OF
RESEARCH
The legislation explains it is lawful to process data for
registries (under the scientific research ground)
provided researchers or anyone who is running such
registries follow the rules and safeguards established by
Member States. (Recital 157).
“ INCOMPLETE HARMONISATION
“Member States may maintain or introduce further conditions,
including limitations, with regard to the processing of genetic data,
biometric data or data concerning health”
(article 9(4))
General principles – PERSONAL DATA
Lawfulness, fairness,
transparency
Purpose limitation
Data minimisation
Accuracy
Limited storage
Ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage Requires the controller and the processor to organise and maintain clear and secured records of any data processing activities performed
2 new principles
Integrity and confidentiality
Accountability
Exemptions for scientific research
Purpose limitation
Limited storage
Secondary uses
The processing of personal data for purposes other than those for which the personal data were initially collected
GDPR Only be allowed where the new
purpose of the processing is
compatible with
the purposes for which the personal
data were initially collected.
further processing for (…) scientific
(…) research purposes (…) shall, in
accordance with Article 89(1), not be
considered to be incompatible with
the initial purposes.
Check feasibility to fulfil those
purposes by processing data which
do not permit or no longer permit
the identification of data subjects,
pseudonymisation of the data, and
provided that appropriate safeguards exist.’
ITALIAN AUTHORIZATION n. 8/2016
…if the scientific and statistical
purposes are related directly to those
for which the data subjects' informed
consent had been obtained initially
OR reasonable efforts + a research for
similar purposes cannot be performed
by processing other data +
anonymization & no dissent OR
approval by a EC and by the Privacy
Authority
Patients’ rights in research
To access one’s own
personal data
Right to data portability
Right to object the
processing of your data
Right to erasure
Rights in case of breach
Right to remedy
Right to be informed/transparency
Data sharing
User authentic
ation
Suitable for widely publicising data
Open access
Special licence
Suitable for controlling the type of user /
use of data
Special conditions
Limited to specified
group Suitable for reduced
datasets
Controlled
on-site
The wider circulation, the harder to monitor data’s
position and use
To access one’s own personal data
Rights in case of breach
Right to remedy
Right to be informed/transparency
Where personal data are processed for scientific research purposes or archiving purposes in the public interest Union or Member State law may provide for derogations from the rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability and to object in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
Exemptions to patients’ rights in research
To access one’s own personal data
Rights in case of breach
Right to remedy
Right to be informed/transparency
Where personal data are processed for scientific research purposes or archiving purposes in the public interest Union or Member State law may provide for derogations from the rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability and to object in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
Exemptions to patients’ rights in research
Lack of conferred competence
-
support competence
Sensitive data
General prohibition
Informed consent Scientific research
purposes
Processing of (…) genetic data and data concerning health (…) shall be prohibited.
the data subject has given
explicit consent to the
processing of those
personal data for one or
more specified purposes
processing is necessary for
archiving purposes in the
public interest, scientific or
historical research purposes
or statistical purposes in
accordance with Article 89(1)
Sensitive data
General prohibition
Informed consent Scientific research
purposes
Processing of (…) genetic data and data concerning health (…) shall be prohibited.
the data subject has given
explicit consent to the
processing of those
personal data for one or
more specified purposes
processing is necessary for
archiving purposes in the
public interest, scientific or
historical research purposes
or statistical purposes in
accordance with Article 89(1)
Consent specificity
GDPR It is often not possible to fully identify
the purpose of personal data
processing for scientific research
purposes at the time of data
collection. Therefore,
data subjects should be allowed to
give their consent to certain areas of
scientific research when in keeping
with recognised ethical standards for scientific research.
the processing
of special categories of personal data
may be necessary for reasons of
public interest in the areas of public
health without consent of the data
subject.
ITALIAN AUTHORIZATION n. 8/2016
Genetic data may be processed and
biological samples used exclusively for
the purposes specified herein, on
condition the person concerned has
provided his/her written informed
consent thereto
Information notices shall include (…) a
detailed list of all the specific purposes to be achieved
BROAD
CONSENT
SPECIFC
CONSENT
Deposit in public research databases
Data sharing is necessary to provide greater access to research data and bio-
specimen collections to optimize their long-term value and exploit their potential
GDPR Indirect challenges:
GDPR mandates a greater emphasis
on the principle of data minimisation
(only data that is directly relevant and
necessary for a specified purpose is
collected, and it is only processed for
as long as necessary to fulfil the
purpose) loosing control over the further
processing of the data incompatible
with some provisions of the
Regulation (withdrawal, duty to notify
data breaches, accountability
issues...) + problems about jurisdiction
ITALIAN AUTHORIZATION n. 8/2016
No genetic data may be disseminated.
Research findings may only be
disseminated as aggregated
information, or else in accordance with
such arrangements as can prevent data
subjects from being identified also by
way of indirect identification data; this shall also apply to publications.
Tying up loose ends...
GDPR: Creating a more integrated EU data protection system
Privileged position of research
o possibility for Member States to introduce further conditions, including
limitations, with regard to the processing of genetic data, biometric data or
data concerning health AND to introduce derogations to patients’ rights in
research
The increasing focus no data sharing brings tensions with the demands of data
protection
Reinforce cooperation duties and transparency
o Accountability
o Data Protection impact assessment – risk-based approach
Reference to the respect of ethical standards as being part of the lawfulness of
the processing in research (effort for sector-specific consistency)