Full article title The effect of the General Data Protection Regulation on medical research
Journal Journal of Medical Internet Research
Author(s) Rumbold, John Mark Michael; Pierscionek, Barbara
Author affiliation(s) Kingston University London, Nottingham Trent University
Primary contact Email: J dot Rumbold [at] Kingston dot ac dot uk
Editors Eysenbach, G.
Year published 2017
Volume and issue 19 (2)
Page(s) e47
DOI 10.2196/jmir.7108
ISSN 1438-8871
Distribution license Creative Commons Attribution 2.0
Website http://www.jmir.org/2017/2/e47/
Download http://www.jmir.org/2017/2/e47/pdf (PDF)

Abstract

Background: The enactment of the General Data Protection Regulation (GDPR) will impact on European data science. Particular concerns relating to consent requirements that would severely restrict medical data research have been raised.

Objective: Our objective is to explain the changes in data protection laws that apply to medical research and to discuss their potential impact.

Methods: Analysis of ethicolegal requirements imposed by the GDPR

Results: The GDPR makes the classification of pseudonymised data as personal data clearer, although it has not been entirely resolved. Biomedical research on personal data where consent has not been obtained must be of substantial public interest.

Conclusions: The GDPR introduces protections for data subjects that aim for consistency across the E.U. The proposed changes will make little impact on biomedical data research.

Keywords: pseudonymity, anonymity, untraceability, privacy-preserving protocols, informatics, data reporting, data protection, research ethics

Overview

There have been significant developments in European Union (E.U.) data protection law recently that will have an impact on health care professionals, particularly those engaged in research and audit. The General Data Protection Regulation (GDPR) has replaced the current legislation and comes into full effect in 2018.[1] The implications for the handling of health care data of the GDPR will be discussed in this paper. Despite the recent referendum vote in the United Kingdom to leave the E.U., the GDPR will continue to be relevant to the United Kingdom, whether this is due to cooperation in European projects or because the United Kingdom continues to be a member of the European Economic Area (EEA).

The Data Protection Directive

Currently the relevant law in the United Kingdom is the Data Protection Act 1998, which is the United Kingdom’s transposition of the Data Protection Directive (DPD). European directives are not directly enforceable, requiring member states to pass legislation to comply with their requirements. There are derogations (legal exemptions) for research, which in the case of the United Kingdom have been criticized for being too broad. The LRDP Kantor report for the European Commission criticizes the United Kingdom for disregard of the limitations, stating that the Data Protection Act blatantly violates the Directive by adding "medical research" to the list of medical purposes.[2] The DPD requires a "substantial public interest" for member states to add to the derogations for processing of sensitive personal data (Article 8.4).

Differences between E.U. member states can result in research ethics committees in United Kingdom denying permission for National Health Service (NHS) data to be transferred to other E.U. countries (the opposite might also be the case in some circumstances).[3] These differences have also contributed to the passage of the GDPR as part of the Digital Single Market strategy.[4]

The law as it will be from 2018: The General Data Protection Regulation

The text of the GDPR has recently been agreed after a prolonged trilogue between the European Commission, Parliament, and the Council of Ministers.[5] This legislation will replace the national transpositions of the DPD. Regulations are directly enforceable across the E.U. The GDPR comes into full effect on May 25, 2018, although member states are permitted minor differences in interpretation (the European Court of Justice is the ultimate arbiter). This legislation has the potential to affect projects using research data banks and Big Data.[6][7] There had been concerns that a clause inserted by the European Parliament requiring specific consent would prevent significant long-term epidemiological research taking place in the future[8], but this was rejected and the agreed text permits broad consent to "certain areas of research when in keeping with recognized ethical standards" (Recital 33).[9] Broad consent is not blanket or open consent[10] although some commentators argue that blanket or open consent is acceptable for biobank and databank research as the risks are minimal and do not vary for different projects.[11] Another possibility is consent to a form of governance.[12] Open consent without any ongoing regulation or communication about proposed projects would be potentially problematic. Dynamic consent offers advantages for an engaged community of participants but might not be considered beneficial by some individuals.[13]

The derogations for research without consent have been expanded to specifically include medical research where "in the public interest" (Recital 51). How public interest will be defined has not been elaborated, but European jurisprudence demands member states satisfy a high threshold where human rights are involved (e.g., a "pressing social need"[14]). This standard would not be required for the conduct of medical research using databanks, but it might exclude all commercial research for "me too" drug development (drugs that offer no advantages over drugs already on the market), arrangements that have no evidence of benefit sharing, or simply require that projects address issues of public importance regardless of the profits made.[15] This requirement reflects public attitudes in the United Kingdom to the use of health care data, where there is resistance to use of public data for commercial ventures unless the research could not happen without commercial involvement.[16][17]

Anonymization

Data protection law only applies to personal data — that is, data that does directly or can indirectly identify an individual.[18][19][20] The simple deletion of name and address is usually insufficient to constitute anonymization (it has been demonstrated that the combination of three pieces of data could identify 87 percent of U.S. residents: 5-digit zip code, birth date, and sex).[21] The United Kingdom Information Commissioner’s Office currently treats pseudonymized data as anonymous where it is used by a third party who does not possess the requisite key code. Truly anonymized data cannot be linked back to an individual (which means that verification of data is not possible by any means). Pseudonymized data typically has identifiers removed and replaced with a unique key code (there is also two-way cryptography; one-way cryptography is considered anonymized). This key code can be used to trace the data back to an individual, enabling any safety concerns to be acted upon and for data to be verified. This is the approach that the United Kingdom's care.data project on the use of NHS electronic health records for data research has been taking.[22] The GDPR will require changes in practice, as it confirms in Recital 26 that pseudonymized data must be treated as personal data (in line with the previous Article 29 Working Party opinion).[18] That position results from the increased vulnerability of data subjects who could potentially be identified compared to the protection afforded them with true anonymisation — if the key code is hacked, then all the data can be linked to an individual once more.

Consent

Consent presumed by failure to opt-out, or change preticked boxes, will no longer be permitted (unless covered by the derogations) — consent will need to be by a "clear, affirmative action" (Article 4.11). These changes would have arguably made the abandoned care.data project[23] illegal, despite the passage of enabling legislation that exempted general practitioners from the common law duty of confidentiality when fulfilling their contractual duties to pass on health care data. The care.data program relied on an opt-out for legitimacy.[22] The exercise of this opt-out was not straightforward. The numbers opting out far exceeded the estimates and the capacity for the Health and Social Care Information Centre (now NHS Digital) to process in a timely manner. The problems included omission of those who opted out from calls for NHS screening programs, even though this was not the intention of those exercising this right. NHS Digital currently relies on pseudonymization, which the GDPR states is categorized as a matter of law as personal data. It is not entirely clear whether or not third parties without access to the key code could treat pseudonymized data as anonymized (as is currently the case in the United Kingdom). Key codes are a potential vulnerability due to accidental or malicious disclosure, which is one of the justifications for pseudonymized data being classified as personal data. There are no clear indications that there are no future plans to use NHS patient data for research.

Dame Fiona Caldicott reviewed arrangements because of the widespread concerns related to consent[22], and her report led to the cancellation of the Care.data project.[23] The particular issues that were identified include the lack of information about care.data that made exercising an opt-out an opaque process, the inadequate mechanisms for opting, and the failure of protection for rights and access to the NHS for those who opt out.

The risk of re-identification in the future is impossible to quantify precisely because it cannot be predicted what information will become public.[24] However, as with biobanks, the risks to individuals are lesser compared with studies of medical interventions.[25] Therefore authorization by research ethics committees is acceptable practice, with the requirement that opt-outs be respected unless there are exceptional circumstances.

Although the GDPR comes into force in mid-2018, researchers need to prepare now for the changes it will bring to long-term epidemiological studies. In particular, the categorization of pseudonymized data as personal will require action in some jurisdictions such as the United Kingdom and Greece.[26] The necessary accommodations will require an investment of resources, but this will hopefully ensure that subjects continue to have trust in the integrity of their health care data and the medical research community.[27] The GDPR may still apply should the United Kingdom cease to become a member state of the E.U. either because the United Kingdom is a member of the EEA or because the United Kingdom retains these instruments as law at least for the short term.[28]

Although audit and research are treated differently in law, the boundaries between the two activities are blurred.[29] Audit is directly relevant to the monitoring and improvement of quality of health care; therefore, it is included as a primary use of data—Recitals 52-54 and Article 9.2 (h) and (i) of the GDPR make this clear. Audit and health care management are a primary use of health care data, and research is a secondary use — that is, it is a use different from the originally declared purpose (although it is designated a compatible purpose within the GDPR but only for nonsensitive data). If an audit compares health care systems to discover which is most effective, this can also be categorized as research as the practices are not compared to a gold standard, and there is a hypothesis being generated or even tested by finding associations. The recent furor surrounding the Royal Free Trust project in conjunction with Google DeepMind illustrates the debate over the distinction of audit from research.[30][31][32]

Data sharing

Dame Fiona Caldicott affirmed in her 2013 report on information governance that "The duty to share can be as important as the duty to protect patient confidentiality."[33] Data sharing within the E.U. should not be obstructed because of differences in data protection law under the principles of the Digital Single Market and Article 1(2) of the Data Protection Directive. Data portability and data sharing is an issue with health care data[34], which the European Patients Smart Open Services (epSOS) project attempted to address.[35] The GDPR addresses data portability under Article 20, stating that the data subject has the right to receive their data in an appropriate format without hindrance and for data to be transferred between data controllers where technically feasible. The Bundestag is currently considering an eHealth bill with the same aim of improving portability of data.[36] This will facilitate the ability of patients to move between health care providers without unnecessary duplication of tests.

Conclusions

The Digital Single Market aims for improved data sharing across the E.U., which will facilitate cross-border health care and research. Harmonization will be improved under the GDPR with a concomitant raising of standards for some countries, although there is still room for national differences according to the reasonable expectations of different publics. This advance makes cross-border projects more easily ethically justifiable and more feasible.[37] The requirements for anonymization have not been changed, except to clarify that pseudonymized data must still be considered as personal data. The GDPR will facilitate medical research, except where it is research not considered in the public interest. In that case, more demanding requirements for anonymization will entail either true anonymization or consent. It is likely there will be more projects that require either consent or authorization, since many projects currently use pseudonymization. There is still an unresolved issue over third parties with access to pseudonymized data.

Acknowledgements

This work has been funded by AEGLE project, Horizon 2020 ICT/2014/1 grant.

Authors' contributions

Both authors contributed to the analysis of legal issues and the writing of the manuscript.

Conflicts of interest

None declared.

Abbreviations

DPD: Data Protection Directive

EEA: European Economic Area

epSOS: European Patients Smart Open Services

E.U.: European Union

GDPR: General Data Protection Regulation

NHS: National Health Service

References

  1. "EUR-Lex - 32016R0679 - EN". EUR-Lex. European Union. 27 April 2016. http://eur-lex.europa.eu/eli/reg/2016/679/oj. Retrieved 04 February 2017. 
  2. LRDP Kantor (20 January 2010). "Comparative study on different approaches to new privacy challenges in particular in the light of technology developments" (PDF). European Commission. http://ec.europa.eu/justice/policies/privacy/docs/studies/new_privacy_challenges/final_report_en.pdf. Retrieved 04 February 2017. 
  3. Veerus, P.; Lexchin, J.; Hemminki, E. (2014). "Legislative regulation and ethical governance of medical research in different European Union countries". Journal of Medical Ethics 40 (6): 409-413. doi:10.1136/medethics-2012-101282. 
  4. DG Justice (18 January 2016). "Reform of EU data protection rules". European Commission. http://ec.europa.eu/justice/data-protection/reform/index_en.htm. Retrieved 04 February 2017. 
  5. Ansip, A. (6 May 2015). "Statement by Vice-President Andrus Ansip at the press conference on the adoption of the Digital Single Market Strategy". European Commission. http://europa.eu/rapid/press-release_SPEECH-15-4926_en.htm. Retrieved 04 February 2017. 
  6. Marr, B. (9 April 2015). "The 5 V's of Big Data by Bernard Marr". Data Science Central. http://www.datasciencecentral.com/profiles/blogs/the-5-v-s-of-big-data-by-bernard-marr. Retrieved 04 February 2017. 
  7. Thompson, B. (July 2016). "Analysis: Research and the General Data Protection Regulation - 2012/0011(COD)" (PDF). Wellcome Trust. https://wellcome.ac.uk/sites/default/files/new-data-protection-regulation-key-clauses-wellcome-jul16.pdf. Retrieved 04 February 2017. 
  8. Stevens, L. (2015). "The Proposed Data Protection Regulation and Its Potential Impact on Social Sciences Research in the UK". European Data Protection Law Review 1 (2): 97–112. doi:10.21552/EDPL/2015/2/4. 
  9. Simon, C.M.; L'heureux, J.; Murray, J.C. (2011). "Active choice but not too active: Public perspectives on biobank consent models". Genetics in Medicine 13 (9): 821–31. doi:10.1097/GIM.0b013e31821d2f88. PMC PMC3658114. PMID 21555942. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3658114. 
  10. Hofmann, B. (2009). "Broadening consent—and diluting ethics?". Journal of Medical Ethics 35 (2): 125–129. doi:10.1136/jme.2008.024851. 
  11. Sheehan, M. (2011). "Can broad consent be informed consent?". Public Health Ethics 4 (3): 226–235. doi:10.1093/phe/phr020. 
  12. Laurie, G. (2013). "Governing the spaces in-between: Law and legitimacy in new health technologies". In Flear, M.L.; Farrell, A.; Hervey, T.K.; Murphy, T.. European Law and New Health Technologies. Oxford University Press. pp. 193. ISBN 9780199659210. 
  13. Steinsbekk, K.S.; Kåre Myskja, B.; Solberg, B. (2013). "Broad consent versus dynamic consent in biobank research: is passive participation an ethical problem?". European Journal of Human Genetics 21 (9): 897-902. doi:10.1038/ejhg.2012.282. PMC PMC3746258. PMID 23299918. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3746258. 
  14. "Case of Handyside v. The United Kingdom". European Court of Human Rights. 7 December 1976. http://hudoc.echr.coe.int/eng?i=001-57499. Retrieved 15 February 2017. 
  15. Haddow, G.; Laurie, G.; Cunningham-Burley, S.; Hunter, K.G. (2007). "Tackling community concerns about commercialisation and genetic research: A modest interdisciplinary proposal". Social Science & Medicine 64 (2): 272–82. doi:10.1016/j.socscimed.2006.08.028. PMID 17050056. 
  16. Aiken, M. (3 August 2011). "SHIP Public Engagement: Summary of Focus Group Findings". Wellcome Trust. http://www.academia.edu/2702142/SHIP_Public_Engagement_Summary_of_Focus_Groups. Retrieved 04 February 2017. 
  17. Ipsos MORI (9 March 2016). "The One-Way Mirror: Public attitudes to commercial access to health data". pp. 154. https://www.ipsos-mori.com/researchpublications/publications/1803/Commercial-access-to-health-data.aspx. Retrieved 04 February 2017. 
  18. 18.0 18.1 Data Protection Working Party (April 2007). "Opinion 4/2007 on the concept of personal data" (PDF). European Commission. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf. Retrieved 04 February 2017. 
  19. Grubb, A. (2000). "Breach of confidence: Anonymised information. R. v. Department of Health ex parte Source Informatics Ltd.". Medical Law Review 8 (1): 115–20. PMID 11787501. 
  20. House of Lords (9 July 2008). "Judgments - Common Services Agency (Appellants) v Scottish Information Commissioner (Respondent) (Scotland)". www.parliament.uk. https://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm. Retrieved 04 February 2017. 
  21. Sweeney, L. (2000). "Simple Demographics Often Identify People Uniquely" (PDF). pp. 34. http://dataprivacylab.org/projects/identifiability/paper1.pdf. Retrieved 04 February 2017. 
  22. 22.0 22.1 22.2 Meek, T. (28 October 2015). "Caldicott: care.data hangs on engagement". Digital Health. Digital Health Intelligence Limited. http://www.digitalhealth.net/2015/10/caldicott-care-data-hangs-on-engagement/. Retrieved 04 February 2017. 
  23. 23.0 23.1 "NHS England to close care.data programme following Caldicott Review". Nathional Health Executive. Cognitive Publishing Ltd. 7 July 2016. http://www.nationalhealthexecutive.com/Health-Care-News/nhs-england-to-close-caredata-programme-following-caldicott-review. Retrieved 04 February 2017. 
  24. "What is anonymisation?". Guide to Data Protection. Information Commissioner’s Office. https://ico.org.uk/for-organisations/guide-to-data-protection/anonymisation/. Retrieved 05 February 2017. 
  25. Laurie, G.; Stevens, L.; Jones, K.H.; Dobbs, C. (30 June 2014). "A Review of Evidence Relating to Harm Resulting from Uses of Health and Biomedical Data" (PDF). Nuffield Council on Bioethics. http://nuffieldbioethics.org/wp-content/uploads/A-Review-of-Evidence-Relating-to-Harms-Resulting-from-Uses-of-Health-and-Biomedical-Data-FINAL.pdf. Retrieved 05 February 2017. 
  26. "Data protection and research in the European Union" (PDF). European Forum for Good Clinical Practice. 6 October 2015. http://www.efgcp.eu/downloads/DP%20and%20Research%20in%20EU_HD_Final_06%2010%2015.pdf. Retrieved 05 February 2017. 
  27. Carter, P.; Laurie, G.T.; Dixon-Woods, M. (2015). "The social licence for research: why care.data ran into trouble". Journal of Medical Ethics 41 (5): 404-409. doi:10.1136/medethics-2014-102374. 
  28. Mason, R. (2 October 2016). "Theresa May's 'great repeal bill': What's going to happen and when?". The Guardian. Guardian News & Media Limited. https://www.theguardian.com/politics/2016/oct/02/theresa-may-great-repeal-bill-eu-british-law. Retrieved 05 February 2017. 
  29. Wade, D.T. (2005). "Ethics, audit, and research: All shades of grey". BMJ 330 (7489): 468–71. doi:10.1136/bmj.330.7489.468. PMC PMC549663. PMID 15731146. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC549663. 
  30. Hodson, H. (2016). "Google knows your ills". New Scientist 230 (3072): 22–23. doi:10.1016/S0262-4079(16)30809-0. 
  31. Shah, N.R.; Seger, A.C.; Seger, D.L. et al. (2006). "Improving acceptance of computerized prescribing alerts in ambulatory care". JAMIA 13 (1): 5–11. doi:10.1197/jamia.M1868. PMC PMC1380196. PMID 16221941. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1380196. 
  32. Donnelly, C. (12 May 2016). "ICO probes Google DeepMind patient data-sharing deal with NHS Hospital Trust". Computer Weekly. TechTarget, Inc. http://www.computerweekly.com/news/450296175/ICO-probes-Google-DeepMind-patient-data-sharing-deal-with-NHS-Hospital-Trust. Retrieved 05 February 2017. 
  33. Caldicott, F. (March 2013). "Information to Share or Note to Share: The Information Governance Review" (PDF). National Information Governance Board. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/192572/2900774_InfoGovernance_accv2.pdf. Retrieved 05 February 2017. 
  34. Kish, L.J.; Topol, E.J. (2015). "Unpatients: Why patients should own their medical data". Nature Biotechnology 33 (9): 921–4. doi:10.1038/nbt.3340. PMID 26348958. 
  35. "Cross-border health project epSOS: What has it achieved?". Digital Single Market. European Commission. 7 July 2014. https://ec.europa.eu/digital-single-market/en/news/cross-border-health-project-epsos-what-has-it-achieved. Retrieved 05 February 2017. 
  36. "Act on secure digital communication and applications in the health care system (E-Health Act)". Federal Ministry of Health. 29 September 2015. http://www.bundesgesundheitsministerium.de/en/health/e-health-act.html. Retrieved 05 February 2017. 
  37. Dove, E.S.; Townend, D.; Meslin, E.M. et al. (2016). "Research Ethics: Ethics review for international data-intensive research". Science 351 (6280): 1399–400. doi:10.1126/science.aad5269. PMC PMC4838154. PMID 27013718. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4838154. 

Notes

This presentation is faithful to the original, with only a few minor changes to presentation. In several cases the PubMed ID was missing and was added to make the reference more useful.

Per the distribution agreement, the following copyright information is also being added:

©John Mark Michael Rumbold, Barbara Pierscionek. Originally published in the Journal of Medical Internet Research (http://www.jmir.org), 24.02.2017.

source: https://www.limswiki.org/index.php/Journal:The_effect_of_the_General_Data_Protection_Regulation_on_medical_research