Ten Ways the GDPR Impacts International Health-Related Data Sharing


September 4th 2018

The General Data Protection Regulation (GDPR), which took full legal effect across the European Union (EU) on 25 May 2018, has a number of implications for international health research involving the collection, use, and cross-border sharing of people’s personal data. Such research includes genomics research.

The GDPR seeks to change the ways in which organizations both within and outside Europe collect, use, and share personal data. The GDPR is drafted in a way that recognizes that rapid developments in digital technology have increased the scale, scope, and speed at which personal data are collected, used, analyzed, and distributed, thereby necessitating a stronger legal framework that enhances the rights of “data subjects.”

The GDPR regulates the processing activities of two key actors: (i) data controllers, meaning persons or entities that determine the purposes and means of processing personal data (e.g. companies, researchers, universities), and (ii) data processors, meaning persons or entities that process personal data on behalf of a data controller (e.g. cloud providers and, in many circumstances, research collaborators). The GDPR defends the data protection rights of data subjects, who in the health research context are most likely to be research participants.

This introductory primer highlights ten key areas of the GDPR that affect international health research and data sharing:

  1. Territorial scope. The territorial scope of the GDPR has expanded: under Article 3, the law applies to establishments of controllers or processors in the EU, and to organizations established outside the EU which monitor the behavior of individuals in the EU or which apparently intend to offer goods or services to individuals in the EU.
  2. Transparency and accountability. Requirements for demonstrating transparency and accountability have increased. Accountability is one of the core principles relating to processing of personal data under Article 5 of the GDPR, and data controllers must, among other things, be able to demonstrate that they have a lawful basis for each processing operation. Likewise, enhanced transparency provisions require that controllers inform data subjects, in advance of processing and in clear language, that they a) intend to process the subject’s personal data and b) identify which of the lawful bases under Article 6 allows that processing. For special category data, they must identify which exception under Article 9(2) permits processing such data.
  3. “Data protection by design” and data protection impact assessments. Under Article 25, the GDPR requires data controllers, both at the time of the determination of the means for processing and at the time of the processing itself, to implement appropriate technical and organisational measures that implement data protection principles, such as data minimization, in an effective manner, and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects. This is known as “data protection by design.”
  4. Data protection impact assessments. Under Article 35, where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of data subjects (taking into account the nature, scope, context, and purposes of the processing), the controller must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
  5. Data Protection Officers. Under Article 37, appointment of a Data Protection Officer (DPO) will be mandatory for controllers and processors which are public authorities or whose core activities consist of “large scale” processing of special categories of data (e.g. health-related data or genetic data). As the UK’s Information Commissioner’s Office (ICO) points out, a DPO will be necessary for hospitals that process patient data; it will also likely be necessary for many universities and scientific research and medical organizations.
  6. Consent. The conditions for consent have been strengthened to facilitate data subjects’ comprehension of what they are consenting to with regard to data processing. The conditions for consent also enhance individuals’ rights; for example, separate consent must be given for different purposes of processing in some situations, and consent will only be valid if it can be revoked without detriment. Under Article 7, a “request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language,” and under Article 6, the “specific purpose” for processing (including sharing) data should be clearly explained. Recital 33 of the GDPR suggests that broad consent nonetheless may be possible in the scientific research context. Importantly for the research context, consent is only one of several lawful bases for processing personal data.
  7. Processing special categories of data. Processing special (i.e. sensitive) categories of data such as health-related data and genetic data is prohibited under the GDPR unless the processor meets a special category condition listed in Article 9. Among these are conditions specific to the health context, such as processing for medical diagnosis, for the provision of health or social care, for treatment, for management of health or social care systems in accordance with EU or Member State law or professional obligations, or for public health and public interest purposes on the basis of EU or Member State law. When processing special categories of data for scientific research, the most likely relevant exception will be Article 9(2)(j): that such processing is necessary for scientific research in accordance with Article 89(1) and that appropriate safeguards are provided for. The processing must also be consistent with EU or Member State law (such as laws relating to clinical trials). These safeguards require that technical and organizational measures be in place, in particular, to ensure that processing complies with the principle of data minimization (limiting personal data collection, storage, and usage to data that are relevant, adequate, and absolutely necessary for carrying out the purpose for which the data are processed). This means that anonymization or pseudonymization (including key-coding) should be used wherever possible.
  8. Data subject rights derogations. Article 89(2) allows member countries to create derogations from (i.e. exceptions to) the otherwise core data subject rights of access, rectification, erasure (the right to be forgotten), restriction of processing, and objection, whenever these data subject rights “are likely to render impossible or seriously impair the achievement” of scientific research purposes. Such a derogation must be essential for the fulfillment of these purposes. These derogations are subject to the conditions and safeguards laid out in Article 89(1), such as data minimization and pseudonymization. Additionally, under Article 21(6), where personal data are processed for scientific research purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, has a “right to object” to processing of personal data concerning him or her, unless “the processing is necessary for the performance of a task carried out for reasons of public interest.”
  9. Secondary use. According to Recital 50, the processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. However, Article 5(1)(b) states that further processing for scientific research purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial data processing purposes. Whether the same or another organization conducts the further processing (i.e. secondary use) of the data, there is a rebuttable presumption that further processing for the purpose of scientific research is compatible with the original stated purpose of the processing. The derogations from data subject rights that the scientific research exception permits under Article 89(2) would apply in such a scenario, as permitted by applicable Member State law.
  10. International data transfer. International scientific research collaboration is affected by the GDPR rules on transferring personal data from the EU to a non-EU country, known as a “third country.” Data controllers that plan to transfer Europeans’ personal data to a third country or international organization, be it for cloud computing purposes or otherwise, must be mindful of the GDPR’s provisions on international data transfers. There are four basic avenues for lawful transfer of personal data outside the EU: 1) an adequacy decision; 2) appropriate safeguards, as described in Article 46, or binding corporate rules, as described in Article 47; 3) specific derogations; and 4) exceptions for one-off (or infrequent) transfers. A controller must inform data subjects, at the time that personal data are collected from them, that the controller intends to transfer this personal data to a third country or to an international organization, and either a) whether an adequacy decision exists or is absent, or b) in the case of transfers referred to in Article 46 or 47, or one-off (or infrequent) transfers, a reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

Further Resources to Consult

  • Kärt Pormeister, “Genetic data and the research exemption: is the GDPR going too far?” (2017) 7 International Data Privacy Law 137–146 (open access)
  • Mahsa Shabani and Pascal Borry, “Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation” (2018) 26 European Journal of Human Genetics 149–156 (commercial access)
  • Miranda Mourby et al., “Are ‘pseudonymised’ data always personal data? Implications of the GDPR for administrative data research in the UK” (2018) 34 Computer Law & Security Review 222–233 (open access)
  • Mark Phillips, “International data-sharing norms: from the OECD to the General Data Protection Regulation (GDPR)” (2018) Human Genetics, doi.org/10.1007/s00439-018-1919-7 (open access)

Subscribe to Our Monthly GDPR Briefs!

Beginning in October 2018, the GDPR and International Health Data Sharing Forum will publish monthly “GDPR Briefs” that answer important questions about the GDPR’s impact on various aspects of international health research and genomic and health-related data sharing, and that further explore the various issues raised in the GDPR Primer.

If you have further questions about this Primer or the GDPR, please email the Forum’s Editor, Edward Dove (University of Edinburgh) at edward.dove@ed.ac.uk, and/or Co-Editor, Mark Phillips (McGill University) at mark.phillips2@mcgill.ca.

This GDPR Primer was published by the GA4GH GDPR and International Health Data Sharing Forum, which is hosted and supported by the GA4GH Regulatory and Ethics Work Stream (REWS).