News

GDPR Brief: What information can research participants demand under the GDPR?


Flickr

 

Research participants enjoy the same rights under the GDPR, generally speaking, as do other individuals whose personal data are processed (collectively known as “data subjects”). The right of access to one’s personal data is the first among a constellation of data-subject rights guaranteed by the GDPR, along with a right to rectification and erasure, among others.

The right of access extends to all personal data which have been collected concerning the data subject who exercises it. It also includes information about the processing, including the purposes for which the data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Access should be available through remote access to a secure system, where possible.

But the right of access is limited in several situations. First, if data have been sufficiently de-identified so that the entity holding them is not in a position to identify the participant, no right of access exists. This is true even if third parties can identify the participant, and the data thus remains personal data. Second, in the context of processing for scientific research purposes, the GDPR also allows the EU or its member states to limit the right of access, among other data subject rights, through legislation when this is necessary to achieve the scientific research purposes. Third, if the entity holding the data is a processor rather than a controller under the GDPR, their duties are oriented more toward assisting the controller in responding to access requests as necessary. Finally, the right of access may be limited if it adversely affects the rights or freedoms of others, including if it would compromise intellectual property rights.

Unless such exceptions eliminate the right of access altogether, an entity subject to the GDPR should have mechanisms in place allowing it to respond appropriately to access requests.

The GDPR’s new right to data portability is closely tied to access. This right will be the subject of a future brief, but in the narrower situations where it applies, it entitles data subjects to receive their data in a structured, commonly used and machine-readable format. For sequencing data, a paper printout of base pairs would likely not meet this standard, whereas a .vcf or .bam file likely would.

Further reading

  • UK Information Commissioner’s Office, Right of access
  • Adrian Thorogood et al., “APPLaUD: access for patients and participants to individual level uninterpreted genomic data” (2018) 12:7 Human Genomics

Relevant GDPR Provisions

  • Article 15 & Recital 63  – Right of access by the data subject
  • Article 20 – Right to data portability
  • Article 12 & Recitals 58 through 71 – Modalities of data subject rights, including a general one-month delay in which to provide information
  • Article 89(2) – Derogations for scientific research purposes set out in member state law
  • Article 11(2) – If the controller is not in a position to identify the data subject, some data subject rights are curtailed
  • Recital 73 – Restrictions of data subject rights

 

Mark Phillips is a lawyer with a background in computer science, and an Academic Associate at McGill University. He advises clients on and writes about various data protection issues.