Regulation of Medical Research under European Data Protection

Dr. David Erdos, Faculty of Law, University of Cambridge

Overview

• Tension between Data Protection & Medical Research
• Current Pan-European Provisions
• Aims and Methodology of the Study
• Findings: Formal law and regulatory interpretations
• Regulatory Enforcement
• Future European Regime
• Conclusions

The Basic Tension

• The EU Data Protection Directive aims to “protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data”, so enabling the free flow of data within the EU/EEA (A. 1).
• Predicated on ensuring a “high level of protection”.
• Especially stringent as regards sensitive personal data, preeminent amongst which is data “concerning health”.
• (Epidemiological) medical research will often need to use such private sensitive data.

Wide (& Often Onerous) Default Standards

“Personal data” processing triggers:
• DP Principles & Legitimation: fair and lawful; legitimate basis; purpose quality and compatibility; information quality and limits (esp. re: time)
• Transparency: notification; subject access
• Sensitive Data: categorical definition; default ban (absent waiver)
• Control: registration; permit; export control; security
• Enforcement: DPA; judicial remedy; subject rights

The Threat to Research from DP Default

• Informed consent or even notification may not even be reasonably possible.
• Informed consent may in any case skew samples.
• Many other requirements may impose at least a disproportionate resource burden.
• Requirement to obtain a permit may be considered intrusive and even substantively problematic.

DP Directive: Research/Science Clauses

Smattering of express derogations in the DP Directive:
• Re-purposing if appropriate safeguards in national law
• Longer retention OK with national law safeguards
• Optional subject access/individual participation derogation with conditions

At other points the Directive simply flags up a potential discretionary use of general derogations:
• Recital 34: Derogation from ban on processing sensitive data may be used in areas such as “scientific research”

DP Directive: General Derogations

• Article 8 (Sensitive Data): substantial public interest; suitable safeguards; notification to Commission
• Article 13 (wide range of other provisions): via legislation; necessity; safeguarding of inter alia rights and freedoms of others

Study: Aims and Methodology

Explore EEA Member State approaches along three dimensions:
1. Formal Law
2. Regulatory/DPA Interpretation
3. Regulatory/DPA Enforcement

Data gathered through:
• English translations of national DP law
• 2013 survey of regulators, answered by over 70% of national DPAs plus 6 sub-national DPAs
• Analysis of material gathered from DPA websites (in 2013)

N.B. Study is still ongoing and so results presented are only provisional.

Study: Aims and Methodology

Following hypothetical example used to structure the analysis (as regards dimensions 1 and 2):

“A medical scientist wishes to use the medical records of patients … All identifiable data would be kept confidential within the research team and only anonymous results published. Alongside satisfying him/herself that the scientific benefits of the study outweigh any privacy infringement involved, which obligations would apply under Data Protection law in your country?”

Explored vis-à-vis five different aspects of DP. Only going to present results where the DPA provided a standardized response to the survey.

Study: Five Key Aspects of DP for Research

Default duties examined:
• Informed Consent (for Sensitive Data)
• Subject Notification
• Purpose Specification
• Subject Access
• Rectifying Inaccuracy

Informed Consent: Formal Law

[Chart: number of jurisdictions. No/Conditions only: 13 (46%); No/Conditions plus permit: 7 (25%); Consent required: 8 (29%).]

Informed Consent: DPA Interpretation

[Chart: number of DPAs. No/conditions only: 9 (32%); Consent required: 19 (68%).]

Need for Subject Notification: Formal Law

Local law (& the Directive) generally very unclear here. Three different situations need to be considered:
• Controller obtained data indirectly: most jurisdictions provide a “disproportionate effort” exemption (usually subject to conditions and perhaps even a DPA permit).
• Controller doing the disclosing: may still have a notification duty (but Recital 40 of the Directive suggests the “disproportionate effort” exemption might apply if reuse was originally unanticipated).
• Controller obtained data directly: situation generally even more unclear here (even if reuse not originally anticipated).

Need for Notification: DPA Interpretation

[Chart: number of DPAs. No: 5 (18%); Possibly: 1 (3.5%); Yes: 22 (78.5%).]

Purpose Specification: Formal Law

• Clear that if notification is necessary, the purpose of processing must be given to the data subject.
• Granularity of such purpose, however, generally remains opaque in both the Directive and local law.
• In medical research it may remain unclear whether one can simply notify generally re: research processing or must notify regarding each specific study.

Purpose Specification: DPA Interpretation

Two DPAs said no to informed consent but yes to specific notification. Six DPAs said yes to informed consent but no to specific notification.

[Chart: number of DPAs. Research: 8 (36%); Specific Study: 14 (64%).]

Subject Access: Formal Law

[Chart: number of jurisdictions. (Probable) exemption: 10 (36%); No exemption: 18 (64%).]

Subject Access: EU Directive (A. 13 (2))

“Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual, Member States may, where there is clearly no risk of breaching the privacy of the data subject, restrict by a legislative measure the rights provided for in Article 12 when data are processed solely for the purposes of scientific research”

Subject Access: DPA Interpretation

[Chart: number of DPAs. Exception: 5 (18%); No exemption: 23 (82%).]

Rectifying Inaccuracy: Formal Law

• Right of the individual to rectify inaccuracy is part of A. 12.
• Relates to the duty of controllers to ensure accuracy of personal data (A. 6 (1) (d)).
• Only one jurisdiction (Latvia) has formally limited this aspect of individual participation under A. 12.
• However, it is arguably intrinsically tied to the subject access part of A. 12 (limited by 10 jurisdictions).

Rectifying Inaccuracy: DPA Interpretation

[Chart: number of DPAs. Exception: 5 (18%); No exemption: 23 (82%).]

DPA Permit: Formal Law

Local legal provisions present a complex picture:
• 17 (60%) jurisdictions: No permit required.
• 3 (11%) jurisdictions: Permit only if unable to notify.
• 1 (4%) jurisdiction: Permit only if unable to get consent, but REC permission may act in lieu.
• 4 (14%) jurisdictions: Permit only if unable to get consent.
• 3 (11%) jurisdictions: Permit generally always required.

DPA Permit: DPA Interpretation

[Chart: number of DPAs. Don't need permit: 16 (57%); Need permit: 12 (43%).]

Research Ethics Committee Findings

• Formal DP: Only c. 5 (18%) local laws specify this. But the area may well be regulated by other law.
• DPAs responded as follows:

[Chart: number of DPAs. No permission: 10 (36%); Consult etc. only: 4 (14%); Permission required: 14 (50%).]

(Direct) Enforcement: DPA Self Reports

[Chart: number of DPAs. No enforcement: 19 (68%); Enforcement: 9 (32%).]

Direct Enforcement: Published Examples

Catalan DPA (2011):
• Hospital sent University-affiliated researchers patient data for a project.
• Neither “dissociation” nor consent nor legal authorization.
• Action: Resolution declaring an illegal data transfer offence.

Swedish DPA (2011):
• University engaged in research on causes of allergy and diabetes.
• Collected data (and hair) from children without parental consent or notice.
• Complaint received.
• Action: Decision issued stating that the University would have to notify and obtain consent if it wanted to use this data.

General DP Regulation: Research Clause (A. 89)

• Derogations brought together in one article stipulating the need for “appropriate safeguards” ensuring in particular “data minimization” (A. 89 (1)).
• Subject to this are common provisions for: re-purposing of data (A. 5 (1) (b)); longer retention (A. 5 (1) (c)) (cf. also A. 17 (3) (d)); lifting of most of the sensitive data ban where necessary & proportionate etc. under State or Union law (A. 9 (2) (j)).
• Purely optional derogations, subject to further conditions, from subject access and the right to object (A. 89 (2)).

General DP Regulation: Other Aspects

• Default provisions in the Regulation (e.g. subject notification (A. 12-14)) much more onerous than at present.
• General derogations (A. 23 & 10) e.g. for “rights & freedoms of others” remain but are tighter and narrower, as they exclude the DP principles in and of themselves.
• Social and humanities research now protected as “academic expression” alongside journalism in the free expression clause (A. 85).

Conclusions

• Clear tension between medical law and data protection.
• Formal law is quite onerous and very confused.
• Many DPAs tend to interpret the law here even more stringently than its wording would imply.
• This may fuel uncertainty and the chilling effect.
• However, enforcement appears limited.
• Getting the law right under the Regulation is clearly a challenge.
• A more proportionate and effective regime also requires more DPA-medical research dialogue.