Regulation of Medical Research under European Data Protection
Dr. David Erdos, Faculty of Law
University of Cambridge
Overview
• Tension between Data Protection & Medical Research
• Current Pan-European Provisions
• Aims and Methodology of the Study
• Findings: Formal law and regulatory interpretations
• Regulatory Enforcement
• Future European Regime
• Conclusions
The Basic Tension
The EU Data Protection Directive aims to “protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data”, so enabling the free flow of data within the EU/EEA (A. 1).
Predicated on ensuring a “high level of protection”.
Especially stringent as regards sensitive personal data, preeminent amongst which is data “concerning health”.
(Epidemiological) medical research will often need to use such private sensitive data.
Wide (& Often Onerous) Default Standards
“Personal data” processing
• DP Principles & Legitimation: fair and lawful; legitimate basis; purpose quality and compatibility; information quality and limits (esp. re: time)
• Transparency: notification; subject access
• Sensitive Data: categorical definition; default ban (absent waiver)
• Control: registration; permit; export control; security
• Enforcement: DPA; judicial remedy; subject rights
The Threat to Research from DP Default
• Informed consent or even notification may not even be reasonably possible.
• Informed consent may in any case skew samples.
• Many other requirements may impose at least a disproportionate resource burden.
• Requirement to obtain a permit may be considered intrusive and even substantively problematic.
DP Directive: Research/Science Clauses
Smattering of express derogations in DP Directive:
• Re-purposing if appropriate safeguards in national law
• Longer retention OK with national law safeguards
• Optional subject access/individual participation derogation with conditions
At other points Directive simply flags up a potential discretionary use of general derogations:
• Recital 34: Derogation from ban on processing sensitive data may be used in areas such as “scientific research”
DP Directive: General Derogations
Article 8: Sensitive Data
• Substantial public interest
• Suitable safeguards
• Notification to Commission
Article 13: Wide range of other provisions
• Via legislation
• Necessity
• Safeguarding of inter alia rights and freedoms of others
Study: Aims and Methodology
Explore EEA Member State approaches along three dimensions:
1. Formal Law
2. Regulatory/DPA Interpretation
3. Regulatory/DPA Enforcement
Data gathered through:
• English translations of national DP Law
• 2013 survey of regulators, answered by over 70% of national DPAs plus 6 sub-national DPAs
• Analysis of material gathered from DPA websites (in 2013)
N.B. Study is still ongoing and so results presented are only provisional.
Study: Aims and Methodology
Following hypothetical example used to structure the analysis (as regards dimensions 1 and 2):
“A medical scientist wishes to use the medical records of patients … All identifiable data would be kept confidential within the research team and only anonymous results published. Alongside satisfying him/herself that the scientific benefits of the study outweigh any privacy infringement involved, which obligations would apply under Data Protection law in your country?”
Explored vis-à-vis five different aspects of DP. Only going to present results where DPA provided a standardized response to the survey.
Study: Five Key Aspects of DP for Research
Default Duties:
• Informed Consent (for Sensitive Data)
• Subject Notification
• Purpose Specification
• Subject Access
• Rectifying Inaccuracy
Informed Consent: Formal Law
[Bar chart; y-axis: Number of Jurisdictions. No/Conditions only: 13 (46%); No/Conditions plus permit: 7 (25%); Consent required: 8 (29%).]
Informed Consent: DPA Interpretation
[Bar chart; y-axis: Number of DPAs. No/conditions only: 9 (32%); Consent required: 19 (68%).]
Need for Subject Notification: Formal Law
Local law (& the Directive) generally very unclear here.
Three different situations need to be considered:
• Controller obtained data indirectly: most jurisdictions provide “disproportionate effort” exemption (usually subject to conditions and perhaps even DPA permit).
• Controller doing the disclosing: May still have notification duty (but Recital 40 of Directive suggests that the “disproportionate effort” exemption might apply if originally unanticipated).
• Controller obtained data directly: Situation generally even more unclear here (even if reuse not originally anticipated).
Need for Notification: DPA Interpretation
[Bar chart; y-axis: Number of DPAs. No: 5 (18%); Possibly: 1 (3.5%); Yes: 22 (78.5%).]
Purpose Specification: Formal Law
• Clear that if notification necessary, purpose of processing must be given to data subject.
• Granularity of such purpose, however, generally remains opaque in both Directive and in local law.
• In medical research it may remain unclear whether one can simply notify generally re: research processing or must notify regarding each specific study.
Purpose Specification: DPA Interpretation
[Bar chart; y-axis: Number of DPAs. Research: 8 (36%); Specific Study: 14 (64%).]
Two DPAs said no to informed consent but yes to specific notification. Six DPAs said yes to informed consent but no to specific notification.
Subject Access: Formal Law
[Bar chart; y-axis: Number of Jurisdictions. (Probable) exemption: 10 (36%); No exemption: 18 (64%).]
Subject Access: EU Directive (A. 13 (2))
“Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual, Member States may, where there is clearly no risk of breaching the privacy of the data subject, restrict by a legislative measure the rights provided for in Article 12 when data are processed solely for the purposes of scientific research”
Subject Access: DPA Interpretation
[Bar chart; y-axis: Number of DPAs. Exception: 5 (18%); No exemption: 23 (82%).]
Rectifying Inaccuracy: Formal Law
• Right of individual to rectify inaccuracy is part of A. 12.
• Relates to the duty of Controllers to ensure accuracy of personal data (A. 6 (1) (d)).
• Only one jurisdiction (Latvia) has formally limited this aspect of individual participation under A. 12.
• However, it is arguably intrinsically tied to the subject access part of A. 12 (limited by 10 jurisdictions).
Rectifying Inaccuracy: DPA Interpretation
[Bar chart; y-axis: Number of DPAs. Exception: 5 (18%); No exemption: 23 (82%).]
DPA Permit: Formal Law
Local legal provisions present a complex picture.
• 17 (60%) jurisdictions: No permit required.
• 3 (11%) jurisdictions: Permit only if unable to notify.
• 1 (4%) jurisdiction: Permit only if unable to get consent but REC permission may act in lieu.
• 4 (14%) jurisdictions: Permit only if unable to get consent.
• 3 (11%) jurisdictions: Permit generally always required.
DPA Permit: DPA Interpretation
[Bar chart; y-axis: Number of DPAs. Don't need permit: 16 (57%); Need permit: 12 (43%).]
Research Ethics Committee Findings
Formal DP: Only c. 5 (18%) local laws specify this. But area may well be regulated by other law.
DPAs responded as follows:
[Bar chart; y-axis: Number of DPAs. No permission: 10 (36%); Consult etc. only: 4 (14%); Permission required: 14 (50%).]
(Direct) Enforcement: DPA Self Reports
[Bar chart; y-axis: Number of DPAs. No enforcement: 19 (68%); Enforcement: 9 (32%).]
Direct Enforcement: Published Examples
Catalan DPA (2011):
• Hospital sent University-affiliated researchers patient data for project
• Neither “dissociation” nor consent nor legal authorization
• Action: Resolution declaring illegal data transfer offence.
Swedish DPA (2011):
• University engaged in research on causes of allergy and diabetes
• Collects data (and hair) from children w/out parent consent or notice
• Complaint received
• Action: Decision issued stating that University would have to notify and obtain consent if it wanted to use this data.
General DP Regulation: Research Clause (A. 89)
Derogations brought together in one article stipulating need for “appropriate safeguards” ensuring in particular “data minimization” (A. 89 (1)).
Subject to this are common provisions for:
• Re-purposing of data (A. 5 (1) (b))
• Longer retention (A. 5 (1) (c)) (cf. also A. 17 (3) (d))
• Lifting of most of sensitive data ban where necessary & proportionate etc. under State or Union law (A. 9 (2) (j))
Purely optional derogations subject to further conditions from subject access and right to object (A. 89 (2)).
General DP Regulation: Other Aspects
• Default provisions in Regulation (e.g. subject notification (A. 12-14)) much more onerous than present.
• General derogations (A. 23 & 10) e.g. for “rights & freedoms of others” remain but are tighter and narrower as they exclude DP principles in and of themselves.
• Social and humanities research now protected as “academic expression” alongside journalism in free expression clause (A. 85).
Conclusions
• Clear tension between medical law and data protection
• Formal law is quite onerous and very confused.
• Many DPAs tend to interpret the law here even more stringently than its wording would imply.
• This may fuel uncertainty and the chilling effect.
• However, enforcement appears limited.
• Getting law right under Regulation clearly a challenge.
• More proportionate and effective regime also requires more DPA-medical research dialogue.