Beverley Flynn, head of data protection comments on The European Data Protection Board (EDPB) recently issued response to the questions raised by the European Commission (EC) clarifying the application of the GDPR in respect of processing personal data for health-related research.
In July 2020, the EC submitted 21 questions to the EDPB to assist with obtaining clarity surrounding the consistent application of the GDPR in relation to data processing for health-related research.
The questions posed by the EC follow a number of concerns, including the interplay between the GDPR and other healthcare-related regulatory frameworks (including the Clinical Trials Regulation), but also how member states proceed with ensuring “appropriate safeguards” in respect of the derogations.
The EDPB has now responded to these questions through its response, making clear in parts that it is still developing further detailed guidelines on the same subject areas. The response, therefore, should be understood as “a first attempt to take away some of the misunderstandings and misinterpretations as to the application of the GDPR”.
The EDPB’s response
The response issued by the EDPB forms a series of Q&A style answers across six key themes of the GDPR including:
- Legal basis for processing health-related data during research projects - The EDPB reiterates the importance of distinguishing the requirement of informed consent for participation in a scientific research project and explicit consent as a possibility to legitimise the processing of personal data for scientific research purposes. The response later confirms that controllers are required to process personal data lawfully and that it is recommended to use, whenever possible, the same legal basis in the project when conducting health-related research.
- Broad consent - the EDPB note that the GDPR allows for data subjects to consent for data processing within a scientific research project that cannot be specified at the outset, otherwise regarded as “broad consent”. In allowing this, such approach will be subject to a stricter interpretation and a controller would be expected to do more to ensure that the data subject’s rights to valid consent are served.
- Further processing of previously collected personal data - the EDPB explain that it will provide further clarification on the requirement of a legal basis for further processing for health-related purposes. In the meantime, further processing for health-related research will likely be deemed compatible with the initial purposes for which the data was collected under the GDPR, so long as the appropriate safeguards are put in place by the researchers.
- Anonymisation, pseudonymisation and other safeguards - the response makes clear that health-related researchers should distinguish the concepts of anonymisation and pseudonymisation. Anonymised data is considered not to fall within the the scope of the GDPR. With that said, the EDPB make clear that the anonymisation of personal data should be approached with caution in the context of health-related research and researchers who consider that they are using anonymous information in research should be in a position to satisfy themselves on an ongoing basis.
- Transparency of data processing - the EDPB clarifies that the GDPR offers an exception to the general obligation to provide data subjects with a privacy notice (as set out under Article 14 GDPR) in healthcare-releated research where data subjects are no longer reachable, very difficult to reach and/or when this will require disproportionate effort.
- Processing of special categories of data on a large scale - the response from the EDPB makes clear that the fundamental aspect of consideration when undertaking a Data Protection Impact Assessment (DPIA) is to assess whether or not there is a high likelihood of risk to the rights and freedoms of the data subjects.
Whilst the EDPB’s response offer a useful overview of the challenges faced when undertaking health-related research under the GDPR, it notes in a number of its answers to the questions raised that further analysis and discussion is required. The EDPB recognises the inclusion and the development of additional examples and best practices where relevant.
We can expect further clarity from the EDPB on these points later this year.