EDBP Guidelines shed light on the use of health data to aid research efforts
On 21 April 2020 the European Data Protection Board (EDPB) published Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak. Its aim is to “shed light” on some of the key issues concerning the use of health data to aid research efforts in the fight against the virus, such as legal basis for processing, implementation of adequate safeguards for processing of health data in this context and the exercise by individuals of their rights under the European General Data Protection Regulation (GDPR).
Application of the GDPR
The EDPB begins by stressing that data protection rules including the GDPR do not prohibit or even hinder measures taken in the fight against the COVID-19 pandemic. The GDPR contains provisions that permit the processing of personal data for scientific research purposes connected to the pandemic in compliance with the fundamental rights to privacy and personal data protection. In particular, Article 9(2)(j) contains a specific exemption from the prohibition on the processing of certain special categories of personal data, such as “data concerning health”, where necessary “for the purpose of scientific research”.
“Data concerning health” is defined in Article 4(15) GDPR as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. As the EDPB observes, this can be derived from different sources, such as:
- Information collected by a health care provider (such as medical history and results of examinations and treatments);
- Information that becomes health data by cross referencing with other data thus revealing the state of health or health risks;
- Information from a “self-check” survey;
- Information that becomes health data because of its usage in a specific context (such as information regarding a recent trip to or presence in a region affected with COVID-19 processed by a medical professional to make a diagnosis).
While the GDPR does not define “processing for the purpose of scientific research”, Recital 159 indicates that the term should be interpreted broadly to include for example “technological development and demonstration, fundamental research, applied research and privately funded research”. However, as the EDPB’s predecessor, the Article 29 Working-Party (WP29), has observed, the term should not be extended beyond its common meaning. According to the WP29 Guidelines on Consent “scientific research” in this context means “a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice”.
The EDPB also stresses the importance of the distinction between scientific research based on primary and secondary usage of health data, in relation to the legal basis for processing, information obligations and the purpose limitation principle set out in Article 5(1)(b) GDPR. “Primary use”, in this context, involves research on personal (health) data comprising the use of data directly collected for scientific studies; “secondary use”, on the other hand, involves research on personal (health) data which consists of the further processing of data initially collected for another purpose, such as the use of data relating to an individual who has presented with coronavirus symptoms later being used for scientific research.
Legal basis for processing
All processing of health-related personal data must comply with the processing principles in Article 5 GDPR and also with one of the legal grounds and the specific derogations listed respectively in Articles 6 and 9 GDPR for the lawful processing of this type of personal data.
While consent (pursuant to Article 6(1)(a) and Article 9(2)(a) GDPR) may provide a legal basis for the processing of health-related data in the context of the current pandemic, the EDPB recognises that this must be freely given, specific, informed, and unambiguous, and made by way of a statement or “clear affirmative action”. As stated in Recital 43, consent cannot be considered freely given if there is a clear imbalance between the individual and the controller, so individuals cannot be pressured and/or disadvantaged if they do not wish to consent. Further, individuals must be able to withdraw consent at any time with the consequence that all processing based on the relevant consent must cease and the data deleted, unless there is a lawful basis justifying the retention for further processing.
However, the public interest and legitimate interests bases for lawful processing under Articles 6(1)(e) and (f), in combination with the public interest and scientific research derogations under Articles 9(2)(i) and (j) GDPR, can provide a legal basis for the processing of personal (health) data for scientific research. Such processing must nevertheless comply with the principles relating to the fair and lawful processing of personal data in Article 5 GDPR, including data minimisation, and processing for scientific research purposes must also comply with the safeguards and restrictions set out in Article 89(1) GDPR.
Data protection principles
Regarding the principles under Article 5 relating to the processing of personal data, the EDPB identifies key points of relevance. In particular, the transparency principle means that data subjects must be individually informed of the existence of the processing operation and that personal (health) data is being processed for scientific purposes. Since researchers often process health data that they have not obtained directly from individuals, for example using data from patient records, the EDPB focuses on Article 14 GDPR, which covers information obligations where personal data is not collected directly from the individual.
Article 14(3)(a) GDPR, for example, stipulates that the controller must provide the information “within a reasonable period after obtaining the personal data, but at the latest within one month…”. The EDPB also highlights Article 14(4) GDPR, which provides that where “the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose”.
Regarding further processing of data for scientific purposes, the EDPB notes that an appropriate safeguard according to Article 89(1) GDPR is to deliver the information to individuals within a reasonable period before implementation of a new research project to inform individuals about the project and allow them to exercise their rights beforehand.
The information obligation is, however, subject to various exemptions, under Article 14(5) GDPR, the most relevant in the current circumstances being: (i) where providing the information proves impossible or would involve a disproportionate effort (Article 14(5)(b)); and (ii) where obtaining or disclosure is expressly laid down by EU or Member State law (Article 14(5)(c)).
In relation to Article 14(5)(b), the EDPB notes that the WP29 Guidelines on transparency have already pointed out that “the situation where it ‘proves impossible’… to provide the information is an all or nothing situation because something is either impossible or it is not; there are no degrees of impossibility… In practice, there will be very few situations in which a data controller can demonstrate that it is actually impossible to provide the information to data subjects”.
As regards disproportionate effort, the numbers of data subjects, age of the data and appropriate safeguards in place are relevant considerations. Providing the information to large numbers of data subjects where there is no available contact information, for example, could constitute a disproportionate effort. Data controllers should therefore balance the effort involved in providing the information to individuals against the impact and effects on them if they are not provided with the information.
Further, data controllers must show that providing the information per se would “render impossible or seriously impair” the achievement of the objectives of the processing. Controllers must also “take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available”.
As for Article 14(5)(c), the EDPB stresses that to rely on this exception, data controllers must be capable of showing how the law in question applies to them and requires them to either obtain or disclose the personal data in question.
Purpose limitation and presumption of compatibility
Generally, data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes” pursuant to Article 5(1)(b) GDPR. However, the “compatibility presumption” under Article 5(1)(b) states that “further processing for […] scientific … research purposes […] shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes”. Nevertheless, Article 89(1) states that the processing of data for research purposes “shall be subject to appropriate safeguards” and, in that respect, emphasises the importance of the principles of data minimisation, integrity, confidentiality and security and also data protection by design and default.
Data minimisation and storage limitation
The EDPB notes that in scientific research, data minimisation can be achieved through specifying the research questions and determining the type and amount of data necessary to properly answer them. Data use should always comply with the purpose limitation principle and data should be anonymised wherever possible. In addition, Article 5(1)(e) provides that “personal data may be stored for longer periods insofar as the personal data will be processed solely for … scientific … research purposes … in accordance with Article 89(1) …” In this respect the EDPB suggests that, in determining appropriate and proportionate storage periods, criteria such as the length and the purpose of the research should be considered.
Integrity and confidentiality
The EDPB notes that the principle of integrity and confidentiality must be read together with the requirements of Articles 32(1) and 89(1) GDPR. As such, appropriate up-to-date technical and organisational measures must be implemented to ensure sufficient security, and such measures should include pseudonymisation, encryption, non-disclosure agreements and access role restrictions, as well as access logs, as a minimum. Furthermore, DPIAs must be undertaken when processing is “likely to result in a high risk to the rights and freedoms of natural persons”. The EDPB also stresses the importance of data protection officers (who should be consulted on processing of health data for scientific research in the context of COVID-19) and the fact that all measures should be properly documented.
Exercise of data subjects’ rights
In principle, the current situation does not suspend or restrict the exercising of data subjects’ rights, although the EDPB notes that Member States may restrict some such rights and other restrictions can be based directly on the GDPR. Any restrictions must be limited to what is strictly necessary.
Cross-border data transfers
Recognising the need for international cooperation in the context of COVID-19 research, the EDPB notes that, in the absence of an adequacy decision pursuant to Article 45(3) GDPR or appropriate safeguards pursuant to Article 46 GDPR, public authorities and private entities may be able to rely upon the applicable derogations pursuant to Article 49 GDPR, in particular where transfer is necessary for important reasons of public interest (Article 49(1)(d)), or “explicit consent” is obtained (Article 49(1)(a)). While it stresses that the derogations set out in Article 49 GDPR “do have exceptional character only”, the EDPB acknowledges that the fight against COVID-19 is of “important public interest, which may require urgent action in the field of scientific research (for example to identify treatments and/or develop vaccines), and may also involve transfers to third countries or international organisations”.
The EDPB is clear that the battle against COVID-19 is not impeded by the GDPR. The public interest and scientific research derogations and the legal bases in Article 6(1) enable processing in this context. However, such derogations must apply only insofar as strictly necessary and the conditions for such processing may vary between EU Member States. In the UK, s-19 of the Data Protection Act 2018 reinforces the safeguards required by Article 89(1) GDPR which include, in particular, technological and organisational measures to ensure data minimisation. This means, for example, that controllers must be able to show why they cannot use anonymised data for scientific research purposes. However, the UK Information Commissioner’s guidance on Article 9(2)(j) GDPR is clear that, provided such safeguards are observed, health professionals can process health data for the purposes of a clinical trial even where the individual has withdrawn from the trial. The health professional or hospital would therefore rely upon Article 9(2)(j) – processing for scientific research purposes – as its condition for processing, while its Article 6 basis for processing would be Article 6(1)(e), i.e. the performance of a task carried out in the public interest. A general and more challenging issue, however, is the extent to which further or secondary processing of health data is permissible in different contexts. The EDPB has acknowledged the difficulties presented by the “compatibility presumption” and “due to its horizontal and complex nature”, the EDPB plans to deal with this in more detail in broader guidance on the processing of health data for the purpose of scientific research.