GDPR offers possibilities for scientific research in the context of COVID-19 (but must be observed)

01 Oct '20

Personal data, scientific research and COVID-19: a guideline

Nowadays, researchers hunt for the right vaccine for protection against the virus and/or medication for the effective treatment of coronavirus patients. That means a lot of scientific research. And that often leads to questions about the protection of personal data. To what extent can health data be used for these purposes, and how does one ensure that - even in times of crisis - the requirements of the General Data Protection Regulation (“GDPR”) are met? The European Data Protection Board (“EDPB”), in which the various European data protection authorities are united, already published a statement in mid-March 2020 that the GDPR does not stand in the way of combating the coronavirus. However, it emphasized that the requirements of the GDPR must still be met. Subsequently, the EDPB drew up guidelines for this. Much of it is generally applicable, but in the present exceptional crisis situation a number of requirements seem to be interpreted somewhat more widely. The EDPB also indicates that the development of more comprehensive guidelines for scientific research is on its agenda (!).

Can health data be used for scientific research in connection with the coronavirus (COVID-19) and if so, under what conditions?

A balance will always have to be found between privacy rights and freedom of science (Articles 7 and 13 EU Charter). Health data can be obtained from various sources. A distinction must be made between primary use and secondary use: the latter in particular - i.e. data that was not originally collected for research purposes is now used for that purpose - is often the case in the context of scientific research. This distinction is particularly important for the legal ground for processing and the information obligation discussed below, bearing in mind the principle that data may only be used for the purpose for which it was obtained ("purpose limitation"). Special rules apply to scientific research. This term, as used in the GDPR, should not be interpreted too broadly. It must concern "a research project designed in accordance with industry-related methodological and ethical standards, in accordance with good practices". When processing personal data, one must comply at all times with the principles of privacy law as laid down in Article 5 of the GDPR (see the "seven rules of thumb" drawn up by Ploum, as yet only available in Dutch). In this context it is of course relevant that health data are special categories of personal data, to which a processing prohibition applies in principle. In addition to a ground for processing (Article 6 GDPR), one must therefore be able to rely on a statutory exception for the use of the personal data for scientific research (Article 9 GDPR).

On what grounds can health data be processed in the context of scientific research?

A first possibility in this context is consent. As most readers may know, there are some legal issues relating to this. Consent obtained from data subjects (in this context usually: patients) must meet a number of conditions. For example, there should be no consequences if a patient does not wish to grant consent for the processing of personal data for scientific research, and he/she must be properly informed about what consent is actually being granted, if granted. In practical terms, however, it is often not desirable or almost impossible to have to ask every patient for permission (again). Moreover, consent can always be withdrawn. In practice, the latter is particularly relevant for the possibilities of further scientific research. In addition to consent, Article 6 and Article 9 GDPR also contain other grounds for processing and exceptions to the processing prohibition for medical data that could provide a solution in this context. In particular, the public interest or legitimate interest, combined with the fact that it concerns scientific research, is then invoked. Since room has been left for further elaboration on this point by the national legislator, the outcome (also) depends on the national law of the EU Member State concerned. In this context, the EDPB explicitly emphasizes that data should only be processed insofar as strictly necessary. In conclusion, the use of health data may be possible, but it always requires a careful analysis and design of the processing of personal data.

Comply with other legal obligations

Assuming the aforementioned conditions are met, the processing must of course also comply with the GDPR in other respects. In short (also according to the EDPB), the following is important:

  • Inform data subjects (patients) that their data will be used for scientific research (pay particular attention to secondary use; in some cases exceptions to this obligation apply)
  • Only use personal data for the purpose for which it was obtained
  • Pay attention to the principle of data minimization (anonymize where possible, determine which data is necessary for which research question/phase and which party – or even persons – has (or have) access to the data)
  • Make sure you meet strict security requirements (think of pseudonymization, encryption, nondisclosure agreements)
  • Use proportional data retention periods
  • Comply with the rights of data subjects and inform them about their rights (although exceptions may be invoked, but only if necessary; also pay attention to national differences here)
  • Keep a processing register (e.g. also include the protective measures taken)
  • Perform – in certain cases as required – a Data Protection Impact Assessment (DPIA)
  • Consult the Data Protection Officer (DPO)
  • Be careful when exchanging data outside the European Economic Area in view of the Schrems II judgment, which, inter alia, invalidated the Privacy Shield (as regards international cooperation: Schrems II may not be a problem in the context of COVID-19, but this should be assessed)

An additional advice: enter into sufficient agreements when collaborating with third parties, also incorporating the aforementioned principles of the GDPR and clarifying the roles of the parties involved under the GDPR (controller vs. processor). Responsibilities (and liabilities) in the context of the processing of personal data should be properly divided.

Conclusion and advice

The GDPR offers sufficient tools to use health data for scientific research in the context of COVID-19. It is important to consider which processing ground and exception can be invoked and how the process should be further structured. As the EDPB also emphasizes, taking privacy legislation into account is now even more important, because using health data carries a higher risk of a negative impact on the privacy of patients and various (types of) parties are involved in data processing in the context of research into COVID-19.

  • Conduct a well-documented assessment prior to the project (examine which data is necessary, why, and who should have access; identify the applicable legal grounds and exceptions);
  • Determine which security measures should be and are taken (and why) to protect data subjects' interests and comply with the GDPR;
  • Conclude sufficient agreements covering the abovementioned subjects.

"Takes too long"? In our experience, this does not have to be the case at all. Questions? Please send an e-mail to privacy@ploum.nl