John Mark Michael Rumbold,Barbara Pierscionek

DOI: https://doi.org/10.2196/jmir.7108

IF: 7.076

2017-02-24

Journal of Medical Internet Research

Abstract:BACKGROUND: The enactment of the General Data Protection Regulation (GDPR) will impact on European data science. Particular concerns relating to consent requirements that would severely restrict medical data research have been raised.OBJECTIVE: Our objective is to explain the changes in data protection laws that apply to medical research and to discuss their potential impact.METHODS: Analysis of ethicolegal requirements imposed by the GDPR.RESULTS: The GDPR makes the classification of pseudonymised data as personal data clearer, although it has not been entirely resolved. Biomedical research on personal data where consent has not been obtained must be of substantial public interest.CONCLUSIONS: The GDPR introduces protections for data subjects that aim for consistency across the EU. The proposed changes will make little impact on biomedical data research.

health care sciences & services,medical informatics

Rebecca R. Lee,Janet E. McDonagh,Albert Farre,Sarah Peters,Lis Cordingley,Tim Rapley

DOI: https://doi.org/10.1111/1467-9566.13408

2021-11-23

Abstract:With the most recent developments to the European General Data Protection Regulations (GDPR) introduced in May 2018, the resulting legislation meant a new set of considerations for study approvers and health-care researchers. Compared with previous legislation in the UK (The Data Protection Act, 1998), it introduced more extensive and directive principles, requiring anybody 'processing' personal data to specifically define how this data will be obtained, stored, used and destroyed. Importantly, it also emphasised the principle of accountability, which meant that data controllers and processors could no longer just state that they planned to adhere to lawful data protection principles, they also had to demonstrate compliance. New questions and concerns around accountability now appear to have increased levels of scrutiny in all areas of information governance (IG), especially with regards to processing confidential patient information. This article explores our experiences of gaining required ethical and regulatory approvals for an ethnographic study in a UK health-care setting, the implications that the common law duty of confidentiality had for this research, and the ways in which IG challenges were overcome. The purpose of this article was to equip researchers embarking on similar projects to be able to navigate the potentially problematic and complex journey to approval.

public, environmental & occupational health,social sciences, biomedical,sociology

Radu-Mihai Dumitrescu

2018-07-01

Abstract:The protection of patients' personal and medical data has always been an important subject for medical practice, with explicit regulations being implemented. Whether we are talking about civil and criminal codes or laws governing the medical profession, they all seek to protect fundamental human rights. The confidentiality of medical data is maintained even after the death of the patient, this aspect being governed since the profiling of the physician profession through the Hippocratic Oath. Discussions on privacy and confidentiality occupy an important place in sociological, medical, legal, ethical and anthropological literature. There are references to the benefits gained by improving accessibility to data as they migrate to computer environments. Along with the technological evolution, all of this data has been transferred to electronic systems. A major concern with the trend towards electronic health records focuses on protecting privacy and patient confidentiality (Vanderminden and Potter, 2016). Data transfer, as well as their processing through many computer systems belonging to different public and private entities, brings new challenges at the individual and social level. Under the protection afforded by the right of individuals to access to information and the current tendency to ease access to information, a number of institutions have created online portals that manage a huge amount of data. The way these data are processed in accordance with the rights of the individual remains an issue that is not fully resolved. 1 Faculty of Sociology and Social Work, University of Bucharest, Bucharest, Romania, dum_mihu@yahoo.com Journal of Comparative Research in Anthropology and Sociology, Volume 9, Number 1, Summer 2018 2 On the occasion of a doctoral research on medical malpractice, I conducted the interrogation of the portal of Romanian courts (http://portal.just.ro). A huge amount of data can be obtained easily in a short time. In the context of the expected impact of the implementation of the GDPR (General Data Protection Regulation) in relation to the functioning of the public institutions, I conducted a qualitative research looking at how medical data and personal data are managed by the courts. Decisions of the courts published in the jurisprudence section have been analyzed. The paper analyzes the compliance of the judicial public institutions with the data protection legislation considered in the paradigm of institutional logic. We can assume that the individualistic principle exercised by the professional institution (the medical profession) can conflict and require a balancing with the utilitarian, collective principle, which can explain some of the state institution's actions (courts of justice). GDPR aims to reinforce existing legal provisions. GDPR does not seem to bring about changes in the substance of laws or doctrines on data confidentiality, but appears to be a form of supra-state control. The way in which GDPR will influence policies and practices regarding the processing of personal and medical data will be analyzed with the passage of time.

Law,Business

Stacey R Slingerland,Eric Wierda,Dennis van Veghel

2024-09-26

Abstract:This study examines, from a legal standpoint, the conditions under which patient data may be shared and processed by clinical quality registries in the Netherlands and investigates the potential impact of the proposed changes of the Healthcare Quality, Complaints and Disputes Act (WKKGZ) on these practices. Healthcare providers in the Netherlands may share patient data with clinical quality registries to measure and improve care quality, provided they have explicit patient consent or a legal basis. While there is general consensus within the field, legal ambiguity remains regarding processing data without explicit consent. Proposed changes to the WKKGZ would create an explicit legal basis for clinical quality registries to collect and process patient data without explicit consent, aiming to improve to improve the quality of care for the greater public interest.

Antonia Vlahou,Dara Hallinan,Rolf Apweiler,Angel Argiles,Joachim Beige,Ariela Benigni,Rainer Bischoff,Peter C Black,Franziska Boehm,Jocelyn Céraline,George P Chrousos,Christian Delles,Pieter Evenepoel,Ivo Fridolin,Griet Glorieux,Alain J van Gool,Isabel Heidegger,John P A Ioannidis,Joachim Jankowski,Vera Jankowski,Carmen Jeronimo,Ashish M Kamat,Rosalinde Masereeuw,Gert Mayer,Harald Mischak,Alberto Ortiz,Giuseppe Remuzzi,Peter Rossing,Joost P Schanstra,Bernd J Schmitz-Dräger,Goce Spasovski,Jan A Staessen,Dimitrios Stamatialis,Peter Stenvinkel,Christoph Wanner,Stephen B Williams,Faiez Zannad,Carmine Zoccali,Raymond Vanholder

DOI: https://doi.org/10.1161/HYPERTENSIONAHA.120.16340

IF: 9.8968

Hypertension

Abstract:The General Data Protection Regulation (GDPR) became binding law in the European Union Member States in 2018, as a step toward harmonizing personal data protection legislation in the European Union. The Regulation governs almost all types of personal data processing, hence, also, those pertaining to biomedical research. The purpose of this article is to highlight the main practical issues related to data and biological sample sharing that biomedical researchers face regularly, and to specify how these are addressed in the context of GDPR, after consulting with ethics/legal experts. We identify areas in which clarifications of the GDPR are needed, particularly those related to consent requirements by study participants. Amendments should target the following: (1) restricting exceptions based on national laws and increasing harmonization, (2) confirming the concept of broad consent, and (3) defining a roadmap for secondary use of data. These changes will be achieved by acknowledged learned societies in the field taking the lead in preparing a document giving guidance for the optimal interpretation of the GDPR, which will be finalized following a period of commenting by a broad multistakeholder audience. In parallel, promoting engagement and education of the public in the relevant issues (such as different consent types or residual risk for re-identification), on both local/national and international levels, is considered critical for advancement. We hope that this article will open this broad discussion involving all major stakeholders, toward optimizing the GDPR and allowing a harmonized transnational research approach.

Iulian Nastasa,Florentina-Ligia Furtunescu,Dana-Galieta Minca

DOI: https://doi.org/10.26574/maedica.2024.19.2.2982024;

Abstract:Objective: The General Data Protection Regulation (GDPR), which became effective on May 25, 2016, underscored the significance of confidentiality across various economic and social domains. Within the medical sector, confidentiality of patient health information is meticulously governed by laws, e.g., no. 95/2006 and no. 46/2003. While these laws address numerous privacy aspects within the doctor-patient relationship, it becomes necessary to update them to align with the latest advancements in emerging technologies, particularly in the context of telemedicine. Material and methods: Upon reviewing the overview of rules pertaining to health data processing in Romania, as published by the European Data Protection Board (EDPB) in 2021, and comparing it with the current public health and research laws in Romania, it becomes apparent that there is a regulatory gap concerning the secondary use of health data. Results: This gap is particularly notable in terms of planning, managing and enhancing the healthcare system, as well as utilizing such data for scientific and historical research purposes, leading to the necessity of developing and regulating the European Health Data Space. Conclusion: Although steps have been taken to align the GDPR legislation in Romania, there is still a disproportionality in the regulation of privacy and cyber security with the implementation of new technologies that will collect, process and store sensitive medical data.

Christine M O'Keefe,Donald B Rubin,Christine M. O'Keefe,Donald B. Rubin

DOI: https://doi.org/10.1002/sim.6543

2015-06-05

Statistics in Medicine

Abstract:Health and medical data are increasingly being generated, collected, and stored in electronic form in healthcare facilities and administrative agencies. Such data hold a wealth of information vital to effective health policy development and evaluation, as well as to enhanced clinical care through evidence-based practice and safety and quality monitoring. These initiatives are aimed at improving individuals' health and well-being. Nevertheless, analyses of health data archives must be conducted in such a way that individuals' privacy is not compromised. One important aspect of protecting individuals' privacy is protecting the confidentiality of their data. It is the purpose of this paper to provide a review of a number of approaches to reducing disclosure risk when making data available for research, and to present a taxonomy for such approaches. Some of these methods are widely used, whereas others are still in development. It is important to have a range of methods available because there is also a range of data-use scenarios, and it is important to be able to choose between methods suited to differing scenarios. In practice, it is necessary to find a balance between allowing the use of health and medical data for research and protecting confidentiality. This balance is often presented as a trade-off between disclosure risk and data utility, because methods that reduce disclosure risk, in general, also reduce data utility.

public, environmental & occupational health,medicine, research & experimental,medical informatics,mathematical & computational biology,statistics & probability

Alexander Bernier,Fruzsina Molnár-Gábor,Bartha M Knoppers,Pascal Borry,Priscilla M D G Cesar,Thijs Devriendt,Melanie Goisauf,Madeleine Murtagh,Pilar Nicolás Jiménez,Mikel Recuero,Emmanuelle Rial-Sebbag,Mahsa Shabani,Rebecca C Wilson,Davide Zaccagnini,Lauren Maxwell

DOI: https://doi.org/10.1038/s41431-023-01403-y

Abstract:The coming-into-force of the EU General Data Protection Regulation (GDPR) is a watershed moment in the legal recognition of enforceable rights to informational self-determination. The rapid evolution of legal requirements applicable to data use, however, has the potential to outstrip the capabilities of networks of biomedical data users to respond to the shifting norms. It can also delegitimate established institutional bodies that are responsible for assessing and authorising the downstream use of data, including research ethics committees and institutional data custodians. These burdens are especially pronounced for clinical and research networks that are of transnational scale, because the legal compliance burden for outbound international data transfers from the EEA is especially high. Legislatures, courts, and regulators in the EU should therefore implement the following three legal changes. First, the responsibilities of particular actors in a data sharing network should be delimited through the contractual allocation of responsibilities between collaborators. Second, the use of data through secure data processing environments should not trigger the international transfer provisions of the GDPR. Third, the use of federated data analysis methodologies that do not provide analysis nodes or downstream users access to identifiable personal data as part of the outputs of those analyses should not be considered circumstances of joint controllership, nor lead to the users of non-identifiable data to be considered controllers or processors. These small clarifications of, or modifications to, the GDPR would facilitate the exchange of biomedical data amongst clinicians and researchers.

Gauthier Chassang

DOI: https://doi.org/10.3332/ecancer.2017.709

2017-01-03

ecancermedicalscience

Abstract:The use of personal data is critical to ensure quality and reliability in scientific research. The new Regulation [European Union (EU)] 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [general data protection regulation (GDPR)], repealing Directive 95/46/EC, strengthens and harmonises the rules for protecting individuals' privacy rights and freedoms within and, under certain conditions, outside the EU territory. This new and historic legal milestone both prolongs and updates the EU acquis of the previous Data Protection Directive 95/46/EC. The GDPR fixes both general rules applying to any kind of personal data processing and specific rules applying to the processing of special categories of personal data such as health data taking place in the context of scientific research, this including clinical and translational research areas. This article aims to provide an overview of the new rules to consider where scientific projects include the processing of personal health data, genetic data or biometric data and other kinds of sensitive information whose use is strictly regulated by the GDPR in order to give the main key facts to researchers to adapt their practices and ensure compliance to the EU law to be enforced in May 2018.

Isabel Maria Lopes,Teresa Guarda,Pedro Oliveira

DOI: https://doi.org/10.1007/s10916-020-1521-0

IF: 4.92

2020-01-10

Journal of Medical Systems

Abstract:The focus on personal data has merited the EU concerns and attention, resulting in the legislative change regarding privacy and the protection of personal data. The General Data Protection Regulation (GDPR) aims to reform existing measures on the protection of personal data of European Union citizens, with a strong impact on the rights and freedoms of individuals in establishing rules for the processing of personal data. The GDPR considers a special category of personal data, the health data, being these considered as sensitive data and subject to special conditions regarding treatment and access by third parties. This work presents the evolution of the applicability of the Regulation (EU) 2016/679 six months after its application in Portuguese health clinics. The results of the present study are discussed in the light of future literature and work are identified.

health care sciences & services,medical informatics

R Verheij,E B Van Veen

DOI: https://doi.org/10.1093/eurpub/ckad160.457

2023-10-01

European Journal of Public Health

Abstract:Abstract Background Routinely recorded health data are increasingly used for research purposes and indispensable to stimulating appropriate and sustainable health care. In many countries access to data has proven to be a challenge. Trust by researchers, organisations and the general public is key, and adherence to the rule of law is one of the key elements determining that trust. We investigated the laws and regulations regarding the reuse of health data and how they work out practically for researchers. Methods Our study focuses on France, Finland, Denmark, Germany, England and The Netherlands. We investigated consent mechanisms, the possibilities of record linkage, and how the sharing of data for research purposes was organised, with a combination of desk research and interviews with researchers in these countries. Results All countries investigated except England are subject to the General Data Protection Regulation. However, explicit consent is the default in Germany and the Netherlands, while other countries maintain an opt-out system or even a system of neither consent nor opt-out. A central data access authority is in place in all countries investigated except Germany and the Netherlands. The nature and level of detail of data varies widely. Conclusions GDPR does not dictate a specific modality for the reuse of data. In terms of the reuse of health data, Germany and the Netherlands are lagging. The Netherlands seems to be the only country with continuing discussions about consent modalities. A broader societal debate about the balance between trust and the reuse of health data is needed, also against the background of a European Health Data Space. In the Netherlands, widespread government distrust is one of the challenges. Options to counteract this distrust will be discussed. Key messages • European countries vary in the way routine health data are accessible for research purposes. • This will affect the feasibility of a uniform European Health Data Space.

public, environmental & occupational health

Keren Semyonov-Tal

DOI: https://doi.org/10.1186/s13584-024-00641-9

2024-09-29

Israel Journal of Health Policy Research

Abstract:Patients expect their information to remain confidential, and physicians have a legal and ethical obligation to keep it this way. Confidentiality is not just a legal requirement but a crucial element in establishing trust between patients and healthcare providers. Patients must feel confident that their personal and medical information is kept confidential and shared only with those who need to know. Previous studies have primarily concentrated on patients' perceptions of medical confidentiality, data privacy, and data protection issues. However, research on the practical practices and perceptions of medical confidentiality among hospital physicians is scant, underscoring the need for a deeper understanding of this critical issue.

public, environmental & occupational health,health policy & services

D Y Dodek,A Dodek

1997-03-15

CMAJ

Abstract:Although patient confidentiality has been a fundamental ethical principle since the Hippocratic Oath, it is under increasing threat. The main area of confidentiality is patient records. Physicians must be able to store and dispose of medical records securely. Patients should be asked whether some information should be kept out of the record or withheld if information is released. Patient identity should be kept secret during peer review of medical records. Provincial legislation outlines circumstances in which confidential information must be divulged. Because of the "team approach" to care, hospital records may be seen by many health care and administrative personnel. All hospital workers must respect confidentiality, especially when giving out information about patients by telephone or to the media. Research based on medical-record review also creates challenges for confidentiality. Electronic technology and communications are potential major sources of breaches of confidentiality. Computer records must be carefully protected from casual browsing or from unauthorized access. Fax machines and cordless and cellular telephones can allow unauthorized people to see or overhear confidential information. Confidentiality is also a concern in clinical settings, including physicians' offices and hospitals. Conversations among hospital personnel in elevators or public cafeterias can result in breaches of confidentiality. Patient confidentiality is a right that must be safeguarded by all health care personnel.

Ingrid Ann Whiteman

DOI: https://doi.org/10.1177/1477750915591293

2015-06-17

Clinical Ethics

Abstract:It is reasonable to consider and trust that information taken from us about our medical health and history will be protected by rules on confidentiality and consent. Apart from very rare cases, perhaps of major public interest or for public health reasons, this information will not be shared with others without our consent. However, both a number of reforms in National Health Service patient data management policy (now enshrined in legislation) and developments in the general law on privacy challenge this traditional view of our control and choice over our medical information, as this article will show. In doing so, it analyses the question as to whether in spite of the rhetoric do any of us now really have choice over the access to and use of our medical data? In reality, our choices are limited and in any relationship of trust and shared decision making this ought to be transparent.

Victoria Chico

DOI: https://doi.org/10.1093/bmb/ldy038

2018-11-17

British Medical Bulletin

Abstract:Background: On the May 25, 2018 the General Data Protection Regulation (hereafter the GDPR or the Regulation) came into force, replacing the Data Protection Directive 95/46/EC (upon which the Data Protection Act 1998 is based), and imposing new responsibilities on organizations which process the data of European Union citizens.Sources of data: This piece examines the impact of the Regulation on health research.Areas of agreement: The Regulation seeks to harmonize data privacy laws across Europe, to protect and empower all EU citizen's data privacy and to reshape the way that organizations approach data privacy (See the GDPR portal at: https://www.eugdpr.org/ (accessed 8 May 2018). As a Regulation the GDPR is directly applicable in all member states as opposed to a directive which requires national implementing measures (In the UK the Data Protection Act 1998 was the implementing legislation for the Data Protection Directive 95/46/EC.).Areas of controversy: The Regulation is sector wide, but its impact on organizations us sector specific. In some sectors, the Regulation inhibits the processing of personal data, whilst in others it enables that processing. The Regulation takes the position that the 'processing of data should be designed to serve mankind' (Recital 4). Whilst it does not spell out what exactly is meant by this, it indicates that a proportionate approach will be taken to the protection of personal data, where that data can be processed for common goods such as healthcare. Thus, the protection of personal data is not absolute, but considered in relation to its function in society and balance with other fundamental rights in accordance with the principle of proportionality (Recital 4). Differing interpretations of proportionality can detract from the harmonization objective of the Regulation.Growing points: Reflecting the commitment to proportionality, scientific research holds a privileged position in the Regulation. Throughout the Regulation provision is made for organizations that process personal data for scientific research purposes to avoid restrictive measures which might impede the increase of knowledge. However, the application of the Regulation differs across health research sectors and across jurisdictions. Transparency and engagement across the health research sector is required to promote alignment.Areas timely for developing research: Research which focuses on the particular problems which arise in the context of the regulation's application to health research would be welcome. Particularly in the context of the operation of the Regulation alongside the duty of confidentiality and the variation in approaches across Member States.

medicine, general & internal

Teodora Lalova-Spinks,Robbe Saesen,Mitchell Silva,Jan Geissler,Iryna Shakhnenko,Jennifer Catherine Camaradou,Isabelle Huys

DOI: https://doi.org/10.3389/fphar.2023.1280173

IF: 5.6

2024-02-20

Frontiers in Pharmacology

Abstract:Background: In the European Union, the General Data Protection Regulation (GDPR) plays a central role in the complex health research legal framework. It aims to protect the fundamental right to the protection of individuals' personal data, while allowing the free movement of such data. However, it has been criticized for challenging the conduct of research. Existing scholarship has paid little attention to the experiences and views of the patient community. The aim of the study was to investigate 1) the awareness and knowledge of patients, carers, and members of patient organizations about the General Data Protection Regulation, 2) their experience with exercising data subject rights, and 3) their understanding of the notion of "data control" and preferences towards various data control tools. Methods: An online survey was disseminated between December 2022 and March 2023. Quantitative data was analyzed descriptively and inferentially. Answers to open-ended questions were analyzed using the thematic analysis method. Results: In total, 220 individuals from 28 European countries participated. The majority were patients (77%). Most participants had previously heard about the GDPR (90%) but had not exercised any of their data subject rights. Individual data control tools appeared to be marginally more important than collective tools. The willingness of participants to share personal data with data altruism organizations increased if patient representatives would be involved in the decision-making processes of such organizations. Conclusion: The results highlighted the importance of providing in-depth education about data protection. Although participants showed a slight preference towards individual control tools, the reflection based on existing scholarship identified that individual control holds risks that could be mitigated through carefully operationalized collective tools. The discussion of results was used to provide a critical view into the proposed European Health Data Space, which has yet to find a productive balance between individual control and allowing the reuse of personal data for research.

pharmacology & pharmacy

John M M Rumbold,Barbara K Pierscionek

DOI: https://doi.org/10.1186/s12910-017-0184-y

2017-04-08

Abstract:The EU offers a suitable milieu for the comparison and harmonisation of healthcare across different languages, cultures, and jurisdictions (albeit with a supranational legal framework), which could provide improvements in healthcare standards across the bloc. There are specific ethico-legal issues with the use of data in healthcare research that mandate a different approach from other forms of research. The use of healthcare data over a long period of time is similar to the use of tissue in biobanks. There is a low risk to subjects but it is impossible to gain specific informed consent given the future possibilities for research. Large amounts of data on a subject present a finite risk of re-identification. Consequently, there is a balancing act between this risk and retaining sufficient utility of the data. Anonymising methods need to take into account the circumstances of data sharing to enable an appropriate balance in all cases. There are ethical and policy advantages to exceeding the legal requirements and thereby securing the social licence for research. This process would require the examination and comparison of data protection laws across the trading bloc to produce an ethico-legal framework compatible with the requirements of all member states. Seven EU jurisdictions are given consideration in this critique.

Mahsa Shabani,Pascal Borry

DOI: https://doi.org/10.1038/s41431-017-0045-7

2017-11-29

European Journal of Human Genetics

Abstract:Genetic data contain sensitive health and non-health-related information about the individuals and their family members. Therefore, adopting adequate privacy safeguards is paramount when processing genetic data for research or clinical purposes. One of the major legal instruments for personal data protection in the EU is the new General Data Protection Regulation (GDPR), which has entered into force in May 2016 and repealed the Directive 95/46/EC, with an ultimate goal of enhancing effectiveness and harmonization of personal data protection in the EU. This paper explores the major provisions of the new Regulation with regard to processing genetic data, and assesses the influence of such provisions on reinforcing the legal safeguards when sharing genetic data for research purposes. The new Regulation attempts to elucidate the scope of personal data, by recognizing pseudonymized data as personal (identifiable) data, and including genetic data in the catalog of special categories of data (sensitive data). Moreover, a set of new rules is laid out in the Regulation for processing personal data under the scientific research exemption. For instance, further use of genetic data for scientific research purposes, without obtaining additional consent will be allowed, if the specific conditions is met. The new Regulation has already fueled concerns among various stakeholders, owing to the challenges that may emerge when implementing the Regulation across the countries. Notably, the provided definition for pseudonymized data has been criticized because it leaves too much room for interpretations, and it might undermine the harmonization of the data protection across the countries.

genetics & heredity,biochemistry & molecular biology

Paul Snelling,Oliver Quick

DOI: https://doi.org/10.1177/09685332221079124

2022-03-08

Medical Law International

Abstract:Confidentiality and disclosure of information in the public interest present difficult dilemmas for healthcare practitioners and call for clear legal and regulatory guidance. The common law duty of confidence, and established exceptions to it, are shaped by medical practice and detailed guidance produced by the General Medical Council. Guidance issued by other healthcare regulators in a highly fragmented environment is at best unclear and at worst inaccurate. This article assembles and justifies a framework of evaluation against which regulators’ guidance can be assessed, focussing on the specific issue of when the duty of confidentiality can be set aside in the public interest. Comparison of statutory regulators’ guidance reveals wide variation which creates uncertainty for practitioners confused by inconsistency between guidance documents. The results of this analysis raise questions about the relationship between common law and regulatory guidance, in particular, whether it is appropriate to recognize different standards for different healthcare professions. This article argues that there is an opportunity to correct this anomaly and ensure appropriate consistency as part of a wider review of healthcare professional regulation.

Eugenijus Gefenas,J. Lekstutiene,V. Lukaseviciene,M. Hartlev,M. Mourby,K.Ó Cathaoir

DOI: https://doi.org/10.1007/s11019-021-10060-1

2021-11-17

Abstract:This paper explores some key discrepancies between two sets of normative requirements applicable to the research use of personal data and human biological materials: (a) the data protection regime which follows the application of the European Union General Data Protection Regulation (GDPR), and (b) the Declaration of Helsinki, CIOMS guidelines and other research ethics regulations. One source of this controversy is that the GDPR requires consent to process personal data to be clear, concise, specific and granular, freely given and revocable and therefore has challenged the concept of ‘broad consent’, which has been widely applied in the context of biobanking. Another source of controversy is the interplay between regulations of research ethics and protection of personal data related to the secondary use of personal data and biological materials. In this case, the GDPR ‘research condition’ provides an alternative to re-consent for the use of previously collected personal data and biological materials. Although the mentioned controversies have been raised in the legal literature, they have not been explicitly addressed from the research ethics perspective. Should consent be regarded as a priority legal basis for personal data processing in health data research? Can broad consent still be a suitable legal ground for biobanking? What should be the role of research ethics provisions that differ from the GDPR standards, and what should be the role and function of research ethics committees in the changing environment of health data research? These are the ongoing controversies to be explored in the paper.