The European Data
Protection Regulation and
research
Graham Love
Chief Executive
Health Research Board
1
Background to the Regulation
• Proposal from
Commission in January
2012
• Regulation = directly
binding
• Covers use of personal
data across most sectors
except for law
enforcement
• Under Commission’s
proposal, consent is not
required to legitimise the
use of data in research –
vital exemption.
2
Legislative process
Parliament
(LIBE)
TRILOGUE
Council
(Member
States)
Commission
3
Legislative procedure for EU
Data Protection Regulation
4
The political context
5
The European Parliament’s
position
• LIBE committee agreed 91
compromise amendments
from over 3000 tabled
• European Parliament voted
on 12 March in a ‘block
vote’ all amendments.
• Almost unanimous in
favour of the amendments
because agreed by political
groups in advance.
6
Debate in the European
Parliament
We cannot allow people to
run into doctors’ offices
and take our personalised,
private profiles
It is vital that the
changes to Articles 81
and 83 are reconsidered
and that expert advice
is taken
7
Impact
• Special provisions for the use of
data concerning health in
research
• Member States able to create an
exemption from specific consent,
but very narrow. Only:
– for pseudonymous data;
– in “high public interest”; and
– where the research “cannot
possibly be carried out otherwise”
• Much research using routine
data, biobanks, registries or
cohorts could become
impossible or unworkable
8
Article 81 (2) Research using data
concerning health
Amendment outline
Analysis
Processing of personal data
concerning health which is
necessary for historical, statistical
or scientific research purposes,
such as patient registries set up
for improving diagnoses and
differentiating between similar
types of diseases and preparing
studies for therapies, is shall be
permitted only with the consent of
the data subject, and shall be
subject to the conditions and
safeguards referred to in Article 83.
This amendment makes the
exemption from consent for the
use of data concerning health in
research very narrow. This will
prevent valuable health research
that is currently legal and already
tightly regulated under European
and Member State law.
KEY
•
•
•
Text added by the LIBE committee is in bold italics
Text deleted by the LIBE committee is struck
through bold italics
Text of proposed amendments is in bold underlined
italics
9
Article 81 (2a) Research using data
concerning health
Amendment outline
Member States law may provide for
exceptions to the requirement of consent
for research, as referred to in paragraph
2, with regard to research that serves a
high public interests, if that research
cannot possibly be carried out otherwise.
The data in question shall be
anonymised, or if that is not possible for
the research purposes, pseudonymised
under the highest technical standards,
and all necessary measures shall be
taken to prevent unwarranted reidentification of the data subjects.
However, the data subject shall have the
right to object at any time in accordance
with Article 19.
Analysis
While the amendment enables
Member States to legislate for
an exemption, the permitted
exemption is very narrow:
• The exemption could only
apply to the use of
pseudonymised, not
identifiable, data.
• A very high bar is set for
research using
pseudonymised data to be
eligible for the exemption,
which lacks any
assessment of
proportionality or
reasonableness.
10
Article 81 (2a) Further Analysis
Particular concerns include:
• “High public interest” suggests the exemption is to be used only in a very limited set
of circumstances. This is likely to be problematic for many studies, particularly
because the results and impact of the study are not known at the outset.
• “Cannot possibly be carried out otherwise” creates a strict test that does not take into
account the nature of research, for example, it is not clear how one could show that a
particular research project “cannot possibly be carried out otherwise” where it is
theoretically possible, but not practicable (because of the sample size needed), to
seek consent.
• The requirement for pseudonymisation to be at “the highest technical standards”
lacks an assessment of reasonableness. This is problematic because research
resources are often used over many years. Even where a study can demonstrate
“highest technical standards” when it is first established, it would be impractical to
ensure compliance with this requirement every single time data are used in the
future, as this would require continual updating of standards and processes.
These amendments also produce an overlap between Articles 81 and 83, creating legal
uncertainty.
Research is an international activity and would benefit from clear and harmonised rules
that facilitate research across Member States. However, Member State-based
exemptions will limit the potential for harmonisation.
11
Recital 123a Processing of personal data
concerning health
Amendment outline
The processing of personal
data concerning health, as a
special category of data, may
be necessary for reasons of
historical, statistical or
scientific research. Therefore
this Regulation foresees an
exemption from the
requirement of consent in
cases of research that serves a
high public interest.
Analysis
The concept of “high public
interest” is problematic.
“High public interest” suggests the
exemption is to be used only in a
very limited set of circumstances.
This is likely to be problematic for
many studies, particularly because
the results and impact of the study
are not known at the outset.
12
Article 83 (1) Processing for historical,
statistical or scientific research purposes
Amendment outline
In accordance with the rules set out in
this Regulation, personal data may be
processed for historical, statistical or
scientific research purposes only if:
(a) these purposes cannot be otherwise
fulfilled by processing data which does
not permit or not any longer permit the
identification of the data subject;
(b) data enabling the attribution of
information to an identified or identifiable
data subject is kept separately from the
other information as long as theses
purposes can be fulfilled in this manner
under the highest technical standards, and
all necessary measures are taken to
prevent unwarranted re-identification of
the data subjects.
Analysis
This amendment makes the exemption from
consent for the use of health data in research
very narrow, which will prevent valuable
research that is currently legal.
The amendment only applies to the use of
pseudonymised, not identifiable, data.
In addition, the requirement for
pseudonymisation to be at “the highest
technical standards” lacks an assessment of
reasonableness. This is problematic because
research resources are often used over many
years. Even where a study can demonstrate
“highest technical standards” when it is first
established, it would be impractical to ensure
compliance with this requirement every single
time data are used in the future, as this would
require continual updating of standards and
processes.
13
The Council’s position
• Council of Ministers
still considering
Commission’s proposal
• Research has been
discussed in Council
working group in
January and February
• Unclear when
Council’s position
(‘general approach’)
will be agreed
14
Next steps
Impact of
elections?
Parliament
TRILOGUE
Council
Commission
15
What is being done?
16
What are we doing in Ireland ?
HRB
alignment
with the EU
Wellcome
Trust-led
approach
Engaging with
the Department
of Justice, other
government
Departments
and with Irish
MEPs
Informing
the
research
community
“Regulation should be sufficiently flexible to continue to facilitate
processing of personal data for health historical, statistical and
scientific research purposes while providing appropriate
safeguards for the protection of personal data”.
Irish Department of Justice
17
In order to protect valuable research
while protecting privacy, we urge:
• Council of Ministers to maintain the EU
Commission’s text on Articles 81 and 83 and
associated provisions when agreeing its general
approach
• MEPs to seek a more positive outcome for
research in trilogue negotiations
• Council of Ministers and EU Commission to
oppose the EU Parliament’s amendments to
Articles 81 and 83 in trilogue negotiations.
18
Further information
• www.hrb.ie/EUdataprotectionregulation
or
• http://www.hrb.ie/research-strategy-funding/policiesguidelines-and-grant-conditions/eu-data-protectionregulation/
• Any questions? Contact Dr Patricia Clarke, HRB Senior
Policy Analyst, Email: [email protected] Tel: 012345247
• Special thanks to Dr Beth Thompson, Wellcome Trust for
all of her assistance and advice.
19
Download

HRB_EU_Data_Protection_Regulation_24_June_2014