Scientific research is front and centre in innovation policies across Europe, and the European Union (EU)'s research agenda makes no exception. In April and May alone, the EU announced its plans to boost research efforts and collaborations, to facilitate access to high-quality data for innovation and to support the development of home-grown artificial intelligence (AI) models and applications. Scientific research – including in the areas of drug discovery, biotechnology and robotics – stands to benefit from access to cloud computing, computer infrastructure and large datasets. Repositories of health data will become available for research and development of AI solutions for healthcare (as we will discuss in one of our next posts).
In their essence, these initiatives involve the secondary (i.e. subsequent) use of data (including health data) initially collected and processed for other purposes. The latter might include healthcare delivery, clinical trials, scientific studies, provision of digital services, etc. Such secondary use will, however, specifically relate to scientific research. Depending on the type of data processed and its level of anonymisation, some of the information may still constitute personal information. As a result, its secondary use may implicate the privacy of the individuals from whom the data was gathered. Why might this be the case?
Privacy implications of secondary use of data
Privacy implications may arise in one of these situations:
Reversable anonymisation: Information in large datasets and repositories intended for research is typically anonymised. That means, data points that directly or indirectly identified individuals were removed or replaced (e.g. individual names with an ID code). Yet, anonymisation may not always be a silver bullet. Depending on its strength and underlying techniques, anonymisation may be reversed. I.e. anonymised data can be re-identified through reasonable technical means. In such cases, anonymised data may still qualify as personal data.
Identification through large-scale data processing: The latter may result in recombination and relinking of data from different datasets or sources. This may lead to accidental identification of individuals.
Certain types of data cannot be sufficiently anonymised: This is the case, for example, with certain categories of health information, such as genetic data.
Once unique, always identifiable: Individuals with unique characteristics or combination of personal attributes remain identifiable despite the privacy-enhancing measures taken. For example, rare disease patients are considered at greater risk of re/identification due to specificities of patients’ individual phenotypes.
The likelihood of or mere reasonable possibility of such re/identification renders the processed data personal. Its secondary use therefore represents further processing of personal information in the meaning of the EU General Data Protection Regulation (GDPR). Such processing for scientific research should therefore meet the attendant ethical and legal requirements under applicable EU legislation. What do these requirements involve?
Requirements for secondary use of personal data for scientific research
While a comprehensive analysis of these requirements is beyond the scope of this post, a brief overview follows below. These requirements relate to:
Lawful processing and adequate protection of the personal data processed during scientific research, in line with the EU GDPR. One of our next posts will discuss these requirements in more detail, yet they broadly concern:
Recourse to valid legal basis for data processing
Processing of types / amounts of data strictly necessary for the purposes of the scientific research
Respect for the rights of the individuals from whom the data was collected with regards to transparency and disclosure, withdrawal or objection to processing, rectification of data, etc.
Adequate safeguards against privacy harms during processing
Guardrails around data transfers outside the EU
Internal data and privacy governance protocols to ensure compliance with the above and other procedural requirements
Safe and secure data processing that also respects individual patients’ rights under the European Health Data Space Regulation if the research project resorts to health data. Our next post will delve into the requirements introduced and research opportunities created by this regulation.
Adequate data governance and bias and risk mitigation if the scientific research involves the development of AI models or systems that will be placed on the market in the EU. One of our next blog posts will discuss the requirements under the EU AI Act and their relevance to research.
Compliance with the established ethical, clinical and regulatory standards for medical research involving human participants if the research involves also clinical trials of investigational medicinal products or medical devices for human use under the EU Clinical Trials Regulation.
More to follow in our next blog posts.
Also, do you want to learn more about how to set up your privacy and data protection protocols with regards to scientific research with health data? Join us for our upcoming webinar Innovating with Health Data: Regulatory Opportunities and Key Requirements in the UK and the EU! Email Kate Collocott at kate@datadrivenlegal.com or register here.
