UK Biobank: A case-study of biomedical research with Databanks and its privacy and data protection considerations


In a previous blog post, we outlined the typical privacy and data protection implications of conducting biomedical research using personal data from health databanks. These implications relate to the reliability of anonymisation, valid grounds for the reuse of health data, transparency and disclosure, data minimisation, adequate privacy safeguards for harm prevention, and the use of predictive analytics and artificial intelligence. 

In this post, we illustrate the practical significance of these implications with examples from the work of UK Biobank. It stores de-identified medical and genetic data of 500,000 research participants living in the UK and aged between 40 and 69 years old. UK Biobank initially collected from these participants physical measurements, medical history, lifestyle and environmental information, as well as biological samples (such as blood and urine), for baseline assessment. The assessment also included a week-long 24-hour activity monitoring of 100,000 participants, further repeated measurement of 20,000 participants, and heart, brain, and abdomen imaging of 50,000 participants. In addition, all participants regularly give blood, urine, and saliva samples, as well as further information about their current lifestyle. These data are then linked to the participants’ medical and health-related records to yield greater insights into participants’ health conditions, their causes and progression. The biological samples are reposited so that they can be used for further biochemical and genetic analyses. Research organisations may access and process this wealth of health information and biological samples following an application, legal and ethical reviews and approvals, and under specific ethical and privacy requirements.

What does the privacy and data protection set-up at UK Biobank mean for research organisations willing to access and use its health data? We break this down by reference to the key implications outlined above:

  • Anonymisation: UK Biobank de-identifies, “wherever possible”, the collected health data by removing all direct and indirect identifiers. As noted in our previous post, however, de-identified data may still qualify as personal data if it can be re-identified with reasonably available technical means. UK Biobank tacitly recognises this possibility in its various protocols and arrangements with research organisations. In addition, UK Biobank “permit[s] third parties to use identifiable data where necessary”. Given these prospects of access to actual or re-identifiable personal data, research organisations should err on the side of caution and assume that they may be handling personal data while collaborating with UK Biobank. This means that research organisations should carefully prepare for, assess and manage the potential privacy and data protection implications of their data access and processing.

  • The basis for ethical and lawful secondary use of the health data: UK Biobank collects and processes health data for research purposes based on participants’ explicit consent, UK Biobank’s scientific research remit and legitimate interest to enable research in the public interest. Research organisations may access this health data based on an agreement with UK Biobank and only as long as they conduct their research in accordance with the permitted project purposes and approved scope. Hence, to ethically and lawfully reuse the health data in UK Biobank, research organisations must stay within the research remit approved by UK Biobank.

  • Transparency and disclosure: The UK Data Protection Act 2018 exempts research organisations from the transparency and disclosure requirements under the UK GDPR as long as research organisations adequately safeguard participants’ data during access and processing. Organisations must therefore plan for and invest in data and privacy protections prior to starting their research at UK Biobank.

  • Data minimisation: Research organisations must access and use data in UK Biobank only to conduct the approved research for its permitted purposes and within the endorsed scope. Veering off course would constitute a breach of statutory requirements under data protection regulations, as well as a breach of the access terms of, and the agreement with, UK Biobank.

  • Appropriate privacy safeguards for harm prevention: Research organisations are contractually required to implement a wide range of privacy safeguards, including security policies, access controls, storage protocols, encryption, limited retention, etc. In addition, research organisations must put in place data incident mechanisms and inform UK Biobank of attempted or actual data breaches.

  • Use of advanced data analytics tools: The use of tools such as predictive analytics and artificial intelligence would most likely necessitate a data protection impact assessment, as research organisations process large sets of health data with advanced data analytics techniques and software. Research organisations must consult their data protection officer and ascertain the need for such an assessment.

  • Data transfer and processing terms: To receive access to data stored in UK Biobank, research organisations must sign an elaborate material transfer agreement. It details the data processing and security arrangements that research organisations must comply with to retain access to the data and avoid paying out under indemnities for breach of contract or other compensation for damages. 

  • Designation of a data protection officer: If a research organisation is a public body or conducts research with large datasets as part of its core activities, it must retain a data protection officer. S/he must possess expert knowledge of data protection laws and practices and be able to competently and independently advise on privacy compliance. The data protection officer may be appointed in-house at the organisation or retained as an external consultant.   

 

Do you want to learn more about how to set up your privacy and data protection protocols with regard to biomedical research with health data? Join us for our upcoming webinar Innovating with Health Data: Regulatory Opportunities and Key Requirements in the UK and the EU! Email Kate Collocott at kate@datadrivenlegal.com or register here

 


