The threat to global health caused by Covid-19 has led to unprecedented collaboration from the global scientific research community to urgently develop a vaccine. Given the prevalence of data sharing and open science, combined with the sensitive nature of the data involved, data protection concerns have quickly emerged.
The GDPR provides special rules for processing health data for scientific research purposes that are also applicable in the context of the Covid-19 pandemic. The European Data Protection Board (EDPB) recently published Guidelines 03/2020 on the processing of data concerning health for scientific research purposes in the context of Covid-19. The EDPB acknowledges the challenges faced by researchers operating with urgency and using health data that is not always obtained directly from the data subject for the specific purpose of scientific research. The guidelines provide clarity on issues such as the legal basis for processing health data, data subjects’ rights, and how health data can be lawfully transferred to a third country outside the EEA for scientific research purposes connected to the Covid-19 pandemic.
Legal basis for processing
All processing of personal data concerning health must comply with the data protection principles set out in Article 5 GDPR, and with one of the legal grounds set out in Article 6 and Article 9 GDPR. The EDPB notes that a number of legal bases may be relied on for processing health data in the context of Covid-19. The EDPB has already addressed the use of these legal bases in the context of clinical trials (previously discussed here).
By way of example, it is possible for researchers (when acting as data controllers) to rely on the explicit consent of the data subject to process health data, collected pursuant to Article 6(1)(a) and Article 9(2)(a) GDPR. However, the EDPB encourages a cautious approach, warning that the data subject must not be pressured into providing their consent. Alternatively, researchers may rely on Article 6(1)(e) (task carried out in the public interest) or Article 6(1)(f) (legitimate interests of the controller), in combination with Article 9(2)(j) (scientific research purposes) or Article 9(2)(i) GDPR (reasons of public interest in the area of public health).
National legislators may enact specific laws pursuant to Article 9(2)(j) or Article 9(2)(i) GDPR to provide a legal basis for the processing of health data for the purpose of scientific research (see, for example, sections 53 and 54 of the Irish Data Protection Act (DPA) 2018, which provide such a legal basis).
In addition to having a legal basis under Article 6 and Article 9 GDPR, or the DPA 2018, researchers subject to Irish data protection laws must put in place the suitable and specific safeguards prescribed by the Irish Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (S.I. 314/2018) (previously discussed here). These Regulations, in particular, require researchers to obtain the explicit consent of data subjects to process their personal data for scientific research purposes. Where it is not feasible to obtain such explicit consent, an application may be made to the Health Research Consent Declaration Committee to obtain a declaration that explicit consent is not required.
Data subjects’ rights
The EDPB notes that the Covid-19 outbreak does not have the effect of restricting or suspending the rights of data subjects under Articles 12 to 22 GDPR. However, Article 89(2) GDPR allows the national legislator to restrict some of the data subject’s rights where personal data are processed for scientific research purposes. For example, section 61 of the DPA 2018 permits data subjects’ rights of access, to rectification, to restriction of processing and to object to processing to be restricted to the extent that the exercise of any of those rights would render impossible or seriously impair processing for scientific research purposes.
In addition, some restrictions of data subjects’ rights can be based directly on the GDPR, such as the right to be forgotten, which is limited in the context of scientific research where the exercise of that right is likely to render impossible or seriously impair the achievement of the objectives of that processing (Article 17(3)(d) GDPR).
International data transfers
The EDPB anticipates health data being transferred cross-border both within and outside the EEA for the purposes of scientific research in the context of the Covid-19 outbreak. In the absence of an adequacy decision pursuant to Article 45(3) GDPR, or appropriate safeguards pursuant to Article 46 GDPR, public authorities and private entities may, “as a temporary measure due to the urgency of the medical situation globally”, rely on the derogations under Article 49 GDPR to legitimise non-EEA data transfers. The EDPB suggests that the derogations in Article 49(1)(d) (transfer necessary for important reasons of public interest) and Article 49(1)(a) (explicit consent) may apply.
However, whilst the nature of the Covid-19 crisis may justify the use of these derogations for initial transfers carried out for the purpose of scientific research, appropriate safeguards pursuant to Article 46 GDPR would be required for repetitive transfers of data to third countries outside the EEA as part of a long-lasting research project.
In light of the high risks posed by processing health data in the context of Covid-19, the EDPB emphasises the importance of ensuring that appropriate technical and organisational security measures are in place to protect the data. Such measures should “at least consist of pseudonymisation, encryption, non-disclosure agreements and strict access role distribution, access role restrictions as well as access logs.” In addition, there must be an assessment as to whether a data protection impact assessment is required. The EDPB notes that the measures adopted to protect data should be documented in the record of processing activities. Furthermore, proportionate periods for the retention of personal data should be set, having regard to the length and purpose of the research.
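To show what three of the measures the EDPB lists (pseudonymisation, access role restrictions and access logs) look like in practice, here is an added illustration in Python; it is not code from the EDPB guidelines or from any project the article describes. It assumes a hypothetical research dataset of synthetic test records, a keyed pseudonymisation secret held by a data custodian outside the research environment, and a two-role model (researcher and data custodian) in which only the custodian may re-identify a pseudonym. The records, key, role names and log format are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample dataset: synthetic records, not real patients.
RAW_RECORDS = [
    {"patient_id": "P-0001", "name": "Alice Example", "dob": "1970-04-12", "result": "positive"},
    {"patient_id": "P-0002", "name": "Bob Example", "dob": "1985-09-30", "result": "negative"},
    {"patient_id": "P-0001", "name": "Alice Example", "dob": "1970-04-12", "result": "negative"},
]

# Hypothetical key: in a real deployment it is generated randomly and held by the
# data custodian, outside the research environment, so researchers cannot reverse
# the mapping from pseudonym back to patient.
PSEUDONYM_KEY = b"replace-with-a-random-32-byte-secret"

# Hypothetical role model: the actions each role is permitted to perform.
ROLE_PERMISSIONS = {
    "researcher": {"read_pseudonymised"},
    "data_custodian": {"read_pseudonymised", "re_identify"},
}

ACCESS_LOG = []  # in practice an append-only log the requesting user cannot edit


def pseudonymise(record, key=PSEUDONYM_KEY):
    """Replace direct identifiers with a keyed token and generalise the date of birth.

    A keyed HMAC is used rather than a plain hash: with a plain SHA-256, anyone who
    knows (or can enumerate) patient identifiers could recompute the tokens and
    re-identify the dataset without the key.
    """
    token = hmac.new(key, record["patient_id"].encode(), hashlib.sha256).hexdigest()[:16]
    birth_year = int(record["dob"][:4])
    return {
        "pseudonym": token,
        "birth_decade": f"{birth_year // 10 * 10}s",  # coarser than a full date of birth
        "result": record["result"],
    }


def build_research_dataset(records, key=PSEUDONYM_KEY):
    """The view handed to researchers: no names, identifiers or exact dates."""
    return [pseudonymise(r, key) for r in records]


def build_lookup_table(records, key=PSEUDONYM_KEY):
    """The re-identification table, held only by the data custodian."""
    return {pseudonymise(r, key)["pseudonym"]: r["patient_id"] for r in records}


def request_access(user, role, action, pseudonym, lookup_table):
    """Enforce the role restriction and write an access log entry for every attempt,
    denied ones included, so that the log supports later review."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    ACCESS_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "action": action,
        "pseudonym": pseudonym,
        "allowed": allowed,
    })
    if not allowed:
        return None
    if action == "re_identify":
        return lookup_table.get(pseudonym)
    return pseudonym


if __name__ == "__main__":
    dataset = build_research_dataset(RAW_RECORDS)
    lookup = build_lookup_table(RAW_RECORDS)
    print(json.dumps(dataset, indent=2))
    # A researcher asking to re-identify is refused; the custodian is not.
    print(request_access("r.smith", "researcher", "re_identify", dataset[0]["pseudonym"], lookup))
    print(request_access("c.jones", "data_custodian", "re_identify", dataset[0]["pseudonym"], lookup))
    print(json.dumps(ACCESS_LOG, indent=2))
```

Two design points matter here. The same patient always maps to the same token, so researchers can link repeat test results without ever seeing who the patient is, which is what makes the data pseudonymised rather than anonymised and is why the record of processing activities should document where the key and lookup table live. And the log records refused requests as well as granted ones; a log that only captured successes would not show a researcher repeatedly attempting re-identification.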
The EDPB intends to issue more detailed guidance on the processing of health data for scientific research purposes as part of its annual work plan. In the meantime, this guidance provides welcome clarity on the data protection compliance issues arising for researchers when processing health data in the context of Covid-19. It is clear that the GDPR does not stand in the way of scientific research, but enables the lawful processing of health data to support the purpose of finding a vaccine or treatment for Covid-19.