We currently live in a world where the rapid spread of COVID-19 has provoked the urge to initiate the search for an effective vaccine or medicines to fight against it. In this context, the EDPB has recently published its Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (Guidelines) with the clear objective of ensuring that patients’ and trial subjects’ privacy is not disregarded while clinical trials are carried out.
This is not the first time that the EDPB has issued guidance on topics related to scientific research or clinical trials (see its analysis on the interplay between the GDPR and the Clinical Trials Regulation, which we covered, here). However, the Guidelines focus specifically on scientific researches in connection with the current enemy: COVID-19.
Below are our highlights of the Guidelines:
- Fundamental takeaway – Data protection and, specifically, the GDPR do not hinder the fight against COVID-19. As foreseen in the GDPR, there are several scenarios under which the processing of personal data for scientific research is allowed while guarantying the fundamental rights to privacy and personal data protection.
- Interpretation of key concepts:
- Broad concept of health data – Beyond the definition of article 4(15) GDPR, health data emerges from many sources: a patient’s medical history and results of examinations, cross referencing of data that reveals a person’s state of health or health risks, self-assessment apps, and other information obtained in a specific context (e.g., recent trip or presence in a region where COVID-19 is widespread).
- Scientific research – Defined as a “research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice” (following the definition of Article 29 Working Group in the absence of one in the GDPR).
- Primary or secondary use of the data – The type of uses of the personal data is relevant for the purposes of identifying the appropriate legal basis, as detailed below. The primary use is the one for which the data is originally collected for a specific purpose, while the secondary use is an additional use for a different purpose (e.g., data collected and processed within the context of a medical consultation [primary use], and subsequently used for a certain scientific investigation [secondary use]).
- Legal ground (article 6 GDPR) and derogations (article 9 GDPR) for the lawful processing of health data:
- Consent – Although it does not seem to be the preferred option for the EDPB due to the difficulty of consent meeting GDPR standards, it is not ruled out as a potential legal basis and derogation for the processing of health data.
- Legitimate interest and public interest -In combination with the exceptions provided for in articles 9.2(i) and (j) GDPR (that is, and respectively, the public interest and where the data processing carried out for archival purposes in the public interest, scientific or historical research purposes, or statistical purposes). These grounds/derogations are based on national laws that will determine their scope. Note that national laws in this regard have not been fully unified within the EU.
- Data protection principles:
- Transparency and information duties – Together with article 13 GDPR, special attention should be paid to article 14 GDPR since many times: (i) the data is not obtained directly from the data subject; and (ii) it will be used for purposes different to the ones for which they were initially collected. In this regard, note that the GDPR provides for exceptions to information duties in certain scenarios under article 14(5) GDPR, and that transparency vis-à-vis trial subjects and patients remains one of the most important principles where sensitive data are to be processed.
- Purpose limitation and compatibility – Although article 5(1)(b) GDPR does not consider–as a general rule–the secondary use of data for scientific research purposes as incompatible, it is necessary to comply with article 89(1) GDPR, which, in these cases, emphasizes the importance of the data minimization.
- Data minimisation and storage limitation – To comply with these principles, there are two items that must be taken into account: (i) the envisaged purposes, to clearly assess and determine which are the personal data required (minimisation); and (ii) the duration of the scientific research and national regulations, in relation to the document retention (storage).
- Integrity and confidentiality – Taking into account the special nature of the personal data processed in this context, sufficient technical and organizational security measures must be implemented in order to guarantee its protection (e.g., pseudonymization, encryption, access control, etc.). In this regard, it is highly advisable (and even may be deemed necessary) to carry out a data protection impact assessment and to fully involve the data protection officer of the company.
- International transfers – Apart from the general rules for the international transfer of personal data to countries outside the EU, the EDPB remarks the derogation regime foreseen under article 49 GDPR under the current COVID-19 outbreak. Due to the exceptional sanitary crisis of an unprecedented nature and scale, the EDPB recognizes that during this period entities may rely their international data transfers on the public interest to carry out the same (article 49(1)(d) GDPR) or, ancillary, on the explicit consent of trial subjects or patients (article 9(1)(a) GDPR).
In addition to the above, and as it is customary, the Guidelines contain numerous examples that end up being, in many occasions, the most useful way of putting in practice the theoretical explanations provided by the EDPB.
Finally, it should be noted that the EDPB has stated that the development of a further and more detailed guidance for the processing of health data for the purpose of scientific research is part of its annual work plan. Thus, it is expected that the EDPB will issue additional guidance on this topic in the near future.
This post was originally on our Spanish-language data protection blog, available here. Hogan Lovells’ global Privacy and Cybersecurity team maintains a tracker of guidance from 30+ European data protection authorities related to data processing in the fight against coronavirus.