GDPR: an impediment to research?
The recent introduction of the General Data Protection Regulation and Health Research Regulations has been an area of significant concern for those engaged in clinical research. These European regulations, following subsequent interpretation by Ireland’s Department of Health, now place Ireland in a unique position which differs substantially from other European countries and may prove a significant impediment to Irish clinical research, depriving Irish patients of timely access to potentially life-saving treatments and making Ireland less attractive to pharmaceutical companies engaged in this area. At the very least, the regulations, as applied in Ireland, will place a significant extra burden of work on Ireland’s clinical researchers and at their worst will force individuals and institutions out of the clinical research field, which will result in significant loss to the Irish knowledge economy and lead to the detriment of patient care.
In this article, we explore what exactly is proposed by Europe’s GDPR and by Ireland’s Health Research Regulations. We look at the challenges presented to clinical researchers, and we highlight those areas which need clarification by the Department of Health and by the Data Protection Commissioner.
We propose five recommendations which would ameliorate some of the more restrictive impositions of these regulations. This review was commissioned by the Irish Academy of Medical Science.
Keywords: Biobanks/archival material; Capacity to consent; General Data Protection Regulation; Health Research Regulations; Retrospective chart reviews
Introduction to GDPR
The purpose of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 of the European Parliament and of the Council) is to protect all EU citizens from privacy and data breaches in today’s data-driven world (http://eugdpr.org/the-regulation/). GDPR came into effect on May 25, 2018 following a 2-year transitional period granted by the European Parliament and repeals the Data Protection Directive 95/46/EC. In the EU, GDPR has changed the landscape of data protection from that outlined under the Directive to a setting that is protected as a fundamental right in Article 8 of the Charter of Fundamental Rights, and recognises that everyone “has the right to the protection of personal data concerning him or her”. In contrast to a Directive, a Regulation is enforceable by law. Central to data protection is the concept of personal data itself. Many of the principles that form GDPR reflect the core principles of the Directive and the definition of personal data, as outlined in Article 4(1) of GDPR, includes “any information relating to an identified or identifiable natural person (‘data subject’)”. This includes names, surnames, home address, email address, or an identifier number or data held by a hospital/doctor that could be used to identify a living individual. Furthermore, the existence of special categories of personal data, referred to as sensitive personal data, adds another layer of complexity. Sensitive personal data are outlined in Article 9(1) GDPR and include data pertaining to ethnicity, sexual orientation, religious beliefs, trade union membership, and genetic data (chromosomal/DNA) derived from biological samples.
Becoming compliant with GDPR starts with GDPR awareness, understanding data subject rights, choosing the appropriate lawful basis for data processing activities (Article 6 GDPR), and understanding the principles which are embedded in GDPR, including those relating to processing of personal data (http://eugdpr.org/the-regulation/). It is stated under Article 4(2) of GDPR that virtually any use of personal data, from collection and recording, to retrieval and dissemination, storage, and finally erasure or destruction, constitutes “processing”, with significant accountability required. An integral part of achieving compliance with these regulations requires a developed understanding of the responsibilities of the users of personal data, including “data controllers” and “data processors”. The definitions of data processors and data controllers under Article 2 of the Directive are virtually identical to the definitions now contained in Article 4 of the GDPR. A data controller is an individual or legal person(s) such as a company, department, or organisation, which under Article 4 of GDPR “determines the purposes and means of the processing of personal data”. Moreover, and perhaps one of the more significant changes from the Directive, is the allowance of more than one data controller or “joint controller” (Article 26 GDPR). Joint controllers can determine the purpose and means of data processing, although this may not imply equal responsibilities. In contrast, the data processor is a separate legal entity. The formal definition (GDPR Article 4) states that a processor means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. Unlike previous legislation, data processors now have duties and responsibilities that are directly applicable and can be directly enforced to ensure GDPR compliance. 
Moreover, data processors need to assist controllers in various circumstances where relevant, for example, in a potential personal data breach notification or in considering a Data Protection Impact Assessment (DPIA). The principles of GDPR Article 5, regarding personal data processing, apply to data processors just as much as they apply to data controllers. Examples of data processors in health research might include transcription services and DNA sequencing/translation services. The agency to which testing or data manipulation is outsourced becomes the data processor.
Roles and responsibilities of the data controller
The data controller must adhere to what is stipulated under Article 5 GDPR, which states that personal data must be processed lawfully, fairly, and in a transparent manner (“lawfulness, fairness and transparency”). The personal data must be collected for specified, explicit, and legitimate purposes (“purpose limitation”) and must be adequate and necessary in relation to the purposes for which it is collected (“data minimisation”). Personal data must be accurate, kept up to date (“accuracy”), and retained for no longer than is necessary (“storage limitation”). Personal data must be processed in a manner that ensures appropriate security (“integrity and confidentiality”). The data controller must also be able to demonstrate compliance (“accountability”).
With respect to data subjects, it is important that transparent information is provided to the intended subjects by the data controller on the methods by which their data will be processed. A patient/participant information leaflet (which fulfils the transparency requirement of GDPR) should be designed using easy-to-understand plain language for the intended audience and age category. The identity and contact details of the data controller must be provided, along with contact details (not necessarily the identity) of the Data Protection Officer (DPO). Transparency leads to trust, and therefore, information on the reasons and intended purposes for processing, and the legal basis for the same, should be provided. Article 35 GDPR requires that data controllers carry out Data Protection Impact Assessments (DPIAs) for “high-risk processing” and implement measures to mitigate the identified risks. In turn, data processors are required to inform data controllers of any data breach, which must be reported to the office of the Data Protection Commissioner (DPC) within 72 hours where there is a risk to the rights of the data subject.
The data subject
GDPR has made significant advances on the rights of the data subject, which include the right to rectification of inaccurate data in a timely manner (Article 16), the right to be forgotten or right to erasure of personal data (Article 17), and the right to object to processing of personal data (Article 21). In addition, the rights of data subjects under GDPR extend to accessing their own personal data (Article 15). Within 1 month of receipt of such a request, the data controller must respond and, upon verification of the identity of the data subject, should provide, at no cost, a copy of the requested personal data in a concise, transparent, and easily accessible form. The response time may be extended by 2 months if a request is complex, and the controller may charge a reasonable fee for further copies of personal data that is undergoing processing. Thus, GDPR is designed to ensure actual accountability of data controllers, and their responsiveness will be heightened by the possibility of levied fines. Non-compliance can result in fines of up to €20 million or 4% of the total worldwide annual turnover of the preceding fiscal year. Data subjects can sue both controllers and processors for compensation for damages arising from a breach of GDPR.
GDPR and Health Research Regulations
An outline of the mandatory suitable and specific measures for the processing of personal data for the purposes of health research (Regulation 3(1))
A definition of health research (http://www.irishstatutebook.ie/eli/2018/si/314/made/en/pdf) for the purposes of the regulation (Regulation 3(2))
The possibility of applying for a consent declaration for new research (Regulation 5)
Transitional arrangements (https://www.hrb.ie/funding/gdpr-guidance-for-researchers/gdpr-and-health-research/consent/transitional-arrangements/) in respect of the granting of consent declarations for health research that is already underway (Regulation 6)
Establishment and operation of a committee of persons (https://www.hrb.ie/funding/gdpr-guidance-for-researchers/gdpr-and-health-research/consent/health-research-consent-declaration-committee/) to make decisions on applications for consent declarations, including an appeals process (Regulation 7–13 and Schedule)
Inclusion of several miscellaneous provisions (Regulations 14–16)
The HRR were signed into law by Ireland’s Minister of Health on August 8, 2018 and relate to processing of personal data for health research. GDPR 2018 allows member states the freedom to legislate at national level in certain areas, one of these being the processing of personal data for scientific and research purposes. GDPR 2018 did not however provide a definition of scientific research. HRR 2018 provides for the first time a legislative definition of “health research” and its focus is on health research only. The Irish Department of Health has indicated that the HRR does not apply to clinical audit, service evaluation, or clinical practice, but further regulations may follow in these areas in due course. The HRR lists the suitable and specific safeguards required when processing personal data for health research in Ireland.
Chief among these is the requirement for explicit consent of the data subject. This is a unique Irish addition to GDPR, because the European regulation, which took effect on May 25, 2018, did not require explicit consent, and allowed for data processing without consent subject to safeguards. The subsequent Irish legislation enshrines explicit consent for data processing; in cases where this is not possible, the researcher must apply to the National Consent Declaration Committee (CDC) (https://hrcdc.ie/). The CDC, which is currently being established, may issue declarations stating that in certain research studies, the public interest in conducting the study outweighs the rights of data subjects to be consented. However, the CDC has yet to meet. The introduction of an Irish requirement for explicit consent is unique among member states in the EU and will inevitably lead to restrictions on health research in Ireland.
Prior to GDPR and the HRR, the capture of consent remained a widely debated issue (https://www.hrb.ie/funding/gdpr-guidance-for-researchers/gdpr-and-health-research/consent/) with the main aim to strike an appropriate balance between the patient’s right to personal data privacy and the desirability of making data available for research. Anonymisation of patient records and/or freely given and informed patient consent were (and still are) the foundation stones of how medical research should be undertaken from a privacy perspective. Where consent was not obtained in relation to historical data, it was possible for data controllers to examine other options (such as pseudonymisation of data prior to processing) having exhausted other avenues for seeking consent, in order to legitimise access to such patient records.
The HRR draws a distinction between ongoing research, as that which received research ethics committee approval before the date of enactment of the new legislation (August 8, 2018) and research approved on or after this date. In the case of the latter, explicit consent is required, while “ongoing” research has a legislative transition period within which to obtain explicit consent, and where this is not possible or attempts are unsuccessful, to apply to the Declaration Committee for a consent declaration. More recently, further guidelines have been issued by the Department of Health (https://www.hrb.ie/fileadmin/1._Non-plugin_related_files/RSF_files/GDPR_guidance_for_researchers/Health_Research_Information_Principles.pdf). These guidelines contain information which must be provided to research participants and surpass the regulatory and legislative requirements of GDPR. The Department of Health indicated that these guidelines would be considered a mandatory requirement of an “informed consent”.
Without the Irish HRR, researchers in Ireland would have processed in accordance with Article 9(2)(j) and the safeguards set out under Article 89(1) under GDPR, exactly as is the case in other European member states including the UK. These safeguards include data minimization, pseudonymisation, and anonymisation where possible (consent is not a requirement).
GDPR and HRR: the ongoing challenges for research in Ireland
The participant may not be alive or, if alive, may wish to put behind the difficulties of a previous illness. In this context, re-consenting individuals or contacting relatives for consent could be upsetting and stressful to both living participants and/or their relatives.
The time and resources needed to re-consent, depending on the size of the study involved, could prove insurmountable. According to the Department of Health, this may not be a valid reason when approaching the declaration committee, but it is clearly a matter of significant concern to clinical researchers.
The Department of Health anticipates that the CDC will meet once a month to deal with “exceptional” and “rare” research studies where explicit consent could not be obtained. It is not clear what is meant by the terms “exceptional” and “rare” when it is obvious that a significant number of new and ongoing studies will need to avail of this mechanism.
The volume of applications which will require a consent exemption will exceed the capacity of a once-monthly meeting of a single committee.
There will be a wide variety of applications submitted from low- to high-risk studies, with, as it stands, no streaming or segregating plans for applications.
The transitional arrangements with respect to granting consent declarations for health research that is already underway (Regulation 6) (in addition to the logistical issues listed above) create yet another obstacle facing researchers. The transition or grace period to become GDPR/HRR compliant was 9 months from the date the HRR Bill was signed into effect on August 8, 2018 by the Minister for Health but, given that the first meeting of the CDC was planned for January 2019, and the grace period terminates on April 30, 2019, researchers have not been given sufficient time to achieve compliance, nor indeed has the committee been given adequate time to meet and consider multiple applications. The establishment and operation of a committee of persons to make decisions on applications for consent declarations, including an appeals process (Regulations 7–13 and Schedule), adds further to the concerns of the research community, given the inertia which inevitably impedes any committee, especially a large one.
Retrospective chart reviews: the latest update from the Department of Health regarding this important type of research was published on 26th November 2018 on the Health Research Board website and states:
“As regards Retrospective Chart Reviews carried out for research purposes, and having consulted with the Data Protection Commission, it has been determined that the requirement for explicit consent will commence on 1st May 2019. This is to allow hospitals and other data controllers who carry out such reviews to adapt their procedures to capture the relevant explicit consent from patients. All other suitable and specified safeguards set out in the Health Research Regulations will continue to apply in the interim period as will other requirements arising under the General Data Protection Regulation. Where a hospital or other data controller does not use this time to put a mechanism in place to capture explicit consent for retrospective chart reviews for research purposes then applications to the Consent Declaration Committee for a consent declaration for such reviews will be unlikely to succeed” (https://www.hrb.ie/funding/gdpr-guidance-for-researchers/health-research-regulations-2018-faq/).
Biobanks/archival material: In this area, re-consenting is a major issue, and not using the millions of valuable and carefully documented tissues archived in Irish Pathology Departments and in the many designated disease-specific biobanks for research poses the most serious threat to health research progression and subsequent future treatment for Irish patients affected by a wide variety of health conditions such as epilepsy, cancer, heart disease, and potentially fatal childhood skin disorders, to name but a few. The recent guideline document published by the Department of Health touched on how GDPR and the HRR might apply to biobanks. The HRR addressed the matter of broad consent in line with Recital 33 and the Article 29 Working Party Guidance on Consent (April 2018). The HRR state as follows: “explicit consent has been obtained from the data subject, prior to the commencement of the health research, for the processing of his or her personal data for the purpose of specified health research, either in relation to a particular area or more generally in that area or a related area of health research, or part thereof”.
Research with individuals who lack capacity to consent: This is an area of great concern, particularly in the fields of emergency medicine and in the treatment of those with intellectual disability. There is a significant danger that these individuals will be denied access to life-saving treatments in the event of an overly draconian application of the HRR. There is uncertainty around who can give consent where capacity is lacking (e.g. patients unconscious or in severe distress in intensive care units or in emergency departments, and those with intellectual disability). It is unclear at what point consent may or should be obtained, or indeed from whom if lack of capacity is permanent. In addition, the Assisted Decision-Making (Capacity) Act 2015 is up to 2 years from being finalised. The Department of Health is drafting capacity guidelines in conjunction with the DPC’s office and, in doing so, is considering the risk-benefit approach. The challenge here is that while the guidelines may cover lack of capacity, from the DPC’s perspective, this will not negate an individual’s right to take a civil action. Research ethics committees have been advised that until further guidelines are released, the evaluation of research studies involving individuals who lack capacity should involve a risk-benefit analysis to enable a decision on a case-by-case basis.
Ongoing unanswered questions
Consent declaration committee: The first meeting of this committee was scheduled for January 2019, 3 months before the “transition” period ends. This is obviously too short a time frame. Researchers have been advised by the Department of Health that they must provide evidence of their efforts to comply with GDPR since 2018 if they wish to seek an extension. It should be noted, and taken into account by the CDC, that the “Explicit Consent” requirement only came into effect in August 2018, meaning it was impossible to prepare for this eventuality before the third quarter of 2018. It should also be noted and taken into account by the CDC that the majority of research was in fact in compliance with Article 9(2)(j) and the safeguards outlined in Article 89 of GDPR, namely pseudonymisation, minimisation, and anonymisation implemented where appropriate.
Who is responsible for ensuring compliance? Apart from the original and obvious role of the Research Ethics Committees (REC) to review ethical aspects of research applications, there seems to be some misunderstanding as to who should ensure compliance. The role of the REC is also outlined in the recently published consent guideline document issued by the Department of Health (Ref 6), but it is unclear whether the information outlined in this document is required to be included in the information leaflet. The data controller and the institution which employs the researcher have overall responsibility, but accountability is being inadvertently diverted to RECs to provide guidance, advice, and information, a role for which they are not trained and are poorly resourced. It is the role of the DPO to advise the data controller and/or institution of their legal requirements to ensure they are GDPR and HRR compliant. Ultimately, it is the data controller who will be held accountable for any data protection breaches. Similarly, researchers need to define who the data processor is. This is not clear-cut, as the legal definitions must be clearly understood before individuals can be named.
Audit: Some confusion remains as to what constitutes audit as opposed to research with the possibility that researchers will seek to “re-name” their work so they can avoid compliance issues.
Specific Areas of confusion:
What type of research requires a DPIA, and how can researchers access expertise to help them in this area, given the serious implications of getting it wrong?
How can personal data be anonymised? Is true anonymisation possible?
For research to be permitted without explicit consent, is this subject to data controllers modifying transparency statements to inform data subjects of the possibility of same? If so, how is this to be done, and when?
Recommendations
Permit chart reviews for medical research by healthcare professionals involved in the provision of clinical care for the cohort of patients under review.
Seek broad consent from patients about to undergo surgical and medical resections to give broad consent for biobanking of their tissues which are surplus to the diagnostic pathology procedures with the understanding that research conducted on these tissues will have been placed before and approved by a research ethics committee.
Triage and allocate work of the CDC to sub-committees with mandates to provide guidelines in each of these 3 areas:
Biobank/Archival Material (Pathology archives—material collected for clinical purposes in which obtaining consent for individual projects is no longer feasible, for one of the reasons set out above)
Retrospective chart reviews (low-risk huge public benefit) and provision of guidelines on the use of the electronic patient record in research.
Studies for which consent adhered to the previous legislation. A fast-track approach should be considered where all patient information leaflets, protocols, and any other relevant documentation (permissions, previous ethical approval documentation) are in place.
GDPR and HRR have the potential to ensure better patient protection in our health system, but the application of these processes in Ireland as set out by the Department of Health is problematic, challenging, resource-intensive, and costly. The Department of Health has taken a unique and arguably restrictive approach to data protection in Ireland which is quite at variance with that of our European colleagues and which, if followed through as outlined, will impact negatively on patient care and clinical research in Ireland. In this paper, we have outlined the potential benefits and challenges of GDPR and HRR and have suggested solutions in the Irish context which we feel would safeguard patients’ rights while at the same time protecting their access to newer treatments and diagnostics.
Compliance with ethical standards
Conflict of interest
The authors declare that they have no conflict of interest.
Open Access: This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.