On October 22, 2018, the Future of Privacy Forum (FPF), the European Federation of Pharmaceutical Industries and Associations (EFPIA), and the Centre for Information Policy Leadership (CIPL) hosted a workshop in Brussels, “Can GDPR Work for Health Scientific Research?,” to discuss the processing of personal data for health scientific research purposes under the European Union’s General Data Protection Regulation (GDPR).
The use of health data in research, whether it arises in the course of hospital treatment or from personal management of care, has the potential to improve the lives of individuals, as well as transform health care systems and health-related science and innovation. Yet, at this moment, researchers and private and public stakeholders generally are facing difficulty in understanding how to comply with GDPR when processing personal data for health scientific research. Further, National Data Protection Authorities (DPAs), Health Authorities, and Ethical Committees are providing differing guidance on what should be the basis for processing special categories of personal data in scientific research, and the divergences are, if anything, widening.
The workshop highlighted multiple issues at the center of this challenge, including:
- The role of consent, legitimate interest, and other legal bases in the processing of health data for clinical trials and in the secondary use of health data for health scientific research purposes;
- The relationship between the Clinical Trials Regulation and the GDPR with regard to personal data processing for clinical trials;
- The lack of clarity surrounding institutional responsibility and the role of ethical committees; and
- The wider issues of how we ensure that emerging data-driven technologies like real-world evidence and artificial intelligence can be leveraged in compliance with GDPR to advance innovation and improvements in care.
Legal and regulatory harmonization of approaches to health data research will be critical to the advancement of digital health to improve care and health outcomes. The European Data Protection Board (EDPB) will play a key role in working with the privacy and public research sectors to ensure harmonized application of the GDPR and legal certainty, as well as to clarify the situation and reconcile the needs of research while maintaining the rights of individuals to exercise choice and understand how their data is being used.