Legal grounds for processing health data
The GDPR describes “health data” as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
In the EU, in accordance with the Directive on the conduct of clinical trials, data subjects must provide informed consent before taking part in a trial. Under the current Data Protection Directive, a trial subject must also be told that he or she has the right to withdraw from the trial at any time.
Under the GDPR, consent does not provide a legal basis for processing where there is a “clear imbalance” between the data subject and the data controller, because in that situation consent is unlikely to have been freely given (a key requirement under the GDPR). As “clear imbalance” is not defined, it is arguable that such an imbalance exists between clinical trial subjects and the organisations carrying out clinical trials. Further clarification on this point is needed.
However, the GDPR allows sensitive personal data, such as health data, to be processed for reasons of public interest in the area of public health without the consent of the data subject, provided that such processing is “subject to suitable and specific measures so as to protect the rights and freedoms of natural persons”. This is helpful for pharmacovigilance, where it is in the public interest that the adverse effects of a drug (for example, one being tested in a trial) are reported to ensure the safety of medicinal products.
Rights of data subjects
As mentioned above, a trial participant may withdraw their consent at any time. However, the withdrawal of consent does not affect the lawfulness of processing that was based on consent before its withdrawal.
Under the GDPR, a data subject has, in some circumstances, the “right to be forgotten”, that is, the right to have his or her personal data erased. The GDPR provides an exemption from the right of erasure for scientific research purposes, which could be crucial to the life science industry, where the erasure of health data could have a significant effect on the validity of clinical trial data and medical research. The GDPR also states that where personal data is processed for scientific research purposes, further retention of such data should be lawful. The data subject’s right of erasure under the GDPR therefore appears to be limited in relation to scientific research.
Practical steps for life science organisations
Life science organisations should consider the following to ensure compliance with the GDPR:
- Identify the appropriate legal grounds for each processing activity undertaken
- Where processing of personal data relies on consent, review how consent is obtained to ensure GDPR requirements are met
- Review privacy policies and amend them if necessary to ensure GDPR compliance
- Consider whether personal data should be pseudonymised (for example by encryption) to enhance security measures
- Review all data controller/data processor contracts to ensure that appropriate obligations are placed on each party in accordance with the GDPR
The GDPR also recognises that researchers may need to process personal data for secondary purposes that were not specified in the consent form provided to the data subject. The GDPR therefore provides that further processing for scientific research purposes should be considered compatible with the original lawful processing operations.