Introduction to GDPR

The purpose of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 of the European Parliament and of the Council) is to protect all EU citizens from privacy and data breaches in today’s data-driven world (http://eugdpr.org/the-regulation/). GDPR came into effect on May 25, 2018 following a 2-year transitional period granted by the European Parliament and repeals the Data Protection Directive 95/46/EC. In the EU, GDPR has changed the landscape of data protection from that outlined under the Directive to a setting that is protected as a fundamental right in Article 8 of the Charter of Fundamental Rights, and recognises that everyone “has the right to the protection of personal data concerning him or her”. In contrast to a Directive, a Regulation is enforceable by law. Central to data protection is the concept of personal data itself. Many of the principles that form GDPR reflect the core principles of the Directive and the definition of personal data, as outlined in Article 4(1) of GDPR, includes “any information relating to an identified or identifiable natural person (‘data subject’)”. This includes names, surnames, home address, email address, or an identifier number or data held by a hospital/doctor that could be used to identify a living individual. Furthermore, the existence of special categories of personal data, referred to as sensitive personal data, adds another layer of complexity. Sensitive personal data are outlined in Article 9(1) GDPR and include data pertaining to ethnicity, sexual orientation, religious beliefs, trade union membership, and genetic data (chromosomal/DNA) derived from biological samples.

Becoming compliant with GDPR starts with GDPR awareness, understanding data subject rights, choosing the appropriate lawful basis for data processing activities (Article 6 GDPR), and understanding the principles which are embedded in GDPR, including those relating to processing of personal data (http://eugdpr.org/the-regulation/). It is stated under Article 4(2) of GDPR that virtually any use of personal data, from collection and recording, to retrieval and dissemination, storage, and finally erasure or destruction, constitutes “processing”, with significant accountability required. An integral part of achieving compliance with these regulations requires a developed understanding of the responsibilities of the users of personal data, including “data controllers” and “data processors”. The definitions of data processors and data controllers under Article 2 of the Directive are virtually identical to the definitions now contained in Article 4 of the GDPR. A data controller is an individual or legal person(s) such as a company, department, or organisation, which under Article 4 of GDPR “determines the purposes and means of the processing of personal data”. Moreover, and perhaps one of the more significant changes from the Directive, is the allowance of more than one data controller or “joint controller” (Article 26 GDPR). Joint controllers can determine the purpose and means of data processing, although this may not imply equal responsibilities. In contrast, the data processor is a separate legal entity. The formal definition (GDPR Article 4) states that a processor means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. Unlike previous legislation, data processors now have duties and responsibilities that are directly applicable and can be directly enforced to ensure GDPR compliance. Moreover, data processors need to assist controllers in various circumstances where relevant, for example, in a potential personal data breach notification or in considering a Data Protection Impact Assessment (DPIA). The principles of GDPR Article 5, regarding personal data processing, apply to data processors just as much as they apply to data controllers. Examples of data processors in health research might include transcription services and DNA sequencing/translation services. The agency to which testing or data manipulation is outsourced becomes the data processor.

Roles and responsibilities of the data controller

The data controller must adhere to what is stipulated under Article 5 GDPR, which states that personal data must be processed lawfully, fairly, and in a transparent manner (“lawfulness, fairness and transparency”). The personal data must be collected for specified, explicit, and legitimate purposes (“purpose limitation”) and must be adequate and necessary in relation to the purposes for which it is collected (“data minimisation”). Personal data must be accurate, kept up to date (“accuracy”), and retained for no longer than is necessary (“storage limitation”). Personal data must be processed in a manner that ensures appropriate security (“integrity and confidentiality”). The data controller must also be able to demonstrate compliance (“accountability”).

With respect to data subjects, it is important that transparent information is provided to the intended subjects by the data controller on the methods by which their data will be processed. A patient/participant information leaflet (which fulfils the transparency requirement of GDPR) should be designed using easy-to-understand plain language for the intended audience and age category. The identity and contact details of the data controller must be provided, along with contact details (not necessarily the identity) of the Data Protection Officer (DPO). Transparency leads to trust, and therefore, information on the reasons and intended purposes for processing and legal basis of the same should be provided. Article 35 GDPR requires that data controllers carry out an impact assessment (DPIAs) for “high-risk processing” and implement measures to mitigate a risk. In turn, data processors are required to inform data controllers of any data breach, which must be reported to the office of the Data Protection Commissioner (DPC) within 72 hours where there is a risk to the rights of the data subject.

The data subject

GDPR has made significant advances on the rights of the data subject and includes the right to rectification of inaccurate data in a timely manner (Article 16), the right to be forgotten or right to erasure of personal data (Article 17), and the right to object to processing of personal data (Article 21). In addition, the rights of data subjects under GDPR extend to accessing their own personal data (Article 15). Within 1 month of receipt of such a request, the data controller must respond and, upon verification of the identity of the data subject, should provide, at no cost, a copy of the requested personal data in a concise, transparent, and easily accessible form. The response time may be extended by 2 months if a request is complex, and the controller may charge a reasonable fee for further copies of personal data that is undergoing processing. Thus, GDPR is designed to ensure actual accountability of data controllers, and their responsiveness will be heightened by the possibility of levied fines. Non-compliance can result in fines of up to €20 million or 4% of the total worldwide annual turnover of the preceding fiscal year. Data subjects can sue both controllers and processors for compensation for damages resulting from a breach of GDPR.

GDPR and Health Research Regulations

The measures for data processing provided for in Section 36 of the Data Protection Act 2018 are given further and more specific effect (Fig. 1) through Ireland’s Health Research Regulations (HRR) 2018 (formally titled Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018). It is these regulations which differentiate Ireland from many of our European counterparts and which may impact most severely on medical research in Ireland.

Fig. 1: How the Health Research Regulations integrate with GDPR and Irish Legislation

The HRR provide for the following six main points of information:

1. An outline of the mandatory suitable and specific measures for the processing of personal data for the purposes of health research (Regulation 3(1))

2. A definition of health research (http://www.irishstatutebook.ie/eli/2018/si/314/made/en/pdf) for the purposes of the regulation (Regulation 3(2))

3. The possibility of applying for a consent declaration for new research (Regulation 5)

4. Transitional arrangements (https://www.hrb.ie/funding/gdpr-guidance-for-researchers/gdpr-and-health-research/consent/transitional-arrangements/) in respect of the granting of consent declarations for health research that is already underway (Regulation 6)

5. Establishment and operation of a committee of persons (https://www.hrb.ie/funding/gdpr-guidance-for-researchers/gdpr-and-health-research/consent/health-research-consent-declaration-committee/) to make decisions on applications for consent declarations, including an appeals process (Regulations 7–13 and Schedule)

6. Inclusion of several miscellaneous provisions (Regulations 14–16)

The HRR were signed into law by Ireland’s Minister of Health on August 8, 2018 and relate to processing of personal data for health research. GDPR 2018 allows member states the freedom to legislate at national level in certain areas, one of these being the processing of personal data for scientific and research purposes. GDPR 2018 did not however provide a definition of scientific research. HRR 2018 provides for the first time a legislative definition of “health research” and its focus is on health research only. The Irish Department of Health has indicated that the HRR does not apply to clinical audit, service evaluation, or clinical practice, but further regulations may follow in these areas in due course. The HRR lists the suitable and specific safeguards required when processing personal data for health research in Ireland.

Chief among these is the requirement for explicit consent of the data subject. This is a unique Irish addition to GDPR, because the European regulation, which took effect on May 25, 2018, did not require explicit consent, and allowed for data processing without consent subject to safeguards. The subsequent Irish legislation enshrines explicit consent for data processing; and in cases where this is not possible, the researcher must apply to the National Consent Declaration Committee (CDC) (https://hrcdc.ie/). The CDC, which is currently under construction, may issue declarations stating that in certain research studies, the public interest in conducting the study outweighs the rights of data subjects to be consented. However, the CDC has yet to meet. The introduction of an Irish requirement for explicit consent is unique among member states in the EU and will inevitably lead to restrictions on health research in Ireland.

Prior to GDPR and the HRR, the capture of consent remained a widely debated issue (https://www.hrb.ie/funding/gdpr-guidance-for-researchers/gdpr-and-health-research/consent/) with the main aim to strike an appropriate balance between the patient’s right to personal data privacy and the desirability of making data available for research. Anonymisation of patient records and/or freely given and informed patient consent were (and still are) the foundation stones of how medical research should be undertaken from a privacy perspective. Where consent was not obtained in relation to historical data, it was possible for data controllers to examine other options (such as pseudonymisation of data prior to processing) having exhausted other avenues for seeking consent, in order to legitimise access to such patient records.

The HRR draws a distinction between ongoing research, as that which received research ethics committee approval before the date of enactment of the new legislation (August 8, 2018) and research approved on or after this date. In the case of the latter, explicit consent is required, while “ongoing” research has a legislative transition period within which to obtain explicit consent, and where this is not possible or attempts are unsuccessful, to apply to the Declaration Committee for a consent declaration. More recently, further guidelines have been issued by the Department of Health (https://www.hrb.ie/fileadmin/1._Non-plugin_related_files/RSF_files/GDPR_guidance_for_researchers/Health_Research_Information_Principles.pdf). These guidelines contain information which must be provided to research participants and surpass the regulatory and legislative requirements of GDPR. The Department of Health indicated that these guidelines would be considered a mandatory requirement of an “informed consent”.

Without the Irish HRR, researchers in Ireland would have processed in accordance with Article 9(2)(j) and the safeguards set out under Article 89(1) under GDPR, exactly as is the case in other European member states including the UK. These safeguards include data minimization, pseudonymisation, and anonymisation where possible (consent is not a requirement).

GDPR and HRR: the ongoing challenges for research in Ireland

Of the 6 main “suitable and specific” measures listed in the Irish Government’s HRR, “explicit” consent is one of the biggest challenges facing researchers (for both ongoing and new research). Regulation 3(1)(e) of the HRR states that explicit consent is one of the mandatory “suitable and specific measures” that must be in place for the processing of data for health research purposes unless the researcher has been granted a consent declaration under Regulation 5 or under the transitional arrangements (Regulation 6). This will be problematic for most (if not all) ongoing research where the re-consenting of participants/patients is required. Re-consenting must be balanced against other concerns, such as the need to avoid negative implications for research subjects and implementation issues, for example:

a. The participant may not be alive or, if alive, may wish to put behind the difficulties of a previous illness. In this context, re-consenting individuals or contacting relatives for consent could be upsetting and stressful to both living participants and/or their relatives.

b. The time and resources needed to re-consent, depending on the size of the study involved, could prove insurmountable. According to the Department of Health, this may not be a valid reason when approaching the declaration committee, but it is clearly a matter of significant concern to clinical researchers.

c. Re-consent can produce anxiety or confusion in some subjects and may make some feel that their privacy has been violated, if they did not give permission to be re-contacted [1, 2].

At this moment, there appears to be limited understanding by the Department of Health of how this specific measure could potentially result in the termination of very important research and negatively impact on the health of the nation. Where explicit consent cannot be obtained, the next option for the researcher is to apply before April 30, 2019 for a consent declaration (Regulation 5), but this too has significant challenges, just a few of which are outlined below:

1. The Department of Health anticipates that the CDC will meet once a month to deal with “exceptional” and “rare” research studies where explicit consent could not be obtained. It is not clear what is meant by the terms “exceptional” and “rare” when it is obvious that a significant number of new and ongoing studies will need to avail of this mechanism.

2. The volume of applications which will require a consent exemption will exceed the capacity of a once-monthly meeting of a single committee.

3. There will be a wide variety of applications submitted, from low- to high-risk studies, with, as it stands, no streaming or segregating plans for applications.

The transitional arrangements with respect to granting consent declarations for health research that is already underway (Regulation 6), in addition to the logistical issues listed above, create yet another obstacle facing researchers. The transition or grace period to become GDPR/HRR compliant was 9 months from the date the HRR were signed into effect on August 8, 2018 by the Minister for Health; but, given that the first meeting of the CDC was planned for January 2019 and the grace period terminates on April 30, 2019, researchers have not been given sufficient time to achieve compliance, nor indeed has the committee been given adequate time to meet and consider multiple applications. The establishment and operation of a committee of persons to make decisions on applications for consent declarations, including an appeals process (Regulations 7–13 and Schedule), adds further to the concerns of the research community, given the inertia which inevitably impedes any committee, especially a large one.

In relation to ongoing and new research, the three main areas of research considered to be most are as follows:

1. Retrospective chart reviews: the latest update from the Department of Health regarding this important type of research was published on 26th November 2018 on the Health Research Board website and states:

“As regards Retrospective Chart Reviews carried out for research purposes, and having consulted with the Data Protection Commission, it has been determined that the requirement for explicit consent will commence on 1st May 2019. This is to allow hospitals and other data controllers who carry out such reviews to adapt their procedures to capture the relevant explicit consent from patients. All other suitable and specified safeguards set out in the Health Research Regulations will continue to apply in the interim period as will other requirements arising under the General Data Protection Regulation. Where a hospital or other data controller does not use this time to put a mechanism in place to capture explicit consent for retrospective chart reviews for research purposes then applications to the Consent Declaration Committee for a consent declaration for such reviews will be unlikely to succeed” (https://www.hrb.ie/funding/gdpr-guidance-for-researchers/health-research-regulations-2018-faq/).

Thus, retrospective chart reviews shall be permitted subject to data controllers finding mechanisms to capture explicit consent for chart reviews by May 1st, 2019. However, there is no guidance as to how this can be done. Clearly, a common, national approach across all hospitals is required with guidance from the DPC’s office, and possibly also with some form of HSE information campaign, but individual data protection officers/data controllers in each institution cannot be expected to resolve this problem in isolation. This area is not viewed as a priority by the Department of Health despite the significant impediments created for researchers and for those involved in clinical medicine by not being able to review patients’ charts. Chart review is one of the most widely used research methods and is often the prelude to other more interventional studies. Chart review also forms an integral part of patient care. It is also clear that the volume of retrospective chart review studies has been underestimated by the Department of Health. In the absence of a nationally agreed health policy, all studies involving chart reviews will have to apply to the HRR committee for a consent declaration. Workable solutions to this include dealing with this type of study in a different fashion to other studies, i.e. setting up a sub-group of the CDC to specifically deal with chart reviews and adoption of a fast-track approach by the CDC. Alternatively, the Department of Health could recognise the reality on the ground and permit chart reviews by the healthcare professionals involved in providing clinical care for the cohort of patients under review. Furthermore, the traditional paper chart is likely to be replaced by the electronic patient record within the next 5 years. Already, virtually all of Ireland’s radiology records are digital and are centralised and accessible in a national integrated medical imaging system, with Ireland’s national pathology records set to be integrated in a national laboratory information system over the next 2 years. Several disease-specific electronic patient records have already been established. As a research tool, a national electronic patient record has the power to be transformational for Irish healthcare and requires the best efforts of all those involved in the delivery of Irish healthcare and the DPC to determine how best to deploy this resource to the benefit of all Irish citizens.

2. Biobanks/archival material: In this area, re-consenting is a major issue, and not using the millions of valuable and carefully documented tissues archived in Irish Pathology Departments and in the many designated disease-specific biobanks for research poses the most serious threat to health research progression and subsequent future treatment for Irish patients affected by a wide variety of health conditions such as epilepsy, cancer, heart disease, and potentially fatal childhood skin disorders, to name but a few. The recent guideline document published by the Department of Health touched on how GDPR and the HRR might apply to biobanks. The HRR addressed the matter of broad consent in line with Recital 33 and the Article 29 Working Party Guidance on Consent (April 2018). The HRR state as follows: “explicit consent has been obtained from the data subject, prior to the commencement of the health research, for the processing of his or her personal data for the purpose of specified health research, either in relation to a particular area or more generally in that area or a related area of health research, or part thereof”.

Where broad consent is being sought, the information principles relevant to informed consent (set out in this guideline) apply. They state that it is for the researcher to provide such information as is necessary and appropriate so that the individual knows what he or she is consenting to in terms of the research for which and by whom his or her information may be used. That is particularly so when broad consent is being sought from the individual. According to the Department of Health guidelines, blanket consent (use of a high-level statement seeking consent for future unspecified purposes) is not an option and should not be sought. It should be noted that GDPR does not apply to biological samples, per se, but applies fully to the personal data associated with those samples. In relation to biobanks and broad consent, evolving best practice and recommendations in the field of biobanking research, even in advance of the GDPR, is for researchers to try to the greatest extent possible to describe future uses and to provide information on governance and objectives of the biobank (https://www.hrb.ie/fileadmin/1._Non-plugin_related_files/RSF_files/GDPR_guidance_for_researchers/Health_Research_Information_Principles.pdf). However, not permitting blanket consent is extraordinarily restrictive. In many jurisdictions, research is viewed as an integral part of patient care and biobanking is a major building block of that research. Patients entering a teaching hospital should expect that the hospital utilises practices which are at the cutting edge of diagnosis and treatment. In order to enable these practices, biobanking (and indeed, chart reviews) is essential and it does not seem overly intrusive to ask individual patients to give blanket consent for biobanking on entering a hospital with the understanding that their personal information will be treated with the utmost care.

3. Research with individuals who lack capacity to consent: This is an area of great concern, particularly in the fields of emergency medicine and in the treatment of those with intellectual disability. There is a significant danger that these individuals will be denied access to life-saving treatments in the event of a too draconian application of the HRR. There is uncertainty around who can give consent where capacity is lacking (e.g. patients unconscious or in severe distress in intensive care units or in emergency departments and those with intellectual disability). It is unclear at what point consent may or should be obtained, or indeed from whom if lack of capacity is permanent. In addition, the Assisted Decision Making Capacity Act 2015 is up to 2 years from being finalised. The Department of Health is drafting capacity guidelines in conjunction with the DPC’s office and, in doing so, is considering the risk-benefit approach. The challenge here is that while the guidelines may cover lack of capacity, from the DPC’s perspective this will not negate an individual’s right to take a civil action. Research ethics committees have been advised that until further guidelines are released, the evaluation of research studies involving individuals who lack capacity should involve a risk-benefit analysis to enable a decision on a case-by-case basis.

Ongoing unanswered questions

  • Consent declaration committee: The first meeting of this committee was scheduled for January 2019, 3 months before the “transition” period ends. This is obviously too short a time frame. Researchers have been advised by the Department of Health that they must provide evidence of their efforts to comply with GDPR since 2018 if they wish to seek an extension. It should be noted, and taken into account by the CDC, that the “Explicit Consent” requirement only came into effect in August 2018, meaning it was not possible to prepare for this eventuality before the third quarter of 2018. It should also be noted and taken into account by the CDC that the majority of research was in fact in compliance with Article 9(2)(j) and the safeguards outlined in Article 89 of GDPR, namely pseudonymisation, minimisation, and anonymisation implemented where appropriate.

  • Who is responsible for ensuring compliance? Apart from the original and obvious role of the Research Ethics Committees (REC) to review ethical aspects of research applications, there seems to be some misunderstanding as to who should ensure compliance. The role of the REC is also outlined in the recently published consent guideline document issued by the Department of Health (Ref 6), but it is unclear whether the information outlined in this document is required to be included in the information leaflet. The data controller and the institution which employs the researcher have overall responsibility, but accountability is inadvertently diverting to RECs to provide guidance, advice and information, a role for which they are not trained and are poorly resourced. It is the role of the DPO to advise the data controller and/or institution of their legal requirements to ensure they are GDPR and HRR compliant. Ultimately, it is the data controller who will be held accountable for any data protection breaches. Similarly, researchers need to define who the data processor is. This is not clear-cut, as the legal definitions must be clearly understood before individuals can be named.

  • Audit: Some confusion remains as to what constitutes audit as opposed to research with the possibility that researchers will seek to “re-name” their work so they can avoid compliance issues.

  • Specific areas of confusion:

1. What type of research requires a DPIA, and how can researchers access expertise to help them in this area, given the serious implications of getting it wrong?

2. How can personal data be anonymised? Is true anonymisation possible?

3. How can research be permitted without explicit consent? Is this subject to data controllers modifying transparency statements to inform data subjects of the possibility of same? If so, how is this to be done and when?

Recommendations

1. Permit chart reviews for medical research by healthcare professionals involved in the provision of clinical care for the cohort of patients under review.

2. Seek broad consent from patients about to undergo surgical and medical resections for biobanking of their tissues which are surplus to the diagnostic pathology procedures, with the understanding that research conducted on these tissues will have been placed before and approved by a research ethics committee.

3. Triage and allocate work of the CDC to sub-committees with mandates to provide guidelines in each of these 3 areas:

   (a) Biobank/archival material (pathology archives: material collected for clinical purposes in which obtaining consent for individual projects is no longer feasible, for one of the reasons set out above)

   (b) Retrospective chart reviews (low risk, huge public benefit) and provision of guidelines on the use of the electronic patient record in research.

   (c) Studies for which consent adhered to the previous legislation. A fast-track approach should be considered where all patient information leaflets, protocols, and any other relevant documentation (permissions, previous ethical approval documentation) are in place.

Conclusion

GDPR and HRR have the potential to ensure better patient protection in our health system but the application of these processes to Ireland as set out by the Department of Health is problematic, challenging, resource-intensive, and costly. The Department of Health has taken a unique and arguably restrictive approach to data protection in Ireland which is quite at variance from our European colleagues and which if followed through as outlined will impact negatively on patient care and clinical research in Ireland. In this paper, we have outlined the potential benefits and challenges of GDPR and HRR and have suggested solutions in the Irish context which we feel would safeguard patients’ rights while at the same time protecting their access to newer treatments and diagnostics.