Our current data protection laws were created when the internet was in its infancy, before the advent of social media and when nobody had heard the term ‘big data’. The General Data Protection Regulation (GDPR), which comes into effect at the end of May, will modernise and overhaul the legal framework for privacy and the protection of personal data across the EU.
In the run-up to May, the GDPR is getting a lot of attention, not least because every organisation that processes personal data will need to comply or risk some hefty sanctions from the Information Commissioner’s Office (ICO), the UK’s data protection regulator. In this post, we’ll run through some of the key features of the GDPR that are relevant to research using patient data.
The definition of ‘personal data’ in the GDPR is more expansive and detailed than current data protection law. As well as applying to things that obviously identify an individual, such as name, address and date of birth, information such as a computer’s IP address or genetic sequence data can also be considered personal data. These definitions reflect changes in technology, the capacity to link data to identify individuals and the way organisations collect information about people.
“Processing” means doing just about anything with data – whether storing, analysing or passing it on to others.
Many researchers use data from health or clinical records, but do not want or need identifying information. In these cases, data is often “pseudonymised”, for example by replacing the person’s name with a code. Pseudonymised data is still considered personal data and falls within the scope of the GDPR.
The ICO is currently considering whether data that has been through a process of “pseudonymisation” could technically be anonymous if enough safeguards and controls are in place to prevent re-identification. This may depend on what other information the controller has access to and whether there are technical barriers to re-linking that code back to a particular individual. Guidance on this from the ICO will be extremely valuable for the health service and research community, so that they can be sure they are protecting data appropriately.
This means “pseudonymised” data is on a spectrum and the term “pseudonymised” alone doesn’t tell you what the appropriate rules are about protecting that data. You have to take into account the environment the data is held in as well. It’s not the easiest concept to explain as there is no hard and fast definition. What is clear is that the more easily identifiable a person might be from the data, the more controls, safeguards and protections need to be put in place around it, to reduce the risk of re-identifying a person from that data.
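As an added illustration (not part of the original post), the following Python script works through the point above on a small constructed dataset. It stands in for the post's "replacing the person's name with a code" by deriving the code with an HMAC under a key that the data controller holds (a choice assumed here; the post does not say how the code is produced), shows that anyone holding that key can link the codes straight back to names, and then shows that even with the name gone, the remaining date of birth and postcode can make a record unique, which is why the environment and the other data held matter as much as the label "pseudonymised". The patient records and the key are invented placeholders.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records: fictional people and invented values.
RECORDS = [
    {"name": "Alice Example", "dob": "1980-04-12", "postcode": "AB1 2CD", "diagnosis": "asthma"},
    {"name": "Bob Sample", "dob": "1975-09-30", "postcode": "AB1 2EF", "diagnosis": "diabetes"},
    {"name": "Carol Fictional", "dob": "1980-11-02", "postcode": "AB1 3GH", "diagnosis": "asthma"},
    {"name": "Dan Placeholder", "dob": "1975-01-15", "postcode": "AB1 2CD", "diagnosis": "hypertension"},
]

# Fields that do not name a person on their own but can single one out in combination.
QUASI_IDENTIFIERS = ["dob", "postcode"]


def patient_code(name, key):
    """Keyed code standing in for the name (assumed HMAC-SHA256 scheme).

    A keyed MAC is used rather than a plain hash so that someone without the
    key cannot simply hash a guessed name and compare it against the codes.
    """
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace the direct identifier (name) with a code; every other field is kept."""
    out = []
    for record in records:
        new = {field: value for field, value in record.items() if field != "name"}
        new["patient_code"] = patient_code(record["name"], key)
        out.append(new)
    return out


def relink(pseudonymised, key, candidate_names):
    """What the key holder can do: rebuild the code-to-name mapping from a
    list of names (for example a clinic register). Codes map back to people,
    which is why pseudonymised data is still personal data for the controller.
    Without the right key every code maps to None."""
    lookup = {patient_code(name, key): name for name in candidate_names}
    return {rec["patient_code"]: lookup.get(rec["patient_code"]) for rec in pseudonymised}


def smallest_group(records, fields):
    """Size of the smallest set of records sharing the same quasi-identifier
    values. A result of 1 means some record is unique in the dataset and can be
    picked out without any name at all."""
    counts = Counter(tuple(rec[f] for f in fields) for rec in records)
    return min(counts.values())


def generalise(records):
    """Reduce precision of the quasi-identifiers (year of birth only, postcode
    area only) so that more records share the same values."""
    out = []
    for record in records:
        new = dict(record)
        new["dob"] = record["dob"][:4]
        new["postcode"] = record["postcode"].split()[0]
        out.append(new)
    return out


if __name__ == "__main__":
    key = b"controller-held-secret-key"  # placeholder; kept by the data controller only
    coded = pseudonymise(RECORDS, key)
    print("pseudonymised:", coded)
    print("relinked with key:", relink(coded, key, [r["name"] for r in RECORDS]))
    print("relinked without key:", relink(coded, b"wrong-key", [r["name"] for r in RECORDS]))
    print("smallest group before generalising:", smallest_group(coded, QUASI_IDENTIFIERS))
    print("smallest group after generalising:", smallest_group(generalise(coded), QUASI_IDENTIFIERS))
```

Run as written, the script shows the two ends of the spectrum the post describes: with the key and a name list, every code is recovered, so the controller must treat the coded records as personal data; with the key withheld, the codes alone reveal nothing, but the date of birth and full postcode still leave each record unique until they are generalised.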
Your rights and knowing how data is used
The GDPR strengthens your rights over your personal data. There are exceptions, but broadly, you will have greater rights to be provided with information about what data about you is being processed, by whom, why and how. It’ll also be easier to object to your personal data being used where you have a right to do so. Other new rights are about correcting inaccurate data, erasing the data and moving it to another service provider.
Data controllers will be much more accountable for what they do with personal data and how they protect it. They’ll need to actively demonstrate how they comply with the legislation: this will mean clearer processes, better documentation and more transparent decision-making about how data is used.
Much bigger penalties are being introduced for breaching the new Regulation: up to €20 million or 4% of global turnover. The penalties should act as a serious deterrent against misuse. They will prompt organisations that use personal data (including researchers) to ensure they comply with the new law. This is great news for citizens’ rights.
Consent and lawful bases
The GDPR sets a high bar where consent is used as the lawful basis for processing personal data. It must be freely given, specific, informed, unambiguous and affirmative. This will mean an end to pre-ticked boxes in terms and conditions or consent forms.
Many research studies would struggle to meet the ‘specific’ requirement, as it is not always possible to anticipate how data might be used. For example, novel questions may arise as science advances, or the data could be used in a different way by another research team. For research we tend to want the data collected to be used as widely and as usefully as possible, while protecting confidentiality.
One consequence of this higher bar for consent is that consent might not be the most appropriate lawful basis when processing data for research purposes. For research studies that collect new data from participants, consent will still be very important in order to comply with fairness and transparency requirements, but it might not meet the stricter standards required to use it as a lawful basis.
It is a common misconception that consent is always needed for any processing of personal data, but there are alternative lawful bases set out in the GDPR. Academic and hospital researchers are most likely to use “task in the public interest” as a lawful basis. In general this means that the processing is not done for any commercial or private gain but rather for societal benefits. Charities and private organisations undertaking research may be able to use “legitimate interests” as their lawful basis.
Additional safeguards are required if “special categories” of data, which include health and genetic data (along with data about racial or ethnic origin, religious beliefs, and political views), are being used for research. The “special categories” of personal data are considered especially sensitive: a further condition is required and there are stricter requirements to meet if these types of data are being used. These safeguards include minimising the amount of personal data required, for example by anonymising data where possible rather than using personal data.
Fairness and transparency
In preparing for GDPR, the ICO is emphasising the importance of fairness and transparency as core principles that data controllers should always have in mind, whether they are using consent as their basis for processing or not. It’s really positive that, as the GDPR comes into force, the NHS and academic researchers should be providing more information about how patient data is collected, stored, kept secure and used.
The GDPR is a piece of EU legislation, but it will still matter to the UK after Brexit. A new Data Protection Bill, which will repeal the current Data Protection Act (1998), is currently making its way through the UK Parliament. The Bill largely replicates the GDPR but makes it UK-specific. After the UK has left the EU, our data protection laws will almost mirror those of the EU. A great deal of valuable research happens across borders so it’s important that the legal frameworks for data protection stay closely aligned between the UK and EU.
Guidance and more information
The ICO has produced some great resources on GDPR, providing everything from simple overviews to more detailed guidance on implementation to help organisations prepare.
The Health Research Authority has produced guidance for health researchers on how to ensure their studies comply with the GDPR; this provides a good overview of the changes to the law relevant to how data is used in health research.
Additionally, the Information Governance Alliance will be publishing guidance soon to help clinicians, the NHS and care organisations prepare for the GDPR.