This page contains a Flash digital edition of a book.
LABORATORY INFORMATICS GUIDE 2016 | DATA PROTECTION


DATA PROTECTION: WHAT EVERY LAB MANAGER NEEDS TO KNOW


A new European law will have far-reaching consequences for laboratory information. Erik Vollebregt and Sofie van der Meulen discuss the potential impact of the proposed General Data Protection Regulation


C


hanges to key concepts in data protection law – personal data, anonymisation and the processing of


personal data for research purposes – could impact data collected and processed in the laboratory. While the General Data Protection Regulation (GDPR) has not yet been formally adopted, it is clear that this new European law will have consequences for the use of personal data in laboratories. Currently, the European Data Protection


Directive (DPD) regulates the protection of personal data within the European Union.1 Although it has been transposed into the national laws of all 28 member states, this legal framework – which dates back to 1995, is considered fragmented, outdated, and unclear. The European Commission therefore proposed the GDPR in 2012.2


The aim was to


update data protection rules and harmonise divergent approaches across the EU member states. The fact that the GDPR is a ‘regulation’ instead of a ‘directive’ means it will be directly applicable to all EU member states without the need for national implementing legislation. As of June 2015, a general approach to the GDPR has been agreed by the Council of Ministers of the European Union, creating a compromised position between the European Commission’s and the European Parliament’s draft of the GDPR. The final outcome of the current


28 | www.scientific-computing.com/lig2016


tripartite negotiations is expected by the end of 2015. The GDPR will likely enter into force two years after the date of publication.


SCOPE OF THE OLD DPD: PERSONAL DATA Collecting and processing3


of (personal)


data may give rise to obligations under data protection law. According to recital 26 of the DPD (the existing directive), the principles of protection must apply to any information concerning an identified or identifiable person. Personal data is defined as ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’.4


To determine


whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller5


or by any other


person to identify the said person.6 The DPD does not apply to data rendered


anonymous in such a way that the data subject is no longer identifiable.7


Anonymised data would


therefore be data that previously referred to an identifiable person, but for which identification has become reasonably impossible. This concept evolves over time, because what is reasonably impossible depends on the state of the art of


SCOPE OF THE NEW GDPR: PERSONAL DATA The draft text of the proposed new GDPR introduces additional definitions for ‘genetic data’,8


‘biometric data’9 health’10 and ‘data concerning apart from a revised definition of


decryption technology. When the data that is processed does not fall within the concept of ‘personal data’, the consequence is that the DPD does not apply, pursuant to Article 3. The DPD also has a separate category of ‘sensitive personal data’. This is personal data that is given extra protection under the DPD, such as data relating to racial or ethnic origin, political opinions, and health or sex life.


RELEVANCE FOR LABORATORY DATA Data generated in an analytical laboratory will often include personally identifiable information, because the results need to be linked to an individual. For example, laboratory informatics systems may well deal with samples taken from human subjects. Depending on the measures taken, the data may fall outside the scope of data protection law as soon as the data is anonymised. Nevertheless, prior to anonymisation, the data still qualifies as personal data covered by data protection law. Software used for the management of clinical trials and biobanks will also almost always process personal data.


Maksim Kabakou/Shutterstock.com


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44