LABORATORY INFORMATICS GUIDE 2016 | DATA PROTECTION ➤
justified on the basis of (explicit) consent or another legal ground specified in Article 7 of the DPD. It should be noted that consent to inclusion in a clinical trial is not equal to the consent often required for the (further) processing of (sensitive) personal data [25], e.g. for inclusion in an aggregated dataset that is used for other research. The GDPR introduces a specific legal ground [26] for processing personal data, which is necessary for archiving purposes in the public interest, or for historical, statistical or scientific purposes. The processing of such data is lawful if the conditions and safeguards under Article 83 GDPR are also met. If research relies upon the reuse of existing data sets, data controllers would need to demonstrate that the further processing of the data for research is compatible with the original purposes for collection of the data. [27] In this regard the Council’s Article 5(1)(b) of the GDPR is helpful, as it provides that further processing of personal data for scientific, statistical or historical purposes that is in accordance with Article 83 – the reuse of data for research – would automatically be considered ‘compatible’ and in compliance with the principle of purpose limitation. The problem here is that the scope of consent initially obtained from the patient does not usually permit further processing, because no consent was obtained for anything other than a specific test. If compliance with Article 83 is not possible, another legal ground for processing needs to be satisfied. In practice, this legal ground may be found in obtaining consent [28] from the data subject. In recital 25 of the Council’s text, the difficulty of identifying all scientific purposes at the time of data collection is acknowledged. ‘Therefore data subjects can give their consent to certain areas of scientific research when in keeping with recognized ethical standards for scientific research.’ This seems to be a valuable recognition of broad consent in the context of research, which is crucial for longitudinal studies and the application of big data analytics in research.

RECOMMENDATIONS

This article has discussed the impact of just a few key concepts of data protection law on laboratory informatics. In the light of the upcoming changes under the GDPR, we recommend that laboratories revisit what personal data is collected and processed and determine whether it is caught by the personal data requirements. The extended scope of sensitive data – including genetic data – attracts a greater protection under the GDPR. As unlawful processing of personal data may give rise to penalties of up to two per cent to five per cent of worldwide turnover, the risk of non-compliance under the GDPR has to be taken seriously. To ensure compliance with data protection law in the future, the appointment of a data protection officer becomes mandatory under the GDPR for data controllers and processors that employ 250 persons or more, or that process the personal data of 5,000 or more people. Also, privacy impact assessments become mandatory for processing of personal data concerning health.

Erik Vollebregt and Sofie van der Meulen are with Axon Lawyers, Amsterdam

30 | www.scientific-computing.com/lig2016

[1] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[2] Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, COM(2012) 11 final.
[3] Processing of personal data covers any operation or set of operations performed on personal data such as: collecting, capturing, ordering, saving, modifying, looking up, use, sending to, spreading by means of making accessible, bringing together, linking, hiding or destroying (partially) personal data. The DPD applies to both automated and manual data processing that is entered in a file or intended to be entered therein. The processing must be limited to only those activities that are necessary to fulfill the identified purposes for which the data were collected.
[4] Article 2(a) DPD. See also Opinion 04/2007 of Article 29 Data Protection Working Party on the concept of personal data.
[5] Definition of ‘controller’ in Article 2(d) DPD: ‘the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.’
[6] This means that a mere hypothetical possibility to single out the individual is not enough to consider the person as ‘identifiable’. If, taking into account ‘all the means likely reasonably to be used by the controller or any other person’, that possibility does not exist or is negligible, the person should not be considered as ‘identifiable’, and the information would not be considered as ‘personal data’. The criterion of ‘all the means likely reasonably to be used either by the controller or by any other person’ should in particular take into account all the factors at stake.
[7] Recital 26 DPD.
[8] Definition (Council Preparation of a General Approach 15 June 2015): ‘Genetic data’ means all personal data relating to the genetic characteristics of an individual that have been inherited or acquired, (…) which give unique information about the physiology or the health of that individual, resulting in particular from an analysis of a biological sample from the individual in question.
[9] Definition (Council Preparation of a General Approach 15 June 2015): ‘Biometric data’ means any personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual that allows or confirms the unique identification of that individual, such as facial images, or dactyloscopic data.
[10] Definition (Council Preparation of a General Approach 15 June 2015): ‘data concerning health’ means data related to the physical or mental health of an individual, which reveal information about his or her health status.
[11] Personal data is defined as: ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly (…), in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.’ (Council position 15 June 2015)
[12] Recital 25a (Council Preparation of a General Approach 15 June 2015) mentions: ‘in particular by chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis or analysis of any other element enabling equivalent information to be obtained.’
[13] See Recital 26 GDPR (Council Preparation of a General Approach 15 June 2015): ‘Personal data concerning health should include (…) data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health of the data subject; including information about the registration of the individual for the provision of health services (…); a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; (…) information derived from the testing or examination of a body part or bodily substance, including genetic data and biological samples; (…) or any information on for example a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as for example from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.’
[14] Article 9 GDPR (Council Preparation of a General Approach 15 June 2015).
[15] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, WP216.
[16] For example: further processing has to be compliant with the principle of purpose limitation. See Article 29 Data Protection Working Party Opinion 03/2013 on purpose limitation.
[17] Recital 26 DPD.
[18] The Article 29 Data Protection Working Party was set up under the DPD. It has advisory status and acts independently. (See: http://ec.europa.eu/justice/data-protection/article-29/index_en.htm)
[19] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, WP216.
[20] See John Bohannon, Genealogy Databases Enable Naming of Anonymous DNA Donors, Science, Vol. 339, No. 6117 (18 January 2013), p. 262.
[21] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, p. 10.
[22] Recital 23 GDPR (Council Preparation of a General Approach 15 June 2015).
[23] Article 4(3)(b) (Council Preparation of a General Approach 15 June 2015).
[24] The Article 29 Data Protection Working Party urges the European Commission not to define pseudonymous data as a new subset of personal data allowing for derogations from obligations under the GDPR. (Letter from the Article 29 Data Protection Working Party on Trilogue to Ms Věra Jourová, Commissioner for Justice, Consumers and Gender Equality of the European Commission, 17 June 2015.)
[25] If consent is given in a written document, and that document also concerns other matters, the consent for the use of personal data must be presented in a form that is clearly distinguishable from the remaining contents of that document.
[26] Article 6(2) GDPR (Council Preparation of a General Approach 15 June 2015).
[27] According to the principle of purpose limitation.
[28] According to Council’s Article (1)(a) GDPR, unambiguous consent to the processing of personal data for one or more specific purposes is required. Furthermore, consent should be freely-given, informed and specific (for specific purposes).