June 10, 2021
“Research should pursue science advancement and public health development while respecting the dignity, autonomy, privacy and confidentiality of individuals.”
The Taipei declaration
The European Union’s General Data Protection Regulation (GDPR), which came into full effect in 2018, has increased regulatory oversight and subsequent potential sanctions that have caused uneasiness within the biobanking and databanking circles. The EU GDPR has posed stringent restrictions on the use of banked data and associated biospecimens for use in secondary research. Consequently, the protection of health and genomic data is of significant importance in the implementation of the EU General Data Protection Regulation (GDPR).
GDPR is overseen by ethics committees and data access committees (DACs) that limit the access and use of personal data. Ideally, these committees should be equipped with the expertise to regulate the use and sharing of genomic data and provide overall governance over personal data processing taking into account individual or social concerns that may not be explicitly laid out in the legal provisions. Unfortunately, the oversight bodies may sometimes lack adequate tools to carry out their full function. Recent advances in data science and bioinformatics may further complicate the process as the parameters may become “moving targets.”
DACs provide an extra layer of oversight over the research ethics committee oversight which is given at the start of the research. They receive direct data access requests from researchers and either approve or disapprove their access to data. As much as they are not mentioned in the GDPR, they have a crucial role to play in the governance of data access and data sharing in compliance with the overarching GDPR principles.
The governance of biobanks in view of the GDPR has three major models of data access: open access, controlled-access, and registered access.
Open-access models means that the data is available through various online platforms and can be easily accessed without any constraint. This is mainly used when the data being shared is mainly aggregate data and not personal level information.
In this model, data controllers set rules to limit access to health and genomic data. Data Access Committees (DACs) may be used to review data access requests and either approve or disapprove them. Data access agreements are used to ensure accountability and prevent the potential misuse or abuse of the protected data.
Registered access is mostly used for data that is low risk (or non-stigmatizing) and access granted to bona fide researchers who have to be registered. This model requires authentication, authorization and attestation.
The GDPR fails to provide clear legal guidance on the processing of personal data for secondary research purposes. The GDPR interpretation of pseudonymized and anonymized data as identifiable data (recital 26) have a far reaching impact on the implementation of privacy laws.
As defined in Article 4(5), this is data that ‘can no longer be attributed to a specific data subject without the use of additional information, provided such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person’.
In summary, this refers to key-coded data which can be (potentially) traced back to research participants but still preserves the de-identification of the personal data in the day-to-day operations. Consequently, pseudonymized data is considered to be personal data which falls under the scope of the GDPR.
This is where the GDPR differs conspicuously from the Health Insurance Portability and Accountability Act (HIPAA) and other data protection laws. The GDPR’s definition of anonymized data is contextual. In some instances, if there is a ‘reasonable likelihood’ of re-identification, the data is considered as non-anonymous.
In this regard, key-coded data sets must be treated as fully identifiable data and are therefore subject to all requirements that apply. This imposes a new compliance obstacle to biobanks that routinely hold biospecimens and the related phenotypic and demographic data for secondary research purposes.
The GDPR also places restrictions on the cross-border transfer of personal data outside the EU. It has specific conditions for transferring data and biospecimens to non-EU countries. These materials can only be transferred to countries that implement similar standards to protect subjects’ privacy as well as their rights and freedoms.
Secondary research refers to research conducted using data or biospecimens that were collected for a different research or for non-research purposes, this includes clinical care.
Article 89(1) of the GDPR emphasizes technical measures that are needed to safeguard the rights of the data subjects during the collection and processing of such data for purposes of scientific research, but this has certain exemption rules.
Article 89(2) of the GDPR grants Member States some rights to exemptions from some of the data subjects’ rights. However, a certain threshold must be met for these rights to be waived:
These exemptions may be seen as an impediment, in light of the ethical requirements, to the protection of the privacy, autonomy, and confidentiality of the study participants.
The GDPR has both an oversight mechanism and a sanctions mechanism. The sanctions may come in the form of liability and compensation or administrative sanctions. Indeed, the huge potential for sanctions and administrative fines are precipitating factors for compliance with data protection laws.
A regulatory-compliant, configurable biospecimen management system can help biobanks overcome logistical and regulatory challenges and comply with GDPR privacy requirements. A biospecimen management system can help biobank staff to adhere to validated standard operating procedures (SOPs) while tracking and managing archived samples and active samples from multiple studies. Furthermore, it can help to harmonize and integrate data from different sources while adhering to GDPR data sharing requirements.
The General Data Protection Regulation (GDPR) was created to protect individuals’ personal data. However, it can place considerable constraints on the scientific research process. This may also pose a significant risk for biobanks that fail to comply with the GDPR and subsequent sanction risks are an imminent risk.
A biobanking LIMS solution allows biobanks to adhere to the strict GDPR requirements by limiting access to the data, providing a complete audit trail, and ensuring that data integrity is maintained through the entire biospecimen and data lifecycle.