Published on 29.05.20 in Vol 6, No 2 (2020): Apr-Jun
Preprints (earlier versions) of this paper are available at http://preprints.jmir.org/preprint/19279, first published Apr 11, 2020.
COVID-19: Putting the General Data Protection Regulation to the Test
The coronavirus disease (COVID-19) pandemic is very much a global health issue and requires collaborative, international health research efforts to address it. A valuable source of information for researchers is the large amount of digital health data that are continuously collected by electronic health record systems at health care organizations. The European Union’s General Data Protection Regulation (GDPR) will be the key legal framework with regard to using and sharing European digital health data for research purposes. However, concerns persist that the GDPR has made many organizations very risk-averse in terms of data sharing, even if the regulation permits such sharing. Health care organizations focusing on individual risk minimization threaten to undermine COVID-19 research efforts. In our opinion, there is an ethical obligation to use the research exemption clause of the GDPR during the COVID-19 pandemic to support global collaborative health research efforts. Solidarity is a European value, and here is a chance to exemplify it by using the GDPR regulatory framework in a way that does not hinder but actually fosters solidarity during the COVID-19 pandemic.
JMIR Public Health Surveill 2020;6(2):e19279
As the severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) continues to spread around the globe, researchers are racing to understand and contain the pandemic, learn how to best treat patients with SARS-CoV-2 infection and the resulting coronavirus disease (COVID-19), and develop a vaccine. The COVID-19 pandemic is also very much a global health issue and requires collaborative, international health research efforts to address it. A valuable source of information for researchers is the large amount of digital health data that are continuously collected by the electronic health record systems of health care organizations. However, such digital health data typically exists in separate systems and researchers in many countries are currently severely hamstrung by the lack of integrated and comprehensive, publicly available, patient-level data regarding COVID-19. They are having to derive answers from limited analyses of small case series, while large amounts of relevant digital health data sits unexamined on hospital servers around the world. This situation has led to calls for a common, multinational, COVID-19 database to be created, pointing to the Medical Information Mart for Intensive Care (MIMIC) database at the Beth Israel Deaconess Medical Center in Boston as a model for publicly sharing deidentified electronic health data .
While setting up COVID-19-related databases for research makes obvious sense from a research perspective, there is also currently a broader societal reason why this is a good idea. Indeed, the COVID-19 pandemic has put solidarity into strong focus; many ongoing measures to contain the spread have been described as solidarity practices—that is, as prosocial behaviors to help and/or protect others, or collective resources such as health care systems, that are based on the recognition of a shared interest. Health databases and biobanks have also previously been framed as solidarity-based endeavors, and solidarity-based governance models have been proposed to reflect the prosocial motivation many people have toward such resources, which at the same time avoid some of the burden of the usual restrictive, autonomy-based governance models .
As the total deaths from COVID-19 continues to increase globally, the ethical and social imperative to quickly curtail the pandemic is clear. However, this does not negate the need for the use of digital health data to respect data protection regulations and patient privacy and confidentiality . In fact, although the scale of COVID-19 is clearly new, the ethical challenge of balancing confidentiality with public health has been well discussed [ - ].
With the epicenter of the pandemic currently shifting from Europe to the United States, the European Union’s (EU) General Data Protection Regulation (GDPR) will be the key legal framework with regard to using and sharing European digital health data for research purposes . However, concerns persist that the GDPR has made many organizations very risk-averse in terms of data sharing, even if the regulation permits such sharing. Health care organizations focusing on individual risk minimization threaten to undermine COVID-19 research efforts.
The European Data Protection Board has stressed the importance of protecting personal data during the COVID-19 pandemic. However, it has also noted: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic” . Indeed, article 9(2)(i) of the GDPR explicitly allows the processing of sensitive personal data (including genetic data, biometric data, and data concerning health) if it is “necessary for reasons of public interest in the area of public health.” Recitals 46, 52, 53, and 54 also explicitly acknowledge the need to sometimes process special categories of personal data for reasons of public interest in the area of public health.
Furthermore, article 9(2)(j) sets out a scientific research exemption for the processing of sensitive personal data, which could occur without consent if subject to appropriate safeguards, which may include pseudonymization (deidentification) (see article 89(1)) (). Researchers and health care organizations wanting to utilize and share patient-level data regarding COVID-19 from data subjects residing in the EU will need to be aware of the following:
- The GDPR applies to any personal data concerning an identified or identifiable natural person, but not to anonymous information. As the GDPR does not distinguish between anonymized and anonymous data, databases collecting identifiable data for research purposes will be excluded from the scope of the GDPR if the data are later rendered anonymized [ , ].
- Pseudonymized data is now recognized as personal data if it could be attributed to a natural person by the use of additional information. Given pseudonymized health data is what health care databases typically use, recognizing pseudonymized data as personal data may result in more bureaucracy, particularly for those countries that currently consider pseudonymized data to fall outside the scope of personal data [ , ].
- The processing of special categories of personal data (“sensitive personal data”), including genetic data, biometric data, and data concerning health, shall be prohibited under the GDPR unless certain conditions applies. Health care databases using pseudonymized sensitive personal data will need to either obtain explicit consent from the data subject or for the data to be processed under the scientific research exemption set out in the GDPR, which could occur without consent if subject to appropriate technical and organizational safeguards [ , ].
In our opinion, there is an ethical obligation to use the GDPR scientific research exemption clause during the COVID-19 pandemic to support global collaborative health research efforts. However, while the provision is there, researchers and research institutions in Europe have been reluctant to use it, likely due to fear of the difficulties that may be caused by their national bodies. In fact, consortia funded in the current H2020 funding scheme by the European Commission have overwhelmingly used other more burdensome legal justifications, such as informed consent, than the research exemption.
This is not sufficient for the current situation. COVID-19 is a real test for the GDPR. There is a strong ethical case that countries use the regulatory leeway the GDPR provides for enabling health data to be used for research purposes and that they support health care organizations and investigators to invoke the research exemption confidently in the context of a global pandemic. Recent research in some European countries also suggests that many people would accept the secondary use of their data for health-related research under the research exemption, based on prosocial motivations such as solidarity . Solidarity is a European value, and here is a chance to exemplify it by using the GDPR regulatory framework in a way that does not hinder but actually fosters solidarity during the COVID-19 pandemic.
|GDPR article||Relevant sections|
|Article 9: Processing of special categories of personal data||Section 1: Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.|
Section 2: Paragraph 1 shall not apply if one of the following applies:
|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes||Section 1: Processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.|
LAC is funded by the National Institutes of Health through NIBIB R01 EB017205.
Conflicts of Interest
- Cosgriff C, Ebner D, Celi L. Data sharing in the era of COVID-19. The Lancet Digital Health 2020 May;2(5):e224 [FREE Full text] [CrossRef]
- Prainsack B, Buyx A. A solidarity-based approach to the governance of research biobanks. Med Law Rev 2013 Jan 16;21(1):71-91. [CrossRef] [Medline]
- Ienca M, Vayena E. On the responsible use of digital data to tackle the COVID-19 pandemic. Nat Med 2020 Apr;26(4):463-464 [FREE Full text] [CrossRef] [Medline]
- Wallis KA, Eggleton KS, Dovey SM, Leitch S, Cunningham WK, Williamson MI. Research using electronic health records: Balancing confidentiality and public good. J Prim Health Care 2018;10(4):288. [CrossRef]
- The Lancet Respiratory Medicine. Data protection: balancing personal privacy and public health. The Lancet Respiratory Medicine 2016 Jan;4(1):1. [CrossRef]
- Vayena E, Salathé M, Madoff LC, Brownstein JS. Ethical challenges of big data in public health. PLoS Comput Biol 2015 Feb 9;11(2):e1003904 [FREE Full text] [CrossRef] [Medline]
- Wartenberg D, Thompson WD. Privacy Versus Public Health: The Impact of Current Confidentiality Rules. Am J Public Health 2010 Mar;100(3):407-412. [CrossRef]
- McLennan S, Shaw D, Celi LA. The challenge of local consent requirements for global critical care databases. Intensive Care Med 2019 Feb 19;45(2):246-248. [CrossRef] [Medline]
- EDPB. 2020 Mar 16. Statement by the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak URL: https://edpb.europa.eu/news/news/2020/statement-edpb-chair-processing-personal-data-context-covid-19-outbreak_en [accessed 2020-05-25]
- Shabani M, Borry P. Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation. Eur J Hum Genet 2018 Feb 29;26(2):149-156 [FREE Full text] [CrossRef] [Medline]
- Richter G, Borzikowsky C, Lieb W, Schreiber S, Krawczak M, Buyx A. Patient views on research use of clinical data without consent: Legal, but also acceptable? Eur J Hum Genet 2019 Jun 25;27(6):841-847. [CrossRef] [Medline]
|COVID-19: coronavirus disease|
|EU: European Union|
|GDPR: coronavirus disease|
|SARS-CoV-2: severe acute respiratory syndrome coronavirus 2|
Edited by T Sanchez; submitted 11.04.20; peer-reviewed by P Schulz, H van den Heuvel; comments to author 06.05.20; revised version received 22.05.20; accepted 22.05.20; published 29.05.20
©Stuart McLennan, Leo Anthony Celi, Alena Buyx. Originally published in JMIR Public Health and Surveillance (http://publichealth.jmir.org), 29.05.2020.
This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in JMIR Public Health and Surveillance, is properly cited. The complete bibliographic information, a link to the original publication on http://publichealth.jmir.org, as well as this copyright and license information must be included.