Ministry of Justice: Call for Evidence on EU Data Protection Proposals


Response by the Wellcome Trust

KEY POINTS

- It is essential that Article 83 and associated derogations are maintained as the Regulation moves through the legislative process.
- Amendments to clarify and strengthen research provisions would be beneficial to ensure these achieve their intended purpose and do not inhibit important health research.
- Amendments are needed to ensure that the use of pseudonymised data in health research is regulated proportionately and to ensure clarity in the scope of the Regulation.

INTRODUCTION

1. Information from patient records provides the foundation for much health research, and offers significant potential to answer questions about the factors that influence health and disease. Information from patient records can be used for epidemiological research; to understand more about the causes of disease; to detect outbreaks of infectious diseases; to monitor the safety and efficacy of drugs and medical devices; and to study the effectiveness of treatments and interventions. Identifiable data is also used to identify participants for research studies. Researchers may wish to approach individuals in order to gain their consent to participating in a particular piece of research, for example the trial of a new treatment for a particular disease.

2. We welcome the opportunity to respond to this call for evidence since it is vital that the EU and UK can establish a regulatory framework that balances the rights and interests of individuals with the societal benefits of research using patient information.

3. This response has been informed by a legal analysis of the potential impacts of the Directive commissioned by the Trust and conducted by Lawford Davies Denoon. This detailed response supplements a joint statement from the Trust and other health research organisations setting out the impacts of the data protection proposals for the sector and including a number of case studies. Without further information on the intention and detail of requirements set out in the Regulation, it has not been possible to provide information on costs.

HEALTH RESEARCH IMPACTS

Research derogations

4. The Regulation appears to provide a number of derogations from particular requirements for the use of personal data for scientific research, providing that personal data is processed in accordance with the conditions set out in Article 83. These derogations do not exempt research studies from all the requirements set out in the Regulation. The Wellcome Trust warmly welcomes this approach since it provides a framework that balances the facilitation of research with the protection of the interests of research participants. The Government must prioritise the protection of Article 83 and ensure the associated derogations for research are protected as the Regulation moves through the legislative process.

5. There are a number of issues around Article 83 and the associated derogations that would benefit from clarification to better reflect the intent of the clauses. The lack of clarity in the current UK Data Protection Act has contributed to a risk-averse culture among those sharing and using data for research. This has led to delays to research that would be in the public interest.

6. In order to avoid replicating these difficulties, it is essential that any lack of clarity is rectified in the new Regulation. The following clarifications are needed and suggested amendments to achieve these are set out in detail in Box 1:

- Clarification of Article 6.4 and Recital 40 to ensure that the processing of personal data for other purposes intends scientific research to be viewed as a compatible purpose in itself (amendment A).
- Clarification that the reference to Article 83 (processing for historical, statistical and scientific research purposes) within Article 81 (processing of personal data concerning health) is intended to link the two sections, rather than to impose an additional restriction on research (amendment B).

7. A number of aspects of the research requirements and derogations rely on demonstrating necessity. [1] While this approach is reasonable in principle, it will be important that an appropriate and consistent definition of necessity can be applied in this context to ensure clarity in implementation.

[1] For example Articles 6.2; 9.29(i); 17.3(c); 83.1(a); and 83.2(c).

Box 1

Deletions are struck through. Insertions are underlined.

Amendment A

Clarify that scientific research is a compatible purpose per se:

Article 6.4: revise by appending the following sentence: Processing necessary for historical, statistical or scientific research purposes shall always be deemed compatible processing, provided it is conducted with the rules and conditions laid down in Article 83.

Recital 40: The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, such as in particular where the further processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.

Add a new Article to allow Member States to enact delegated legislation regarding processing for scientific research being a legitimate interest.

Amendment B

Clarify that the reference to Article 83 in Article 81.2 is not intended to impose an additional restriction on processing for research purposes, but rather is intended to connect the two sections. This could be achieved by moving Article 81.2 to 81.1(d).

Scope of the Regulation

8. The scope of the Regulation is personal data that identifies a natural person, or from which a natural person can be identified. [2] It is important that the research community is clear about how personal data relates to the different types of data used in research - anonymised data; key-coded or pseudonymised data; and identifiable data (see Annex A) - since the scope determines which research studies are brought within its remit and therefore must comply with its requirements. Clarity in the scope is essential so that those sharing and using patient data in research are fully aware of their responsibilities, but do not implement beyond the requirements that are necessary in law.

9. The Regulation is not explicit on whether pseudonymised data are intended to be included within its scope. Pseudonymised or key-coded data underpin a substantial amount of research, for example studies at the Wellcome Trust Sanger Institute and the UK Biobank research resource. Inclusion of pseudonymised data within the scope will therefore dramatically increase the regulatory burden on research.

[2] Articles 3 and 4

10. The use of pseudonymised data in health research is well-established and operates within a system designed to reduce the possibility of re-identification of participants. It is important that the use of pseudonymised data in research is handled within a proportionate regulatory framework that takes into account the actual likelihood of re-identification under current conditions, not just the technical possibility of re-identification. Conditions that will reduce the actual likelihood of re-identification could include the use of safe havens, such as England's new Clinical Practice Research Datalink and comparable services in the devolved nations, and contractual data sharing agreements and professional standards for researchers that prohibit re-identification. In many instances the identifying code will not be held at the research site where the pseudonymised data are used in research, but at a hospital or by a safe haven. Article 23 should be amended to provide greater clarity on this issue for research by noting that conditions could be established in a Member State that preclude re-identification, therefore ensuring that re-identification would not be considered reasonably likely (amendment C).

Amendment C

Clarify that the likelihood of identification of the individual (Recital 23) should take into account the conditions of access to data so that if the conditions of access for research purposes preclude re-identification then re-identification would not be reasonably likely.

11. Anonymous data falls outside of the scope of the Regulation. However, the act of removing identifiers to ensure that data are no longer personal - anonymisation - could fall within the definition of processing (Article 4). This would mean that the process of anonymisation itself would have to comply with the requirements of the Regulation to be lawful. We suggest that the Regulation should be revised to expressly permit anonymisation, while prohibiting re-identification for data that has been anonymised (amendment D).

Amendment D

Expressly permit processing for the purpose of anonymisation (new definition of anonymisation and new Articles 6.1(g) and 9.2(k)) together with a new prohibition of re-identification for data that has been anonymised:

- anonymisation means any steps taken towards processing personal data in such a manner that it can subsequently no longer be considered personal data;
- 6.1(g)/9.2(k): processing is conducted for the purpose of anonymisation
- the processing of data which has undergone a process of anonymisation with the objective of re-identifying a data subject or otherwise rendering such data personal data shall be prohibited except where any of the conditions in Article 9.2(a), (c), (e), (g), (h) or (i) apply.

12. Clarification is needed around genetic data and data concerning health to ensure that these definitions are only intended to apply to personal data that falls within these categories, rather than all related data (amendment E).

Amendment E

Deletions are struck through. Insertions are underlined.

Clarify that the Regulation does not capture non-personal data in the definitions of data concerning health (Article 4.12) and genetic data (Article 4.10):

- data concerning health means personal data any information which relates to the physical or mental health of an individual, or to the provision of health services to the individual;
- genetic data means all personal data, of whatever type, concerning the hereditary genetic characteristics of an individual which are inherited or acquired during early prenatal development;

13. Furthermore, the definition of data concerning health must be consistent with the related Recital. Recital 26 includes information derived from the testing or examination of a body part or bodily substance, including biological samples in its description of personal data relating to health. However, no reference is made to biological samples in the definition at Article 4.12. This inconsistency should be rectified to clarify that data concerning health does not include biological samples per se, but rather to personal data obtained from testing such material (amendment F).

Amendment F

Deletions are struck through. Insertions are underlined.

Amend Recital 26 to clarify that the Regulation does not capture biological samples per se within its scope, but personal data derived from these samples. For example:

Draft Recital 26: Personal data relating to health should include in particular all personal data pertaining to the health status of a data subject; ...; information personal data derived from the testing or examination of a body part or bodily substance, including biological samples;...

Increases in the regulatory burden for health research

14. Beyond potential increases in scope, the Regulation increases the regulatory burden for health research compared to the current Data Protection Directive and the corresponding UK Data Protection Act (1998). If implemented, these additional burdens will make it increasingly difficult to conduct this important research in the UK and EU. The following issues present particular concerns and potential amendments to address these are presented in Box 3:

- Article 5(e) on data storage provides a welcome derogation that enables data to be held for extended, potentially indefinite, periods for research purposes. However, this derogation imposes a requirement to undertake periodic review to assess the necessity to continue storage. These reviews would be impractical since data are routinely held over long periods and it can be difficult to predict future uses or need for the data. Furthermore, these reviews would create a substantial burden for research institutions that currently hold valuable data and research resources, which may not be sustainable for the sector. We therefore recommend amending Article 5 to remove the need for such review (amendment G).
- The right of the data subject to information (Article 14) could be problematic for research in situations where notifying participants would create a disproportionate burden that could prevent the research from proceeding. The Regulation includes a disproportionate effort [3] provision, but this only applies where the data are not collected from the data subject. It would be helpful to clarify the situation for research by amending this Article to create a specific disproportionate effort provision for research, in line with the current Data Protection Directive (amendment H).
- The right to rectification (Article 16) is inherently problematic for health research since researchers routinely hold data generated through their studies that cannot be guaranteed to be accurate. For example, data generated by genetic sequencing in the laboratory environment will rarely meet diagnostic standards used in a clinical setting. As a result, such data cannot be considered analytically accurate. In addition, a person's health status changes over time, for example pregnancy. The Regulation does not contain any guidance as regards practical means for researchers to assess or rectify such inaccuracies. The Regulation should be amended to take this reality of health research into account (amendment I).

[3] Article 14.5(b)

Box 3

Deletions are struck through. Insertions are underlined.

Amendment G

Amend Article 5.3 to remove the need for periodic review to resolve practical issues and the burden this creates for research. For example:

Draft Recital 5.3(e): [Personal data may be] kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage until it becomes apparent that continued storage is no longer necessary.

Amendment H

Amend Article 14 to ensure that there is express disproportionate effort provision from notification for research. For example:

Draft Recital 14.5 (xx): the data are processed for historical, statistical or scientific research purposes and the provision of such information proves impossible or would involve a disproportionate effort.

Amendment I

Amend Article 16 or provide a Recital to reflect the fact that data generated in research cannot be guaranteed to be accurate and to propose limits as regards the steps that researchers should be required to take to assess or to rectify any potential inaccuracies.

The Wellcome Trust is a global charitable foundation dedicated to achieving extraordinary improvements in human and animal health. We support the brightest minds in biomedical research and the medical humanities. Our breadth of support includes public engagement, education and the application of research to improve health. We are independent of both political and commercial interests.

ANNEX A: THE TYPES OF PATIENT DATA USED IN HEALTH RESEARCH

Health data can be accessed by researchers in the following forms:

- Identifiable data: these include information in patient records such as patients' names, addresses, dates of birth and NHS numbers. There are also aspects of health data that could become identifying when they relate to a diagnosis of a rare condition or when combined with other data. Identifiable data are needed when future contact is needed with the participant, for example to contact them to take part in a study, or to link information across different data sets.
- Key-coded or pseudonymised data: these cannot directly identify an individual, but are provided with an identifier that enables the patient's identity to be reconnected to the data by reference to a separate database containing the identifiers and identifiable data. Pseudonymised data can often be used in place of identifiable data.
- Anonymised data: these data cannot be connected to the original patient record. Anonymised data are suitable when no contact is needed with the participant or where the data does not need to be linked to any other data sources.