On April 21, the European Data Protection Board (“EDPB”) released guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (“Guidelines”).
The Guidelines note that the GDPR includes various provisions which permit health data to be collected and processed for scientific research purposes connected with COVID-19 and also envisages specific derogations to the prohibition on processing certain special categories of personal data, such as health data, where necessary for scientific research purposes.
“Processing for the purposes of scientific research” includes (among other things) “studies conducted in the public interest in the area of public health”. Both “primary use” (data directly collected for the purpose of scientific studies) and “secondary use” (further processing of data for scientific purposes initially collected for another purpose) are allowed, although the GDPR distinguishes between the two in various ways.
The Guidelines note that data subjects’ consent may provide a legal basis for processing health-related data in the context of COVID-19, if consent is freely given, specific, informed and unambiguous and provided in the form of a statement or “clear affirmative action”. However, the GDPR also provides a legal basis for processing health-related data for scientific research purposes, so individual consent need not necessarily be relied upon (local Member State laws may vary in this regard).
The GDPR requires personal data to be processed fairly, lawfully and transparently and certain information regarding the processing must be provided to data subjects. Scientific researchers often process health-related data that they have not obtained directly from individuals. Generally, if personal data is further processed for scientific research purposes other than those for which the data were obtained, controllers must provide data subjects with information about such purposes before commencing the new research project.
The Guidelines note that data controllers may be able to deviate from this general requirement: (1) if it proves impossible, would involve disproportionate effort, or would render impossible or seriously impair the achievement of the objectives of the processing; or (2) when obtaining or disclosure is expressly laid down by EU or Member State law.
The Guidelines also focus on the GDPR’s “purpose limitation” principle, noting that while personal data shall be collected for specified, explicit and legitimate purposes, “further processing for … scientific … research purposes … shall, in accordance with Article 89(1) not be considered to be incompatible with the initial purposes.” Processing of data for research purposes must be subject to appropriate safeguards, especially regarding data minimization. Security, integrity and confidentiality and data protection by design and default are also stressed.
The Guidelines also observe that data minimization can be achieved by researchers clearly specifying research questions in advance and only collecting the data required to properly answer them (data should also be anonymized whenever possible). Proportionate storage periods should also be set (the GDPR allows personal data to be stored for longer periods if it will only be processed for scientific purposes, subject to certain conditions and safeguards).
Because of the sensitive nature of health data, it attracts more stringent protection, which is particularly relevant in the context of COVID-19. Among other things, the Guidelines emphasize that the GDPR’s security requirements must be fully complied with, stressing that data collectors must, as a minimum, use pseudonymization, encryption, non-disclosure agreements and strict access role distribution.
In principle, the current situation does not suspend or restrict the exercising of data subjects’ rights, although the Guidelines note that Member States may restrict some such rights and other restrictions can be based directly on the GDPR. Any restrictions must be limited to what is strictly necessary.
If health data transfers outside the EEA are required, the Guidelines note that the GDPR’s rules on international transfers must be complied with. Data exporters should inform individuals about intended transfers and, if they cannot rely on adequacy decisions or appropriate safeguards, the GDPR includes various exemptions under which international transfers can take place (e.g. where transfers are necessary for important public interest reasons or data subjects have given explicit consent). These may be available, at least temporarily, to data exporters when sharing data with third countries or international organizations collaborating to combat COVID-19, although the EDPB emphasizes that they should be interpreted restrictively.
Hopefully, the Guidelines will provide some welcome clarification for those using personal data for scientific research purposes to combat COVID-19. Further information on the Guidelines is set out in our recent Client Alert (available here).