The current global climate has changed the manner in which we socialize, work and engage even in the simplest activities. We had to quickly adapt to speaking with our friends over video calls, working primarily from home and going out of the house to the most limited extent possible, generally only to conduct essential activities, as defined by the public authorities. In the mean time however, various organizations and entities around the world are doing their best to protect us and to perform the necessary research in order to pin down COVID-19.
An inherent part of scientific research is that an accurate and sufficiently vast set of data is necessary in order to obtain reliable results. If the information comprises personal data, as it will in most cases, then the rules regarding processing of personal data come into play.
To start off, scientific research has always been a primary focus for the EU with the sharing of data for this purpose being promoted in the fundamental treaties of the Union. Recently, the Committee for Medicinal Products for Human Use of the European Medicines Agency has indicated it is now more than ever necessary for institutions to collaborate to obtain “robust and interpretable evidence” in view of finding a safe treatment for COVID-19.
As processing personal data in this context may pose a lot of questions, we summarize some main points of interest particularly with respect to scientific research.
If we collect data for a particular purpose and then decide we want to use it or share it for scientific research, are we allowed to?
Yes, the GDPR institutes a compatibility presumption in relation to further processing for scientific research, if this is conducted subject to specific safeguards (e.g., pseudonymisation) as regulated under the GDPR. In this scenario, scientific research may not be considered incompatible with the initial processing purposes.
This presumption may prove useful for the various actors within the medical and healthcare sectors, insofar a particular set of data could be useful for research in the context of COVID-19.
Actually, in its “Preliminary opinion on data protection and scientific research“, the European Data Protection Supervisor (EDPS) stated that, generally, personal data which has been collected in a healthcare context may be used for scientific research purposes by the original or a new controller, subject to appropriate safeguards being in place.
Is our processing lawful?
Processing personal data must always be substantiated on a legal ground and, if special categories of data are involved (such as health data), an additional guarantee is needed to ensure processing is conducted in compliance with data protection rules.
Depending on their regulated object of activity, entities might be able to argue that processing data for scientific research purposes in the context of COVID-19 is undertaken for the performance of a task carried out in the public interest or in the legitimate interests of a third party (e.g., the public authorities, the community as a whole) and for reasons of substantial public interest, including as regards protecting against serious cross-border threats to health.
The Romanian local data protection regime also provides for suitable and specific measures to safeguard processing data for tasks carried out in the public interest, such as implementing adequate technical and organizational measures for ensuring compliance with the data minimization principle.
Before commencing processing for scientific research purposes, entities should always analyze the particularities of their processing and any legal obligations which may be incumbent/ relevant in their object of activity.
Are there any safeguards we should particularly consider?
Yes. The GDPR specifically indicates pseudonymisation as a safeguard for data processed for scientific research indicating this could be particularly relevant for compliance with the data minimization principle.
In addition, the GDPR provides for the undertaking of scientific research on the basis of data which does not permit or no longer permits the identification of data subjects, if the processing purpose may be fulfilled as such. In this respect, Recital 26 of the GDPR indicates that “principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”.
“Effectively anonymised data” has also recently been confirmed to fall outside the scope of data protection rules by the EDPS, in its Statement on monitoring the spread of COVID-19.
What about storage?
Data processed for scientific research may be stored for longer periods of time subject to implementing appropriate technical and organizational measures. That being said however, such data cannot be stored on an indefinite basis and entities are still subject to determining storage durations and ensuring such durations are being complied with in practice.
Does anything change in relation to data subject rights?
Yes, there are certain exemptions and particularities for data subject rights being exercised in the context of scientific research purposes.
For example, an entity may be able to not give effect to a right to erasure request if this would render impossible or seriously impair the achievement of the objectives of its scientific research processing.
In addition, data subjects are able to object to scientific research processing on grounds relating to their particular situation, if such processing is not necessary for the performance of a task carried out for reasons of public interest.
Do we have to take into consideration any other aspects?
While scientific research processing may be subject to certain specificities and, in certain cases, derogations, GDPR obligations and measures stemming from local data protection regimes continue to be applicable.
Entities engaging in scientific research should carry out an assessment as to the manner in which they will comply with any data protection rules, such as the need to conduct a data protection impact assessment for large scale processing of health data, the provision of information to data subjects as regards further processing, etc. This was applicable even before the current pandemic activity, hence a first step would be to check if the data protection impact assessments prepared before are sufficient to cover this activity or need to be slightly adjusted.
Scientific research may enable us to overcome the current global crisis. The GDPR and the local regimes outline the necessary mechanisms to follow in order to ensure that data protection is being complied with and remains a priority. Stay safe!