Reuse of personal data for research purposes in light of the most recent guidelines from the Garante
The Italian version of this article was published on December 1, 2022, on AboutPharma.com, within our bi-monthly column about Clinical Trials Regulation EU 536/2014 and its implementation in Italy.
In the context of clinical studies, companies are concerned about the legal conditions for use for research purposes of previously collected personal data, including data from third parties. Consider retrospective studies, which by their very nature look at past events and use “archival” personal data. These data likely were collected for different purposes and their use would require new consent from the data subjects. Similar issues also arise with reference to the creation of databases and later use of personal information in future research activities.
In such cases, it is not always possible to contact the individuals whose personal information is in play. Even if it is possible, it can prove difficult and burdensome for companies.
Italian legislation is especially restrictive, even in comparison to European legislation. With or without explicit consent from data subjects, it places cumbersome procedural burdens on companies. However, the Italian legislature did employ the option provided by Regulation (EU) 2016/679 (“GDPR”) to introduce further conditions, including limitations, regarding the processing of health-related data (Art. 9, para. 4, GDPR), later codified in Legislative Decree 196/2003 (“Privacy Code”) in Articles 110 and 110-bis.
The decisions of the Italian Data Protection Authority (“Garante”) reflect this approach, with regard to both general measures issued by that authority in relation to certain types of data processing and opinions issued upon specific consultation by companies in accordance with the provisions of Article 36 of the GDPR.
Regulatory context
At the European level, processing personal data for research purposes, especially sensitive data such as genetic data, is governed by Article 9 of the GDPR. This article permits processing necessary for scientific research purposes when it is proportionate to the pursued purposes and appropriate safeguards are in place to preserve the rights and freedoms of the data subject under Article 89 of the GDPR. Article 89 includes technical measures such as pseudonymization. Alternatively, processing is allowed with the data subject’s explicit consent for one or more specific purposes.
Interestingly, it is not apparent from the structure of the GDPR whether there is a preference for one option over the other. The intent seems to be to simplify, where possible and with due safeguards, the use of personal health data in scientific research. Then, further processing of collected personal data is allowed at a general level by the GDPR—even in the absence of newly obtained consent—when the purpose of the secondary processing “is not incompatible” with that of the original processing. The processing of personal data for scientific research purposes is further facilitated by presuming an absence of incompatibility. Moreover, secondary processing is allowed even in the absence of consent and provided that the abovementioned safeguards in Article 89 of the GDPR are adopted (Art. 5, para. 1(b), GDPR).
At the national level, on the other hand, the legislature employed the option in the GDPR to introduce more restrictive measures. Essentially, it is moving in the opposite direction from activity at the European level. Articles 110 and 110-bis of the Privacy Code codify a system that bases the processing of data for scientific research purposes on either the consent of the person concerned or—when attaining that is not possible—on a series of procedural requirements. One that stands out is the obligation of prior consultation with the Garante previously provided in Art. 36 of the GDPR (or even prior authorization, with the silence-rejection mechanism triggered). In particular, under Article 110 of the Privacy Code, the processing of data for scientific research purposes is possible in the absence of the data subject’s consent, if:
- The processing is carried out on the basis of provisions of the law or regulation or under the GDPR (Art. 9(2)(j)), and an impact assessment is conducted and made public (a scenario that legitimizes processing by public and private facilities on the basis of specific legal regulations).
- Informing the data subjects proves impossible or otherwise excessively burdensome or in any case attempting to do so may undermine the purposes of the research, provided that (i) appropriate measures are taken to protect the rights and freedoms of the data subjects; (ii) the research program receives a favorable opinion from the relevant ethics committee; and (iii) the program is subject to prior consultation with the Garante pursuant to Article 36 of the GDPR.
Further processing of data may be authorized by the Garante, including by means of general measures, when contacting data subjects is similarly impossible or objectively difficult, or the research activity may be otherwise affected (Art. 110-bis of the Privacy Code). The provision adopted by the Garante on June 5, 2019, “Provision containing prescriptions regarding the processing of special categories of data, pursuant to Article 21, paragraph 1 of Legislative Decree No. 101 of August 10, 2018,”[1] includes among various items a section devoted to the processing of data for scientific research purposes and another devoted to the processing of genetic data.
According to the content provided by the Garante therein, biological samples and genetic data previously collected for health protection purposes may be retained and used further without the consent of the data subjects (i) in the context of scientific research provided for by EU law or by law; or (ii) limited to the pursuit of further scientific purposes directly related to those for which consent was originally obtained.
Also, for use in research projects other than the original project and outside the cases provided by law—and when it is not possible to inform the data subjects—preservation and further use are still possible if research for a similar purpose cannot be carried out by processing the data of subjects whose consent can be acquired. In addition, the research program must involve the use of biological samples and genetic data that do not allow the identification of data subjects—at least after further processing. Alternatively, the program must be submitted for the aforementioned reasoned opinion of the appropriate ethics committee and then submitted for prior consultation with the Garante pursuant to Article 36 of the regulations.
Recent Garante guidelines
Among the Italian Garante’s recent significant actions on the issue of further processing of data for research purposes is the opinion issued on June 30 by the authority pursuant to Art. 110 of the Privacy Code and Art. 36 of the GDPR,[2] at the behest of Azienda Ospedaliera Universitaria Integrata di Verona. This opinion does not have a general scope but instead is an opinion issued in response to a specific case submitted to the Garante. However, it contains useful indications for interpreting current regulations and handling processing in compliance with the stringent rules adopted by the Italian legislature.
The case submitted to the Garante refers to an observational prospective and retrospective study of a nonpharmacological type—subject to impact assessment under Article 35 of the GDPR and required to obtain a favorable opinion from the appropriate ethics committee—aimed at creating a database for future studies to be conducted in the field of thoracic-area pathologies. In addition to offering a clear purpose for creating the database, the study envisaged implementation of nine future “areas of investigation,” research projects not yet currently defined and for which reference protocols do not exist. The petitioner posited that the relevant treatments, including those that would be carried out as part of the future research studies, were lawful on the basis of consent collected in the initial phase of the study—unless this was impossible or excessively difficult to obtain—as the Azienda Ospedaliera believed that future treatment was compatible with the purpose of the initial collection (the establishment of a database) and therefore lawful under the sole and subsequent approval of the protocol by the appropriate ethics committee.
With specific reference to retrospective collection of data, the petitioner claimed that almost all of the patients (90 percent) were either deceased or otherwise unavailable, making it impossible to inform individuals and obtain the relevant consent for data processing. The Garante issued a favorable opinion pursuant to Article 110 of the Privacy Code for the purposes of establishing the database. It deemed suitable the specific measures adopted by the petitioner to reduce the risks for the data subjects—in particular the anonymization techniques employed after the data retention period elapsed—and the methods for making processing publicly known pursuant to Article 14(5)(b) of the GDPR by means of a special information page published on the hospital website.
On the other hand, for the use of the data collected as part of future research studies, which still lacks a protocol, the Garante first ruled out the compatibility of this purpose with the original purposes of data collection. Furthermore, it pointed out that GDPR, Recital No. 33, recognizes that in many cases it is not possible to identify fully the purpose of processing personal data for scientific research purposes at the time of data collection. Consequently, according to this recital, data subjects should have the opportunity to give their consent to only certain areas of research or parts of research projects to the extent permitted by the intended purpose, and this does not in any case allow an exception to the firmly established principles of specificity and granularity of consent. It follows that the Azienda Ospedaliera must be required to integrate the expressions of consent already obtained from the interested parties once the protocols for future studies have been approved—and therefore the purposes of further processing are specific and well-defined—to eventually arrive at a legal prerequisite suitable for processing data for research purposes. Should the company find itself in one of the situations cited in Article 110 of the Privacy Code and thus unable to “supplement” the consent given by data subjects, it will once again have to make specific requests for prior consultation under Article 110.
A glimpse into the future
Prior positive outcome of Garante consultation under Art. 110 undoubtedly represents a viable avenue for companies, although it imposes not-insignificant burdens for the purposes of conducting research—especially considering the frequency with which scenarios where it is impossible or difficult to obtain consent may arise in practice. This process certainly does not go in the favorable direction of encouraging clinical research activities. Moreover, it appears to be at odds with the very spirit of the GDPR, which, as mentioned above, does not express a preference for the consent rule in the processing of data for research purposes, nor does it intend, in not expressing a preference, to make processing subject to what can be considered for all intents and purposes prior authorization from the national data protection authority.
The same considerations seem to have been expressed by the National Coordination Center of Ethics Committees in a document on observational studies dated July 26, 2022, published on the AIFA website.[3] This discusses overcoming the consent rule and simplifying the current requirements for data processing in research by removing or limiting as much as possible the formal obstacles that an interventional and single-use interpretation still poses to the use and reuse of research data, including through the possible use of lawful interest as a basis for processing, accompanied by the adoption of appropriate security measures for the protection of data subjects.
At this point, the Italian approach to processing and secondary use of personal data for research purposes still appears to stray far from these mutually agreeable positions.
[1] https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9124510.
[2] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9791886.
[3] https://www.aifa.gov.it/documents/20142/1619588/Nota_studi_osservazionali_26.07.2022.pdf.