The Italian version of this article was first published on Diritto 24 – Il Sole 24 Ore
The health emergency due to the spread of COVID-19 has made the need to correctly manage the processing of health data for scientific research purposes even more topical. In this regard, on April 21, 2020, the European Data Protection Board (“EDPB”) adopted specific Guidelines (“Guidelines”),[1] specifying that — although the agenda for 2020 included the publication of detailed guidelines on the processing of health data for scientific research — the current situation called for rapid and specific action to address the main legal aspects of the processing of health data for scientific research purposes in the context of COVID-19. In the wake of this intervention, the Italian Data Protection Authority (“Garante”) dedicated a section of the FAQ on COVID-19 and the processing of personal data (“FAQ”)[2] to scientific research, introducing specific derogations to adapt the legal framework to the emergency situation.
Some of the main aspects that regulate the abovementioned processing are examined below, in the light of the complex intersection between European and national legislation on the processing of personal data and the responses that European and national legislators have given to the specific needs posed by the health crisis.
The legal basis for the processing of health data for scientific research purposes
In recent months, a large amount of health data has been collected for the diagnosis and treatment of those found to be affected by coronavirus. Indeed, this collection has led to the creation of databases[3] that could be used to carry out scientific studies to examine the various aspects that characterize this pathology. Consider the case, for instance, of a patient with symptoms related to COVID-19 who consulted a healthcare professional to get a diagnosis: the data collected in such a context (for healthcare purposes) could also be used subsequently for scientific research,[4] configuring so-called secondary use of the data, i.e., the further processing of the personal data initially collected for other purposes. In this regard, article 5.1.b) of Regulation 679/2016 (“GDPR”)[5] introduces a “presumption of compatibility” of the secondary use for scientific research purposes. Once the compatibility between the original and secondary purposes has been established, it is then necessary to identify the legal basis for the additional processing.[6]
The processing of personal data for scientific research purposes is generally based on the consent of the data subject in accordance with Articles 6.1.a) and 9.2.a) GDPR, which, as reiterated by the EDPB in the Guidelines, must be freely-given, specific,[7] informed, unambiguous, and made by way of a statement or “clear affirmative action.” However, especially in the case of data processing for secondary purposes, such as scientific research, the collection of consent may be overly complex, or even impossible (as, for example, in the case of dead patients). In addition, any withdrawal of consent by the data subject would entail an obligation for the data controller to cease the processing activity.
Therefore, a different legal basis than consent could facilitate the processing of data for such purposes. On this point, reference could be made to the processing necessary for archiving purposes in the public interest, for scientific or historical research, or for statistical purposes on the basis of European Union or Member State law (ex Article 9.2.j), in conjunction with Article 6.1.f) GDPR). The Italian legislature has defined the actual scope of this provision through the introduction of Article 110 in the Privacy Code (Legislative Decree 196/2003, as amended by Legislative Decree 101/2018) which, in summary, excludes the need to collect consent for the processing of health data for scientific research purposes in the medical, biomedical, or epidemiological fields when the research is carried out on the basis of legal or regulatory provisions or EU law and an impact assessment is conducted and made public. Furthermore, consent is not required when, for particular reasons, informing the data subject(s) is impossible or involves a disproportionate effort, or is likely to make it impossible to achieve or seriously jeopardize the achievement of the research objectives, provided that appropriate measures are taken to protect the rights, freedoms, and legitimate interests of the data subject, and that the research program obtains the favorable opinion of the relevant ethics committee and is subject to prior consultation with the Garante.[8]
However, the need to meet the requirements listed in Article 110 Privacy Code could be an obstacle to carrying out research that can provide useful results as soon as possible to address the epidemiological crisis. Taking note of the emergency situation, the FAQ of the Garante has intervened on this point by introducing a partial derogation from Article 110 Privacy Code only in cases of processing that concern exclusively experimental studies and compassionate use of medicinal products for human use for the treatment and prevention of COVID-19. The derogation provides that if it is impossible to obtain consent (including from third parties) the controller can legitimately carry out the processing without the obligation of prior submission of the research project, of impact assessment, and of prior consultation of the Garante.[9] On the other hand, in the case of kinds of scientific research other than those governed by Article 110 Privacy Code, the Ethics Rules for processing for statistical or scientific research purposes must be taken into account.[10]
Finally, it should be noted that a further legal basis that could be used in this case is that of processing necessary for reasons of substantial public interest (ex Article 9.2.g) GDPR). However, there is currently no European Union or national legal provision, required by Article 9.2.g), that would legitimate such processing.
The implementation of appropriate technical-organizational security measures
Article 32 GDPR provides an obligation for the controller to adopt technical and organizational security measures appropriate to the level of risk of the processing. In the field of scientific research, this provision must be read in conjunction with Article 89.1 GDPR, which requires the identification of adequate safeguards for the rights and freedoms of the data subject to ensure the implementation of measures aimed, in particular, at the minimization of data (e.g., pseudonymization). Therefore, principles such as integrity and confidentiality, data minimization and data protection by design and by default are of crucial importance for processing for scientific research purposes, especially where health data are concerned. The evaluation of the level of risk and the identification of adequate safeguards becomes even more relevant, and at the same time complex, in the context of the COVID-19 epidemic, as highlighted in the Guidelines, including in order to determine whether or not there is a need to carry out an impact assessment under Article 35 GDPR.
First of all, it is likely that, especially in these early stages of coronavirus-related research, exploratory research will be used. Even this kind of research must take into account the principle of minimization; consequently, the controller shall identify the type and amount of information needed to answer the queries (favoring, where possible, the use of anonymized data). Secondly, due to the global reach of the phenomenon under analysis and the urgent need to access scientific evidence, it can be expected that the reuse of health data for scientific purposes will increase the number and heterogeneity of the subjects that can process such data, exposing the data subjects to greater probability of negative impact, as well as to greater severity of the latter. Therefore, the measures implemented will need to ensure a particularly high level of safety not only due to the type of data used, but also in view of the contingencies caused by the epidemic. In this respect, the EDPB identifies some minimum measures that should be used by the controller, such as pseudonymization, encryption, non-disclosure agreements, and strict access role distribution, as well as restrictions concerning the logs. In addition, the concept of “functional separation,” used by Working Party 29 in Opinion 03/2013 on purpose limitation in relation to guarantees in the case of processing for research purposes, should be mentioned. It is essential that the data controller ensures that the personal data being processed cannot be used to “support measures or decisions” taken with regard to the data subject. Such a guarantee appears to be extremely relevant in the context of research for COVID-19, which, as mentioned above, sees the potential involvement of many different entities that may process special categories of data relating to an extremely large number of data subjects.
Finally, it is worth mentioning the implications linked to the use of Artificial Intelligence, which has played a primary role in the fight against the epidemic from the beginning.[11] The use of such technologies to carry out scientific research is often extremely promising, but at the same time it requires careful risk assessment and the implementation of security measures that take into account the specific characteristics of such systems.[12] A guide to conducting this evaluation and to designing a system that is privacy-compliant by design and by default could be identified in the White Paper on Artificial Intelligence (“White Paper”) adopted by the European Commission,[13] which lists key elements that must be subject to scrutiny, such as, for example, human supervision, reliability, accuracy, and transparency.
In a nutshell
Therefore, in order to be able to process health data for scientific research purposes in the context of COVID-19, on the one hand, it will be necessary to pay particular attention to some special aspects related to the epidemic that have an impact on obligations and safeguards from a data protection point of view, and on the other hand, the specific derogations introduced in the emergency situation will have to be considered. In particular:
- If consent is adopted as the legal basis, it should be collected in accordance with the GDPR and should be distinguished from informed consent to participate in the research.
- If the processing is carried out for medical, biomedical, or epidemiological purposes, consent will not be necessary where certain conditions are met and specific guarantees are implemented pursuant to Article 110 Privacy Code, together with the Authorization, where applicable. Exclusively for experimental studies and compassionate use of medicinal products for human use for the treatment and prevention of COVID-19, the obligations imposed by Article 110 Privacy Code may be waived, under certain conditions.
- The technical-organizational measures implemented should ensure a particularly high level of safety not only in light of the type of data used, but also in view of the contingent risks related to the epidemic, such as the increased likelihood of negative impact for data subjects due to the number and heterogeneity of the subjects that may process the data.
- Where Artificial Intelligence systems are used, the risk assessment should take into account the special qualities related to this technology. The White Paper could be used as a guide to identify the key elements that need to be scrutinized.
[1] EDPB, Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, adopted on April 21, 2020.
[3] Specific databases have been created in order to share data relating to COVID-19; in the European context, reference is made to the Covid19-DataPortal, while in the national context, reference is made to the biobank built at the Sacco hospital in Milan.
[4] See Guidelines, paragraph 3.3.
[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
[6] Although recital 50 GDPR mentions the possibility of processing personal data for further purposes without the need for a separate legal basis — provided that there is compatibility between the purposes — this provision has not been incorporated into the binding text; therefore, it is considered necessary to identify such a basis, partially in light of the interpretation provided by the European Data Protection Supervisor (“EDPS”) and by Working Party 29 (“WP29”) in the Preliminary opinion on data protection and scientific research, published on January 6, 2020, and in the Opinion 03/2013 on purpose limitation, respectively.
[7] In the case of scientific research, recital 33 GDPR allows the purpose to be described in more general terms, although, especially where the processing relates to special categories of data, this exception should be interpreted restrictively. See EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, version 1.0, adopted on May 4, 2020.
[8] In order to be able to base the processing on this provision, the controller must comply with the general authorization to process personal data for purposes of medical, biomedical, or epidemiological research whose compliance with the GDPR has been verified by the Garante (“Authorization”). This authorization specifically authorizes certain subjects (e.g., research bodies or institutes, healthcare professionals, etc.) to process sensitive data for medical, biomedical, or epidemiological research for which the consent of the data subjects has not been obtained and for which the impossibility of informing the data subjects derives from particular circumstances documented in the research project (proven by ethical reasons or organizational impossibility). See Garante Provision No. 146 of June 5, 2019, regulating the processing of special categories of data, pursuant to Article 21, paragraph 1 of Legislative Decree No. 101/2018, web document No. 9124510.
[9] Moreover, the FAQ provides guidance on the processing of personal data, also related to health, carried out by the IRCCS as part of medical research on COVID-19 funded by the Ministry of Health.
[10] As amended by Garante Provision No. 515 of December 19, 2018, web document No. 9069637.
[11] An overview of the uses of Artificial Intelligence in the fight against COVID-19 is available here.
[12] EDPS, Preliminary opinion on data protection and scientific research, published on January 6, 2020.
[13] European Commission, White Paper on Artificial Intelligence – A European approach to excellence and trust, Brussels, February 19, 2020, COM(2020) 65 final.