The Voice of Patients on Data Protection

Similar documents
COMMISSION OF THE EUROPEAN COMMUNITIES REPORT FROM THE COMMISSION TO THE COUNCIL AND THE EUROPEAN PARLIAMENT

SUMMARY REPORT OF THE STANDING COMMITTEE ON THE FOOD CHAIN AND ANIMAL HEALTH HELD IN BRUSSELS ON 10 DECEMBER 2012 (Section General Food Law)

EFA Briefing Update January 2012

Access to electronic communications services for disabled customers

COUNCIL OF THE EUROPEAN UNION. Brussels, 7 September 2009 (OR. en) 11261/09 Interinstitutional File: 2008/0002 (COD) DENLEG 51 CODEC 893

COMMISSION OF THE EUROPEAN COMMUNITIES. Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

C 178/2 Official Journal of the European Union

EUROPEAN COMMISSION HEALTH AND FOOD SAFETY DIRECTORATE-GENERAL. PHARMACEUTICAL COMMITTEE 21 October 2015

EPF s response to the European Commission s public consultation on the "Summary of Clinical Trial Results for Laypersons"

Medical Research Law & Policy Report

(Legislative acts) REGULATIONS

COMMISSION IMPLEMENTING DECISION. of

REGULATION (EC) No.141/2000

COMMISSION OF THE EUROPEAN COMMUNITIES. Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

BACKGROUND + GENERAL COMMENTS

Professional Development: proposals for assuring the continuing fitness to practise of osteopaths. draft Peer Discussion Review Guidelines

REPORT FROM THE COMMISSION TO THE COUNCIL. on Directive 2011/64/EU on the structure and rates of excise duty applied to manufactured tobacco

Collecting and Handling Health Data in a GDPR World

EUROPEAN COMMISSION HEALTH AND CONSUMERS DIRECTORATE-GENERAL. Health systems and products Medicinal products authorisations, EMA

Roadmap to review the Nutrition and Health Claims legislation expression of interest to contribute to the upcoming external study

COUNCIL RECOMMENDATION of 2 December 2003 on cancer screening (2003/878/EC)

POLICY BRIEF 4. The Nagoya ABS Protocol and Pathogens. By Gurdial Singh Nijar. Contents

COMMISSION DELEGATED REGULATION (EU).../... of XXX

Consistency in REC Review

Background EVM. FAO/WHO technical workshop on nutrient risk assessment, Geneva, May 2005, published 2006.

Secretary-General of the European Commission, signed by Mr Jordi AYET PUIGARNAU, Director

WORKABLE REGULATORY FRAMEWORK EUROPEAN PARLIAMENT, BRUSSELS 9 NOVEMBER 2016

WORLD MEDICAL ASSOCIATION DECLARATION OF HELSINKI. Ethical Principles for Biomedical Research Involving Human Beings

October 2003 Revision 1, February INTRODUCTION AND SCOPE

PUBLIC CONSULTATION DOCUMENT

Survey results - Analysis of higher tier studies submitted without testing proposals

Co-ordinated multi-agency support for young carers and their families

(Text with EEA relevance) (2014/798/EU)

EMEA WORKING PARTY ON HERBAL MEDICINAL PRODUCTS

EUCERD Recommendations on Rare Disease European Reference Networks (RD ERNs)

COMMISSION OF THE EUROPEAN COMMUNITIES COMMISSION STAFF WORKING DOCUMENT. Accompanying document to the

Integrating and strengthening the European research area *

Guidelines for the Ethical Treatment of Animals in Research and Teaching at the University of Münster (WWU)

IMPORTANT DISCLAIMER. Note

CED GUIDELINES TO INTERPRET AND IMPLEMENT COUNCIL DIRECTIVE 2011/84/EU ON TOOTH WHITENING PRODUCTS

Citation for published version (APA): Oderkerk, A. E. (1999). De preliminaire fase van het rechtsvergelijkend onderzoek Nijmegen: Ars Aequi Libri

6078/16 LB/dk 1 DGD 1C

Response to: Concept paper of 9 February 2011 submitted for public consultation by the European Commission on the

DRAFT COMMISSION DELEGATED REGULATION (EU) /... of XXX

CODE OF CONDUCT PROTECTION AGAINST SEXUALIZED DISCRIMINATION, HARASSMENT AND VIOLENCE CODE OF CONDUCT FOR THE MAX PLANCK SOCIETY

COMMISSION REGULATION (EU) / of XXX

Statement regarding: Key ideas of a draft legal proposal on information to patients by the European Commission (DG Enterprise and Industry)

SUBMISSION OF COMMENTS ON DRAFT COMMISSION PAEDIATRICS GUIDELINE

EUROPEAN COMMISSION. Modus Operandi for the management of new food safety incidents with a potential for extension involving a chemical substance

Basis for Conclusions: ISA 230 (Redrafted), Audit Documentation

A proposal for collaboration between the Psychometrics Committee and the Association of Test Publishers of South Africa

European Legal Database on Drugs

EUROPEAN UNION. Brussels, 15 October 2007 (OR. en) 2005/0227 (COD) PE-CONS 3627/07 MI 149 ECO 83 SAN 123 CODEC 621

COMMISSION REGULATION (EU) / of XXX

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

BMA response to the European Commission Green Paper on the European Workforce for Health

15050/15 JS/pm 1 DGB 3B

ROADMAP TO REVIEW THE NUTRITION AND HEALTH CLAIMS REGULATION 1924/2006 Food Supplements Europe Comments

This document is meant purely as a documentation tool and the institutions do not assume any liability for its contents

PROBLEMATIC USE OF (ILLEGAL) DRUGS

Common Criteria. for. CGIAR Research Proposal (CRP) Design and Assessment

COMMISSION REGULATION (EU) / of XXX

TEXTS ADOPTED. Mandatory indication of the country of origin or place of provenance for certain foods

COMMISSION OF THE EUROPEAN COMMUNITIES

COMMISSION REGULATION (EU)

Glossary of Research Terms Compiled by Dr Emma Rowden and David Litting (UTS Library)

Hearing aid dispenser approval process review Introduction Hearing aid dispenser data transfer... 6

STANDING COMMITTEE ON THE FOOD CHAIN AND ANIMAL HEALTH SECTION ON GENERAL FOOD LAW. Summary Record of Meeting of 30 April 2012

EUROPEAN UNION. Brussels, 29 June 2010 (OR. en) 2008/0238 (COD) PE-CONS 19/1/10 REV 1 SAN 114 CODEC 431

Paper. Donation review conditional donation. Hannah Darby, Policy Manager. Decision

Consultation Strategy. Impact Assessment on an initiative to limit industrial trans fats intakes in the EU

Legal perspectives on Essentially Derived Varieties

UPR UNIVERSAL PERIODICAL REVIEW CROATIA. Croatian Association of Deafblind Persons DODIR

COMMISSION OF THE EUROPEAN COMMUNITIES. Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

COMMITTEE FOR MEDICINAL PRODUCTS FOR HUMAN USE (CHMP)

1. The Working Party on Public Health discussed and agreed the draft Council conclusions as set out in the Annex.

Information about cases being considered by the Case Examiners

Special guidelines for preparation and quality approval of reviews in the form of reference documents in the field of occupational diseases

Other EU Activities Contributing to Harmonization of Labeling

Consumers Association s response to the European Commission s Discussion paper on nutrition claims and functional claims

Guidelines to Commission Regulation (EU) No 655/2013. laying down common criteria for the justification of claims used

PODS FORUM GUIDELINES

Practical guidance for applicants on the submission of applications on food additives, food enzymes and food flavourings

Health Claims and Botanicals: How to Proceed with European Harmonisation?

European Food Safety Authority (EFSA)

Mr José Manuel Barroso President of the European Commission Rue de la Loi 200 B-1049 Brussels. Courtesy translation

Assurance Engagements Other than Audits or Review of Historical Financial Statements

DRAFT (Final) Concept Paper On choosing appropriate estimands and defining sensitivity analyses in confirmatory clinical trials

Round robin summary - March 2012 Co-payment for unlicensed drug Egg donation Recruitment and training of Lay members

Mental Health Act 2007: Workshop. Section 12(2) Approved Doctors. Participant Pack

COMPETENT AUTHORITY (UK) MEDICAL DEVICES DIRECTIVES GUIDANCE NOTES FOR MANUFACTURERS OF DENTAL APPLIANCES

on the advertising of medicinal products for human use

COMMISSION REGULATION (EU) / of XXX

End of life treatment and care: good practice in decision making

WCO Guidelines for the recognition of University Customs Curricula (2018)

Summary of responses: Consultation on determining the amount of a variable monetary penalty. April 2017

Human Research Ethics Committee. Some Background on Human Research Ethics

12883/16 PR/mk 1 DG B 1C

CAPT Responses to HPRAC s Recommendations in New Directions (2006) Concerning Psychotherapy

Psychotherapists and Counsellors Professional Liaison Group (PLG) 30 September 2010

Transcription:

The Voice of Patients on Data Protection Aarlenstraat 22 1050 Brussels Belgium +32 (0)2 511 50 40

Index List of abbrevrations... 4 Foreword... 5 1. Introduction... 6 1.1. Problem description and research purpose... 6 1.2. Demarcation... 6 1.3. Research questions... 7 1.4. Research methodology... 7 2. Proposed regulations... 9 2.1. General remarks... 9 2.2. European Commission... 9 2.2.1. Background of the proposal... 9 2.2.2. Relevant articles... 9 2.2.3. Definitions and applicability of the rules... 10 2.2.4. Exemption on the prohibition for research... 10 2.2.5. Protective measures... 10 2.2.6. Uncertainties... 11 2.3. European Parliament... 11 2.3.1. Changes proposed by the EP resolution... 11 2.3.2. Relevant acticles... 12 2.3.3. Types of data... 12 2.3.4. Purpose limited consent... 12 2.3.5. More protective measures... 13 2.3.6. Measures in the interest of research... 13 2.3.7. Uncertainties... 14 2.4. Conclusion... 14 3. Opinion of patients... 16 3.1. Introduction... 16 3.2. Consensus... 16 3.3. Differences of opinions... 16 3.4. The requirement of consent... 17 3.4.1. Importance of consent... 17

3.4.2. Exemptions ons consent... 17 3.4.3. General consent... 18 3.4.4. Right to withdraw consent... 18 3.5. International transfer and harmonisation of legislation... 19 3.6. Provision of information... 19 3.7. Conclusion... 19 4. Conclusions and recommendations... 21 4.1. Introduction... 21 4.2. Observations: similarities and differences... 21 4.3. Recommendations: work to do... 22 Bibliography... 24 Anex I Description EC articles... 25 Annex II Description EP amendments... 28 Annex III Overview of proposed measures... 31 Annex IV Interview protocol... 32 Annex V Survey results... 35

List of abbrevrations DPD EC ECPC EP EPF EU EURORDIS MS NFU NVN OJ PGDPR Directive 95/46/EC European Commission European Cancer Patient Coalition European Parliament European Patients Forum European Union European Organisation for Rare Diseases Member States Nederlandse Federatie van Universitair Medische Centra Nierpatiënten Vereniging Nederland Official Journal of the European Union Proposal for a General Data Protection Regulation

Foreword [Titel] This study is done during an internship at the Netherlands House of Education and Research (Neth-ER) and performed at the request of the Nederlandse Federatie van Universitair Medische Centra (NFU). Special thanks go to the patient organisations that participated in this study. These are the following: European Organi-sation for Rare Diseases (EURORDIS); European Cancer Patient Coalition (ECPC); European Patients Forum (EPF); De Hart&Vaatgroep; Levenmet-kanker; Nierpatiënten Vereniging Nederland (NVN). 5

1. Introduction [Titel] 1.1. Problem description and research purpose Changes in society have created the need for a new European data protection regulation, according to the European Commission (EC). 1 The EC proposed their PGDPR in 2012, 2 followed by EP amendments in 2014. 3 The way data may be used for scientific research purposes is part of this proposal. The impact the regulation can have on scientific research is currently being discussed. The research community expressed concerns with regard to the amendments of the EP on the PGDPR and several authors published about the links between new data protection rules and scientific research possibilities. 4 The debate so far has not included an investigation of the opinions of patients on how personal data should be protected, if used for scientific research. This study aims to fill in this gap. The objective is to provide insight into the opinions of patients on the protection of personal data that are processed for scientific research. The opinions of patients are compared with the proposals on a new general European regulation on data protection. 1.2. Demarcation The study focuses on the opinions of patients on the balance between protection of personal data and the use of personal data for research purposes. This focus is chosen because information on the opinions of patients is missing in the informed discussion on the right balances within new data protection legislation. To gather information on the opinions of patients, an extensive survey among patients can be a good method. However, this requires a longer period of time then available for this study. Therefore this study relies on surveys with patient organisations. It is assumed that patient organisations can clearly represent patient opinions, as this is their main purpose, also on this topic. The interviewed organisations meet three criteria: they represent patients, they pay attention to scientific research and to the use of personal data for scientific research purposes and they represent Dutch patients or are active at European level. The choice for these organisations has to do with the fact that this study emerges from the request of the NFU. The NFU represents Dutch medical centres and their request is related to the legislation process on the 1 COM/2012/0011 (Explanatory memorandum, p. 1). 2 COM/2012/0011. 3 A7-0402/2013. 4 For example: M.R. Andersen & H.H. Storm, Eur J Cancer 2013, O. Nyrén, M. Stenbeck & H. Grönberg, Eur J Epidemiol 2014, p. 227-230 and Protecting health and scientific research in the Data Protection Regulation. Position of non-commercial research organisations and academics December 2014, wellcome.ac.uk (search for: Position of non-commercial research organisations and academics December 2014). 6

level of the EU. This study therefore is limited. It is not unlikely that cultural differences have an impact on the way patients think about the balance between protection of personal data and the use of this data for research purposes. The criterion of being involved into research is confirmed by the interviewees. On the last question of the survey, all organisations answered affirmative. 5 Furthermore this study gives no particular attention to different types of patients and to the special position of children in the PGDPR. 1.3. Research questions Main question What are the opinions of patients, with regard to EU legislation, on the balance between the protection of personal data and the use of this data for research purposes? Sub questions a. How do the EC and the EP suggest to strike the balance between the protection of personal data and the use of this data for research purposes, in their proposals on a new European regulation for data protection? b. What are the opinions of patients on the balance between protection of personal data and the use of this data for research purposes? 1.4. Research methodology This study can be characterised as a legal and practice-oriented study. It is a legal study since the legislation of data protection is analysed. The study is also practice-oriented. The results of the study can be used for informed discussions in data protection legislation debates. The study consists of two parts: an analysis of the proposed European regulations for data protection and the survey conducted among patient organisations. The first part has an explanatory character and encompasses a systematic content analysis. Consistently, the investigated regulations are taken as starting point. More primary and secondary legal sources were consulted, if necessary, in order to achieve the right interpretation of the investigated regulations. Several times the recitals that accompany the regulation are important in order to identify the exact meaning of the proposals. The recitals that are part of the proposals and precede the articles themselves are mentioned in this report at the articles they relate to. This analysis delivered input for the second part of this study: the surveys with patient organisations. 6 To identify the opinions of patients a survey is conducted among three Dutch and three European-based patient organisations. The survey consisted of thirteen statements and two questions. For all participating organisations the Dutch or English protocol is used. 5 The survey protocol is attached in Annex IV. 6 The survey results are discussed in Chapter 3. Annex V gives a schematised representation of outcomes. 7

The information that derived from the first part of the study is used as a guidance to develop the survey protocol. While analysing the interview results, it was not always clear whether the respondents reflected their own opinions, the opinions of patient organisations or the opinions of patients. The given comments are not used in this study when they clearly do not present opinions of patients. In the interest of readability, the wordings used by respondents have sometimes been adapted. These adjustments have been made without altering the content. 8

2. Proposed regulations [Titel] 2.1. General remarks This section gives an answer to sub question (a): How do the EC and the EP suggest to strike the balance between the protection of personal data and the use of this data for research purposes, in their proposals on a new European regulation for data protection? Both the proposal of the EC and the resolution of the EP with their amendments are discussed. 2.2. European Commission 2.2.1. Background of the proposal In the context of the Stockholm Programme, the European Council requested the EC to evaluate the functioning of the EU instruments on data protection. 7 The EC concluded: [ ] the EU needs a more comprehensive and coherent policy on the fundamental right to personal data protection. Although the current regulations contain the appropriate objectives and principles, the EC recognises that there are imperfections. The current regulations have not prevented fragmentation in the protection of personal data in the EU and legal uncertainty, while they foster the public concern that there are significant risks at online activity. 8 As a result of these views, the EC proposes the PGDPR. The elements of the proposal that hit the use of personal data for scientific research are the topic of this section. 9 2.2.2. Relevant articles Some parts of the PGDPR are specifically relevant in the context of this study: those parts that plainly affect data protection conditions for processing personal data for scientific research purposes. Table 1 gives a classification, made on the basis of this criterion. 1. 2. 3. Definition Relevant for scientific research No specific relevance Art. 4 Art. 6 1 under (a) Art. 1-3 Art. 7 Art. 5 Art. 9 1 and 2 under (i) Art. 8 Art. 81 Art. 10-80 Art. 83 Art. 82 Art. 84-91 Table 1: Classification of PGDPR articles. 7 Official Journal of the European Union (OJ) 2010, C-115. 8 COM/2012/0011, p. 1-2 9 Figure 6, displayed at the end of this section, shows the elements that plays a role. Whether the elements chosen by the EC create a balance or not, is not part of this study. 9

Of course, also the general principles, rights and duties will affect the way personal data may be processed for research purposes. These provisions however are not specifically targeting the use of personal data for research purposes. Annex I of this study comment on the articles of column 1 and 2. An overview of the main elements the EC proposes according to the protection of personal data in scientific research situations is given in this section. 2.2.3. Definitions and applicability of the rules In its proposal the EC gives the following definition of personal data : any information relating to an identified natural person or a natural person who can be identified, directly or indirectly. 10 This definition can be summarised in the phrase: all data that relate to an identified or identifiable natural person. Only for this type of data the proposed regulation is applicable. Within this general category of personal data the EC distinguishes the categories genetic data and data concerning health. Regarding the applicability of the rules relating to research purposes this categorisation makes no difference. The provisions for the processing of personal data for research purposes apply to personal data in general. The EC states very clearly that anonymised data is not covered by the data protection regulations of the PGDPR. 11 2.2.4. Exemption on the prohibition for research The PGDPR is founded on the principle that processing personal data is limited, because of the protection of individuals. The processing of personal data, revealing i.a. genetic data or data concerning health shall be prohibited according to the PGDPR. 12 The EC nevertheless pays attention to the progress of scientific research. Therefore it proposes an exemption on the prohibition to progress personal data, if meant for scientific research purposes. This exemption is given under the requirement of consent, explained in section 2.2.5. With the expected approved possibility of a general consent, the EC provides room for research. 2.2.5. Protective measures Two protective measures the EC proposes mainly constitute the system for the protection of personal data processed for research purposes. 13 Firstly, consent is always mandatory. This consent needs to be explicit 14 and a freely given specific and informed indication of the data subject s wishes. 15 The proposal seems to indicate that general consent is sufficient. It is not explicitly mentioned that consent should be given for specific research projects separately. 10 Art. 4 PGDPR. 11 Recital 23. 12 COM/2012/0011, art. 9, p. 45-46 PGDPR. 13 Annex I gives a description of the relevant articles 6 and 7 PGDPR. 14 COM/2012/0011, p. 7. 15 COM/2012/0011, art. 4, p. 41-42 and recital 25, p. 21. 10

On the way this consent should be granted the EC notes that there should not be a significant imbalance between the data subject and the recipient of consent. 16 As an example the EC gives the situation of an employment relationship and the position of the government in specific situations. Whether the relation between a doctor and a patient, relevant for medical research situations, can be recognised as imbalanced, is not clear. Attached to the required consent the EC furthermore wants to regulate that the data subject has the right to withdraw her or his consent at any time. 17 The processing of personal data is always subject to two conditions: the purposes cannot be fulfilled otherwise, e.g. with non-identifying data and identified or identifiable data are kept separately from other data. 18 2.2.6. Uncertainties Despite the choices made by the EC and the clarity the proposal should give, the proposal still has some uncertainty. Firstly, as referred to in section 2.2.4., the EC does not explicitly indicate whether a general consent for research purposes in broad sense, or a more specific consent is required. 19 Furthermore there can be doubt on the provision that there should not be a significant imbalance between the position of the data subject and the controller 20, as referred to in section 2.2.5. It is uncertain whether this applies to e.g. the relationship between doctors and patients. 2.3. European Parliament 2.3.1. Changes proposed by the EP resolution On 12 March 2014, the EP passed its resolution on the PGDPR. With a total of 207 amendments, the EP proposes many changes to the PGDPR. A number of these amendments are regarding the balance the EP proposes between the protection of personal data and the use of this data for research purposes. In relation to the EP amendments, organisations in the field of scientific research have raised their concerns. 21 It is suspected that the EP amendments can have damaging effects on the progress of scientific research with use of personal data. The amendments of the EP contain changes to the articles of the PGDPR proposed by the EC and a number of new articles. 16 COM/2012/0011, recital 34, p. 22. 17 COM/2012/0011, art. 7 paragraph 3, p. 45. 18 COM/2012/0011, art. 83 paragraph 1 under b, p. 96. 19 Recital 25. 20 The natural or legal person [ ] which alone or jointly with others determines the purposes, conditions and means of the processing of personal data [ ], COM/2012/0011, art. 4 under 5, p. 41-42. 21 See for example the Position of non-commercial research organisations and academics (12 february consulted on the website http://www.wellcome.ac.uk/), TMF Comment (12 february consulted on the website ), CESSDA. 11

2.3.2. Relevant acticles Table 2 shows which amendments particularly determine the balance the EP proposes. An explanation of the all the amendments of the columns 1 and 2 is given in Annex II. The system in general, being established by these articles, is discussed in this section 2.3. 1. 2. 3. Definition Relevant for scientific No specific relevance research Am. 98 Am. 6 on recital 23 PGDPR Am. 1-5 Am. 8 on recital 25 PGDPR Am. 7 Am. 12 on recital 33 PGDPR Am. 9-11 Am. 86 for a new recital 123a Am. 13-85 Am. 101 on art. 7 PGDPR Am. 87-97 Am. 103 on art. 9 PGDPR Am. 99-100 Am. 110 on art. 14 PGDPR Am. 102 Am. 127 for a new art. 32a Am. 104-109 Am. 191 on art. 81 PGDPR Am. 111-126 Am. 194 on art. 83 PGDPR Am. 128-190 Am. 192-193 Am. 195-207 Table 2: Classification of EP amendments. 2.3.3. Types of data According to the scope of the regulation, the EP does not propose any changes. Even as proposed in the PGDPR, the EP determines the regulation is not applicable if the data is anonymous. 22 Besides this the EP makes a distinction between personal data as such, and pseudonymous data and encrypted data. 23 Nevertheless the impact of this distinction is limited. Only once in the proposal is, in addition to the definition article, referred to pseudonymous data. This deals with acquiring of additional information from the data subject. 24 The same applies to encrypted data. Encrypted data is only mentioned in relation to information policies 25 and icons. 26 2.3.4. Purpose limited consent As starting point, the EP also chooses a ban on the use of personal data concerning i.a. genetic or biometric data or data concerning health. This protection of data however, is accompanied with an exemption for scientific research purposes. Even as the EC the EP proposes in relation to this exemption the EP proposes consent required for the use of personal data for research purposes. 27 22 Am. 6 on recital 23. 23 Am. 98 on art. 4 PGDPR. 24 Am. 104 on art. 10 PGDPR. 25 Am. 109 on a new PGDPR article; art. 13bis. 26 Am. 207 on a new PGDPR article. 27 A7-0402/2013, am. 8 on recital 25, am. 12 on recital 33 and am. 100 on art. 6 PGDPR. 12

According to the scope of the required consent the EP proposes a more strict regime. The EP proposes explicitly that the consent shall be purpose limited: Consent shall be purposelimited and shall lose its validity when the purpose ceases to exist or as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were originally collected. 28 Specifically according to personal data concerning health used for public health purposes of scientific research, the EP determines that consent may be given for one or more specific and similar research projects. 29 In relation to this requirement, the EP proposes the provision that Member States (MS) can regulate an exemption. 30 With regard to research that serves high public interest, MS law may provide exemptions to the requirement of consent. Not explained is what the EP means by high public interest. 31 2.3.5. More protective measures The EP proposal deviates on two other topics from the PGDPR. Firstly, the EP proposes the obligation for performing a risk analysis. Operations that are likely to present specific risks are, according to EP amendments, for example the situation that personal data relating to more than 5.000 data subjects and the situation that special categories of personal data, like presented in art. 9 PGDPR, are processed. 32 Both situations can easily occur in the processing of personal data for scientific research purposes. Which consequences should follow from the risk analysis, according to the amendments of the EP, is not clear. Secondly, the EP adds a requirement to the obligation that identified or identifiable data is kept separately from other data. This obligation is connected to the demand that this happens under the highest technical standards, and that all necessary measures are taken to prevent unwarranted re-identification of the data subjects. 33 When this condition is met, is not indicated. 2.3.6. Measures in the interest of research The exemption on the general prohibition to process personal data remains in the EP amendments on the PGDPR. 34 The EP adds here, in the interest of scientific research, that information requirements do not have to be fulfilled. 35 The provision for MS to make exemptions on the specific consent obligation, as explained in section 2.3.4., can be considered as a measure in the interest of research. This should create the opportunity for research without the requirement of consent. 28 A7-0402/2013, am. 101 on art. 7 paragraph 4 PGDPR. 29 A7-0402/2013, am. 191 on art. 81 paragraph 1b PGDPR. 30 A7-0402/2013, am. 191 on art. 81 paragraph 2a PGDPR. 31 Annex II provides in an explanation on am. 86. 32 A7-0402/2013, am. 127 on a new art. 32a. 33 A7-0402/2013, am. 194 on art. 83 paragraph 1 under b PGDPR. 34 A7-0402/2013, am. 103 on art. 9 under h PGDPR. 35 A7-0402/2013, am. 110 on art. 14 paragraph 5 under b PGDPR. 13

2.3.7. Uncertainties On tree issues the resolution of the EP creates confusion. Firstly, the meaning of the wording purpose limited, according to required consent, is unclear. Should consent be requested for each specific research project, or is permission for a certain category of researches sufficient? The resolution does not clarify this. Secondly, it is not clear how to determine whether there is high public interest, according to the provision for MS to provide exemptions to the requirement of consent. Opinions about whether medical research can always be qualified as of high public interest, may differ. How this condition thus should function is not fixed. Finally, the obligation that personal data is kept separately from other data under the highest technical standards leaves confusion. It is not clear when this obligation can be fulfilled. 2.4. Conclusion How do the EC and the EP suggest to strike the balance between the protection of personal data and the use of this data for research purposes, in their proposals on a new European regulation for data protection? Both the EC and the EP proposes measures for the protection of personal data on the one hand, and provisions to enable the use of personal data for research purposes on the other hand. In general, it can be concluded that both the PGDPR of the EC and the resolution of the EP do not create clear rules. 36 The starting point of the EC to reduce legal uncertainty might not be achieved with the legislation as proposed. Specifically on the scope of consent, both proposals are not clear. For the PGDPR, also uncertainty exists on the potential imbalance between a data subject and the recipient of consent. Next to this, the EP s proposal create confusion from the provision for MS to establish an exemption on consent if there is high public interest. When this objective is met, is not clear. Similarly, the requirement that personal data should be kept separately under the highest technical standards can be questioned. The information given about the proposed regulations therefore is based on the expected meaning. This implies that further explanation in the future by the institutions, could lead to conclusions which differ from the conclusions given in this study. A main answer on sub question (a) is the conclusion that both the EC and the EP proposes exemption on a general prohibition for processing personal data for scientific research purposes. Thereby, both institutions require consent of the data subject and the right for a data subject to withdraw this consent. Differences between the EC and the EP exist on the way how they suggest this consent should be shaped. The EC proposes that consent should 36 Annex III gives an overview of the proposed measures by the EC and the EP. With this overview the differences between their proposals can be seen easily. 14

always be required. This consent seems to be accepted in the opinion of the EC in a general way. For research purposes as a whole, not limited to a project or time period, permission could be sufficient. The EP, on the contrary, requires a purpose limited consent and states, according to personal data used for public health purposes of scientific research: consent may be given for one or more specific and similar research projects. In this way, the EP intensifies the data protection system. This stricter condition is in addition however linked to a provision for MS. The MS may constitute an exemption on the requirement of consent if the research serves high public interest. On this manner the EP gives a part of the regulatory power on data protection back to the MS. Next to this, the balance is surrounded by a number of additional conditions. There is broad similarity between the PGDPR and the resolution of the EP on the additional obligations. Both propose to introduce the requirements that the purposes cannot be fulfilled other than with personal data, and identifiable data should be separated from other data. On the last condition the EP proposes the stricter requirement that it should be done under the highest technical standards. In addition the EP proposes the obligation of a risk analysis. Both legislative proposals thus hold that data protection in research situations is shaped by required consent. In the PGDPR, a consent is always prescribed and a general consent seems to be sufficient. According to the EP, a limited consent is required, combined with the provision for MS to create exemptions in situations of high public interest. How far in practice the general consent of the EC and the limited consent of the EP diverge, cannot be concluded on the basis of the yet proposed legislation. The EP seems to propose a stricter premise starting point, but more clarity should be given on both the PGDPR and the resolution of the EP. 15

3. Opinion of patients [Titel] 3.1. Introduction What are the opinions of patients on the balance between protection of personal data and the use of this data for research purposes? This question will be answered in this chapter. The opinions of patients are determined through interviews. 37 Information about the method and the interview protocol has been given in section 1.4. On the question which elements that were not part of the interview questions but nevertheless should be taken into account, the respondents mentioned the following issues: data integration; cultural differences in opinions of patients; patient access to their own data and incidental findings; nuances in legislation for vulnerable populations such as rare disease patients. 3.2. Consensus On five statements of the interview protocol all respondents agree. 38 This result shows that patients consider the following issues important: Scientific research, for which the use of personal data is required. Protection of their personal data, when used for scientific research purposes. Existence of legislation which sets rules for the use of personal data for scientific research purposes. Distinction between data protection for research situations and data protection for the use of personal data for other purposes. Input of patients on data protection legislation. 39 3.3. Differences of opinions The interview outcomes show that there are topics on which the opinions of patients are divided in two ways. In the first place, there were statements on which some respondents agreed and some disagreed. In the second place, respondents not always agree or disagree with a statement. In this situation they sometimes explained that this differs among patients. 40 The conclusion can be drawn that there is no general consensus among patients on four topics: Whether it is important to have sufficient control as data subject on personal data that is used for scientific research purposes. Whether general consent is sufficient. Whether consent should be required for the use of personal data for scientific research purposes in the public s interest. 37 The interview protocol is attached in Annex IV. 38 Figure 1 of annex V gives an overview of the reactions of the respondents on the thirteen statements of the interview protocol. 39 The underlying arguments for these opinions are shown in table 1 of annex V. 40 Figure 2 of annex V shows the reasons respondents gave for neither agree or disagree on statements. 16

Whether consent should be required for the use of personal data that is edited in such a way that it could not lead to an identifiable person. Three of these topics have to do with the manner in which the requirement for consent must be designed. Patients are not unanimous about the adequacy of a general consent and also on exemptions to the requirement of consent opinions divide. 3.4. The requirement of consent 3.4.1. Importance of consent Five respondents agreed that patients consider the requirement of consent as important. One respondent neither agreed or disagreed and explained: not all patients know that their personal data is being used for scientific research purposes, they just do not think about the requirement of their consent. This indicates that there are situations in which personal data is used for scientific research purposes, without knowledge of this by patients. Nevertheless there can be concluded that the majority of the patients consider consent as important. Opinions are divided on the form of this consent. 3.4.2. Exemptions ons consent On the statement that no consent is needed for the use of personal data for scientific research in the case of public interest one respondent agreed, three respondents disagreed and two did not choose to agree or disagree. The respondent who agreed, argued for a specific exemption: derogation for population-based cancer registries. As explanation to disagree or to leave a choice absent, the following arguments were given: It differs among patients. If there are exemptions on the consent rule, involvement of patients in ethics committees is important. This for setting up the priorities and issues of public interest. No specific patient information available on this issue. It depends on how public interest is defined. However, also if there is a clear definition and there is public interest, patients want to give their consent. One could say each medical scientific research project is of public interest. Another option for exemption lies in the field of editing. One respondent argued that consent can be omitted when the data is edited in such a way that the data could not be traced back to the person. 41 Arguments given by the respondents who did not agree or disagree are the following: It depends on the way the personal data is edited. Patients find the risk of identification important. 41 Statement 9 of the interview protocol. 17

There is no response for the entire patient community on this statement. Patient opinions on this will differ among different situations, for example the life-limiting nature of the disease of the patient. If anonymised, personal data cannot be used anymore as being personal data. For personal data however, consent always should be required. Not sure about patients opinions on this. Anonymising and encrypting is a good thing, patients can give a general consent in that case. 3.4.3. General consent On the statement whether general consent is sufficient 42, the opinions are divided. One respondent agreed and one disagreed, the others chose neither of the two options. The respondent who agreed, explained that a broader consent for a range of research projects in the future is sufficient, if it is provided in firm legislation and ethically approved. The respondent who disagreed argued that patients want to know where they give consent for, as one respondent states; a general consent is not sufficient in that case. Four respondents did not choose to agree or disagree. The following reasons were given: 43 There is a lot of discussion on this issue. It is beyond doubt that patients want to have a clear picture for which use they give their consent. There is no one size fits all -solution on the opinions of patients on the required consent. Rare disease patients are, generally spoken, comfortable with broad consent. This remains under the condition that evaluation of that research is regularly communicated back to patients, individually or generally. Moreover, allowing patients to understand new advances in which their samples may be used and to withdraw their consent from research if desired. It depends on the trust patients have in the research institution in question. In general, broad consent would be acceptable under the condition of good communication to patients. They can withdraw their consent if desired. The patient organisation does not know the patient opinions on this issue. The opinions of patients are varying on this issue. 3.4.4. Right to withdraw consent Five of the six respondents agree on the statement that patients want to have the possibility to prohibit the use of their personal data for research purposes at any time. 44 Some respondents explained their choice. The following motivations were given: Patients are often concerned about the information imbalance between the patient as a layperson and the healthcare system. Patients therefore wish to have their rights, regardless the frequency of using them in the clinical practice. 42 Statement 7 of the interview protocol. 43 Statement 7 of the interview protocol. 44 Statement 10 of the interview protocol, as attached in Annex IV. 18

[Titel] It is important for patients to have the right to withdraw; this has to do with the right to be forgotten. However, there needs to be proportionality, for example taking into account possible harmful effects on the research project. The right to withdraw needs to be combined with the possibility for patients to know wherefore their data is used on each moment. Transparency by researchers need to be of importance therefore. 3.5. International transfer and harmonisation of legislation Do patients care whether personal data is used internationally and do they find harmonisation on EU level important? Yes, on both issues a majority of the respondents answered affirmative. 45 Respondents that did not choose to agree or disagree did not give an explanation for their choice. Arguments of the respondents that agree are the following: The fact of personal data being used internationally or not, is part of the information that patients want to have. With the implementation of cross-border healthcare, harmonisation becomes essential. Patients recognise that for some kind of diseases, cross-border research is necessary. This justifies more cooperation. Harmonisation will make this easier. 3.6. Provision of information In various explanations, the respondents stressed the value that patients attach to the provision of information. One respondent stated: For patients, information is the most important. 3.7. Conclusion What are the opinions of patients on the balance between protection of personal data and the use of this data for research purposes? On the one hand, it must be concluded that patients do find scientific research with the use of personal data important. On the other hand, patients find attention must be paid to data protection. According to this protection the patients consider it relevant: that data protection legislation exists and that they have input, that a distinction for different use of personal data is made and that consent is required. On the basis of a majority under the respondents also can be concluded that patients find it important to know whether data is transferred internationally and that legislation is harmonised on EU level. Whether patients do want to have sufficient control on their data the interview results give no consensus. 45 Figure 3 of Annex V gives insight to the choice the respondents made according to international transfer and harmonisation. 19

It is already concluded that the requirement of consent is considered important for patients. The opinions differ on the topic how this consent should be conducted. Most of the respondents did not chose to agree or disagree with the statement that a general consent would be sufficient. Also on the statements that patients approve on exemptions if there is public interest or if the data is threatened data, only one respondent agreed. The right to withdraw consent at every moment can count on broad support of patients based on the interview results. Thus, the answer to the question should be: patients want that research with personal data remains possible, and patients want to have data protection legislation and the requirement of consent. 20

4. Conclusions and recommendations [Titel] 4.1. Introduction The opinions of patients in relation to new EU data protection legislation can be understood by presenting similarities and differences between the proposals and the interview results, and by paying attention to issues on which debate exists. Both are addressed in this chapter. Furthermore, recommendations are given. Seen the number of held surveys and the choice to search for the opinions of patients by asking patients organisations; the conclusions can been seen as an indication patients opinions. 4.2. Observations: similarities and differences Progress of scientific research From the large amount of topics encountered by data protection, the EC and the EP pay attention to the progress of scientific research. Both create exemptions for research on the prohibition to process personal data. The proposals of the EC and the EP differ in the conditions under which this exception is allowed. The focus on scientific research by regulations for data protection fits with the opinions of patients according to the use of personal data for scientific research purposes. Consent requirement The requirement of consent exists in the proposal of the EC as well the EP. These choices correspond with the opinions of patients: the majority of patients consider consent important. Position according to general consent Neither in the proposals and the survey results a clear explicit statement according to general consent is visible. The proposal of the EC seems to indicate that general consent will suffice. This can be concluded since it is not explicitly mentioned that consent should be given for specific research projects separately. The resolution of the EP seems to suggest a stricter regime with their requirement that consent shall be purpose-limited. The interview results show that the opinions of patients on general consent are mixed. Exemptions on consent Two possible exemptions on consent emerged from this study: research with public interest and situations with edited data. On the first exemption, only the EP resolution gives a legal provision. For personal data concerning health, the EP proposes that MS can create an exemption on the requirement of consent in the case of research that serves high public interest. The majority of the respondents disagreed on the statement that research with high public interest is excluded from the consent requirement. This has several reasons; amongst others, the problem of defining public interest is mentioned. The opinions of patients vary on the requirement of consent for edited data. This could be because of the phrasing edited in such way that the personal data could not be traced back to the person. It is not entirely clear what should be understood by this. The EC and the EP do not use this term, nevertheless 21

they both give a definition of personal data and determine that anonymised data is not covered by the data protection regulations. Clarity of legislation This study reveals that the proposals of the EC and the EP contain ambiguities. This observation stands next to the wish of the EC to prevent legal uncertainty and the value that patients attach to the provision of information. Whether the EC is going to meet its own ambition, they need to assess themselves. The opinion of patients shall mainly relate to the level of research projects, but can also be influenced by the extent to which laws create clarity. Data separation One of the conditions the EC proposes as required for the use of personal data for research purposes is the obligation that identified or identifiable data are kept separately from other data. The EP proposes the same condition, but gives more concretisation on this requirement: it needs to be done under highest technical standards, and all necessary measures must be taken to prevent unwarranted re-identification of the data subjects. This kind of technical issue is not discussed with the patient organisations. Role for MS Only the EP proposes to give competence to MS according to the regulation of data protection. This concerns the possibility for MS to provide exemptions to the requirement of consent regard to research that serves high public interest. This choice is unfortunate, seen the fragmentation of legislation which the EC wants to prevent and the support of patients for harmonisation on EU level. 4.3. Recommendations: work to do Use the legislative process Patient organisations should take the opportunity to ensure that their points of interest are included in new legislation. This can be done by either concrete legislation proposals or with support to broad rules in which much is possible. Existing confusion 46 can be used to disseminate and capture points of view. Involve patients in the legislation process and implementation of regulations Patients find it important to be involved in the process of data protection legislation. Patient organisations can play an important role in this; they are a means to let the voice of patients be heard in the legislation process. Demonstrate how scientific research and data protection can go hand in hand The fact that both the progress of scientific research and data protection is recognised by all parties is a good starting position for successful development of legislation. All parties are 46 This is explained under observations, no. 5. 22

aware of the importance of the same two matters. Positions on how to achieve these interests in legislation however can differ, as became visible in this study. Therefore organisations that have expertise and knowledge on the way how scientific research and protection of personal data work in practice, need to point out which legislation will be the best. Moreover the proposals for data protection with regard to research situations is only a small part of a very big legislation process. It should not be assumed that the legislative parties pay the utmost attention to this element. Therefore insight from practice needs to be given on a clear and accessible way. Give attention to information services for patients Patients are mainly the providers of personal data and this study shows the importance they attach to knowledge on what happens with their data. Good information services can increase the support of patients for scientific research with personal data. Develop consensus on elements still disputed The study showed that opinions still differ on the scope of a general consent and the right to withdraw. The systems which the EC and the EP propose differ on the topic of general consent. Both proposals include the right to withdraw, although the practical implementation is not defined clearly. It would be fruitful to develop a vision on these topics which could be shared by patients as well as researchers. Attention after the legislative process It is not inconceivable that the legislative process results in broad and guidelines that require further interpretation. Therefore it is recommendable to continue lobbying when the PGDPR established to influence on how the rules will be applied in practice. 23

Bibliography [Titel] M.R. Andersen & H.H. Storm, Eur J Cancer 2013 M.R. Andersen & H.H. Storm, Cancer registration, public health and the reform of the European data protection framework: Abandoning or improving European public health research?, Eur J Cancer 2013. O. Nyrén, M. Stenbeck & H. Grönberg, Eur J Epidemiol 2014, p. 227-230 O. Nyrén, M. Stenbeck & H. Grönberg, The European Parliament proposal for the new EU General Data Protection Regulation may severely restrict European epidemiological research, Eur J Epidemiol 2014, p. 227-230 Position of non-commercial research organisations and academics - July 2014 Protecting health and scientific research in the Data Protection Regulation (2012/0011(COD)). Position of non-commercial research organisations and academics - July 2014, wellcome.ac.uk (search protecting health and scientific research in the Data Protection regulation). 24

Anex I Description EC articles [Titel] Art. 4 PGDPR In art. 4 PGDPR at number (1) to (19), definitions are given which are important for the determination of the balance the EC proposes. These are the definitions of the legal notions: data subject (1), personal data (2), processing (3), the data subject s consent (8) and data concerning health (12). Figure 2 shows the meanings given to those legal notions in art. 4 PGDPR. Legal notion Data subject Definition elements Identified or to identify natural person. Personal data Any information relating to a data subject. Processing Any operation or set of operations performed upon personal data or sets of personal data. The data subject s consent Any freely given specific, informed and explicit indication of wishes by which the data subject signifies agreement for processing personal data relating to them. Data concerning health Any information relating to the physical or mental health of an individual, or to the provision of health services to the individual. Table 1: Definitions according to art. 4 PGDPR. In connection with the scope of the PGDPR on the basis of the definitions, recital 23 is important. The EC makes clear there that anonymised data should not be regarded as personal data according to art. 4 PGDPR. This means the PGDPR does not apply for anonymised data. Art. 6 PGDPR Art. 7 PGDPR Art. 6 PGDPR determines when Processing of personal data shall be lawful. Only if and to the extent that at least one of situations of art. 6 PGDPR paragraph 1 under (a) until (f) applies, the processing of personal data shall be lawful. For the use of personal data for research purposes according to the PGDPR therefore, the consent of the data subject is necessary. This use of personal data namely does not fall within any of the other categories of art. 6 PGDPR paragraph 1. In addition, art. 6 2 PGDPR adds the requirement that processing of personal data which is necessary for scientific research, is subjected to the conditions and safeguards referred to in art. 83 PGDPR. In art. 7 PGDPR, four conditions are given, shown in Figure 1, for the validity of consent as a legal ground for lawful processing. In the context of the balance between the protection of personal data and the use of personal data for scientific research purposes, two 25

conditions are particularly of interest. These are the right to withdraw consent for the data subject at any time, and the requirement that there should not be a significant unequal relationship between the data subject and the controller. The right to withdraw consent at any time is not mentioned as a general right in the Data Protection Directive 47 (DPD), but proposed by the EC in art. 7 PGDPR. Whether the consent required by the EC consist of general consent or specific consent is not entirely clear. The EC explains: Consent should cover all processing activities carried out for the same purpose or purposes. 48 This supports the conclusion that the EC considers general consent to be sufficient. However, the proposal does not clarify this explicitly. The requirement that there should not be a significant imbalance Burden of proof for controller Requirement to give consent distinguishable from other matters Consent Right to withdraw consent for the data subject at any time No significant imbalance between position data subject and controller Figure 1: Elements of consent according to art. 7 PGDPR. between the position of the data subject and the controller however, can give uncertainty in the context of the use of personal data for scientific research purposes. The EC explains 49 that consent should not provide a valid legal ground for the processing of personal data when there is a clear imbalance between the data subject and the controller. According to the EC this is especially the case when the data subject is in a situation of dependence from the controller. As an 47 Directive 95/46/EC. 48 Recital 25. 49 Recital 34. 26

example, the EC mentions the relation between an employer and employee in the employment context. It is unclear whether a doctorpatient relationship may also be considered as a relation with significant imbalance between position data subject and controller. Art. 9 PGDPR Art. 81 PGDPR Art. 83 PGDPR In art. 9 paragraph 1 PGDPR, the EC introduces a prohibition for the processing of special categories of personal data. These categories includes genetic data and data concerning health. On the prohibition of paragraph 1 of art. 9 PGDPR the EC gives exemptions in paragraph 2 of art. 9 PGDPR. This exemption also applies to data concerning health for health purposes (h) and processing which is necessary for scientific research purposes (i). Processing for scientific research purposes is subject to the conditions of art. 83 PGDR as stated in art. 9 paragraph 2 under (1) PGDPR. Besides the conditions given for special categories of data, as provided in art. 9 PGDPR, art. 81 PGDPR regulates specific safeguards for processing for health purposes. For the research question of this study this article does not have much relevance, besides the fact that paragraph 2 of art. 81 PGDPR refers to art. 83 PGDPR. In practice the use of personal data for health purposes will merge with the use of personal data for research purposes. But in the case of processing for research purposes, the requirements of art. 83 PGDPR always have to be fulfilled. Art. 83 paragraph 1 under (a) and (b) gives conditions under which processing for scientific research purposes is allowed. These conditions are shown in figure 2. Use of personal data for research purposes These purposes cannot be fulfilled otherwise, e.g. with non-identifying data. Identified or identifiable data are kept separately from other data Figure 2: Conditions for the use of personal data for research purposes according to am. 83 PGDPR. Public disclosure is only allowed, according to art. 83 paragraph 2 PGDPR, if (a) the data subject has given consent, as mentioned in art. 7 PGDPR, if (b) the publication is necessary to present research findings or to facilitate research insofar as the interests of the data subject do not override these interests, or (c) the data subject has made the data public. 27

2024 © healthdocbox.com Privacy Policy | Terms of Service | Feedback