Medical Research Law & Policy Report

Similar documents
Collecting and Handling Health Data in a GDPR World

COUNCIL OF THE EUROPEAN UNION. Brussels, 7 September 2009 (OR. en) 11261/09 Interinstitutional File: 2008/0002 (COD) DENLEG 51 CODEC 893

The Nutrition (Amendment) (EU Exit) Regulations 2018

Sexual Assault. Attachment 1. Approval Date: Policy No.: The University of British Columbia Board of Governors

INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS 3000 ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OR REVIEWS OF HISTORICAL FINANCIAL INFORMATION CONTENTS

C 178/2 Official Journal of the European Union

BACKGROUND + GENERAL COMMENTS

The Impact of GDPR on Clinical Trials

Assurance Engagements Other than Audits or Review of Historical Financial Statements

(Legislative acts) REGULATIONS

Specialist Research Ethics Guidance Paper RESEARCH INVOLVING ADULT PARTICIPANTS WHO LACK THE CAPACITY TO CONSENT

COMMISSION OF THE EUROPEAN COMMUNITIES. Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

EUROPEAN COMMISSION HEALTH AND FOOD SAFETY DIRECTORATE-GENERAL. PHARMACEUTICAL COMMITTEE 21 October 2015

COMMISSION OF THE EUROPEAN COMMUNITIES REPORT FROM THE COMMISSION TO THE COUNCIL AND THE EUROPEAN PARLIAMENT

Commissioner Borg addresses the European Parliament's Interest Group on Complementary and Alternative Medicine

COMMISSION DELEGATED REGULATION (EU).../... of XXX

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person.

Auditing Standards and Practices Council

SUMMARY REPORT OF THE STANDING COMMITTEE ON THE FOOD CHAIN AND ANIMAL HEALTH HELD IN BRUSSELS ON 10 DECEMBER 2012 (Section General Food Law)

DISCLOSURE OF ALCOHOL AND SUBSTANCE/DRUG ABUSE RECORDS. This Policy describes permissible disclosures of Alcohol and Substance/Drug Abuse Records.

Human Research Ethics Committee. Some Background on Human Research Ethics

Brussels, 20 December 2011 (Case ) 1. Proceedings

17. Storage of gametes and embryos

The Voice of Patients on Data Protection

WORLD MEDICAL ASSOCIATION DECLARATION OF HELSINKI. Ethical Principles for Biomedical Research Involving Human Beings

OFFICIAL STATE BULLETIN

DIRECTIVES. (Text with EEA relevance)

Information about cases being considered by the Case Examiners

Survey results - Analysis of higher tier studies submitted without testing proposals

POLICY BRIEF 4. The Nagoya ABS Protocol and Pathogens. By Gurdial Singh Nijar. Contents

Ethical Conduct for Research Involving Humans

Guidance - IDE Early/Expanded Access for Devices

GDC Disclosure and Publication Policy

REGULATION (EC) No.141/2000

2018 Farm Bill to Lift Federal Prohibition on Hemp Production, but State Laws May Restrict Certain Activities

TREATMENT OF INVOLUNTARY PATIENTS 2.4

This document is meant purely as a documentation tool and the institutions do not assume any liability for its contents

EUROPEAN UNION. Brussels, 15 October 2007 (OR. en) 2005/0227 (COD) PE-CONS 3627/07 MI 149 ECO 83 SAN 123 CODEC 621

World Medical Association Declaration of Helsinki Ethical Principles for Medical Research Involving Human Subjects

Common Criteria for Cosmetic Claims

REQUIRED INSTITUTIONAL REVIEW BOARD (IRB) EDUCATIONAL READING FOR FLETCHER SCHOOL RESEARCHERS APPLYING FOR EXEMPTION FROM IRB

Consultation on Carers Legislation

IAASB Main Agenda (March 2005) Page Agenda Item. DRAFT EXPLANATORY MEMORANDUM ISA 701 and ISA 702 Exposure Drafts February 2005

REPUBLIC OF LITHUANIA LAW ON DONATION AND TRANSPLANTATION OF HUMAN TISSUES, CELLS AND ORGANS. 19 November 1996 No I-1626 Vilnius

Flexibility and Informed Consent Process

15 May 2017 Exposure Draft. Response Due Date 23 June Exposure Draft

COMMISSION REGULATION (EU)

CED GUIDELINES TO INTERPRET AND IMPLEMENT COUNCIL DIRECTIVE 2011/84/EU ON TOOTH WHITENING PRODUCTS

(Text with EEA relevance) Having regard to the opinion of the European Economic and Social Committee ( 1 ),

Assurance Engagements Other Than Audits or Reviews of Historical Financial Information

Nova Scotia Board of Examiners in Psychology. Custody and Access Evaluation Guidelines

Communication and Information Sharing Agreement. between. The Care and Social Services Inspectorate Wales. and

Contribution by the South African Government to the Proposals, Practical Measures, Best Practices and Lessons Learned that will contribute to

Unofficial translation - No legal value. Bundesanzeiger Nr. 229 vom 04. Dezember 1998, S

HIPAA FOR THE DENTAL PRACTICE

MRS Best Practice Guide on Research Participant Vulnerability

IMPORTANT DISCLAIMER. Note

Use of Standards in Substantial Equivalence Determinations

The Food for Specific Groups (Information and Compositional Requirements) (England) Regulations 2016

IAASB Exposure Draft, Proposed ISAE 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information

International Framework for Assurance Engagements

Laura Beatriz Herrero Montarelo, Maria Dolores Gómez Vázquez and Victorio José Teruel Muñoz

ATMPs & EU GMP Update. Bryan J Wright July 2017

Ref: E 007. PGEU Response. Consultation on measures for improving the recognition of medical prescriptions issued in another Member State

We get your personal data from the following sources (examples detailed below are not exhaustive):

October 2003 Revision 1, February INTRODUCTION AND SCOPE

COMMITTEE FOR MEDICINAL PRODUCTS FOR HUMAN USE (CHMP)

CODE OF ETHICS FOR RESEARCH IN THE SOCIAL AND BEHAVIOURAL SCIENCES INVOLVING HUMAN PARTICIPANTS

UNIVERSITY OF LEICESTER, UNIVERSITY OF LOUGHBOROUGH & UNIVERSITY HOSPITALS OF LEICESTER NHS TRUST JOINT RESEARCH & DEVELOPMENT SUPPORT OFFICE

5.I.1. GENERAL PRACTITIONER ANNOUNCEMENT OF CREDENTIALS IN NON-SPECIALTY INTEREST AREAS

Roadmap to review the Nutrition and Health Claims legislation expression of interest to contribute to the upcoming external study

Medical gap arrangements - practitioner application

Policy Prohibiting Discriminatory Harassment & Sexual Misconduct. Definitions. Wesleyan University

COMMISSION IMPLEMENTING DECISION. of

WORLDWIDE FLIGHT SERVICES PRIVACY SHIELD POLICY

ECT and the law. Dr Hugh Series. Consultant old age psychiatrist, Oxford Health NHS FT Member, Law Faculty, University of Oxford

COMMISSION REGULATION (EU) / of XXX

Details of Authorised Personnel

EUROPEAN COMMISSION SUMMARY REPORT OF THE STANDING COMMITTEE ON THE FOOD CHAIN AND ANIMAL HEALTH HELD IN BRUSSELS ON 13 JUNE 2014

QUALITY REVIEW PROGRAM REVIEW OF FORENSIC ACCOUNTING ENGAGEMENT QUESTIONNAIRE

Counterfeit Medicinal Products. FINLAND Roschier, Attorneys Ltd.

Consent to research. A draft for consultation

State of Connecticut Department of Education Division of Teaching and Learning Programs and Services Bureau of Special Education

OPIOID EMERGENCY RESPONSE REGULATION

HIV /Aids and Chronic Life Threatening Disease Policy

Act on Narcotic Drugs and Psychotropic Substances and Precursors thereof

This document is meant purely as a documentation tool and the institutions do not assume any liability for its contents

MEMBER SHARE A Pastoral Medical Association - Private Membership Program MEMBER SHARE AGREEMENT (MSA)

Designing publicly funded healthcare markets Note by the Russian Federation

EUROPEAN COMMISSION SUMMARY REPORT OF THE STANDING COMMITTEE ON PLANTS, ANIMALS, FOOD AND FEED HELD IN BRUSSELS ON 10 FEBRUARY 2015

The Chinese University of Hong Kong. Survey and Behavioural Research Ethics

OUR GROUP GDPR INFORMATION SECURITY FRAMEWORK

COMMISSION DELEGATED REGULATION (EU) /... of XXX

Access to electronic communications services for disabled customers

Framework on the feedback of health-related findings in research March 2014

Testimony of. Eric J. Cassell, M.D., M.A.C.P. Member, National Bioethics Advisory Commission. and. Clinical Professor of Public Health

Governance. Defend. Prevent. Respond OUR GROUP GDPR INFORMATION SECURITY FRAMEWORK FOREWORD

COLUMBIA UNIVERSITY INSTITUTIONAL REVIEW BOARD GUIDANCE ON ELECTRONIC INFORMED CONSENT

Claims about health in ads for e-cigarettes. CAP and BCAP s regulatory statement

Alert That Restricts the Use of the Auditor s Written Communication

Transcription:

Medical Research Law & Policy Report Reproduced with permission from Medical Research Law & Policy Report, 16 MRLR 18, 09/20/2017. Copyright 2017 by The Bureau of National Affairs, Inc. (800-372-1033) http:// www.bna.com Reconciling Personal Data Consent Practices in Clinical Trials with the EU General Data Protection Regulation Mark Barnes, Rohan Massey, David Peloquin, and Nick Wallace are attorneys with Ropes & Gray LLP. BY MARK BARNES, ROHAN MASSEY, DAVID PELOQUIN, AND NICHOLAS WALLACE Clinical trial sponsors, and the research community more generally, should evaluate closely their privacy practices in preparation for the May 25, 2018, compliance date of the European Union s General Data Protection Regulation ( GDPR ) in the 28 member states of the European Union ( EU ) and three additional countries that together with the EU comprise the European Economic Area ( EEA ) (collectively, Member States ). (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter GDPR )). Among other challenges, the GDPR will require an evaluation of practices for obtaining clinical research subjects informed consent for the processing of their personal data. A previous article by three of the present authors provided a more general overview of various aspects of the GDPR on scientific research and secondary uses of personal data, and we do not repeat here all the previously described considerations. (Barnes, et al., Impact of the European Union s Approved General Data Protection Regulation on Scientific Research and Secondary Uses of Personal Data, BLOOMBERG BNA MED. RES. L. & POL Y REP. (Feb. 17, 2016)). As a matter of practice, the research community has traditionally relied on data subjects consent as the basis for processing personal data. Typically, researchers involved in human subjects research have obtained the subjects consent to process their data during the informed consent process such that through signing a single informed consent form, the subject provides his or her consent to participation in the research, as well as consent to the processing of his or her personal data in connection with the research. In the United States, this dual permission consent form is used widely in research occurring at health-care providers that are covered entities under the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) Privacy Rule. Under the Privacy Rule, a subject typically executes an authorization providing the health-care provider permission to use and disclose the subject s protected health information in connection with a study, and the Privacy Rule also allows that authorization to be combined with an informed consent for participation in the research itself. (See 45 C.F.R. 164.508(b)(3)(i)). Outside of the United States, this dual permission is often accomplished through including in the informed consent form a distinct section that addresses the use and disclosure of the subject s personal information for purposes of the research. This article first explains the instances in which consent may serve as a basis for processing personal data under the GDPR. Second, it notes the ways in which the GDPR has been interpreted by regulators to disfavor the use of consent by clinical researchers as a basis for processing personal data. Third, and finally, the article flags a few of the implications for the research community if that community must rely on theories other than consent as the basis for processing personal data collected as part of a research study. GDPR Requirements for Processing Personal Data Under the GDPR, data controllers and processors may rely on a number of grounds to process personal data, which are defined broadly to include any information relating to an identified or identifiable natural COPYRIGHT 2017 BY THE BUREAU OF NATIONAL AFFAIRS, INC. ISSN 1539-1035

2 person. (GDPR Art. 4(1)). The GDPR in turn defines an identifiable natural person as one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (See id.). Consent is one ground recognized by the GDPR as a basis for processing personal data. Entities subject to the GDPR may process personal data when the data subject has given consent to the processing of his or her personal data for one or more specific purposes. (GDPR, Art. 6(1)(a)). The GDPR also permits processing of personal data on the ground that processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (GDPR, Art. 6(1)(f)). In limited circumstances, the legitimate interests basis may allow a researcher or clinical trial sponsor to process data without a subject s consent, although as noted in the following section, the particular types of sensitive personal data often collected during human subjects research are subject to heightened requirements for processing. GDPR Requirements for Processing Special Categories of Personal Data Heightened requirements must be met in order to process certain special categories of personal data, which are likely to be collected during any clinical research (or even social science research) study. These special categories include personal data revealing racial or ethic origin... genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person s sex life or sexual orientation. (GDPR, Art. 9(1)). The GDPR prohibits the processing of special categories of personal data in the absence of an applicable exception. One such exception is the consent of the data subject, provided that the subject provides explicit consent to the processing of those personal data for one or more specified purposes. (GDPR, Art. 9(2)(a)). The Article 29 Data Protection Working Party (the Working Party ), an advisory body that issues non-binding guidance on EU data protection law, provided guidance interpreting explicit consent under the EU Data Privacy Directive (Directive 95/46/EC), the predecessor regime to the GDPR. The Working Party noted that explicit consent is understood as having the same meaning as express consent. (Opinion No. 15/2011 (WP187) of the Article 29 Data Protection Working Party on the Definition of Consent 26 (Jul. 13, 2011)). According to the Working Party, express consent encompasses all situations where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing. Usually, explicit or express consent is given in writing with a handwritten signature. (Id.). It is also important to note that the GPDR provides that more restrictive laws of the EU or of an individual EEA Member State may provide that the data subject may not lift, by the data subject s consent, the general prohibition on the processing of such special categories of personal data. (GDPR, Art. 9(2)(a)). Accordingly, depending on future EU and Member State enactments, there may emerge some variation between EEA Member States regarding the extent to which explicit consent may be used as a basis for processing special categories of personal data. In instances in which entities processing personal data do not have a data subject s explicit consent, the GDPR permits processing of special categories of personal data on certain other grounds, including when processing is necessary (i) for scientific or historical research purposes or (ii) for reasons of public interest in the area of public health. Processing for scientific or historical research purposes must be done in accordance with Article 89(1) based on Union or Member State law which shall be: proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. (GDPR, Art. 9(2)(j)). The wording of Article 9(2)(j) with its statement that processing must be in accordance with Article 89(1) based on Union or Member State law raises a question of whether the EU or individual Member States must issue affirmative legislation interpreting Article 89(1) before Article 9(2)(j) may be relied upon as an independent basis for processing of special categories of personal data. In our judgment, the better interpretation, in light of the GDPR s recitals on this point, is that Article 9(2)(j) is available immediately as an independent basis for processing, though the EU or individual Member States are empowered (though not required) to impose additional requirements on such processing. For example, GDPR Recital 156 (emphasis added) states: Member States should provide for appropriate safeguards for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. Member States should be authorised to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability, and to object when processing personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Under this Recital, therefore, Member States should be authorised to provide for these additional protections and measures but are not required to do so meaning, presumably, that such Member State actions are not somehow a predicate for the use of the sensitive data processing authority afforded by Article 9(2)(j). Moreover, as described immediately below, Article 89(1) already requires certain protective conditions for research subjects, thus already meeting the Article 9(2)(j) requirement that there be suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. Article 89(1) requires that processing of personal data for historical or scientific research purposes shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Safeguards must ensure that technical 9-20-17 COPYRIGHT 2017 BY THE BUREAU OF NATIONAL AFFAIRS, INC. MRLR ISSN 1539-1035

3 and organisational measures are in place... to ensure respect for the principle of data minimisation, which holds that the data processed shall be limited to what is necessary in relation to the purposes for which they are processed (GDPR, Art. 5(1)(c)). Article 89(1) instructs that when applied to scientific research, data minimization requires that where the research purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, then the research shall be fulfilled in a manner that does not permit identification. If this is not possible, technical and administrative measures shall be in place to protect the data, which may include pseudonymization, provided that the research purposes can be fulfilled with pseudononymized data. The GDPR defines pseudonymization as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. (GDPR Art. 4(5)). Additional requirements may apply to the processing of data for scientific research purposes under Member States laws. In these ways, Article 89(1) itself already imposes some specific protective conditions on the processing of sensitive data of research subjects. Also relevant for the research community, special categories of personal data may be processed on the alternative basis of necessity of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices. (GDPR, Art. 9(2)(i)). This basis for processing most directly authorizes health professionals to use special categories of personal data to protect public health in epidemics, pandemics, or safety threats in connection with drugs or devices. It is therefore not clear that the research community should or could rely on this basis to process personal data for most scientific research, unless that research has a direct, non-attenuated public health application, but this basis may permit the processing of data concerning adverse events that arise in connection with the use of a drug or medical device. In addition, the GDPR provides that processing of special categories of personal data may take place when necessary to protect the vital interests of the data subject or another natural person where the data subject is physically incapable of giving consent. (GDPR, Art. 9(2)(c)). The Working Party has suggested that vital interest involves a life or death situation, and thus this may provide a basis for processing in cases of emergency research in which the research subject may not be able to provide consent for administration of an experimental, potentially life-saving intervention, or in compassionate use cases in which a physician, unable to obtain patient or authorized representative consent, must transmit a patient s personal data to enable a pharmaceutical company to assess the patient s eligibility for a potentially life-saving treatment. See Working Document No. 01/2012 (WP189) of the Article 29 Data Protection Working Party on epsos (Jan. 25, 2012); Working Document No. WP131 of the Article 29 Data Protection Working Party on the Processing of Personal Data Relating to Health in Electronic Health Records (Feb. 15, 2007). The Stringent Nature of Consent under the GDPR and Potential Conflict with Established Consent Practices in the Research Community Relevant to both the general consent and explicit consent bases for processing personal data and special categories of personal data, respectively, the GDPR s definition of consent calls into question whether consent may be relied upon as a basis for processing personal data if the data processor simultaneously plans to assert an additional regulatory basis for processing the personal data (e.g., scientific research purposes) in the event that the data subject withdraws his or her consent. The GDPR defines consent as any freely given, specific, informed and unambiguous indication of the data subject s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. (GDPR, Art. 4(11)). The Recitals to the GDPR provide that [c]onsent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. (GDPR, Recital 42). The danger is that consent to processing of personal data in the context of research could be regarded as not being a genuine choice if the data processor intends to rely simultaneously on another ground, such as scientific research, to process the data if the data subject withdraws consent. The Working Party has issued guidance interpreting the interaction of the consent requirements with the other bases for processing personal data. In addition, the United Kingdom s Information Commissioner s Office ( ICO ), the supervisory authority charged with enforcing the GDPR in the United Kingdom, issued draft guidance earlier this year that touches on this issue. The ICO s guidance will remain in draft form until the Working Party agrees on its Europe-wide consent guidelines, which is expected to take place in December 2017. The Working Party has provided guidance that [c]onsent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent. Opinion No. 15/ 2011 (WP187) of the Article 29 Data Protection Working Party on the Definition of Consent 12 (emphasis added). The Working Party guidance additionally notes that, [i]f, once consent is withdrawn, the data processing continues based on another legal ground, doubts could be raised as to the original use of consent as the initial legal ground: if the processing could have taken place from the beginning using this other ground, presenting the individual with a situation where he is asked to consent to the processing could be considered as misleading or inherently unfair. (Id. at 13). The Working Party allows that subsequent reliance on a ground other than consent, would be different if there were a change of circumstances, for example if a new legal basis were to appear in the course of the processing, such as a new law regulating the database concerned. (Id.). Consequently, the Working Party concludes, reliance on consent should be confined to cases where the MEDICAL RESEARCH LAW & POLICY REPORT ISSN 1539-1035 BNA 9-20-17

4 individual data subject has a genuine free choice and is subsequently able to withdraw the consent without detriment, and, [i]n principle, consent can be considered to be deficient if no effective withdrawal is permitted. Working Document No. WP 131 of the Article 29 Data Protection Working Party on the Processing of Personal Data Relating to Health in Electronic Health Records (EHRs); Opinion No. 15/2011 (WP187) of the Article 29 Data Protection Working Party on the Definition of Consent. Echoing the Working Party, the ICO provides in consultation guidance on consent under the GDPR issued earlier this year that, [c]onsent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair. INFORMATION COMMISSION- ER S OFFICE, CONSULTATION: GDPR CONSENT GUIDANCE 11 (start date, Mar. 2, 2017; end date, Mar. 31, 2017). The ICO guidance continues by stating that [t]his may be the case if, for example[,] you would still process the data on a different lawful basis if consent were refused or withdrawn. (Id. at 13). Notably, the ICO guidance does recognize that consent will often provide the basis for processing personal data for research purposes, as it states as follows: If you are seeking consent to process personal data for scientific research, you don t need to be as specific as for other purposes. However, you should identify the general areas of research, and where possible give people granular options to consent only to certain areas of research or parts of research projects. (Id. at 27). In addition, the ICO guidance states that, [y]ou may need to consider whether you have another lawful basis for any of the processing, so that you can focus your consent request. (Id. at 31). This suggests that one may be able to craft a consent whereby the consent for processing is tailored such that a subject is told that consent is the basis for the initial processing, but if the subject later withdraws his or her consent, processing of the subject s data may continue as needed to preserve the integrity of the research under the scientific research basis for processing. In sum, the available guidance provides that, if personal data would still be processed on a different lawful basis other than consent, even if consent were refused or withdrawn, then seeking consent from the individual would be misleading and inherently unfair and would present the individual with a false choice and only the illusion of control. These regulatory interpretations do not appear to contemplate adequately current scientific research practice, in which consent to data processing is often obtained at the outset of a research project and subjects are told that if they withdraw consent to such processing, no new data will be collected about the subject but the data already collected will continue to be used to preserve the integrity of the research. In the absence of the above-cited interpretive guidance, one would think that under the GDPR one could make the case that consent is the primary basis for processing special categories of personal data, with the scientific research basis providing a secondary rationale to continue processing necessary for the scientific research in the event that the subject withdraws his or her consent. While the ICO guidance may provide a path to this conclusion, the ICO guidance applies only to the United Kingdom (which soon will no longer be part of the European Union) and is not entirely clear on this point. Notably, the GDPR provides in its recitals that for the purpose of consenting to the participation in scientific research activities in clinical trials, the relevant provisions of the EU s Clinical Trial Regulation (scheduled to take effect in 2019) should apply. See Regulation (EU) No. 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use and repealing Directive 2001/ 20/EC (hereinafter EU Clinical Trial Regulation ). The EU Clinical Trial Regulation in turn provides that withdrawal of informed consent should not affect the results of the activities already carried out, such as the storage and use of data obtained on the basis of informed consent before withdrawal. (See EU Clinical Trial Regulation, Recital 76). Thus read together, the GDPR and the EU Clinical Trial Regulation suggest that consent may be the most appropriate basis for processing personal data in the context of a clinical trial, and that withdrawal of consent should not affect continued processing of data as needed for the research. Implications for Scientific Research Before the GDPR compliance date, the scientific research community should examine, and encourage regulatory bodies to issue clear guidance regarding, whether the GDPR requires the research community to revise its common practice of obtaining subjects consent to the processing of personal data in order to ensure that the research community will have ongoing access to data necessary for the integrity of the research study even in the event that the data subject withdraws consent. Most personal data involving human subjects are likely to be among the special categories of personal data to which additional protections apply. Researchers will therefore likely face a choice of continuing to rely on the subjects consent to the processing of the personal data, or alternatively, will need to rely on the scientific research basis for the processing. However, as noted above, the scientific research basis for processing may be subject to additional requirements imposed by the laws of individual EEA Member States, thus leading to complications for those conducting research in multiple jurisdictions, such as most pharmaceutical and medical device company sponsors of research, as well as academic multi-site, multi-national trials. As reviewed above, Working Party and draft ICO guidance states that consent cannot be relied upon as a basis for processing data if researchers intend to rely simultaneously on another basis for processing the data, such as the scientific research basis, in the event the subject withdraws consent to processing. However, the draft ICO guidance introduces confusion, as it also contains statements that could be read to suggest that consent and another basis for processing the data may be relied upon simultaneously. Under the Working Party guidance and the most conservative reading of the ICO guidance, if researchers continue to rely on subjects consent as the basis for processing data under the GDPR, they could face limits on their ability to process collected information if a subject withdraws his or her consent to the processing at a later point. However, at least in the United Kingdom, assuming that the draft 9-20-17 COPYRIGHT 2017 BY THE BUREAU OF NATIONAL AFFAIRS, INC. MRLR ISSN 1539-1035

5 ICO guidance is adopted in its current form following finalization of the Working Party s yet-to-be-issued GDPR consent guidance, researchers might also be able to rely on arguments that the ICO guidance contemplates the simultaneous reliance on consent and another basis for processing, although the ICO s position on this point is not entirely clear. Alternatively, if researchers choose not to rely on consent and instead rely on scientific research as the basis for processing, possible revisions to standard informed consent forms and practice may be necessary. Further, abandoning the practice of obtaining consent raises derivative questions such as whether sponsors should disclose to subjects, as an ethical matter, that the sponsors will process their data without seeking the subjects consent. Until adequate guidance is addressed to reconcile the GDPR s mandates to the issues faced by the research community, researchers and their companies and medical institutions will face the challenge of complying with an unclear regulatory framework requiring compliance without providing sufficient guidance to address current practice. MEDICAL RESEARCH LAW & POLICY REPORT ISSN 1539-1035 BNA 9-20-17

2024 © healthdocbox.com Privacy Policy | Terms of Service | Feedback