“Research should pursue science advancement and public health development while respecting the dignity, autonomy, privacy and confidentiality of individuals.”
The Taipei declaration
The European Union’s General Data Protection Regulation (GDPR), which came into full effect in 2018, has increased regulatory oversight and subsequent potential sanctions that have caused uneasiness within the biobanking and databanking circles. The EU GDPR has posed stringent restrictions on the use of banked data and associated biospecimens for use in secondary research. Consequently, the protection of health and genomic data is of significant importance in the implementation of the EU General Data Protection Regulation (GDPR).
Oversight of the GDPR
GDPR is overseen by ethics committees and data access committees (DACs) that limit the access and use of personal data. Ideally, these committees should be equipped with the expertise to regulate the use and sharing of genomic data and provide overall governance over personal data processing taking into account individual or social concerns that may not be explicitly laid out in the legal provisions. Unfortunately, the oversight bodies may sometimes lack adequate tools to carry out their full function. Recent advances in data science and bioinformatics may further complicate the process as the parameters may become “moving targets.”
DACs provide an extra layer of oversight over the research ethics committee oversight which is given at the start of the research. They receive direct data access requests from researchers and either approve or disapprove their access to data. As much as they are not mentioned in the GDPR, they have a crucial role to play in the governance of data access and data sharing in compliance with the overarching GDPR principles.
Data Access Models in the View of the GDPR
The governance of biobanks in view of the GDPR has three major models of data access: open access, controlled-access, and registered access.
Open-Access
Open-access models means that the data is available through various online platforms and can be easily accessed without any constraint. This is mainly used when the data being shared is mainly aggregate data and not personal level information.
Controlled-Access
In this model, data controllers set rules to limit access to health and genomic data. Data Access Committees (DACs) may be used to review data access requests and either approve or disapprove them. Data access agreements are used to ensure accountability and prevent the potential misuse or abuse of the protected data.
Registered Access
Registered access is mostly used for data that is low risk (or non-stigmatizing) and access granted to bona fide researchers who have to be registered. This model requires authentication, authorization and attestation.
Biobanking Challenges Created by the GDPR
The GDPR fails to provide clear legal guidance on the processing of personal data for secondary research purposes. The GDPR interpretation of pseudonymized and anonymized data as identifiable data (recital 26) have a far reaching impact on the implementation of privacy laws.
Pseudonymized Data
As defined in Article 4(5), this is data that ‘can no longer be attributed to a specific data subject without the use of additional information, provided such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person’.
In summary, this refers to key-coded data which can be (potentially) traced back to research participants but still preserves the de-identification of the personal data in the day-to-day operations. Consequently, pseudonymized data is considered to be personal data which falls under the scope of the GDPR.
Anonymized Data
This is where the GDPR differs conspicuously from the Health Insurance Portability and Accountability Act (HIPAA) and other data protection laws. The GDPR’s definition of anonymized data is contextual. In some instances, if there is a ‘reasonable likelihood’ of re-identification, the data is considered as non-anonymous.
In this regard, key-coded data sets must be treated as fully identifiable data and are therefore subject to all requirements that apply. This imposes a new compliance obstacle to biobanks that routinely hold biospecimens and the related phenotypic and demographic data for secondary research purposes.
The GDPR also places restrictions on the cross-border transfer of personal data outside the EU. It has specific conditions for transferring data and biospecimens to non-EU countries. These materials can only be transferred to countries that implement similar standards to protect subjects’ privacy as well as their rights and freedoms.
Secondary research refers to research conducted using data or biospecimens that were collected for a different research or for non-research purposes, this includes clinical care.
‘Research Exemption’ in Light of the GDPR
Article 89(1) of the GDPR emphasizes technical measures that are needed to safeguard the rights of the data subjects during the collection and processing of such data for purposes of scientific research, but this has certain exemption rules.
Article 89(2) of the GDPR grants Member States some rights to exemptions from some of the data subjects’ rights. However, a certain threshold must be met for these rights to be waived:
- Exemption must be necessary for the research purpose to be fulfilled
- Failure to exempt will seriously impair the research process
These exemptions may be seen as an impediment, in light of the ethical requirements, to the protection of the privacy, autonomy, and confidentiality of the study participants.
Why Should Biobanks Comply with the GDPR Rules
The GDPR has both an oversight mechanism and a sanctions mechanism. The sanctions may come in the form of liability and compensation or administrative sanctions. Indeed, the huge potential for sanctions and administrative fines are precipitating factors for compliance with data protection laws.
How Can a BioSpecimen Management System Help Biobanks Overcome Regulatory Challenges Imposed by the GDPR?
A regulatory-compliant, configurable biospecimen management system can help biobanks overcome logistical and regulatory challenges and comply with GDPR privacy requirements. A biospecimen management system can help biobank staff to adhere to validated standard operating procedures (SOPs) while tracking and managing archived samples and active samples from multiple studies. Furthermore, it can help to harmonize and integrate data from different sources while adhering to GDPR data sharing requirements.
Conclusion
The General Data Protection Regulation (GDPR) was created to protect individuals’ personal data. However, it can place considerable constraints on the scientific research process. This may also pose a significant risk for biobanks that fail to comply with the GDPR and subsequent sanction risks are an imminent risk.
A biobanking LIMS solution allows biobanks to adhere to the strict GDPR requirements by limiting access to the data, providing a complete audit trail, and ensuring that data integrity is maintained through the entire biospecimen and data lifecycle.