This is the third post in a three-part series designed to provide a summary of some of the GDPR features that are likely to have the most substantial impact on healthcare/life science related businesses. (Links for Part One and Part Two)
GDPR Features that Apply Specifically to the Healthcare/Life Science Sectors
Even though the GDPR is a general regulation, some of its provisions expressly address the specifics of processing personal data in the healthcare/life science sectors.
Specific Categories of Personal Data Relating to Health
There was no definition of health data in the Directive. Now, the GDPR defines “data concerning health” as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status” (Article 4).
The core rules on the processing of health data remain basically the same as in the Directive:
- Health-related data qualifies as sensitive data, as do genetic and biometric data (two new notions introduced by the GDPR)
- The processing of sensitive data is in principle prohibited
- Exceptions are listed as lawful grounds that allow the processing of such data (for example, explicit consent)
Exemptions for Scientific Research
The GDPR provides exemptions to organizations that process personal data for scientific research purposes as long as they implement appropriate safeguards, which include “technical and organisational measures to ensure data minimisation”, such as pseudonymisation (Article 89).
In particular, the GDPR establishes three data subject rights:
- The right to information under which data subjects have the right to be provided with information on the identity of the controller, the contact details of the DPO (where applicable), the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.
- The right to object to the processing under which data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data, where the basis for that processing is either public interest or legitimate interests of the controller. In case of such objection, the GDPR provides that the controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- The right to erasure of personal data (also called “right to be forgotten”) under which data subjects have the right to obtain from the controller the erasure of their personal data without undue delay in some situations such as: if the personal data are no longer necessary or if the data subject withdraws his or her consent (and the only lawful basis for the processing was such consent).
However, organizations that process personal data for scientific research purposes may in certain circumstances override those rights:
- Regarding the right to information and access (where personal data have not been obtained directly from the data subject) if the provision of information involves a disproportionate effort;
- Regarding the right to object to the processing if it is likely to render impossible or seriously impair the achievement of the objectives of that processing;
- And regarding the right to be forgotten if the processing is necessary for the performance of a task carried out for reasons of public interest.
As regards consent, the GDPR also provides a breathing space for research activities that will certainly be useful. It recognizes that it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects will be allowed to give their consent to certain areas of research or parts of research projects when in keeping with recognized ethical standards for scientific research.
Unfortunately, it is still uncertain what “scientific research” really means. There is only a broad definition of research in the GDPR that encompasses the activities of public and private entities, but it is unclear exactly how far the GDPR’s research exemption will extend, in particular as regards research activities with a commercial goal. Concerning its application to clinical trials, one of the Recitals of the Regulation states that the processing of personal data for scientific purposes should also comply with other relevant legislation, such as that applicable to clinical trials.