EDPB guidelines on processing health data for COVID-19 scientific research

QUICK READ

What's the issue?

The race is on to understand more about COVID-19 and find a cure, treatment or vaccine. This is all fuelled by data, much of it sensitive personal data. Data protection regulators have been issuing guidelines on COVID-19-related processing across a number of areas including in relation to contact tracing apps and scientific research.

What's the development?

The European Data Protection Board (EDPB) has adopted Guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak. To a considerable extent, these reiterate previously published guidelines, for example on clinical trials and research, but greater emphasis is placed on exceptions and derogations, and, in particular, the ability of Member States to enact laws providing for them.

What does this mean for you?

While some of the data protection COVID-19 guidance is highly specific to the situation, discussions about lawful basis, consent, anonymisation, the data protection principles and the use of health data, have wider application and are worth considering even if your data processing operations are unchanged during the pandemic.

For more on guidelines issued by the ICO and the EDPB, particularly in relation to contact tracing apps, see our Global Data Hub news pages or sign up for our regular updates.

The GDPR provides special rules for processing health data for the purpose of scientific research which are also applicable during the COVID-19 pandemic.
National legislators may enact specific laws pursuant to Articles 9(2)(i) and (j) to enable processing of health data for scientific research which must also be based on one of the Article 6(1) conditions. This means that conditions and the extent of processing will vary across the EU depending on the laws of the relevant Member State.
All national laws dealing with clinical research must be interpreted in light of the data protection principles and ECJ jurisprudence. Any derogations and limitations provided for must only apply in so far as is strictly necessary.
Given the processing risks in the context of the COVID-19 outbreak, high emphasis must be placed on compliance with Article 5(1)(f), Article 32(1) and Article 89(1) GDPR. A DPIA should be carried out where necessary.
Storage periods should be set and must be proportionate. Criteria such as the length and the purpose of the research should be taken into account. National provisions may also stipulate rules concerning the storage period and may need to be taken into account.
While the current situation does not suspend or restrict data subject rights under Articles 12 and 22, national legislators may act to restrict some of the data subject rights as set out in Chapter 3 GDPR. Again this will lead to a diverging approach across Member States.
With regard to data transfers, in the absence of an adequacy decision or appropriate safeguards, both public authorities and private entities may rely on applicable Article 49 derogations (eg consent), but should remember that these are exceptional in character.

Some interesting points which are emphasised include:

There is no hierarchy between lawful bases, but if consent is the lawful basis, it must be full GDPR consent including that it is freely given and the data subject is not pressured and does not suffer from disadvantage if they refuse to give consent. There shouldn't be any dependency of the data subject on the data controller or adverse consequences of refusing. In addition, consent must be able to be withdrawn and data controllers will have to act accordingly if it is.
Any national laws enacted need to safeguard data subject rights and freedoms and be proportionate to the aim pursued. Derogations and limitations should apply only in so far as strictly necessary.
The exemption from information requirements where it is impossible to provide information should be narrowly interpreted. Something is either impossible or it isn't. In determining what constitutes disproportionate effort with regard to information requirements, Recital 62 suggests the number of data subjects, the age of the data and the safeguards in place may be indicative and a balancing exercise should be carried out.
Where there is a derogation from information requirements because of Union or Member State law, the data must be subject to appropriate protections to protect the data subject's legitimate interests and the data controller must be able to demonstrate that the relevant law applies to them and requires them to obtain or disclose the data in question.
With regard to purpose limitation and the compatibility presumption, further processing for scientific research purposes must be subject to appropriate safeguards. These include data minimisation, pseudonymisation, encryption, NDAs, role distribution restrictions and logs. Data integrity, data protection by design and default and strong security will be important. DPIAs will most likely be necessary and the role of the DPO is also crucial. All decisions and processes should be documented to comply with the accountability requirement.
Data minimisation can be achieved through specifying the research questions and assessing what data is needed to answer them. In addition, proportionate storage periods should be set. National provisions may stipulate rules around storage periods.
For the purposes of international data transfers, the EDPB considers that the fight against COVID-19 has been recognised by the EU and the majority of Member States as an "important public interest which may require urgent action in the field of scientific research". This means that private and public entities may be able to rely on the related exemption to justify data transfers to third countries as a temporary measure.