5 aspects of applying the GDPR in the health sector and laboratories that you should consider

The new European Data Protection Regulation, which will be fully applicable as of May 25, 2018, will affect every sector that deals with personal data. The GDPR pays particular attention to biomedical research, so we will detail and analyze the positive consequences that applying this unifying regulation will have.

The European Union approved the new European Data Protection Regulation on May 25, 2016, as we discussed at the time in Xnoccio. However, it will not enter into force until May 25, 2018, two years later, to give the administrations of each member country, as well as the companies and others affected, time to adapt to the new situation. In Spain, the Organic Law project is still being processed.

The introduction of the GDPR can be a positive development for companies working in biomedical research, since the Personal Data Protection Organic Law is not very favorable to this sector. However, we are still in the implementation process, so final conclusions cannot be drawn until the regulation has been in force for a while.

The entry into force of the new regulation is in line with the common objective of all member countries to make the Digital Single Market a reality, guaranteeing that the rights of all citizens of member countries have the same level of protection. This also benefits companies, since they only need to adapt to a single regulation, the GDPR. Previously, they had to adopt the rules of each member state in which they operated.

One of the most notable aspects of the new GDPR is precisely the increase in online security. The data protection requirements are being tightened to close the legal gaps that the OLPD and the other national regulations of each member country had regarding the digital environment.

In addition, it is important to point out the weight that the new regulation carries for companies and laboratories that are in the process of digital transformation. Tools that guarantee compliance with the requirements stipulated in the GDPR, such as viafirma documents, are a perfect ally in that process.

Next, we present 5 aspects to consider regarding the application of the GDPR in laboratories and the health sector:

Improvement of the current legislation

The Spanish legislator addressed the protection of health data from the wrong perspective, assuming that health professionals are dedicated only to diagnosing and treating, in short, to healing, so the processing of data should also be oriented toward healing.

Possibly, research on medicines, like clinical trials, is the least affected by this regulation, but other specialties like observational studies or epidemiological investigations have suffered more because they don’t have enough resources to obtain the necessary consent.

In laboratories, there are many cases in which informed consent is needed to proceed, and the new GDPR has reinforced its requirements with the objective of ensuring that the subject truly knows what they are agreeing to by signing that document. Solutions like viafirma documents guarantee that documents comply with all requirements.

Consideration of health data in special categories

The new GDPR includes health data among the special categories, whose processing is subject to the following basic conditions: explicit consent, or no consent where the processing is necessary, that is:

  • To protect the vital interests of the data subject or of another person not able to consent (Article 9.2.c);
  • For preventive medicine purposes, evaluation of the worker’s capacity, health or social care or treatment, management of health and social care systems and services, or under a contract with a health professional (Article 9.2.h);
  • For reasons of public interest in the field of public health, protection against serious cross-border threats to health, or to guarantee high levels of quality and safety of health care and of medicines and medical products (Article 9.2.i);
  • For statistical, historical or scientific research purposes in accordance with article 89.1, complying with requirements of proportionality to the objective pursued, respecting data protection and establishing appropriate and specific measures to protect the fundamental rights and interests of those affected.

The definition of “data related to health” has gained a new nuance: it now also includes information or data related to the provision of health care services that reveal information about the health status of a person.

Genetics and biomedical research recognition

In addition, a separate definition of “genetic data” has been included, which recognizes the importance that genetics has today in personalized and preventive medicine, and which is progressively becoming part of biomedical and clinical research.

Recitals 156, 157 (which recognizes the value of data registries in epidemiological research, that is, health big data), 159 and 161 (which explicitly mentions clinical trials and their specific Community regulation) of the European regulation show that biomedical research is highly recognized, with priority given, where possible, to working with irreversibly anonymized data.

There is also speculation about whether biomedical research could be considered a purpose compatible with the healthcare objective, in application of article 5 (data will not be processed in a manner incompatible with the purposes for which it was obtained).

This is reinforced by section 4 of article 5, which provides that the data controller must analyze the conditions of the new processing to determine its compatibility.

On the other hand, the Data Protection Spanish Agency has produced a report in response to the scientific community's concern about the repercussions of the new European regulation and of the OLDP project, which is still in process.

Defense of a flexible interpretation of consent

The report states that the GDPR and the Organic Law Project on Data Protection (OLDP) not only maintain the regime contained in Law 14/2007 on biomedical research and RD 1090/2015 on clinical trials with medicines, but also allow a more flexible interpretation of the scope that may be given to consent granted under that regime, overcoming the more restrictive interpretation contained in Article 60 of the Biomedical Research Law.

On this point, the Agency states in its text that, once the Regulation applies, it will not be necessary for the person to give consent for a specific investigation, nor even for research in a narrowly delimited area, for example, a certain type of cancer.

Under the interpretation derived directly from the GDPR, consent given in relation to a broad area of research, such as oncological research, or even for more extensive areas, will be sufficiently specific and unambiguous.

It should be noted that this analysis of the impact the new European GDPR will have on the laboratory sector is still provisional, since it remains to be seen how the Spanish OLDP will adapt the regulation to the laws of our country.

Benefits for patients, researchers and the National Health System

As stressed by Lourdes Fraguas, general secretary and director of the Legal Department of Farmaindustria, “it is important that in Spain there are no obstacles to research through the Regulation development, since in this way we will be able to promote biomedical R&D and we will obtain great benefits”.

Among the beneficiaries, Fraguas highlights patients, who will have access to new treatments at an early stage within the framework of clinical trials; research itself, by attracting investment in this field; and even the National Health System, in terms of sustainability.

In short, the scientific community is committed to a broad definition of consent because it is not always possible to determine the specific purpose of the processing of personal data, so it is important that data subjects can give their consent to different areas of research.

The new GDPR recognizes and highlights the work that is done in biomedical research, and the DPSA has reassured the scientific community with its report, in which it states that the interpretation of consent will be flexible in order to allow the promotion and development of this important area.