Text and photo: Kaisa Järvelä

EU's Data Protection Regulation Ended Up Fairly Research-friendly

According to the Regulation, collecting health data for research purposes always requires consent from research participants, and separate consent is required, for instance, for the reuse of clinical test results. By contrast, personal data in registers or places such as social media may be used for research purposes unless individual member countries set stricter restrictions in their national legislation.

The European Parliament and Council approved the new General Data Protection Regulation in April 2016. The Regulation and Directive officially entered into force in May 2016, which means that member countries must adapt their national legislation to comply with the Regulation by May 2018. The new Regulation will replace the European Union's Data Protection Directive from 1995, which is currently in effect.

The reform of the Data Protection Regulation has stemmed from a desire to strengthen EU citizens' rights to their own data in a digitalised world. An additional objective has been to standardise data protection legislation in the EU's member countries.

Regulation also affects the use of research data

The reform is significant from the perspectives of research and of data archiving, as both the Regulation and the national legislation enacted to comply with it will substantially affect how researchers and research infrastructures are able to use and share research data. The best-case scenario is that better standardised regulations make cross-national research cooperation and data sharing over the national borders of EU countries easier in the future.

However, only time will tell how standardised the legislation in different countries will become. The Regulation itself leaves member countries fairly large national margins for its implementation. This gives individual countries room for making considerably stricter restrictions than the Regulation demands when it comes to issues such as restricting the research use of already collected personal data.

Process had researchers worried

Reforming the Data Protection Regulation has been a long process. The European Commission first proposed a fundamental reform of the regulation as early as January 2012.

At times, it seemed like the new Regulation would hinder research activities unreasonably and even make it practically impossible to archive any data that include personal data or use data collected for administrative purposes in scientific research. This caused widespread concern in research circles around Europe. The finalised Regulation approved in the spring, however, is relatively research-friendly.

'Regulation does not lead to dramatic changes'

In a webinar arranged by Big Data Europe in May, Associate Director Vigdis Kvalheim from the Norwegian Centre for Research Data stated that the new Regulation does not, generally speaking, seem to cause any dramatic changes in European research institutions. According to her, the most important specific rules concerning research will be transferred from the old Data Protection Directive into the new Regulation – and even clarified here and there.

Kvalheim considered it a particular victory that studying data that include already collected personal data does not require separate consent every time – even though the new Regulation emphasises the importance of consent as a key mechanism in the protection of privacy.

According to Article 5, archiving personal data for research use will also remain possible under the new Regulation. However, archiving data that include personal data for reuse purposes requires that the personal information included is minimised. Only the identifying information that is absolutely necessary can be stored. The Regulation further demands that those archives which archive personal data use appropriate data protection measures and have their status confirmed by legislation.

Member countries may tighten restrictions

According to Kvalheim, the Regulation improves the possibilities of conducting register-based research and provides a legal basis for the research use of social media data. Her interpretation is based on the introductory wording of Article 5, which states that research purposes are always considered compatible with the initial purposes.

Individual member countries may still enact stricter national legislation to restrict some activities, such as the research use of health or social media data stored in registers.

Data collection requires consent

Even though the research use of already existing personal data does not necessarily require consent, the new Regulation always requires the research participant's voluntary consent for the collection of new personal data. In the seminar on data protection in medical and health science research now and in the future that was organised by the Finnish Social Science Data Archive (FSD) and the Open Science and Research project, Consultant in Information Law and Policy Marjut Salokannel from SaReCo remarked that stipulations on the research use of health data in the Regulation are slightly stricter than on the research use of personal data in general.

Marjut Salokannel shed light on the Data Protection Regulation at the seminar organised by the FSD and the Open Science and Research project.

According to Salokannel, all data that can be conceived as health data are now interpreted as such. One clear change caused by the Regulation is that genetic data and biological samples are now separately defined as health data. The status of the personal identity code is also new from a Finnish perspective: in the future, the code is automatically processed as health data when it is related to health information.

Salokannel also states that, under the new Regulation, the scientific reuse of data created in clinical tests will always require separate consent given in connection with the original consent. Consent is also required when researchers wish to combine register data with personal data created in clinical tests.

Pseudonymised data are considered personal data

Salokannel emphasised in the seminar that coded and encrypted data are also personal data regardless of where the code key is located, as long as it exists somewhere in the world. Pseudonymised health data are thus to be considered sensitive, which means that they cannot be processed without consent. By contrast, anonymised data are not personal data and thus not considered sensitive. According to the Regulation, data can be interpreted as anonymised when they cannot be reasonably connected to an individual person.

Salokannel still considers the EU's Data Protection Regulation a positive reform for research due to factors such as the Regulation's broad definition of scientific research: it includes technological development work, basic research, applied research and privately funded research as well as reports in the realm of public health that serve the public interest.

National interpretative guidelines and legislation under way

The final effects that the Data Protection Regulation will have on Finnish research will only become clear once national interpretative guidelines and legislation are finished. Until then, researchers planning data collection as well as regional ethics committees will unfortunately have to operate more or less in uncertainty.

National work is already well under way, though: for instance, a working group set by the Ministry of Justice is currently scrutinising problematic areas in Finnish legislation from the perspective of the new Regulation. The working group is due to produce its proposed amendments by summer 2017.

Creative Commons license