What health and life sciences companies need to know about the ICO’s draft guidance on the research provisions of UK data protection law
The Information Commissioner’s Office (ICO) has published new draft guidance on the provisions of the UK General Data Protection Regulation and the UK Data Protection Act 2018 (collectively, the UK GDPR) relating to the processing of personal data for research purposes.
The guidance brings welcome clarity to healthcare and life sciences businesses in an area that is often difficult to navigate, not least because the relevant law is spread across several provisions and there has been differing guidance on how to interpret them. The ICO consultation on the guidance closed on 22 April 2022.
The ICO is also consulting on its draft guidance on anonymization, pseudonymization and privacy-enhancing technologies. That consultation closes on 16 September 2022.
In addition, the UK government is currently considering changes to the research provisions as part of its proposals to reform the UK data protection regime and build on its vision for life sciences in the UK. In April 2022, the UK government also published a review on the use of health data for research and analysis. The ICO acknowledges these proposals, but says the guidance remains important to support organizations that use personal data for research purposes now.
DRAFT ICO GUIDANCE ON THE RESEARCH PROVISIONS
Why is this important?
The guidance is particularly relevant to life sciences, medical device and health technology companies that use health data for research purposes, including clinical trials, clinical investigations or broader research. It is also relevant for healthcare and life sciences companies looking to reuse the datasets they already hold.
Does an organization process health data for research purposes? What is the definition of scientific research?
The UK GDPR refers to three broad types of research purposes: archival purposes in the public interest, scientific or historical research purposes, and statistical purposes.
In the health and life sciences sector, scientific research is probably the most common of these purposes, although the guidance also provides useful direction on statistical purposes, where the primary purpose of the processing is to produce statistical results. The ICO notes that there is no definition of scientific research in the UK GDPR and takes the view that the term should be understood broadly, extending beyond traditional academic research to research carried out in commercial contexts.
How could an organization show that its processing falls within the research purposes?
The guidance states that the main characteristic of scientific research is that it produces new knowledge or applies existing knowledge in innovative ways, often with the aim of benefiting the public interest. Examples include advancing the state of the art in a given field or providing innovative solutions to human problems, generating new understanding that adds to the sum of human knowledge, or producing results of general application that can be tested and reproduced.
What are the indicative activities and characteristics of scientific research?
In the guidance, the ICO sets out an indicative, non-exhaustive list of activities and characteristics that help to demonstrate that the purpose of the processing is scientific research.
Not all of these characteristics need to be met, but the ICO says it would expect an organization to satisfy more than one, so the assessment is in effect a balancing exercise.
- Activities could include formulating hypotheses, isolating variables, designing experiments, objective observation, measuring data, peer reviewing and publishing results.
- Standards could include ethical guidance and committee approval, peer review, compliance with regulatory requirements, and public participation.
- Access could include publication of results and commitment to share research results, but it does not need to be open access publication.
These characteristics are likely to be met when a health and life sciences organization conducts a regulated clinical trial or clinical investigation. However, where research falls outside a regulated framework and takes place in a commercial setting, including research for artificial intelligence (AI) or product development, careful assessment is required.
On what legal basis can an organization rely to process health data for research purposes?
Health and life sciences companies that process special category data (such as health data) need both a lawful basis under Article 6 and a special category condition under Article 9. The ICO notes that there is no specific Article 6 lawful basis for research processing; the appropriate basis will depend on the status and context of the controller. For example, public bodies may rely on the public task basis, while commercial enterprises and research organizations may seek to rely on legitimate interests.
To satisfy the special category condition for scientific research, the controller may only process special category data if the processing is: (1) necessary for the research purpose, (2) subject to appropriate safeguards, (3) not likely to cause substantial damage or substantial distress to any individual, (4) not used for measures or decisions about particular individuals, except for approved medical research, and (5) in the public interest.
What about consent as a legal basis for data processing?
According to the guidance, in most cases consent will not be the most appropriate lawful basis for processing special category data for scientific research purposes. Under the UK GDPR, an individual must be able to withdraw consent at any time. If an entity relies on consent as its lawful basis and the individual withdraws it, the entity must stop processing that individual's personal data. In addition, if an entity collects data on the basis of consent and later wishes to reuse it for secondary research, it is likely to need fresh consent from the data subjects under the UK GDPR, so that the individual's original informed choice to share the data is not undermined.
Informed consent is required for participation in clinical trials and clinical investigations. The guidance confirms that consent as a lawful basis for data processing under the UK GDPR is distinct from, and must not be confused with, consent to participate in a research study.
In practice, the two types of consent are often conflated in clinical trial and clinical investigation documentation. Healthcare and life sciences companies should therefore clearly state the lawful basis on which they are processing data in any informed consent form.
A new purpose: can an organization reuse the data it has collected for secondary research?
The guidance provides a useful interpretation of the UK GDPR Article 5 purpose limitation principle, which has sometimes been read restrictively. The guidance states that purpose limitation requires a controller to be open and honest about the purposes for which it obtains data, and helps to prevent "function creep". However, the ICO goes on to say that further processing for research-related purposes is not regarded as incompatible with the original purpose. This means that an organization may reuse personal data it already holds for research-related purposes, provided it has appropriate safeguards in place, such as technical and organizational measures to ensure data minimization, and the processing is otherwise fair and lawful.
However, the ICO also states that this does not extend to data whose original lawful basis for processing was consent: such data cannot simply be reused for a new research purpose.
A new goal: can an organization reuse the data it has collected for secondary research?
The guidance provides a useful interpretation of the UK GDPR Article 5 purpose limitation, which has sometimes been viewed restrictively. The guidelines state that purpose limitation requires a processor to be open and honest about the purposes for which they are obtaining data and to help prevent “function hijacking”. However, the ICO goes on to say that this limitation does not apply specifically to search. This means that an organization is permitted to reuse existing personal data for research-related purposes if it has appropriate safeguards in place, such as technical and organizational measures to ensure data minimization, and if the processing is otherwise fair. and lawful.
However, the ICO also states that data cannot be reused if the original basis for processing was consent.
A new purpose: what about data obtained from another organization?
The guidance states that where data is obtained from another organization, the receiving organization is collecting new data rather than reusing data it already holds. In that case, the recipient cannot rely on the originating organization's purpose. Instead, it must identify its own lawful basis for the processing and update its privacy information. Data subjects should also be informed of the new processing, unless informing them proves impossible or would involve disproportionate effort.
Medical confidentiality: is consent required for research under the UK GDPR?
The ICO states that consent given for clinical trials or for research ethics purposes should not be confused with consent under the UK GDPR. This is an important clarification.
However, a thorny issue that the draft ICO guidance leaves unanswered is the interplay between consent under the common law duty of confidence and the lawful basis and special category conditions under the UK GDPR.
In 2017, the ICO found that processing by the Royal Free London NHS Foundation Trust, in connection with the development and testing of a possible medical device, breached the common law duty of confidence because patients were not adequately informed that their records would be used for clinical safety testing, and that informed consent was likely to have been required. On that basis, the ICO concluded that the processing was not lawful under the data protection law then in force.