Difference between revisions of "Journal:The effect of the General Data Protection Regulation on medical research"

From LIMSWiki
Jump to navigationJump to search
m
(Saving and adding more.)
Line 44: Line 44:


Differences between E.U. member states can result in research ethics committees in United Kingdom denying permission for National Health Service (NHS) data to be transferred to other E.U. countries (the opposite might also be the case in some circumstances).<ref name="VeerusLegi14">{{cite journal |title=Legislative regulation and ethical governance of medical research in different European Union countries |journal=Journal of Medical Ethics |author=Veerus, P.; Lexchin, J.; Hemminki, E. |volume=40 |issue=6 |pages=409-413 |year=2014 |doi=10.1136/medethics-2012-101282}}</ref> These differences have also contributed to the passage of the GDPR as part of the Digital Single Market strategy.<ref name="EUReform16">{{cite web |url=http://ec.europa.eu/justice/data-protection/reform/index_en.htm |title=Reform of EU data protection rules |author=DG Justice |publisher=European Commission |date=18 January 2016 |accessdate=04 February 2017}}</ref>
Differences between E.U. member states can result in research ethics committees in United Kingdom denying permission for National Health Service (NHS) data to be transferred to other E.U. countries (the opposite might also be the case in some circumstances).<ref name="VeerusLegi14">{{cite journal |title=Legislative regulation and ethical governance of medical research in different European Union countries |journal=Journal of Medical Ethics |author=Veerus, P.; Lexchin, J.; Hemminki, E. |volume=40 |issue=6 |pages=409-413 |year=2014 |doi=10.1136/medethics-2012-101282}}</ref> These differences have also contributed to the passage of the GDPR as part of the Digital Single Market strategy.<ref name="EUReform16">{{cite web |url=http://ec.europa.eu/justice/data-protection/reform/index_en.htm |title=Reform of EU data protection rules |author=DG Justice |publisher=European Commission |date=18 January 2016 |accessdate=04 February 2017}}</ref>
==The law as it will be from 2018: The General Data Protection Regulation==
The text of the GDPR has recently been agreed after a prolonged trilogue between the European Commission, Parliament, and the Council of Ministers.<ref name="AnsipState15">{{cite web |url=http://europa.eu/rapid/press-release_SPEECH-15-4926_en.htm |title=Statement by Vice-President Andrus Ansip at the press conference on the adoption of the Digital Single Market Strategy |author=Ansip, A. |publisher=European Commission |date=06 May 2015 |accessdate=04 February 2017}}</ref> This legislation will replace the national transpositions of the DPD. Regulations are directly enforceable across the E.U. The GDPR comes into full effect on May 25, 2018, although member states are permitted minor differences in interpretation (the European Court of Justice is the ultimate arbiter). This legislation has the potential to affect projects using research data banks and Big Data.<ref name="MarrTheFive15">{{cite web |url=http://www.datasciencecentral.com/profiles/blogs/the-5-v-s-of-big-data-by-bernard-marr |title=The 5 V's of Big Data by Bernard Marr |author=Marr, B. |work=Data Science Central |date=09 April 2015 |accessdate=04 February 2017}}</ref><ref name="ThompsonAnal16">{{cite web |url=https://wellcome.ac.uk/sites/default/files/new-data-protection-regulation-key-clauses-wellcome-jul16.pdf |format=PDF |title=Analysis: Research and the General Data Protection Regulation - 2012/0011(COD) |author=Thompson, B. |publisher=Wellcome Trust |date=July 2016 |accessdate=04 February 2017}}</ref> There had been concerns that a clause inserted by the European Parliament requiring specific consent would prevent significant long-term epidemiological research taking place in the future<ref name="StevensTheProp15">{{cite journal |title=The Proposed Data Protection Regulation and Its Potential Impact on Social Sciences Research in the UK |journal=European Data Protection Law Review |author=Stevens, L. |volume=1 |issue=2 |pages=97–112 |year=2015 |doi=10.21552/EDPL/2015/2/4}}</ref>, but this was rejected and the agreed text permits broad consent to "certain areas of research when in keeping with recognized ethical standards" (Recital 33).<ref name="SimonActive11">{{cite journal |title=Active choice but not too active: Public perspectives on biobank consent models |journal=Genetics in Medicine |author=Simon, C.M.; L'heureux, J.; Murray, J.C. |volume=13 |issue=9 |pages=821–31 |year=2011 |doi=10.1097/GIM.0b013e31821d2f88 |pmid=21555942 |pmc=PMC3658114}}</ref> Broad consent is not blanket or open consent<ref name="HofmannBroad09">{{cite journal |title=Broadening consent—and diluting ethics? |journal=Journal of Medical Ethics |author=Hofmann, B. |volume=35 |issue=2 |pages=125–129 |year=2009 |doi=10.1136/jme.2008.024851}}</ref> although some commentators argue that blanket or open consent is acceptable for biobank and databank research as the risks are minimal and do not vary for different projects.<ref name="SheehanCanBroad11">{{cite journal |title=Can broad consent be informed consent? |journal=Public Health Ethics |author=Sheehan, M. |volume=4 |issue=3 |pages=226–235 |year=2011 |doi=10.1093/phe/phr020}}</ref> Another possibility is consent to a form of governance.<ref name="LaurieGovern13">{{cite book |chapter=Governing the spaces in-between: Law and legitimacy in new health technologies |title=European Law and New Health Technologies |author=Laurie, G. |editor=Flear, M.L.; Farrell, A.; Hervey, T.K.; Murphy, T. |publisher=Oxford University Press |year=2013 |pages=193 |isbn=9780199659210}}</ref> Open consent without any ongoing regulation or communication about proposed projects would be potentially problematic. Dynamic consent offers advantages for an engaged community of participants but might not be considered beneficial by some individuals.<ref name="SteinsbekkBroad13">{{cite journal |title=Broad consent versus dynamic consent in biobank research: is passive participation an ethical problem? |journal=European Journal of Human Genetics |author=Steinsbekk, K.S.; Kåre Myskja, B.; Solberg, B. |volume=21 |issue=9 |pages=897-902 |year=2013 |doi=10.1038/ejhg.2012.282 |pmid=23299918 |pmc=PMC3746258}}</ref>
The derogations for research without consent have been expanded to specifically include medical research where “in the public interest” (Recital 51). How public interest will be defined has not been elaborated, but European jurisprudence demands member states satisfy a high threshold where human rights are involved (eg, a “pressing social need” [14]). This standard would not be required for the conduct of medical research using databanks, but it might exclude all commercial research for “me too” drug development (drugs that offer no advantages over drugs already on the market), arrangements that have no evidence of benefit sharing, or simply require that projects address issues of public importance regardless of the profits made [15]. This requirement reflects public attitudes in the United Kingdom to the use of health care data, where there is resistance to use of public data for commercial ventures unless the research could not happen without commercial involvement [16,17].


==References==
==References==

Revision as of 20:01, 1 March 2017

Full article title The effect of the General Data Protection Regulation on medical research
Journal Journal of Medical Internet Research
Author(s) Rumbold, John Mark Michael; Pierscionek, Barbara
Author affiliation(s) Kingston University London, Nottingham Trent University
Primary contact Email: J dot Rumbold [at] Kingston dot ac dot uk
Editors Eysenbach, G.
Year published 2017
Volume and issue 19 (2)
Page(s) e47
DOI 10.2196/jmir.7108
ISSN 1438-8871
Distribution license Creative Commons Attribution 2.0
Website http://www.jmir.org/2017/2/e47/
Download http://www.jmir.org/2017/2/e47/pdf (PDF)
This article should not be considered complete until this message box has been removed. This is a work in progress.

Abstract

Background: The enactment of the General Data Protection Regulation (GDPR) will impact on European data science. Particular concerns relating to consent requirements that would severely restrict medical data research have been raised.

Objective: Our objective is to explain the changes in data protection laws that apply to medical research and to discuss their potential impact.

Methods: Analysis of ethicolegal requirements imposed by the GDPR

Results: The GDPR makes the classification of pseudonymised data as personal data clearer, although it has not been entirely resolved. Biomedical research on personal data where consent has not been obtained must be of substantial public interest.

Conclusions: The GDPR introduces protections for data subjects that aim for consistency across the EU. The proposed changes will make little impact on biomedical data research.

Keywords: pseudonymity, anonymity, untraceability, privacy-preserving protocols, informatics, data reporting, data protection, research ethics

Overview

There have been significant developments in European Union (E.U.) data protection law recently that will have an impact on health care professionals, particularly those engaged in research and audit. The General Data Protection Regulation (GDPR) has replaced the current legislation and comes into full effect in 2018.[1] The implications for the handling of health care data of the GDPR will be discussed in this paper. Despite the recent referendum vote in the United Kingdom to leave the E.U., the GDPR will continue to be relevant to the United Kingdom, whether this is due to cooperation in European projects or because the United Kingdom continues to be a member of the European Economic Area (EEA).

The Data Protection Directive

Currently the relevant law in the United Kingdom is the Data Protection Act 1998, which is the United Kingdom’s transposition of the Data Protection Directive (DPD). European directives are not directly enforceable, requiring member states to pass legislation to comply with their requirements. There are derogations (legal exemptions) for research, which in the case of the United Kingdom have been criticized for being too broad. The LRDP Kantor report for the European Commission criticizes the United Kingdom for disregard of the limitations, stating that the Data Protection Act blatantly violates the Directive by adding "medical research" to the list of medical purposes.[2] The DPD requires a "substantial public interest" for member states to add to the derogations for processing of sensitive personal data (Article 8.4).

Differences between E.U. member states can result in research ethics committees in United Kingdom denying permission for National Health Service (NHS) data to be transferred to other E.U. countries (the opposite might also be the case in some circumstances).[3] These differences have also contributed to the passage of the GDPR as part of the Digital Single Market strategy.[4]

The law as it will be from 2018: The General Data Protection Regulation

The text of the GDPR has recently been agreed after a prolonged trilogue between the European Commission, Parliament, and the Council of Ministers.[5] This legislation will replace the national transpositions of the DPD. Regulations are directly enforceable across the E.U. The GDPR comes into full effect on May 25, 2018, although member states are permitted minor differences in interpretation (the European Court of Justice is the ultimate arbiter). This legislation has the potential to affect projects using research data banks and Big Data.[6][7] There had been concerns that a clause inserted by the European Parliament requiring specific consent would prevent significant long-term epidemiological research taking place in the future[8], but this was rejected and the agreed text permits broad consent to "certain areas of research when in keeping with recognized ethical standards" (Recital 33).[9] Broad consent is not blanket or open consent[10] although some commentators argue that blanket or open consent is acceptable for biobank and databank research as the risks are minimal and do not vary for different projects.[11] Another possibility is consent to a form of governance.[12] Open consent without any ongoing regulation or communication about proposed projects would be potentially problematic. Dynamic consent offers advantages for an engaged community of participants but might not be considered beneficial by some individuals.[13]

The derogations for research without consent have been expanded to specifically include medical research where “in the public interest” (Recital 51). How public interest will be defined has not been elaborated, but European jurisprudence demands member states satisfy a high threshold where human rights are involved (eg, a “pressing social need” [14]). This standard would not be required for the conduct of medical research using databanks, but it might exclude all commercial research for “me too” drug development (drugs that offer no advantages over drugs already on the market), arrangements that have no evidence of benefit sharing, or simply require that projects address issues of public importance regardless of the profits made [15]. This requirement reflects public attitudes in the United Kingdom to the use of health care data, where there is resistance to use of public data for commercial ventures unless the research could not happen without commercial involvement [16,17].


References

  1. "EUR-Lex - 32016R0679 - EN". EUR-Lex. European Union. 27 April 2016. http://eur-lex.europa.eu/eli/reg/2016/679/oj. Retrieved 04 February 2017. 
  2. LRDP Kantor (20 January 2010). "Comparative study on different approaches to new privacy challenges in particular in the light of technology developments" (PDF). European Commission. http://ec.europa.eu/justice/policies/privacy/docs/studies/new_privacy_challenges/final_report_en.pdf. Retrieved 04 February 2017. 
  3. Veerus, P.; Lexchin, J.; Hemminki, E. (2014). "Legislative regulation and ethical governance of medical research in different European Union countries". Journal of Medical Ethics 40 (6): 409-413. doi:10.1136/medethics-2012-101282. 
  4. DG Justice (18 January 2016). "Reform of EU data protection rules". European Commission. http://ec.europa.eu/justice/data-protection/reform/index_en.htm. Retrieved 04 February 2017. 
  5. Ansip, A. (6 May 2015). "Statement by Vice-President Andrus Ansip at the press conference on the adoption of the Digital Single Market Strategy". European Commission. http://europa.eu/rapid/press-release_SPEECH-15-4926_en.htm. Retrieved 04 February 2017. 
  6. Marr, B. (9 April 2015). "The 5 V's of Big Data by Bernard Marr". Data Science Central. http://www.datasciencecentral.com/profiles/blogs/the-5-v-s-of-big-data-by-bernard-marr. Retrieved 04 February 2017. 
  7. Thompson, B. (July 2016). "Analysis: Research and the General Data Protection Regulation - 2012/0011(COD)" (PDF). Wellcome Trust. https://wellcome.ac.uk/sites/default/files/new-data-protection-regulation-key-clauses-wellcome-jul16.pdf. Retrieved 04 February 2017. 
  8. Stevens, L. (2015). "The Proposed Data Protection Regulation and Its Potential Impact on Social Sciences Research in the UK". European Data Protection Law Review 1 (2): 97–112. doi:10.21552/EDPL/2015/2/4. 
  9. Simon, C.M.; L'heureux, J.; Murray, J.C. (2011). "Active choice but not too active: Public perspectives on biobank consent models". Genetics in Medicine 13 (9): 821–31. doi:10.1097/GIM.0b013e31821d2f88. PMC PMC3658114. PMID 21555942. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3658114. 
  10. Hofmann, B. (2009). "Broadening consent—and diluting ethics?". Journal of Medical Ethics 35 (2): 125–129. doi:10.1136/jme.2008.024851. 
  11. Sheehan, M. (2011). "Can broad consent be informed consent?". Public Health Ethics 4 (3): 226–235. doi:10.1093/phe/phr020. 
  12. Laurie, G. (2013). "Governing the spaces in-between: Law and legitimacy in new health technologies". In Flear, M.L.; Farrell, A.; Hervey, T.K.; Murphy, T.. European Law and New Health Technologies. Oxford University Press. pp. 193. ISBN 9780199659210. 
  13. Steinsbekk, K.S.; Kåre Myskja, B.; Solberg, B. (2013). "Broad consent versus dynamic consent in biobank research: is passive participation an ethical problem?". European Journal of Human Genetics 21 (9): 897-902. doi:10.1038/ejhg.2012.282. PMC PMC3746258. PMID 23299918. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3746258. 

Notes

This presentation is faithful to the original, with only a few minor changes to presentation. In several cases the PubMed ID was missing and was added to make the reference more useful.

Per the distribution agreement, the following copyright information is also being added:

©John Mark Michael Rumbold, Barbara Pierscionek. Originally published in the Journal of Medical Internet Research (http://www.jmir.org), 24.02.2017.

Retrieved from "https://www.limswiki.org/index.php?title=Journal:The_effect_of_the_General_Data_Protection_Regulation_on_medical_research&oldid=29459"