Medical researchers have access to valuable data and biological material, the further processing of which by researchers in other fields presents immense opportunities for greater advances in medical science and significant improvements in patient outcomes. Data subjects who have donated biological material for research are often more than willing, therefore, to consent to the sharing of their samples and relevant data for further and continuing research.
The GDPR and the Irish Health Research Regulations provide for such data sharing in the context of medical research once there are necessary and appropriate measures in place to safeguard the fundamental data protection and privacy rights of the data subjects.
Clear procedures and appropriate governance concerning the processing (and further processing) of such data ensure that any research undertaken is consistent with the principles of transparency, accountability and privacy by design and default.
This article outlines key measures for researchers and institutions to consider in order to ensure the further sharing and processing of this data is aligned with data protection requirements.
Role of Data Sharing Agreements
Accountability is a key principle of data protection law and it is good practice for controllers, such as researchers, to have an agreement in place with the other party (e.g. a biobank) to demonstrate compliance and ensure all parties are clear about their roles and obligations.
Biological material is not “personal data” for the purposes of the GDPR; however, any related data provided about the data subject (e.g. medical or demographic information) and/or any data obtained from those samples is their personal data, including special category data concerning genetics, health or race/ethnicity.
Pseudonymisation (rather than anonymisation) of the data, where the data subject is still identifiable, is one safeguard available when sharing data, but the data will still fall within the definition of personal data under the GDPR. Data subject rights are not confined, however, to privacy and concerns about being identified or identifiable but also extend to autonomy and control over how their data can be used and by whom. Research ethics has a key part to play in this, particularly by ensuring that research participants’ data can only be used in the manner for which they have provided informed consent.
Researchers have a statutory obligation to obtain explicit, informed consent such that it can be relied on as an appropriate measure for safeguarding the fundamental rights and freedoms of the data subject. The Department of Health has issued guidance for researchers on the principles for obtaining broad consent for future uses and biobanks. Researchers must provide relevant and appropriate information to the data subject so they are clear as to what they are consenting to, in terms of how their data can be used in the future and by whom. The terms of this consent should form the basis of, and align with, any Data Sharing Agreement between the researcher and a biobank, for example.
What must be agreed?
A Data Sharing Agreement must be specific to the context, the relationship between the parties and their respective roles. For example, it will depend on whether data and biological material are being shared in order to facilitate collaborative or independent research, and on whether the arrangement requires processor, controller or joint controller status.
Any agreement should:
- Specify what data and biological material are being shared and for what purpose (including secondary research purposes, whole genome sequencing etc.),
- Outline the terms of the consent obtained from the data subject and the need to obtain further consent to process data for any other purpose,
- Specify what data cannot be used for and/or if data transfers are to be prohibited or limited to transfers within the EU etc.,
- Outline the process if data subjects seek access to their data and/or to withdraw consent,
- Specify the status of the parties as data processor, data controller or joint controllers,
- Clarify what is to happen to data at each stage, including at the end of the agreement,
- Provide information about the other party/biobank, including its governance, funding, partnerships and any oversight mechanisms,
- Detail any partnerships or projects which might require biomaterial to be shared or transferred to a third party, either with or without the associated personal data being shared or disclosed, for research and non-research purposes,
- Clarify whether data subjects can seek the return or destruction of samples,
- Set cooperation processes for breach notification and facilitating rights of access and erasure,
- State whether samples and/or related data will be used by commercial/for-profit bodies,
- Outline the rights (of the parties) to any data, biological material, related research and/or intellectual property rights,
- Set out the retention periods for data and biological material,
- Provide contact details for the parties.
There may also be additional ethical requirements, over and above the requirements of data protection laws, and the agreement should detail the agreed applicable standards for medical research.
As with any agreement, there should be provisions on its duration, mechanisms for termination and dispute resolution. The agreement should also state the applicable national laws/courts under which the agreement is to be interpreted. The agreement should be subject to regular reviews to ensure that the data sharing is working in practice and should provide a mechanism for the parties to agree amendments, as may be required.
Trilateral’s Data Protection and Cyber-risk Team has significant experience supporting organisations to develop Data Sharing Agreements, specifically for biobanking and other health research requirements. For more information please feel free to contact our advisers, who would be more than happy to help.