Medical research

You learned that the GDPR requires a legal basis for processing personal (health) data, consent being one of them. Article 6 determines that personal data may be processed if a data subject, like Anna, gives consent for processing her data for one or more specific purposes. For special categories of data the requirements for processing are stricter than for other types of personal data. As a consequence, Anna has to give explicit consent if someone wants to process her personal health data (Article 9 GDPR).

There are however situations where organisations who do not have explicit consent, are permitted to process health data. Article 9 (2, i and j) GDPR mentions two exemptions from the prohibition to process health data that could be interesting for research purposes.

The first exemption is if processing is necessary for reasons of public interest in the area of public health. The second is if processing is necessary for scientific or historical research purposes. Unfortunately, the GDPR does not provide a definition of what scientific research purposes are. Recital 159 of the GDPR explains that this term should be interpreted in a broad manner, which suggests a somewhat flexible definition of the term ‘scientific research’.

If an organisation, like a hospital, wants to process personal health data for scientific research purposes, the processing has to be in accordance with Article 89 (1) GDPR. This means that appropriate safeguards have to be put in place, meaning that the hospital needs to take technical and organisation measures to ensure protection of the data. The principle of data minimisation is mentioned specifically in Article 89. Data minimisation is also required in a research context considering that a researcher should think about what data is necessary for the research to be carried out. Only the personal data necessary for the research purpose should be collected and used, and no more than that.

The other exemption is if the research is necessary for reasons of public interest in the area of public health (Article 9 paragraph 2 (i) GDPR. This mainly applies to the processing of personal health data in order to protect public health, for example in epidemics or pandemics. It also applies if the research has a connection with threats in combination with medicines or medical devices.

You heard the research nurse explain that Anna’s consent is required for participating in the research carried out by her doctor. You learned that consent has to be freely given, specific and informed (Article 4 (11) GDPR). This means that Anna should be able to make the choice whether she wants to participate in the research or not. If she does not want to participate, this should not have any impact on her treatment. Anna’s hospital organises a meeting for Anna with a research nurse in order to provide Anna with all the information she needs. This way, Anna has the possibility to ask questions and the research nurse can point out Anna’s rights, for example her right to withdraw her consent at any time.