Clinical Research and GDPR: Are compromises possible?

In this text, Marco Aurélio Constantino seeks to highlight the openings that the General Data Protection Regulation (GDPR) provides in the context of clinical research.

The importance of clinical research for the advancement of health care sciences and, consequently, for the improvement of people’s health and well-being is widely recognized.

The concerns and regulations that the development of clinical research requires whenever it involves interventions on human beings are also well known. It is a widely held principle that clinical research is not an end in itself and that the progress of science in the field of health care is not self-justifying: both stand in a relation of instrumentality to well-being, and only in this context do they become legitimate.

In the foreground, as established in the Clinical Investigation Law (CIL), is the primacy of the person. Any clinical research practice is subject to this postulate and must take place “in strict respect of the principle of the dignity of the human person and of his fundamental rights”, with the rights of the participants always prevailing over the interests of science and society. As a result, it is necessary to take “all precautions to respect the privacy of the individual and minimizing any harm to his personality rights and to his physical and mental integrity”[i].

Concerns about respect for the dignity of persons participating in clinical research activities naturally arise from the use made of their information and personal data. The essential role that data relating to persons plays in the conduct of scientific studies, and in research in general, must necessarily be in harmony with their fundamental rights and freedoms, such as the right to privacy of private life, which is constitutionally protected under Article 26 of the Constitution of the Portuguese Republic.


GDPR’s context

The General Data Protection Regulation (GDPR)[ii], the purpose of which, as highlighted in its recitals, is “to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons”[iii], has not failed to take account of the importance of clinical research for the development of knowledge and science and its consequent benefits for people, namely in addressing people’s health problems and improving their health status[iv].

The activity of scientific research, and thus also clinical research and the processing of personal data it involves, is therefore covered by the GDPR[v]. Considering the full applicability of the GDPR as of May 25, 2018, it is essential to ensure that clinical research practices carried out from that date conform to the GDPR.

The GDPR is a regulatory instrument that is sensitive to the importance of clinical research and to the use of people’s data that its development necessarily requires, including data belonging to special categories such as health data.


Exceptions to the rule

Scientific research is one of the cases in which the GDPR allows for exceptions to the general rule prohibiting the processing of special categories of personal data, as is apparent from paragraph j) of no. 2 of Article 9.

The legal solution adopted by the GDPR regarding the processing of data for research purposes is based on the same reasoning as was applied to other domains of activity involving the processing of personal data: the processing of data for clinical research purposes is subject to adequate safeguards for the rights and freedoms of the data subject.

What the GDPR requires of promoters of scientific research, as data controllers carrying out personal data processing activities, naturally includes their subjection to the principles of lawfulness, fairness and transparency, data minimization, storage limitation, integrity and confidentiality.

In view of these principles, and of the importance of respecting them, it will have to be shown that there is a basis for the processing of personal data, in particular by obtaining the consent of the data subject.

The general requirement applies that, to that effect, the consent of the data subject be given by a clear positive act indicating a free, specific, informed and unequivocal expression of his consent to the processing of data concerning him, namely by a written statement. Providing the information to be transmitted to the data subject for that purpose is the responsibility of the data controller in charge of the investigation.


Definition of purposes

The GDPR does, however, accept that, in cases where it is not possible to identify the entire purpose of the processing of data for scientific research purposes at the time of collection, data subjects may consent to certain areas of scientific research, provided they are in accordance with recognized ethical standards for scientific research.

This possibility, although an important advantage for the data controller, presents significant challenges: a data controller who has opted to base the processing of personal data on consent for a given field of research is responsible for demonstrating that the processing respects the principle of limitation of purpose. Such respect will be legally assessed on a case-by-case basis to determine whether there are legitimate conditions to base the processing of data for research purposes on a consent given to a wider field of investigation, and not for a concrete and determinate purpose, as is the rule.

The GDPR also accepts that personal data previously collected for a particular purpose may subsequently be processed for purposes other than those for which it was originally collected. The GDPR generally admits that the processing of data for research purposes is a lawful processing compatible with the purposes for which the personal data was originally collected, but it must be ascertained in each concrete case whether the purpose of the new data processing is compatible with the purpose for which the personal data was initially collected. The controller is therefore required, after having fulfilled all the requirements for the lawfulness of the initial processing, to ascertain, among others: the existence of a link between the first purpose and the one for which the new operation is intended; the context in which the personal data were collected, in particular the reasonable expectations of the data subject as to their subsequent use, based on his relationship with the controller; the nature of the personal data; the consequences that the new data processing may have for the data subject; and the existence of adequate safeguards both in the initial processing and in the other planned processing operations.

If the research objective can be properly pursued with anonymized data, anonymization should be adopted for compliance with the Regulation.


Information and precaution

Particularities also arise, in the case of the processing of personal data for research purposes, with regard to the principles of fair and transparent processing. The data subject must be informed, at the time of the data collection, of the data processing operation and its purposes, of the recipients, and of his rights, including the right to object to the processing by the data controller. The GDPR allows for an exceptional application of these principles in cases of data processing for research purposes, in particular where providing the information to the data subject is impossible or would involve a disproportionate effort.

The development of clinical research, and the need of the research promoter (the data controller under the GDPR) to resort to other people, in particular researchers, also calls for considerable caution in ensuring that the processing of data by such persons complies with the requirements imposed by the GDPR. The subcontracting relationships and the corresponding legal requirements provided for in the GDPR find, in clinical research activities involving personal data processing, a field of particular and careful application.

The GDPR, which has not overlooked the specific nature of personal data processing for clinical research purposes and reflects, at various points, a legal approach based on a rational balance, thus poses significant challenges to the promoters of clinical research and to investigators, challenges that need to be adequately weighed and legally supported to ensure full compliance with the new regime.



[i] Cf. article 3 of Law no. 21/2014, of April 16, amended by Law no. 73/2015, of July 27.

[ii] Approved by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

[iii] In this sense, see Recital (2) of the GDPR.

[iv] In this sense and in clear terms, see GDPR’s Recital (157) recognizing the relevance of the combination of information from registers for researchers to obtain ‘high-level knowledge of general medical problems such as cardiovascular diseases, cancer and depression’ as well as the wider range of data sources and the number of people covered to improve research results.

[v] Recital (157) of the GDPR unequivocally states this scope and makes it clear that a broad sense must be given to consideration of what should be understood as the processing of personal data for scientific research purposes; the GDPR clarifies in the same recital, that such treatment covers, ‘for example, technological development and demonstration, fundamental research, applied research and research funded by the private sector. (…) The purposes of scientific research should also include studies of public interest carried out in the field of public health care’.
