The General Data Protection Regulation (GDPR) entails a tightening of EU data protection rules. These rules apply not only to the processing of personal data by companies. They apply in general, including to scientific research, where in many cases they could entail serious restrictions. However, the GDPR allows for several derogations and exemptions for research that would otherwise probably be made impossible or considerably more difficult.

Such derogations are allowed only if appropriate safeguards, which are in accordance with the regulation, are in place. But what safeguards may be required? Article 89 of the regulation mentions technical and organizational measures to ensure compliance with the principle of data minimization: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Otherwise, Article 89 does not specify what safeguards are required, or what it means that the safeguards must be in accordance with the GDPR.

Biobank and genetic research require large amounts of biological samples and health-related data. Personal data may need to be stored for a long time and reused by new research groups for new research purposes. This would not be possible if the regulation did not grant an exemption from the rule that personal data may not be stored longer than necessary and for purposes not specified at data collection. But the question remains, what safeguards may be required to grant exemption?

The issue is raised by Ciara Staunton and three co-authors in an article in Frontiers in Genetics. The article begins by discussing the regulation and how to interpret the requirement that the safeguards should be “in accordance with the GDPR.” Then six possible safeguards are proposed for biobank and genetic research. The proposal is based on a thorough review of a number of documents that regulate health research.

Here, I merely want to recommend the article to anyone working on the issue of appropriate safeguards in biobank and genetic research. Therefore, I mention only briefly that the proposed safeguards concern (1) consent, (2) independent review and oversight, (3) accountable processes, (4) clear and transparent policies and processes, (5) security, and (6) training and education.

If you want to know more about the proposed safeguards, you will find the article here: Appropriate Safeguards and Article 89 of the GDPR: Considerations for Biobank, Databank and Genetic Research.

Pär Segerdahl

Written by Pär Segerdahl, Associate Professor at the Centre for Research Ethics & Bioethics and editor of the Ethics Blog.

Ciara Staunton, Santa Slokenberga, Andrea Parziale and Deborah Mascalzoni. Appropriate Safeguards and Article 89 of the GDPR: Considerations for Biobank, Databank and Genetic Research. Frontiers in Genetics. 18 February 2022 doi: 10.3389/fgene.2022.719317
