A blog from the Centre for Research Ethics & Bioethics (CRB)

Tag: governance of health data

Safeguards when biobank research complies with the General Data Protection Regulation

The General Data Protection Regulation (GDPR) entails a tightening of EU data protection rules. These rules do not only apply to the processing of personal data by companies. They apply in general, also to scientific research, which in many cases could entail serious restrictions on research. However, the GDPR allows for several derogations and exemptions when it comes to research that would otherwise probably be made impossible or considerably more difficult.

Such derogations are allowed only if appropriate safeguards, which are in accordance with the regulation, are in place. But what safeguards may be required? Article 89 of the regulation mentions technical and organizational measures to ensure compliance with the principle of data minimization: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Otherwise, Article 89 does not specify what safeguards are required, or what it means that the safeguards must be in accordance with the GDPR.

Biobank and genetic research require large amounts of biological samples and health-related data. Personal data may need to be stored for a long time and reused by new research groups for new research purposes. This would not be possible if the regulation did not grant an exemption from the rule that personal data may not be stored longer than necessary and for purposes not specified at data collection. But the question remains, what safeguards may be required to grant exemption?

The issue is raised by Ciara Staunton and three co-authors in an article in Frontiers in Genetics. The article begins by discussing the regulation and how to interpret the requirement that the safeguards should be “in accordance with the GDPR.” Then six possible safeguards are proposed for biobank and genetic research. The proposal is based on a thorough review of a number of documents that regulate health research.

Here, I merely want to recommend reading to anyone working on the issue of appropriate safeguards in biobank and genetic research. Therefore, I mention only briefly that the proposed safeguards concern (1) consent, (2) independent review and oversight, (3) accountable processes, (4) clear and transparent policies and processes, (5) security, and (6) training and education.

If you want to know more about the proposed safeguards, you will find the article here: Appropriate Safeguards and Article 89 of the GDPR: Considerations for Biobank, Databank and Genetic Research.

Pär Segerdahl

Written by…

Pär Segerdahl, Associate Professor at the Centre for Research Ethics & Bioethics and editor of the Ethics Blog.

Ciara Staunton, Santa Slokenberga, Andrea Parziale and Deborah Mascalzoni. Appropriate Safeguards and Article 89 of the GDPR: Considerations for Biobank, Databank and Genetic Research. Frontiers in Genetics. 18 February 2022 doi: 10.3389/fgene.2022.719317


Research for responsible governance of our health data

Do you use your smartphone to collect and analyse your performance at the gym? This is one example of how new health-related technologies are being integrated into our lives. This development leads to a growing need to collect, use and share health data electronically. Healthcare, medical research, as well as technological and pharmaceutical companies are increasingly dependent on collecting and sharing electronic health data, to develop healthcare and new medical and technical products.

This trend towards more and more sharing of personal health information raises several privacy issues. Previous studies suggest that people are willing to share their health information if the overall purpose is improved health. However, they are less willing to share their information with commercial enterprises and insurance companies, whose purposes may be unclear or do not meet people’s expectations. It is therefore important to investigate how individuals’ perceptions and attitudes change depending on the context in which their health data is used, what type of information is collected and which control mechanisms are in place to govern data sharing. In addition, there is a difference between what people say is important and what is revealed in their actual behaviour. In surveys, individuals often indicate that they value their personal information. At the same time, individuals share their personal information online despite little or no benefit to them or society.

Do you recognise yourself, do you just click on the “I agree” button when installing a health app that you want to use? This behaviour may at first glance suggest that people do not value their personal information very much. Is that a correct conclusion? Previous studies may not have taken into account the complexity of decisions about integrity where context-specific factors play a major role. For example, people may value sharing health data via a physical activity app on the phone differently. We have therefore chosen to conduct a study that uses a sophisticated multi-method approach that takes context-specific factors into account. It is an advantage in cybersecurity and privacy research, we believe, to combine qualitative methods with a quantitative stated preference method, such as a discrete choice experiment (DCE). Such a mixed method approach can contribute to ethically improved practices and governance mechanisms in the digital world, where people’s health data are shared for multiple purposes.

You can read more about our research if you visit the website of our research team. Currently, we are analysing survey data from 2,000 participants from Sweden, Norway, Iceland, and the UK. The research group has expertise in law, philosophy, ethics and social sciences. On this broad basis, we explore people’s expectations and preferences, while identifying possible gaps within the ethical and legal frameworks. In this way, we want to contribute to making the growing use and sharing of electronic health data ethically informed, socially acceptable and in line with people’s expectations.

Written by…

Jennifer Viberg Johansson, Postdoc researcher at the Centre for Research Ethics & Bioethics, working in the projects Governance of health data in cyberspace and PREFER.
