It’s a well-known fact in the life sciences world that data collected today in a clinical trial can have significant value to the research sponsor and to the public years after a trial has been completed. But use of patient data for future research can be a difficult issue to navigate. The European Data Protection Board’s (“EDPB”) recent clarifications on the application of GDPR in health research (hereinafter, “Clarifications”) provides life sciences privacy professionals with useful interim guidance, but also many instances of “wait and see” until the Board issues its planned Guidelines on Processing Personal Data for Scientific Research Purposes later this year.
Legal Basis of Processing
It is important to understand the legal bases for processing patient data in clinical trials, as the legal basis will directly impact whether – and the manner in which – patient data can be used for future research. Traditionally, processing in the clinical trial environment has been based on patient consent, typically via GDPR Articles 6(1)(a) for “standard” personal data and 9(2)(a) for health and other special categories of personal data.
The EDPB Clarifications echo previous guidance from the Article 29 Working Party that since consent provided by a seriously ill individual to a health care provider may be considered to have not been freely given, legal bases other than the consent model should be considered. Specifically, and as addressed in the Clarifications, clinical research sponsors should consider the combination of Article 6(f) (legitimate interest) for the processing of the basic personal data and 9(2)(j), which allows processing special categories of personal data for purposes of scientific research without data subject consent. In addition to creating a model in which the question of freely given consent is eliminated, this approach also removes the possibility of clinical trial patients attempting to revoke consent or seeking data portability under Article 20.
Compatible Purposes and Broad Consent
While the EDPB Clarifications do not provide a definitive answer to the question of the use of clinical trial patient data for future research, they do point to the fact that GDPR allows for further processing of personal data for compatible purposes via Article 5(1)(b) and 6(4). Article 5(1)(b) specifically states that further processing for scientific research purposes is not considered incompatible with the initial purposes.
Legitimate Interest and 9(2)(j)
However, in instances where the legal basis of processing is legitimate interest combined with 9(2)(j), the controller must take additional steps. Specifically, Article 6(4) requires that where the legal basis of processing is not consent (i.e., health data under 9(2)(j)), the controller must assess the compatibility of the future use based on specific criteria, including:
- any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
- the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
- the nature of the personal data, in particular whether special categories of personal data are processed;
- the possible consequences of the intended further processing for data subjects; and
- the existence of appropriate safeguards, which may include encryption or pseudonymization.
Thoughtful application of these criteria may form a solid basis for the use of patient data in new scientific research, particularly research into a disease related to the subject disease in the original trial, and where there are clear potential benefits to public health. However, final determinations of the validity of such use of patient data will be left to supervisory authorities and the EU judiciary.
Where consent is the legal basis for processing of both personal data and sensitive personal data, as is the case in the majority of current trials (in particular those commenced prior to GDPR), the EDPB Clarifications point to GDPR Recital 33, and the concept of “broad consent”. Recital 33 indicates that researchers may obtain a general consent from clinical trial patients that can be used for future processing in connection with “areas of scientific research,” regardless of whether detailed study plans have been finalized for such research at the time consent is obtained.
The EDPB Clarifications warn against navigating around the requirement to specify the purpose of processing and stress that applying the “flexible approach” of Recital 33 requires a high degree of scrutiny, including careful evaluation of “the rights of the data subject, the sensitivity of the data, the nature and purpose of the research and the relevant ethical standards”. However, the Clarifications indicate that it is possible for trial subjects to consent the specific known stages of a research project, as well as future, compatible research purposes that are not known at the time the study subject is presented with an Informed Consent Form (“ICF”). In instances of use of health data for new research, there should be an obvious link between the new research and the purpose for which the data was originally collected. Of course, the controller should strive to provide as much transparency as possible.
The EDPB adds in its Clarifications that “the presumption of compatibility can only be used under the condition that in such further processing for scientific research purposes adequate safeguards as required by Article 89(1) GDPR are respected”. And while the Clarifications do not provide detail on what types of safeguards will be considered “adequate”, Article 89(1) does call out pseudonymization – a near universal standard for patient data in clinical trials.
In Articles 5(1)(b), 6(4) and Recital 33, GDPR appear to provide a framework by which researchers can provide a specific description of the purposes of processing for current research and a more broad, general description of potential future research in their initial ICFs in order to further process patient data and biological samples for compatible future research. The EDPB’s Clarifications seem to broadly support this view, while emphasizing that data controllers must continue to meet their fundamental data protection requirements if and when they choose to use patient data for research that could not be specified at the time of the original trial. While the Clarifications do not provide a definitive point of view on the question of future research, privacy professionals in the life sciences should expect more clarity later this year with the EDPB’s planned Guidelines on Processing Personal Data for Scientific Research Purposes.
 EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research
 Note that 9(2)(j) applies only where permitted by applicable Member State law.
 The EDPB defers guidance on the use of Article 6(4), which allows processing for a purpose other than that for which personal data was were originally collected, where the new purpose is compatible, until its upcoming Guidelines on Processing Personal Data for Scientific Research Purposes, expected later this year.
 It’s also worth noting that Article 89(2) provides that EU or Member State law may provide derogations for some data subject rights (access, rectification, restriction and objection) where processing is taking place for purposes of scientific research, if the fulfilment of those data subject rights would impact the achievement of the purposes of the research.