What are the conclusions of the 4th GDPR SUMMIT applied to Health Data 2021?
December 16, 2021
The goal of MyData-TRUST is to create events about Data Protection exclusively dedicated to clinical professionals, people who work with health data on a daily basis.
This 4th session took place in Brussels and was also available via live streaming. We welcomed 50 people on site (a restricted number due to COVID) and more than 100 people online.
The opening lecture of the 4th GDPR Summit was given by Data Protection Lawyer Aline Jouniaux, who presented trends in the laws governing the use and protection of data around the world. It became apparent that the GDPR marked the beginning of a new chapter in the protection of personal data, resulting in the strengthening and escalation of national and regional data protection laws. Most came without guidelines, and although they all share the same fundamentals, their multitude fragments the overall framework (e.g. for transfers). Indeed, the next challenge we will have to face is "How to handle national specificities within global activities?". During the last two years we have faced a pandemic, COVID-19. This event forced the Life Science sector to innovate, including in the way clinical trials are performed. Sometimes disruptive, it is causing a paradigm shift. It may be time for the GDPR to reinvent itself as well.
Secondary Use of Health Data
Today, healthcare and health research can rely on an exponentially growing volume of data to generate knowledge and avoid exposing patients to physical risks, thanks to the use of data from many. The reuse of health data offers clear benefits, both for researchers and for society, whether in the academic or the private sector. How to face this reality from a GDPR compliance standpoint was discussed from different angles by GSK's Head of Data Privacy (Hartmut Nedebock), Medtronic's Sr. Clinical Data Protection Program Manager (Eric Lemaire) and representatives of Universiteit Gent (Hanne Elsen, DPO, and Michiel Verlinden, Sr. Legal Counsel).
In practice, according to the framework set out by the GDPR, the re-use of existing data must mainly consider the purpose of the re-use (is it compatible with the initial purpose for which the data was collected? Art. 5(1)(b)), the principle of transparency (is the data subject sufficiently informed?), as well as the other basic principles for GDPR processing activities (data minimisation, data security, etc.).
In addition to the critical requirement to develop and maintain open and secure databases for existing data, speakers also highlighted the need for clear process and governance as well as the key role of a “Data Access Committee” within private or academic organizations.
A committee or panel composed of the legal department, the DPO, the IT department and the Quality department is a good way to sort and approve each request for re-use of data. If the committee cannot advise the researchers, the ethics committees must be involved in the decision. This assessment must remain a case-by-case evaluation, systematised through the processes that all stakeholders have implemented.
There are many grey zones concerning the re-use of data, and many concepts are frequently misunderstood, starting with the notions of anonymous versus pseudonymous data (pseudonymised data remains personal data under the GDPR, whereas truly anonymous data falls outside its scope). It also became clear to the audience that the structures and processes of many companies are not yet entirely fit to leverage this opportunity.
Data Transfers in Life Sciences: a large concept
Data transfers are not an easy topic to explore. Knowing which tool to select, and when and how to put it in place, can be difficult even for top experts. The use of Standard Contractual Clauses (SCCs) is cumbersome; their use in the life science sector is further complicated by their scope (GDPR entity to non-GDPR entity), the complexity of characterising roles in the sector, and the fact that the transfer tool may have to cover several activities at once between partners whose role changes from one activity to the other. It may be difficult for an exporter-processor to negotiate with the importer-controller.
In Belgium, hospitals subcontracted by the Sponsor are processors and exporters from the SCCs' point of view. This creates a paradox, because they have to, in a way, assess the Sponsor, while the power balance is not really in their favour.
One element that Ellen Lecrenier, DPO of CHC Groupe Santé, insisted on is the hostile way in which companies not subject to the GDPR can sometimes receive such "restrictive" measures.
There is also the reality in the field that dictates the choice of tool (e.g. an Ethics Committee opinion or standard national site contracts), even if not entirely in line with EDPB guidelines.
Potential supplementary measures, such as encryption, are frequently poorly understood and underused, as they sometimes represent an important investment.
In the Life Science sector, it is difficult to imagine clinical research without data transfers. The choice of an adequate transfer mechanism among those offered by the GDPR remains a major challenge, as the tools at the disposal of researchers are largely insufficient and national field-specific guidelines and templates may contradict those of the EDPB (or even, sometimes, the GDPR itself).
The Transfer Impact Assessment (TIA) is an additional difficulty, even a mission impossible for some stakeholders, as it requires evaluating not only the law of the destination country but also the practice. A TIA is so hard to set up that it deserves its own budget. Sometimes the controller-importer is a big actor and the processor-exporter is small, and its capacity to carry out such a complex undertaking is limited. Regarding the assessment for non-EU-based Sponsors, in a trial with many sites, each site, as exporter of the data it provides, in theory has to perform the same assessment. This raises problems of cost and time, and seems meaningless.
Jean-Christophe Le Toquin, public affairs advisor for tech companies in cyber security, took a helicopter view of the subject and called on the health research community to come together and plead its cause (i.e. the need for more sector-specific guidance and tools) before the legislator.
Alexandre Meunier, DPO at the Institute of Pathology and Genetics (Belgium), for his part underlined the crucial need to clarify and raise the security level that cloud providers should meet. Indeed, the choice of cloud provider is critical for activities requiring large-scale processing of highly sensitive data, such as genetic data. With technological means in scientific research advancing every day, there is a growing need to identify cloud providers offering a level of security in line with what the GDPR demands.
Tools to support the Life Science sector
Given its multitasking function and the increasingly demanding expertise it requires, the role of the DPO becomes more and more challenging. The DPO is in itself a kind of GDPR tool: an adviser and compliance enabler supporting controllers and processors. It is a new domain of expertise, a new profession, which does not yet receive enough support and advice from the data protection authorities. This section of the summit focused on the tools available to support and guide DPOs in their daily tasks.
In this regard, DPO-pro, a non-profit association of DPOs in Belgium, represented by Philippe Costard, DPO and Group Administrator, is in the process of setting up an independent platform for DPOs. This platform is a central place where DPOs can communicate and exchange in order to better deal with legal, technical and operational issues within the framework of the GDPR, e-Privacy and existing legislation.
The GDPR provides yet another tool to support compliance: the code of conduct. A code of conduct must be approved by the competent Supervisory Authority and, where it covers processing in several Member States, receive an opinion from the EDPB.
The European CRO Federation's GDPR Code of Conduct for Clinical Research Service Providers (EUCROF GDPR Code), introduced by Kate Smirnova, DPO for PSI CRO AG, aims to create a transnational GDPR code of conduct for CROs in the healthcare industry. The objective of the EUCROF GDPR Code is to provide support to guarantee the rights and freedoms of data subjects while promoting the lawful and fair use of their personal data.
Several codes are in preparation for the Life Science sector (e.g. the EUCROF GDPR Code of Conduct, the BBMRI CoC and the EFPIA CoC). These Codes of Conduct will help the sector better embed the GDPR into its activities and will bring trust and transparency. The EUCROF IT platform is already launched, and each CRO can connect and see the requirements of the Code of Conduct.
One Code of Conduct for data processors, the EU Cloud CoC, is already approved, and several cloud providers are certified. Certification lets cloud providers and their customers save money and time in implementing GDPR compliance, and it echoes the needs expressed earlier in the day regarding the criticality of choosing a trustworthy cloud provider to host very sensitive health data.