GDPR for Biobanks – A sheep in wolf’s clothing?
In our latest blog post we hear from Heather Coupar, Programme Manager at the Medical Research Council’s Regulatory Support Centre, about the General Data Protection Regulation (GDPR) and how it applies to the world of biobanking.
Heather Coupar's three key messages on GDPR and research
I recently presented at the 2019 UK Biobanking Showcase, where I delivered three key messages about GDPR and research:
1. What counts as personal data?
- pseudonymised data is personal data when your organisation holds both the pseudonymised dataset and the key to unlink it, and
- pseudonymised data can be effectively anonymised in the hands of a recipient when both its content (which fields it contains) and its context (who can access it and what other data they could combine it with) are controlled.
→ For more please see our guidance on identifiability, anonymisation and pseudonymisation.
2. GDPR doesn't stop you sharing data; and
3. Whilst you as a researcher or biobanker have a role to play, ultimately, your organisation is responsible for compliance with GDPR.
→ If you follow your local organisational data policies, you will be well placed to meet the requirements of GDPR.
Whilst these are all useful messages, they don’t fully consider the complexity of the environment within which biobanks operate. In this blog, I’ll further explore GDPR research requirements and how these apply to biobanking.
What role does consent play in GDPR?
You may have heard some myths about consent and GDPR, such as:
- obtaining explicit consent is the only way to comply with GDPR;
- you have to re-consent people every year or two; or
- you don’t need consent at all.
In fact, GDPR demands that organisations are lawful, fair and transparent when collecting, using or holding (processing) personal data for research.
In terms of being lawful, organisations must have a ‘lawful basis’ to process personal data. Whilst consent is one of the lawful bases, others are usually more appropriate for research. In the UK, ‘task in the public interest’ (for public bodies such as universities and NHS organisations) or ‘legitimate interests’ (typically for commercial organisations) are the most likely lawful bases – not consent. Therefore, ICO consent guidance, such as requirements to refresh consent, often doesn’t apply to research in the UK. Health and genetic data are also ‘special category’ data, which need a separate condition on top of the lawful basis; for research in the UK this is usually the research condition rather than explicit consent.
This isn’t to say that consent isn’t important or that you don’t need to obtain consent anymore!
Informed, voluntary and fair consent to take part in a study is the cornerstone of ethical research. It’s also a central requirement of other law such as human tissue legislation, common law of confidentiality, and Clinical Trial Regulations.
We have more guidance on lawful basis and the role of consent in managing confidentiality.
Other GDPR myths…
I can only keep personal data for a limited time – MYTH!
You can keep personal data indefinitely for research – and there’s no requirement to delete it either (subject to ‘safeguards’).
All genetic data is personal data – MYTH!
Not all genetic data is personal data. It depends on uniqueness and identifiability (both direct and indirect), as it does for all other data.
Personal data collected for clinical care can only be used for that purpose, and that purpose alone – MYTH!
Any personal data can be used for research, regardless of why it was initially collected (subject to ‘safeguards’): GDPR treats further processing for research purposes as compatible with the original purpose. Other law still applies, though, so personal data collected in clinical care remain confidential under the common law of confidentiality and need consent or another lawful route before they can be disclosed for research.
How can we be fair and transparent?
GDPR requires organisations to be fair and transparent in how they process personal data.
Being fair with donors includes respecting their rights and using their personal data in line with their expectations. Transparency is therefore intrinsically linked to fairness.
Transparency means telling people, clearly, how their personal data will be used in research: the types of data involved, who will use them, how individuals can object to a particular use, and so on. There are a number of ways to deliver transparency information.
The ICO recommends a layered approach to transparency, which means transparency information can be split into key messages which point to other relevant sources of information where appropriate. All sources of transparency information should align and complement each other.
How can your biobank be transparent?
It very much depends on your set-up.
It may be that your biobank is closely integrated with an NHS organisation and all donor contact is through the NHS. In this case, working closely with your NHS colleagues to provide transparency information would be the best approach. NHS organisations should have information on their websites detailing their role in research, and it may be appropriate to name your biobank there. You could also provide posters and/or leaflets for NHS clinics as well as documentation to support the consent process describing to donors how your biobank will use their personal data to support research.
Alternatively, it may be that your biobank is embedded within a University and your donors are all healthy volunteers. In this case, transparency information could be provided during the consent process: both in conversation and in any written materials (e.g. information sheet, consent form, clinic posters, leaflets, and pages on the University and/or biobank websites).
All transparency information should be accessible, concise and consistent, and cross link where appropriate.
What are the exemptions and ‘safeguards’ for research?
GDPR recognises that we use data differently in research, and as such provides some exemptions. We’ve mentioned two of these above, related to storage and purpose. There are also exemptions to the rights donors have over the personal data that you and/or your organisation hold about them.
To qualify for these exemptions, ‘safeguards’ must be in place, most of which you and/or your organisation will have in place already: for example, appropriate data security and storage arrangements; pseudonymising or anonymising data wherever possible; and keeping personal data adequate, relevant and limited to what is necessary (data minimisation). We have created guidance about the full range of safeguards needed for research.
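The following is an added example, not code from the original post or from the MRC Regulatory Support Centre, illustrating the first key message above (a pseudonymised dataset plus the key to unlink it is personal data) together with the pseudonymisation and data-minimisation safeguards just described. It assumes a hypothetical clinical extract with made-up NHS numbers, a keyed HMAC-SHA256 as the pseudonymisation function, and a linkage table held by whoever holds the key; the field names and function names are assumptions. The last function shows the caveat a practitioner should check before calling a dataset pseudonymised: an unkeyed hash of a small identifier space such as NHS numbers is reversible by enumeration and is not a safe pseudonym.

```python
"""Keyed pseudonymisation with a separately held linkage key (added example).

The records below are constructed for illustration; the NHS numbers are
made-up 10-digit strings, not real identifiers.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: a clinical extract as a biobank might receive it.
CLINICAL_EXTRACT = [
    {"nhs_number": "9434765919", "name": "A. Donor", "dob": "1961-03-04",
     "postcode": "LS2 9JT", "diagnosis": "C50.9", "sample_id": "BB-0001"},
    {"nhs_number": "9434765870", "name": "B. Donor", "dob": "1975-11-30",
     "postcode": "M13 9PL", "diagnosis": "C18.7", "sample_id": "BB-0002"},
]

# Fields a given study actually needs (data minimisation). Direct
# identifiers (name, NHS number, full postcode, date of birth) are dropped.
RESEARCH_FIELDS = ("diagnosis", "sample_id")


def new_linkage_key() -> bytes:
    """A fresh 256-bit secret: the 'key to unlink'. It must be held
    separately from the research dataset (e.g. by the biobank's data
    custodian) under its own access controls."""
    return secrets.token_bytes(32)


def derive_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the direct identifier, truncated
    to 64 bits. Without the key nobody can recompute this from a guess."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes, keep_fields=RESEARCH_FIELDS):
    """Split one extract into a research dataset and a linkage table.

    Returns (research_dataset, linkage_table). The research dataset carries
    only the pseudonym and `keep_fields`; the linkage table maps pseudonym
    back to NHS number and stays with the key holder. An organisation that
    holds both halves holds personal data; a recipient given only the
    research dataset cannot re-link it."""
    research, linkage = [], {}
    for rec in records:
        pseudonym = derive_pseudonym(rec["nhs_number"], key)
        research.append({"pseudonym": pseudonym, **{f: rec[f] for f in keep_fields}})
        linkage[pseudonym] = rec["nhs_number"]
    return research, linkage


def relink(pseudonym: str, linkage: dict) -> Optional[str]:
    """Re-identification, only possible for whoever holds the linkage table."""
    return linkage.get(pseudonym)


def unkeyed_pseudonym(identifier: str) -> str:
    """What NOT to do: a plain hash of the identifier. It looks opaque but
    is reversible by enumerating the (small) identifier space."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:16]


def recover_identifier(target: str, candidates, key: Optional[bytes] = None) -> Optional[str]:
    """Attacker's view: try every candidate identifier and see which one
    reproduces the target pseudonym. With key=None this is a dictionary
    attack on an unkeyed hash and succeeds as soon as the real NHS number is
    in the candidate list (all valid NHS numbers, roughly 10^9, are
    enumerable). Against a keyed pseudonym the attacker needs the key itself;
    guessing with the wrong key never matches."""
    for cand in candidates:
        guess = unkeyed_pseudonym(cand) if key is None else derive_pseudonym(cand, key)
        if hmac.compare_digest(guess, target):
            return cand
    return None


if __name__ == "__main__":
    key = new_linkage_key()
    research, linkage = pseudonymise(CLINICAL_EXTRACT, key)
    print("research dataset:", research)
    print("relinked first record:", relink(research[0]["pseudonym"], linkage))
```

Running the file prints the minimised research dataset and shows that only the holder of the linkage table (or the key) can get back to an NHS number. Sending just `research` to a collaborator, while the key and linkage table stay under separate access control, is one concrete way of controlling both content and context; keeping all three in the same system is the situation in the first key message, where the organisation still holds personal data.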
Where a donor seeks to exercise one of their rights (e.g. right to access, right to erasure, etc.), you should seek advice from your Data Protection Officer since applying an exemption can rely on further conditions.
We need to be fair. It’s important to only promise donors things that can be delivered, to understand what donors want, and to respect donor wishes wherever possible. If a donor wishes to use a right, try to have a conversation with them so that you can better understand what they want.
You should also take advantage of any opportunities at the outset to explain what rights donors can expect, such as discussing withdrawal options during the consent process. For further guidance on consent please see our HRA/MRC Consent and Participant Information Guidance.
Where can I go for help?
Your local research governance offices and/or Data Protection Officer can help you in the first instance.
The MRC Regulatory Support Centre also has guidance on both GDPR and the common law of confidentiality on our GDPR resources page.
Or, if you have a specific question, please email us.