The COVID-19 pandemic has given increased impetus to scientific research, with fields such as epidemiology becoming part of the public discourse in the fight against the virus.  There has rarely been a time where such research has played a more vital and time-critical role in our society.  Yet, the processing of sensitive health data is a necessary corollary in evaluating the risk factors and spread of the disease.  This raises questions as to the balance that must be struck between public health and privacy.

On 21 April 2020, the European Data Protection Board (the “EDPB”) announced its “Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak” (the Guidelines) to address some of the key concerns, such as the legal basis for processing, the implementation of adequate safeguards and the exercise of data subject rights.

What are the key messages in the Guidelines? 

The Guidelines appear to be a product of the urgency of the situation, largely reiterating earlier EDPB guidelines, GDPR provisions and recitals.  

The EDPB is keen to stress that “data protection rules (such as the GDPR) do not hinder measures taken in the fight against the COVID-19 pandemic.”  Indeed, the GDPR foresees a specific derogation from the prohibition on processing certain special categories of data, such as health data, where the processing is necessary for the purposes of scientific research.

Broad definitions

The EDPB notes that “data concerning health” encompasses data from a variety of different sources, such as data traditionally collected by a health care provider in a patient’s medical records, as well as information that becomes health data by cross-referencing with other data, thereby allowing the state of health to be inferred.  

The latter includes information derived from “self-check” surveys and information that becomes health data by virtue of its use in a specific context: for example, a doctor may treat travel to high-risk regions as health data when diagnosing a patient.

Although not explicitly defined in Article 4 GDPR, “processing for the purpose of scientific research” is also characterised in a “broad manner”, comprising activities such as “technological development and demonstration, fundamental research, applied research and privately funded research”.

Legal basis for processing

As is to be expected, the EDPB reiterates that all processing of personal data relating to health must comply with the principles relating to processing set out in Article 5 GDPR.  It must also rest on one of the legal grounds in Article 6 GDPR and, because health data is a special category of personal data, on one of the specific derogations listed in Article 9 GDPR.  

The Guidelines discuss the legal bases and applicable derogations, including the use of explicit consent and the need to ensure that all the conditions for valid consent are met. The Guidelines also touch on national legislation which may provide a legal basis for the processing of health data for scientific research. The conditions for, and extent of, such processing depend on the laws enacted by the particular Member State, and the guidance emphasises that derogations from and limitations on the protection of data provided for in Article 9(2)(j) and Article 89 GDPR must apply only in so far as is strictly necessary.

Data protection principles

The Guidelines are clear that the data protection principles (e.g. transparency) must be observed. Amongst other principles, the Guidelines focus on the need for robust measures to secure health data used for scientific research, particularly given that the processing of health data may lead to negative impacts for data subjects. The Guidelines stress the importance of reading the principle of integrity and confidentiality together with the requirement to take appropriate technical and organisational measures, which should, according to the guidance, include at least pseudonymisation, encryption and non-disclosure agreements.   
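The Guidelines name pseudonymisation as a minimum measure but, as a legal text, do not say how to do it. The following is an added example (it is not taken from the Guidelines or from the authors of this post) showing one way a data controller might pseudonymise patient records before releasing them to a research team, using only the Python standard library. It contrasts an unkeyed hash of the patient identifier, which an attacker holding a list of candidate identifiers can reverse by recomputation, with a keyed HMAC under a secret held by the controller, which keeps records about the same patient linkable within a study while making re-identification without the key infeasible. The records, identifiers, study labels and field names are all constructed for the example.

```python
"""Keyed pseudonymisation of health records (added example, not from the EDPB Guidelines)."""
import hashlib
import hmac
import secrets

# Constructed sample records: the identifiers, names and clinical values are invented.
RECORDS = [
    {"patient_id": "4505577104", "name": "A. Example", "dob": "1971-03-02",
     "travel": "Lombardy", "test_result": "positive"},
    {"patient_id": "9434765919", "name": "B. Sample", "dob": "1988-11-23",
     "travel": "none", "test_result": "negative"},
    {"patient_id": "4505577104", "name": "A. Example", "dob": "1971-03-02",
     "travel": "Lombardy", "test_result": "negative"},  # follow-up test for the same patient
]

# Fields that identify the patient directly and must not reach the research dataset.
DIRECT_IDENTIFIERS = ("patient_id", "name")


def naive_pseudonym(patient_id: str) -> str:
    """Unkeyed SHA-256 of the identifier: deterministic, but anyone who can
    enumerate plausible identifiers can recompute it and recover the patient."""
    return hashlib.sha256(patient_id.encode()).hexdigest()


def keyed_pseudonym(patient_id: str, key: bytes, study: str) -> str:
    """HMAC-SHA256 over the identifier under a secret key held by the controller.
    The study label is mixed in so that two studies receiving data about the
    same patient cannot be joined on the pseudonym without the key."""
    return hmac.new(key, f"{study}:{patient_id}".encode(), hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes, study: str) -> dict:
    """Strip direct identifiers, attach a keyed pseudonym and coarsen the date of birth."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudonym"] = keyed_pseudonym(record["patient_id"], key, study)
    out["dob"] = out["dob"][:4]  # year only: full DOB plus location is often identifying
    return out


def pseudonymise_all(records, key: bytes, study: str) -> list:
    return [pseudonymise(r, key, study) for r in records]


def dictionary_attack(pseudonym: str, candidates, recompute):
    """Recompute the pseudonym for each candidate identifier and compare.
    Succeeds against an unkeyed hash; fails against the HMAC without the key."""
    for cand in candidates:
        if hmac.compare_digest(recompute(cand), pseudonym):
            return cand
    return None


if __name__ == "__main__":
    # The key stays with the controller (the "additional information kept separately"
    # of Article 4(5) GDPR); only the pseudonymised rows go to the researchers.
    key = secrets.token_bytes(32)
    for row in pseudonymise_all(RECORDS, key, "covid-serology-2020"):
        print(row)
```

Two design points matter here. First, the same patient yields the same pseudonym within a study, so a longitudinal analysis (a second test for the same person) still works, while a different study label yields an unrelated pseudonym. Second, the controller can still re-link a pseudonym to a patient by recomputing the HMAC from its own records under the key, which is exactly the "additional information kept separately" that distinguishes pseudonymised data from anonymised data under GDPR; the key must therefore be protected at least as carefully as the identifiers themselves.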

International data transfers

International cooperation is vital in ensuring that important lessons are learnt, and the sharing of knowledge and data will be critical in pooling resources to tackle the virus.  However, when personal data is transferred to a non-EEA country or international organisation, the data exporter must comply not only with the general rules of the GDPR but also with Chapter V (data transfers).

In the absence of an adequacy decision pursuant to Article 45(3) GDPR or appropriate safeguards pursuant to Article 46 GDPR, public authorities and private entities may rely upon the applicable derogations in Article 49 GDPR.  However, the EDPB describes reliance on the Article 49 derogations as a “temporary measure due to the urgency of the medical situation globally”.  This means the derogations may justify initial transfers of data for immediate research into COVID-19, but future transfers would need to be founded on appropriate safeguards pursuant to Article 46 GDPR.

Final thoughts

The EDPB has been compelled to provide this guidance in light of the risks associated with the proliferation of highly sensitive health data worldwide due to COVID-19.  Striking the balance between public safety and privacy is a task that must be continually reviewed as we navigate our way through this pandemic.  Yet it is reassuring to receive sensible guidance that provides clarity on how COVID-19 research sits within the GDPR framework.  The EDPB stresses at the outset that the development of further, more detailed guidance on the processing of health data for the purpose of scientific research is part of its annual work plan.

If you'd like to discuss the use of health data for scientific research, please get in touch. 

This blog post was written by Lucy Pegler and Simon Cox.