The GDPR and Healthcare Research

March 21, 2016

The agreed text of the forthcoming GDPR contains provisions that will facilitate the conduct of healthcare research, contrary to the fears of some during the prolonged trilogue. There was concern in the UK over the possible effects of the GDPR on healthcare research of a clause inserted by the European Parliament that would have required specific consent for research.[1] This requirement would have massively increased the administrative burden for research data banks who, like tissue biobanks, prefer to rely on broader forms of consent as the direction and exact nature of future research projects cannot be predicted. Further, empirical research has found that a substantial proportion of the public considers broad consent acceptable and even preferable (see Simon CM, L’Heureux J, Murray JC, Winokur P, Weiner G, Newbury E, et al. Active choice but not too active: Public perspectives on biobank consent models. Genetics in Medicine. 2011;13(9):821-31 and Aitken M. SHIP Public Engagement: Summary of Focus Group Findings. Scottish Health Informatics Programme; 2011). The agreed text allows for this:

‘(25aa) It is often not possible to fully identify the purpose of data processing for scientific research purposes at the time of data collection. Therefore data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.’ 

The permissible breadth of consent is not specified, except to state ‘in keeping with recognized ethical standards’. This may mean that all biomedical projects of the same level of risk could be covered by broad consent. There is now a specific derogation for the sensitive personal data for research (which covers healthcare data) in Recital 40:

‘Derogating from the prohibition on processing sensitive categories of data should also be allowed for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes. (Recital 42)’ 

This use of healthcare data is qualified in Recital 42a:

 ‘which has to meet an objective of public interest’ 

What this will mean in practice is uncertain. Will this exclude commercial research? Recent Wellcome research confirmed public attitudes are markedly different for commercial research and public health research.[2] The Scottish Health Informatics Programme had similar findings.[3] Public concern over commercial applications are mitigated by arrangements for benefit sharing or at least limiting the profits made by the commercial sector from the use of the public’s data,[4] so it is conceivable that evidence of appropriate benefit sharing arrangements may suffice to satisfy the public interest test. As the issues with Care.data have demonstrated, compliance with relevant law is not sufficient to ensure public confidence and trust (see Carter P, Laurie GT, Dixon-Woods M. The social licence for research: why care.data ran into trouble. Journal of Medical Ethics. 2015:pp.medethics-2014).

The most significant change is perhaps the confirmation of the Article 29 Working Party opinion that pseudonymised data should be treated as personal data. Also, where consent is required this needs to be via a “clear, affirmative action”. “Opt-outs” are not acceptable. These two changes will arguably make the current basis for the Care.data project illegal (although there is a review underway currently by Dame Fiona Caldicott).

In summary, the GDPR should facilitate healthcare research, contrary to early fears, but not where the research is not in the public interest.

 Dr John Rumbold is a postdoctoral medico-legal researcher at Kingston University, London, currently working on the ethico-legal issues related to the use of healthcare data.


[1] Stevens L. The Proposed Data Protection Regulation and Its Potential Impact on Social Sciences Research in the UK. European Data Protection Law Review. 2015;1(2):97-112.

[2] Wellcome Trust. Frontiers: Digital Phenotypes – Health Research in the Digital Age. London: Wellcome Trust; 2015

[3] Aitken M. SHIP Public Engagement: Summary of Focus Group Findings. Scottish Health Informatics Programme; 2011

[4] Haddow G, Laurie G, Cunningham-Burley S, Hunter KG. Tackling community concerns about commercialisation and genetic research: A modest interdisciplinary proposal. Social Science & Medicine. 2007;64:272-82