Data Protection Legislation in the Area of Health Research in EU

European legislation places strict regulations and restrictions on personal data and medical information collected from patients. Some of the legal requirements have only recently been implemented and still confuse medical and research circles, and doctors are insufficiently informed about what is allowed and what is not. On the other hand, physicians and researchers need to use data for the development of medical science, in interaction with other physicians and medical institutions, for statistics, prevention and public health, for clinical trials, etc. The aim of the current survey is to highlight some areas of the Data Protection Legislation that are particularly relevant to the area of health research.


Introduction
Community institutions and bodies collect and use health data. Most of the rules defining the conditions and hypotheses under which health data are collected and used by Community institutions and bodies are provided by the Data Protection Legislation.
The General Data Protection Regulation (EU) 2016/679 (GDPR) [1] and the Data Protection Act of each EU member state, including health research regulations, are known collectively as the Data Protection Legislation. In summary, the GDPR requires the implementation of effective controls across the six privacy principles of [1]:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
The GDPR is designed to ensure individuals have more control over their personal data and gives them the following rights [2]:
- to be informed about how their personal data will be processed;
- access to their personal data and details of how it is processed;
- rectification of inaccuracy in a timely manner;
- erasure of their personal data ('right to be forgotten');
- to restrict processing of their personal data;
- to obtain their personal data and reuse it for their own purposes ('data portability');
- to object to the processing of their personal data;
- not to be subject to automated decision making and profiling.
The healthcare sector is significantly impacted by the Data Protection Legislation because of the volume of sensitive personal data which is used for the purposes of patient care, related institutional management and scientific research.
Organizations must have a valid, legal reason to process personal data. This is called a 'legal basis'. Organizations have to record, and inform data subjects, what their legal basis for processing data is.
The legal basis that research organizations used before the new data protection legislation is most likely to have been 'legitimate interests' [4,5,6,7]. Under GDPR, commercial companies and charitable research organizations will continue to use 'legitimate interests' as their legal basis. However, public authorities, when carrying out public tasks (such as research in public health organizations, universities and Research Council institutes), will no longer be able to use 'legitimate interests'. Instead, they will use 'task in the public interest' as their legal basis. Public authorities should document their justification for this, by reference to their public research purpose as established by statute or University Charter. The new legislation does not introduce different standards between organizations that use 'legitimate interests' and organizations that use 'task in the public interest'. The legislation will also require research organisations to be explicit about which of the new legal bases they are using. Under the new legislation, you will need [3]:
- a legal basis to process personal data; and
- an additional legal basis to process any 'special category' personal data (e.g. health information).

Legal basis for processing personal data. Legal basis and consent. Legal basis for processing "special category" personal data. Appropriate safeguards
Data controllers must already have a legal basis for processing personal data. This information should be given at the appropriate level [7,8]. For example, the legal basis for a research organisation's processing can be provided in corporate information, but project-specific details about the purpose of the processing should belong in the participant information sheet for the individual research project.
Consent is an important part of the research process and is frequently sought for participation in research studies. One reason is to ensure that any disclosure of confidential information meets the requirements of the common law duty of confidentiality [9]. Where consent is sought from research participants, they are normally told how information about them will be used.
Consent to participation in research is not the same as consent as the legal basis for processing under data protection legislation. An example is that a person is asked to consent to participate in research but is told that, if they agree to participate, data about them will be processed for a task in the public interest [9,10,11]. The legal basis for data processing is not consent [3].
'Special category' personal data is [1]:
- data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership;
- data concerning health (the physical or mental health of a person, including the provision of health care services);
- data concerning sex life or sexual orientation;
- genetic or biometric data processed to uniquely identify a natural person.
'Genetic data' means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
Whether processed by a public authority or by a commercial organization or charitable research organization, special category personal data can be processed for research purposes, but only if processing such data is:
- necessary for archiving purposes, scientific or historical research purposes or statistical purposes,
- subject to appropriate safeguards, and
- in the public interest.
Appropriate safeguards for the processing of personal data for health research require the following [1,3]:
- the research will not cause substantial damage or distress to the data subject (physical harm, financial loss or psychological pain);
- medical research has approval from a research ethics committee if it involves processing data in order to do or decide something with respect to an individual person;
- the data controller has technical and organisational safeguards in place that ensure respect for the principle of data minimisation and ensure that exemptions to data subjects' rights are not exercised unless the rights are likely to render impossible or seriously impair the achievement of the purposes of the processing;
- if processing special category personal data, this must be in the public interest.

Personal data collected from the data subject
When personal data is collected from the data subject, the data controller must provide information to the data subject at the time it is obtained. The following are examples of personal data collected from a data subject [3]:
- a researcher asks a patient to complete and return a questionnaire;
- a research site collects information from research participants and then transfers the data to the research sponsor.
When personal data is collected from the data subject, the controller must give them the following information [1]:
- the name and contact details of the controller (including the data protection officer);
- why the data is being processed and the legal basis for doing so;
- the recipients or categories of recipients of the data;
- how long the data will be stored;
- what the data subject's rights are, including, where consent is the legal basis for processing the data, the right to withdraw that consent at any time (this is different from consent to participate in research);
- that the data subject has a right to make a complaint;
- whether there will be any automated decision-making, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
- how appropriate or suitable safeguards are achieved if the data is to be transferred out of Europe.
When personal data has been collected from a data subject but the controller intends to further process the data for a different purpose, the controller must also give the data subject information about that further purpose before the data is processed. An example is that researchers may wish to use personal data originally collected for clinical or local audit for research [12].
However, if the information about further processing is in fact the same as the information for the original processing, the data controller does not need to give the data subject that information again.
Information given to data subjects should be as precise as possible without unduly restricting the possibility of further research uses of data in the future. The scientific research purposes in question should then be detailed but do not need to be project-specific. If particular organizations are excluded from the statement, the data controller must ensure that the information is not shared with them.

Personal data obtained from other sources
When relying on the presumption of compatibility stipulated in Article 5(1)(b) GDPR for further processing personal data for scientific research purposes in different research projects, it should be taken into account that the presumption of compatibility can only be used under the condition that in such further processing for scientific research purposes adequate safeguards as required by Article 89(1) GDPR are respected. Therefore the application of this exception is dependent on a further clarification of what such safeguards should entail [12].
Where personal data is obtained from other sources for research, the new (receiving) data controller must give the data subject the same information as listed above, as well as the source from which the personal data originate and, if applicable, whether it came from publicly accessible sources.
This information should be given by the new data controller within a reasonable period. Specifically [3]:
- within one month, or
- if the personal data is to be used to contact the data subject, by the time of contact, or
- if disclosure to another recipient is envisaged (for example, to a researcher employed by another controller), by the time the personal data is disclosed.
If research purposes were not a purpose for which the data was obtained by the original controller, the relevant information should be given before processing for research purposes.
This information 'should', rather than 'must', be provided, because there are circumstances in which providing the information is not a requirement.

Ethical principles and Data Protection Legislation
How to reconcile the ethical principle embedded in the Oviedo Convention and Declaration of Helsinki [13] with the possibility to process health data based on legitimate interest or public interest?
Ethics standards cannot be interpreted in such a way that only explicit consent of data subjects can be used to legitimise the processing of health data for scientific research purposes. Article 6 and Article 9 GDPR contain other options for a legal basis and an exemption, that can be relied on for processing health data for scientific research purposes. The requirement of informed consent for participation in a scientific research project can and must be distinguished from explicit consent as a possibility to legitimise the processing of personal data for scientific research purposes [12].
It can be argued that ethical statements and bio-ethics conventions primarily aim to protect individuals against being included in medical research projects against their will and/or without their knowledge. Hence, informed consent to participate in the medical research project is a necessary requirement, with some exceptions for situations where consent cannot be given (incapacitated individuals, emergency situations etc.). However, such consent can and should be distinguished from 'consent as a legal basis for processing of personal data' in Article 6(1)(a) of the GDPR. Taking into consideration that Article 6(1) GDPR provides for legal bases other than consent and Article 9(2) GDPR provides for exemptions other than explicit consent, it is foreseeable and not incompatible with ethical standards that the other legal grounds can be relied on for the processing of health data for scientific research purposes.
However, when relying on another legal basis in Article 6 other than consent and one of the other exemptions in Article 9 (2) GDPR, the 'ethical' requirement of informed consent for participation in the medical research project will still have to be met. In the GDPR-framework, this can be perceived as one of such additional safeguards as foreseen in Article 89(1) GDPR that should be in place when processing personal data for scientific research purposes.

Right of access
The right of data subjects to access personal data about them includes a right to a copy of the personal data and access to information about the processing. However, this right does not apply when data is processed for health or social care research purposes where:
- appropriate safeguards are in place; and
- the results of the research or any resulting statistics are not made available (including to other data controllers) in a form which identifies the data subject; or
- in the opinion of an appropriate health professional, disclosure to the data subject is likely to cause serious harm.

Right to rectification
Data protection legislation gives data subjects the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data. This can include having incomplete personal data completed by means of a supplementary statement.
However, this right does not apply where data is processed for research purposes and appropriate safeguards are in place.

Right to erasure ('Right to be forgotten')
Data protection legislation gives data subjects the right to request erasure of personal data about them (including pseudonymised data) in specific circumstances.
However, this right does not apply where data is processed for research purposes and appropriate safeguards are in place.

Right to erasure and consent
The significance of this research exemption on the right to erasure is reduced when consent is the legal basis for processing under data protection law. If consent is the legal basis for processing the data involved and the data subject withdraws this consent, the data will need to be erased even if this is likely to render impossible or seriously impair the achievement of the objectives of that processing. This underlines the importance of ensuring that, when specifying the legal basis upon which data is processed, consent is only used where there are no more suitable alternatives.

Right to restriction of processing
Data protection legislation gives data subjects the right to restrict the processing of data by the data controller in specific circumstances.
However, this right does not apply where data is processed for research purposes and appropriate safeguards are in place.

Right to data portability
Data protection legislation gives data subjects the right to data portability: to move, copy or transmit personal data easily from one IT environment to another. The right applies where:
- the processing is carried out electronically;
- the data was given directly to the controller by the data subject; and
- processing is on the basis of either consent or contract.
However, this right does not apply where the legal basis for processing the data is 'task in the public interest' or 'legitimate interests'.

Right to object
Data protection legislation gives data subjects the right to object to the processing of personal data about them. This applies where the legal basis for processing is 'task in the public interest' or 'legitimate interests'.
However, this right does not apply where:
- data is processed for research purposes;
- appropriate safeguards are in place; and
- the processing is necessary for a task carried out in the public interest.
If the legal basis for processing is 'task in the public interest', this meets the requirement that the processing is necessary for a task carried out in the public interest; no additional justification is necessary. However, if the legal basis for processing is different from this, the data controller should document an alternative justification for the processing being necessary for a task carried out in the public interest. You can demonstrate that the processing is necessary for a task carried out in the public interest even if the legal basis for your processing is not 'task in the public interest'. This justification allows the exemption to be used, and the data to be processed, even where a research participant withdraws from a study, provided that consent is not the legal basis for processing. Although the research exemption means the right to object does not need to be upheld, you should consider what participants have been told about withdrawing from the study and the ethical considerations of relying on the exemption to this right [3].

Conclusion
The healthcare research sector is significantly impacted by the Data Protection Legislation because of the large volume of sensitive personal data of patients and health-related data. In summary, the GDPR requires the implementation of effective controls across the six privacy principles:
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
The topics observed in this review (legal basis for processing personal data; legal basis and consent; legal basis for processing "special category" personal data; appropriate safeguards; ethical principles and Data Protection Legislation; data subject rights and research exemptions) are of great importance for companies and health establishments working in the field of health research and clinical trials in the EU.