Discussion on data protection regulations and the balance between patient confidentiality and legitimate research demand is a crucial debate that started in 2012.

Data protection legislation as it currently exists dates back to 1995.

Remaining concerns from the public

According to the Eurobarometer survey[1] published by the European Commission in June 2015, personal data remains a very important concern for EU citizens. In spite of improved data protection, EU citizens still don’t feel they have complete control over the information they provide online.

On the other hand, a large majority of people (71%) say that providing personal information is an increasing part of their life and they accept that there is no other alternative than to provide it if they want to obtain products or services.

Data as a way to improve healthcare

Health data is considered sensitive personal information and therefore its collection and use are even more protected.

As Dr. Bonnie Wolff-Boenisch, who leads the Research Affairs Unit at Science Europe, emphasizes, collecting and using personal data for scientific research purposes would “contribute to the wellbeing of European citizens through the development of innovative products […] There is an increasing understanding by legislators and policy makers that scientific research requires a ‘special status’ within the labyrinthine regulation framework of the data protection regulation”[2].

Reinforcing data protection regulation

The General Data Protection Regulation is a set of rules to “give control back to citizens over their personal data, and to simplify the regulatory environment for business”[3]. This law would unify data protection within the European Union and adapt data protection legislation to the evolution of the internet.

The text is currently under discussion with the European Commission, the European Parliament and the European Council so that they can agree on the final version, expected by December 2015.

This new law “extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations.”[4]

The major evolutions would be[5]:

  • A broader definition of personal data
  • Greater restrictions on profiling and higher levels of consent from data subjects
  • A new right of data portability
  • Increased obligations on data processors
  • Compulsory privacy impact assessments

Combining two objectives

“The processing of personal data for scientific research purposes in Europe is carried out while maintaining high standards of protection for individuals,” Bonnie Wolff-Boenisch explains, with both strong external regulations and internal policies in pharmaceutical companies, which makes it possible to combine the two objectives.

The General Data Protection Regulation's position on health data is to try to protect citizens while allowing data to be used for scientific research purposes[6] (it is important to remember that the text has not been finalized yet):

  • Individuals can provide consent to their data being used for scientific research even if it is not possible for the controller to fully identify the purposes at the time of data collection so long as such scientific research is in keeping with recognised ethical standards;
  • The further processing of personal data for scientific purposes is considered to be lawful processing compatible with the purposes for which the data was initially collected;
  • Health data may be used in the context of the management of health or social care services including the use of such data for quality control, management information and national and local supervision of health or social care systems;
  • Health data may be used for public interest reasons in the area of public health without the consent of individuals, but such data use should not result in data being used for other purposes by third parties such as employers, insurance companies and banks.

[1] Eurobarometer survey: http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_eurobarometer_240615_en.pdf
[2] EFPIA Blog: http://pharmaviews.eu/the-data-protection-regulation-balancing-patient-confidentiality-and-legitimate-research-demands-guest-blog/
[3] European Commission: http://ec.europa.eu/justice/data-protection/
[4] Law Patent Group: http://mlawgroup.de/news/publications/detail.php?we_objectID=227
[5] http://www.v3.co.uk/v3-uk/opinion/2431216/legal-view-how-the-general-data-protection-regulation-will-affect-iot-firms
[6] Hogan Lovells: http://www.hldataprotection.com/2015/04/articles/health-privacy-hipaa/the-treatment-of-health-data-under-the-eu-data-protection-regulation/