Sensitive personal data

The following is a list of Ethical, Legal and Social implications (ELSI) are topics that has to been considered when working with human data. The content on this page is based on a checklist on theses topics that has been developed in the Tryggve project. The checklist can be used as a tool to document these considerations and is available here.

Before the collection of personal data is begun you should always consult with the Data Protection Officer of your organisation.

GDPR (more info)

  • What is the purpose of processing of the personal data?
  • Who is the Controller(s) of the personal data?
  • What is the legal basis processing of the personal data?
  • What are the exemptions for the prohibition for processing of special categories of data (such as health and genetic data) under Art. 9 GDPR used?
  • Have data processing agreements been established between the data controller(s) and any data processors?
  • Has a Data Protection Impact Assessments (DPIA) been performed for the personal data?
  • What happens with the data after project completion?
  • What technical and procedural safeguards will be established for processing the data?

Other considerations (more info)

  • Are there other relevant national legislation considerations that has to be taken into account?
    • e.g. regarding public access to information, biobank acts, etc.
  • Are there other Terms & conditions for data access (in particular if presenting obstacles for cross-border processing of health data)?
    • e.g. register data access policies
  • Are there other legal agreements between project parties that should be considered?
    • e.g. conditions regarding data reuse and intellectual property

Clarifications and comments

Ethical reviews and informed consents

The purpose of these questions is to spell out what uses the subjects have consented to, and/or for what uses ethical approvals have been given. Then, given the stated research purpose of this project, are the consents and ethical approvals for the datasets compatible with this.

GDPR

State the purpose of processing the personal data

The GDPR stipulates that to process personal data the controller must do that with stated purposes, and not further process the data in a manner that is incompatible with those purposes (Article 5 - Principles relating to processing of personal data).

Who are the data controller of the personal data processed in the project?

Article 4 (7): “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; […].” The Controller is typically the university employer of the PI, and the PI should act as a representative of her university employer and is responsible for ensuring that personal data is handled correctly in her projects. If the project involves more than one legal entity, and joint controllership is considered, make sure that all parties understand their obligations, and it is probably good to define the terms for this in an agreement between the parties.

What are the exemptions for the prohibition for processing of special categories of data (such as health and genetic data) under Art. 9 GDPR used?

Processing of certain categories of personal data is not allowed unless there are exemptions in law to allow this. Among these categories (“sensitive data”) are “‘[…] data revealing racial or ethnic origin, […] genetic data, […] data concerning health’”. Most types of personal data collected in biomedical research will fall under these categories. Article 9 (2) lists a number of exemptions that apply, of which consent and scientific research are most likely to be relevant for research. Please consult with your Data Protection Officer of your organisation.

Have data processing agreements been established between the data controller(s) and any data processors?

Article 4 (8): “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” Examples of this is if you use a secure computing environment provided by another organisation to do your analysis or to store the data, along with several other scenarios. In the case that you do, there needs to be a legal agreement established between the controller(s) and processor(s) as defined in Article 28 (3): “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. […]” Article 28 also lists the required contents of such an agreement. Your organisation and/or the processor organisation will probably have agreement templates that you can use.

Have Data Protection Impact Assessments (DPIA) been performed for the personal data?

Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, a so called Data Protection Impact Assessment (DPIA) - Article 35. To clarify when this is necessary, the Swedish Data Protection Authority (DPA) “Datainspektionen” has issued guidance of when an impact assessment is required. Large-scale processing of sensitive data such as genetic or other health related data is listed as requiring DPIAs. The French DPA has made a PIA tool (endorsed by several other DPAs) available that can help in performing these impact assessments. Please also consult your Data Protection Officer of your organisation.

What technical and procedural safeguards have been established for processing the data?

To ensure that the personal data that you process in the project is protected at an appropriate level, you should apply technical and procedural safeguards to ensure that the rights of the data subjects are not violated. Examples of such measures include, but are not limited to, pseudonymisation end encryption of data, the use of computing and storage environments with heightened security, and clear and documented procedures for project members to follow.

What happens with the data after project completion?

The GDPR states that the processing (including storing) of personal data should stop when the intended purpose of the processing is done. There are, however, exemptions to this e.g. when the processing is done for research purposes. Also, from a research ethics point of view, research data should be kept to make it possible for others to validate published research findings and reuse data for new discoveries. This is also governed by what the data subjects have been informed about regarding how you will treat the data after project completion. The recommendation is to deposit the sensitive data in the appropriate controlled access repositories if such are available, but this requires that the data subjects are informed and have agreed to this.

Other considerations

There might also exist other national legal or procedural considerations for cross-border research collaborations. Other laws might affect how and if data can or cannot be made available outside the country of origin. The operating procedures of government authorities or other organisations might create obstacles for sharing data across borders. To make sure that it is clear how original and derived data, as well as results, can be used by the parties after the project completion, consider establishing legal agreements that defines this. This can include e.g. reuse of data for other projects or intellectual property rights derived from the research project.