The Impact of the GDPR on the Governance of Biobank Research

In order to identify the adequate organizational and technical measures in accessing and sharing genomic and health data in the context of biobanks, it is crucial to investigate the status of data, and whether the data is being considered as personal data under the GDPR. A relevant distinction enshrined in the GDPR, with significant implications for the processing and governance of access to sensitive data in the field of biobanking, is the one between pseudonymized and anonymized data.

When we focus on anonymization, the main question to be addressed is: Under what circumstances, if any, can genomic and health data be anonymous in light of the GDPR?¹³ Interestingly, the GDPR differs conspicuously, in this respect, from other major data protection legislations, such as the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in the US.¹⁴ Within the Privacy Rule, the Safe Harbor standard for achieving the de-identification of personal data singles out 18 distinct identifiers, the removal of which is said to make the resulting information ‘not individually identifiable’, and thus anonymous.¹⁵

Differently from this approach, recital 26 of the GDPR states instead that personal data should be considered anonymous insofar as the data subject cannot be identified ‘by any means reasonably likely to be used [...] either by the controller or by any other person’.¹⁶ To ascertain whether means are reasonably likely to be used to identify the natural person, the GDPR further states that ‘account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments’ (Recital 26). In addition, opinion 05/2014 of the Article 29 Working Party has outlined other factors that should be taken into consideration, such as the existence of publicly available data which can be cross-referenced with the original dataset, thus heightening the risk of de-anonymization. As such, and in line with the overall decentralized thrust of the Regulation, the GDPR can be said to adopt a context-base criterion to determine whether personal data should be considered as irreversibly de-identified (and thus anonymous), bestowing upon controllers the responsibility to address such a question (is there a ‘reasonable likelihood’ that re-identification techniques can be effectively used to de-anonymize my given dataset?) in the context of their concrete processing activities.

Samples and data collected by biobanks can be accessed for various research purposes. Such access may not be limited only to the researchers/clinicians who collected the data, but also a broader range of researchers. Adopting adequate governance models would assist to protect data subjects against potential privacy breaches. The current governance model can be grouped under three major models of open access, controlled-access and registered access, which are explained below.

Open-access models generally refer to making data available for the users through various online platforms without any constraint. Sharing data through open-access models has been initially pursued by the Human Genome Project, which sequenced the whole human genome for a first time in the course of 13 years.¹⁷ However, the concerns related to identifiability of genomic data that has been demonstrated by a number of re-identification studies, questioned the adequacy of adopting such model when sharing health and genomic data.¹⁸ Consequently, genomic data have been moved to the controlled-access databases.¹⁹ This has been mainly the case when sharing personal level information rather than aggregate data.

A key question here is when genomic data could be considered as non-identifiable under GDPR, therefore suitable for sharing through open-access models? The regulation states that the principles of data protection ‘should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable’ (Recital 26).

As it has been shown in the previous part, GDPR adopts a context-based criterion to determine whether personal data should be considered as irreversibly de-identified (and thus anonymous) and do not define the standards for de-identification itself. Hence, it is important, to decide when data can be considered as anonymous and do not fall under GDPR protection. Thereby, this is the responsibility of the data controllers to confirm whether the data is not identifiable by reasonable likelihood. For example, in the context of genomics, only sharing variant-level aggregate data may not be considered as identifying personal data, therefore adopting open-access model for sharing such data would seem acceptable under the GDPR. In a same vein, recently National Institutes of Health (NIH) updated its Genomic Data Sharing Policy and allowed unrestricted access to genomic summary results that do not raise privacy concerns.

In the view of privacy concerns when sharing health and genomic data, adopting a controlled-access model for data sharing is favored. Thereby, the data controllers can set rules for data access and limit access to the datasets to the approved users and under the determined terms and conditions. Such access control mechanisms can be considered as technical and organizational measures, which are mentioned in Article 89(1). Although there is no single model for controlled-access, a common approach is to establish oversight committees, or so-called Data Access Committees (DACs) to review the data access requests for the purpose of approval or disapproval. One of the important aspects of controlled-access data sharing is to use tools such as data access agreements (see Sect. 5), which are legally binding documents, in order to hold users accountable against potential misuses of data. This is in contrast with the open-access model where the users do not enter to any agreement with the data holders.

Oversight by DACs could be considered as an example of organizational measures that have been stressed in Article 89. Thereby, further safeguards could be offered to protect the privacy of the data subjects and ensure the downstream data uses conform to the original consent forms.²⁰ However, the recent studies have showed that the current oversight by DACs are not always efficient or effective.²¹ One major reason for the identified shortcomings is DACs are not always equipped with sufficient tools and oversight mechanisms to effectively review the data access requests or detect the potential violations of data access agreements.

In response, novel approaches to data access oversight are being developed. In particular, it has been suggested to replace or supplement review by DACs by automated tools.²² In addition, not all steps of data access review are deemed to be necessary for all types of health and genomic data sharing. In the next section, we will provide an overview of one of these recently suggested methods for data governance, namely the Registered Access model.

Registered access is likely to be suitable as a mechanism for access to data types that are less sensitive and low risk, such as non-stigmatizing health-related data from non-vulnerable individuals who would expect, or have consented to, data sharing for the purposes envisaged.²³ This model would focus primarily on ensuring that the data users are bona fide researchers. The rationale behind the registered model is that if processing data is not creating high risks of identifiability and the users are trusted, then further access review (for instance reviewing the ethical or scientific aspects of the proposals) would be redundant or disproportionate.

The ‘registered access’ model hinges on a number of core elements, namely authentication, authorization and attestation. First, the data use applicants should provide personal and professional information within a registration process, including their name, title, position, affiliation, email address, institutional website and mailing address for the purpose of authentication. In contrast to a controlled-access model, a registered-access model would not entail verification on a case-by-case basis by a DAC of the users’ qualifications. In addition, the applicants should declare that they are ‘bona fide’ researchers in order to be authorized access. At last, the applicants should agree with the terms and conditions of the data access. Within the registered access model, data users would not need to sign a data access agreement in a paper-based format but could instead agree via clickwrap-type online agreements. Indeed, the procedure for signing data access agreements by DACs, and users and their home institution, is administratively heavy and this proposed alternative approach could reduce pressure on DACs and create rapid, open and efficient access to data.

A Registered-access model is only one proposed solution in response to the limitations of the controlled-access model. It is expected that novel governance models will emerge in the coming years in order to address the identified shortcomings of the controlled-access models, and in line with the principles of responsible data sharing. In addition to emerging governance mechanisms, novel technical solutions are also proposed,²⁴ including the introduction of federated networks in which multiple distributed databases are connected.²⁵ By using federated networks, users would be able to have (a level of) access to data in a protected virtual environment, and each database would be able to monitor data uses in real time. To date, few models of federated data computation have been suggested.²⁶ Considering the limitations of controlled-access models, there is a pressing need for the introduction of such innovative solutions. Concurrently, it is important to ensure the core elements of secure data computational environments are in line with data protection principles.

The need to establish an extra layer of oversight through DACs is grounded in the nature of data sharing, which allows downstream data uses that are not known at the time of the initial sample and data collection. Therefore, research ethics committees cannot foresee all downstream data uses when they approve the research protocol in the beginning. In that sense DACs are considered as an extra layer of oversight next to research ethics committees, which review the proposals in the beginning of the studies. In particular, DACs are established to receive data access requests from actual users and assess them for the purpose of approving or disapproving their access to data.²⁷ DACs are not mentioned in the GDPR, but their role in governance of data access is important. This can indeed be considered as part of research self-regulation in order to ensure data sharing and use is in line with the overarching principles and the relevant regulations.

DACs, function in different ways. As Lowrance illustrates, ‘some of these groups are formally constituted, have terms of reference and hold regular meetings. Others, are casual, rarely meeting but existing to be consulted from time to time by the custodian and in a position to address serious problems should any arise’.²⁸

The composition of DACs varies across the institutions. Ideally, such committees should be consisting of internal and independent members with expertise in technical, ethical and legal aspects of processing health and genomic data. Some have suggested establishing two-layer committee is beneficial, namely an advisory committees together with operational access committees. The advisory committees will be tasked with auditing the performance of the operational access committees, while the operational committee will be responsible for reviewing the access requests.

Moreover, the oversight committees, such as DACs and Research Ethics Committees, should be given the opportunity to assess the data access rules on a regular basis, and propose revision of the provisions when needed. This could ultimately strengthening effective operation of the organizational measures under Article 89(1). In addition, transparency of the data access governance could be considerably enhanced if adequate information dissemination policies are adopted. It is expected that the oversight bodies within the institutions provide information about the access review procedure, incoming data access requests and approved and disapproved requests to enhance transparency and facilitate external scrutiny. Furthermore, data access governance models should adopt mechanisms that hold users accountable.

The GDPR sets further requirements in terms of governance of data processing when higher risks for the freedoms and the rights of the data subjects are perceived. One of the relevant organizational measures foreseen by the GDPR is to appoint a data protection officer (DPO) and conduct data protection impact assessment when specific conditions are met. The biobanks as entities that process health and genomic data should adhere to these provisions.

The Regulation in Article 37 provides a set of rules for designating the DPO when the processing of personal data within institutions meets certain criteria. According to the explanation provided by the European Data Protection Supervisor: ‘the main task of the data protection officer is to ensure, in an independent manner, the internal application of the provisions of the Regulation in his/her institution. The data protection officer is also required to keep a register of all of the processing operations involving personal data carried out by the institution. The Register, which must contain information explaining the purpose and conditions of the processing operations, should be accessible to any interested person.’²⁹ The appointment of a DPO must of course be based on her personal and professional qualities, but particular attention must be paid to her expert knowledge of data protection.

In addition, according to Article 35, a privacy impact assessment is necessary: ‘where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purpose of the processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.’ Therefore, a broad scope for these data protection impact assessments is expected, which goes beyond compliance with the Regulation and privacy rights and includes consideration of a plethora of individual’s fundamental rights. This will therefore provide an opportunity to take into account a broader range of concerns relating to the rights of individuals in processing personal data and not only those that are related to storage and safety. Article 35(b) adds that the data protection impact assessment shall in particular be required in cases where there is ‘processing on a large scale of special categories of data referred to in Article 9(1)’.

The controller shall receive a data protection officer’s advice (if he/she has been appointed) when carrying out a data protection impact assessment. Consequently, the data controller shall consult the supervisory authority prior to processing ‘where a data protection impact assessment under Article 35 indicates that the processing would result in high risk.’³⁰ Article 35(9) also requires the data controller, where appropriate, to ‘seek views of data subjects or their representatives on the intended processing’.

The impact assessment will therefore replace the previous obligation to notify the data protection authority, which was outlined by the Directive 95/46/EC on the protection of individuals with regard to the processing of personal data. This change was welcomed by commentators, who argued against the effectiveness of the previous notification requirement. As Townend argues: ‘Although data controllers are required to register their activity with the relevant supervisory authorities and that authority has power to investigate and prosecute breaches of the data subject’s rights, the sheer amount of processing that goes on within any jurisdiction at any given time makes it impossible for a supervisory authority to be seen as the primary protector in the system’.³¹ In turn, the new requirements will see a shift towards the accountability of the controllers and reinforce their role in establishing adequate safeguards in the course of the processing, not only limiting it to the outset of the project.³² This could also draw the attention of the data controllers towards the ethical concerns associated with data processing and take the concerns into account in the design of the processing.

Contractual agreements are essential operational instruments intended to legally bind the parties to specific rules ensuring adequate individuals’ privacy protection throughout personal data processing. Such contracts can take many forms and be labelled differently such as ‘Data Access Agreements’ (DAAs), ‘Data Transfer Agreements’ (DTAs) or ‘Confidential Data Agreements’ (CDAs). Personal data protection measures are also included within other special research agreements, in particular within the so-called ‘material transfer agreements’ (MTAs) when biological samples are also transferred. In particular, it is widely recommended to include in MTAs provisions regarding samples’ quality, transportation, conditions and restrictions of use (e.g. derivations of original material) and storage (biosafety/biosecurity).

The nature and scope of the contract can vary depending on the internal practices of operators or applicable national legal framework, the requester’s processing operation and purposes, the database governance model (cf. supra) and on the cross-border features of the access (intra-EU or including outside-EU elements). For example, where data is managed within a closed controlled system (e.g. digital data analysis platform), an access agreement could take the form of terms and conditions in the view of the applicable regulations. In addition, a decentralized infrastructure could rely on a general Access policy having a contractual value. For example, BBMRI-ERIC³³ provides such template while allowing its members to adopt specific and compliant contractual activities to frame collaborations.³⁴

The legal qualification of the parties to such agreements is context-dependent and needs a case-by-case analysis of the role and activities of each stakeholder. Access could be requested in a framework of a research collaboration with the biobank or by an external researcher to conduct an independent research project. Thereby, the contract will define a controller-processor relationship or a joint-controllers relationship. This is in line with the GDPR that requires setting up a contract for organizing joint-controllers³⁵ and/or controller-processor relationships³⁶ in terms of duties and rights in processing data.

The data access agreements usually include negotiable and non-negotiable provisions. Contracts shall echo and respect the will of the initial donor and facilitate the exercise of the donors’ rights. The parties shall commit to respect confidentiality and plan cooperation procedures, in particular regarding personal data breach notifications. The agreement must also clearly describe any restriction specified by the initial controller during the deposit of the data/sample in the biobank or imposed by the biobank policy based on a legitimate interest (e.g. regarding onward transfers possibilities, the return of the data/samples or destruction, intellectual property issues). For ensuring proper legal security, agreements must include information about the applicable laws and dispute resolution mechanisms, including out-of-court proceedings. Financial provisions could also be included but should not be indexed on the intrinsic personal data or sample value but on the necessary investments performed for ensuring samples or data quality, integrity and FAIRness for example.

In addition, the GDPR is setting specific conditions when transferring data/and samples to non-EU countries. Accordingly, materials can only be transferred to a third entity in a country that ensures an appropriate level of protection of individuals’ rights and freedoms compared to the one guaranteed within the EU. Therefore, such a transfer can be permitted where it is based on an adequacy decision adopted by the European Commission after analysis of a country general and sectorial legislation,³⁷ or where appropriate safeguards are in place.³⁸ This is including the use of binding corporate rules (applying to cross-border personal data transfers in a group of undertaking or a between entities of a multinational enterprise), or of standard contractual clauses adopted by the European Commission³⁹ (provided that they are not modified, otherwise the competent supervisory authority should be consulted to validate the adapted clauses), the respect of an approved Code of Conduct or the use of an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

In exceptional circumstances, in the absence of an adequacy decision and of appropriate safeguards a transfer shall take place only if one of the conditions of Article 49 GDPR are met. This includes situations where the data subject has explicitly consented to the transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards, or the transfer is necessary for protecting the vital interests of the data subject, or is necessary for important reasons of public interest recognized in the Union or relevant Member State law (e.g. fight against cross-border public health threats), or is made from a public register intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest.