Amid GDPR Implementation, European Effort Drafts Code of Conduct for Sharing Health Research Data


NEW YORK (GenomeWeb) – A new European initiative is drafting a code of conduct for sharing health data in line with the General Data Protection Regulation (GDPR) that came into force earlier this year.

Led by researchers at the Biobanking and Biomolecular Resources Research Infrastructure-European Research Infrastructure Consortium (BBMRI-ERIC), the effort intends to clarify how entities should share data, including genomics information, across institutions and countries. The initiative aims to have a code ready for public comment by spring 2019.

"Right now, every data transfer, even within Europe, is largely complicated and involves a long negotiating process," said Michaela Mayrhofer, chief policy officer at Graz, Austria-based BBMRI-ERIC.

"If there was a code that provided guidance and was agreed upon, it could simplify this negotiation and provide clarity to others, especially patient organizations who are rightly saying to biobanks that they have submitted the data and want to see what is happening with it," Mayrhofer said.

Mayrhofer is the coordinator for the Code of Conduct for Health Research initiative, which BBMRI-ERIC catalyzed last year and which now enjoys the support of about 80 different organizations representing industry, patients, and the healthcare and biomedical research sectors.

BBMRI-ERIC, a nonprofit that unites the various players in the biobanking field, decided to draft the code in response to the implementation of GDPR and, in particular, Article 40, which provides for "associations and other bodies" to prepare codes of conduct for the "purpose of specifying the application" of the regulation. The point of the code, Mayrhofer noted, is not to question the GDPR, but to make its application clearer to researchers.

"The reality of the GDPR, due to its complexity and due to the fact that it is a general data protection regulation that tries to cover everything, is that a lot of research institutions are anxious about sharing data, being uncertain to what extent they can do that," Mayrhofer said.

"In any research project that involves multiple countries, one can come to a mutual data transfer agreement, but when there is a code in place that helps to navigate through the various systems, to understand the workflow of data in health research, it can speed up this process," she said.

"The negotiation of agreements always has to happen," Mayrhofer added. "Our aim is to be the bridge in understanding and interpreting GDPR for research."

Since the code of conduct is in the process of being drafted, Mayrhofer could not provide its specific content. However, she said that key topics include the legal basis for processing data and providing some clarity on what is considered informed consent, as well as clarifying the roles of data processors and controllers.

"In some countries there is a specific biobank law" covering informed consent, while "in clinical trials, informed consent is not necessarily the legal basis," said Mayrhofer. "There is a conflict, a difficulty in understanding in one context consent as a legal basis, and another as an appropriate safeguard," she said. "These discussions make the drafting of the code difficult but also important."

Regarding data processors and controllers, Mayrhofer said that institutions run into trouble when they have three or more data controllers. Such situations are becoming more common as more institutions share larger amounts of data. "It's an unbelievable burden in terms of deciding who does what, and the risk is higher the more controllers you have," said Mayrhofer. "You need to define the limits, and one of our recommendations will be to have a maximum of two controllers."

According to Deborah Mascalzoni, a researcher at the Center for Research Ethics and Bioethics at Uppsala University in Sweden, the envisioned Code of Conduct for Health Research should provide a "common ground" for researchers to share data and use data across countries.

Mascalzoni has been involved in drafting the code, which will be made available for public comment next year before it is submitted to the European Commission for review. Should it be approved by the commission, it will become a "formal guideline for research," Mascalzoni said.

While the initiative drafts the code, its members are also pondering how to ensure adherence to it. For Mayrhofer, it's another unanswered question. "Any code is only as good as it makes sense for the community, and if adherence can be followed up," she said. Mayrhofer suggested that an independent organization might be created or selected to enforce adherence to the proposed code.

Complying with GDPR

One of the reasons that European researchers are interested in producing such a code of conduct is to avoid any misunderstandings related to the GDPR. The regulation, which came into force in May, grants individuals the right to know who controls their data, including the identity of a designated data protection officer; the purposes for which their data is used; the right to object to certain uses of their data; and the right to be forgotten or deleted by an entity holding their data.

What really sets the GDPR apart from its predecessor act, the Data Protection Directive, which entered into force in 1995, are the penalties for being found in violation of the new regulation.

Article 83 of GDPR, for instance, mentions administrative fines up to €20 million ($23 million), or, in the case of businesses, up to 4 percent of their total worldwide annual turnover for the preceding year, "whichever is higher."

"The sanctions are very tough, and there are active data protection authorities that will enforce the rules," said Heidi Bentzen, a researcher in the Center for Medical Ethics at the University of Oslo. She noted that the territorial application of GDPR has also widened, making it a concern for US researchers and companies that are working with European partners.

Another issue is that national governments are implementing their own laws governing genomic data, which means that even though the GDPR is in force across the continent, there may be variations in the law from member state to member state.

"Those laws are not allowed to have any effect on the free flow of data," Bentzen said, "but it opens it up for fragmentation and can make it difficult to collaborate." Bentzen advocated that researchers "express the need for legal harmonization" to their representatives, so that any conditions or limitations imposed regarding genomic data would be harmonized among as many countries as possible. "Single-country specific rules are not helpful for international collaborations," said Bentzen.

The main thing genomics researchers should keep in mind going forward, Bentzen said, is that they need to be in compliance with GDPR. To accomplish that, she and others have advocated a process called "dynamic consent" to serve as a model for genomic research going forward. Dynamic consent is a personalized online consent and two-way communication tool. Research participants are queried each time their data might be used for a specific research purpose.

Dynamic consent "solves several of the problems associated with static, one-time paper-based consent forms for very dynamic research where there is often also a wish to reuse the data," said Bentzen. She said the approach makes it easy for researchers to be transparent and provide up-to-date information throughout the research project; to contact participants for new consents; to know which genetic findings the participants would like to be informed about; and to get participant feedback.

"The key to ensuring legal compliance while at the same time allowing researchers to keep their main focus on research instead of on law is to build the law into technical solutions," Bentzen said. "The GDPR focus on privacy by design is very much in line with this idea."

"The GDPR requires consent to be as specific as possible," Mascalzoni said. "It requires that people are updated about use of data and therefore have the right to object to use of their data," she said. She said that dynamic consent could serve as an alternative to older methods of informed consent, as research on genomics data, for instance, is often conducted over many years for diverse purposes. "In principle, the GDPR gives more control to people over their data," said Mascalzoni. "That is something to be aware of."

Evaluating regulations, but not a disruption

For genomics researchers, the GDPR has resulted in a re-evaluation of the ways in which they handle personal data. At the same time, many believe the community was largely in compliance with the regulation, even before it came into force.

"There is still, I think it's fair to say, a large amount of uncertainty overall as to how one applies the GDPR," said Paul Flicek, a senior scientist at the European Bioinformatics Institute in Hinxton, UK. "The legislation is not tested in courts, and many EU member states do not have full interpretations of how it should be applied in various situations," he said. "This is all very natural for something like this."

Despite this uncertainty, Flicek said the genomics community has been conducting its research in line with the new regulations before they came into force. "I think it is really important to point out that, philosophically, the way data in genomics has been shared over time has been incredibly robust," Flicek said. He noted that in the past, genomics data has typically been shared based on consent agreements signed by research participants. In many cases, the act of data sharing has been reviewed by a research ethics board that has seen a precise proposal as to what will be done with the data.

"The actual sharing is done in the context of a bilateral data transfer agreement that specifies how the data is to be used, disposed of, how it is to be deleted," said Flicek. "All of these things are clearly delineated."

With GDPR, all of these steps require review to demonstrate compliance with the regulation, but he maintained that the "philosophical foundations" of GDPR (control, transparency, the right to withdraw) have "been baked into genomics research for years." He added that the idea of dynamic consent, as Bentzen and Mascalzoni suggested, is viewed as a "potential solution" for researchers concerned about demonstrating compliance in light of the GDPR.

"It is not apparent what level of granularity research participants want to have," Flicek added. "They should be offered options so that people are comfortable with how their data is used."

Jan Korbel, a senior scientist at the European Molecular Biology Laboratory in Heidelberg, Germany, said that his group, which is involved in international genetic data sharing and cloud computing, has been "rather carefully" reviewing GDPR since it came into effect.

He said that the GDPR has not changed many of the conditions for using personal data.

But, "we, at the institution level, certainly have put more work on checking whether we are compliant ... over the past few months," said Korbel. "You could call that extra work, in a sense."

Korbel also noted that to realize large data-sharing initiatives, such as the Million European Genome Alliance (MEGA), it will be of "the utmost importance to show compliance" in terms of personal data use to study participants willing to share their genomic sequence with researchers. MEGA, launched earlier this year, aims to make a million genomes accessible by 2022.

To streamline such efforts, a Code of Conduct for Health Research is therefore important, noted Fruzsina Molnar-Gabor, group leader at the Heidelberg Academy of Sciences and Humanities in Germany, who is also involved in the initiative to draft the code.

"I think it is important to specify rules for particular data-processing contexts, and health research is special," Molnar-Gabor said. "Making this code will provide the clarification of rules, in this sense it is crucial," she said. Overall, she said that GDPR has not hindered genomic research since it came into force.

"I wouldn't call it a disruption," Molnar-Gabor said. "I think the GDPR does not stop research," she said. "Of course, you have to comply with the rules, but it doesn't make research impossible, on the contrary, it contains rules that promote research. What is important now is to apply those rules — taking into account member states' implementations."