GDPR in biobanking for precision medicine research: The challenges


R.T. Lawlor, Z. Kozlakidis and M. Bledsoe from the International Society for Biological and Environmental Repositories chart the challenges posed by the General Data Protection Regulation (GDPR) in biobanking for precision medicine research through the sharing of samples and data

Biobanks are essential infrastructures fuelling scientific breakthroughs in precision medicine and leading to new treatments. Biobanks collect and provide research-ready, high-quality samples (blood, tissue, fluids) together with associated clinical data. The last two decades have seen sustained growth in the creation of biobanks and biobanks now exist in almost every country.

However, several preconditions are essential to carry out biobank research effectively: the availability of a sufficient quantity of high-quality samples and data, together with funding and importantly a framework for sharing samples and data potentially across many borders. This article provides a first glance at some of the challenges posed by the General Data Protection Regulation (GDPR) to biobanking and approaches to address those challenges.

The GDPR, 2016/679, is the new, EU-wide legal framework for the protection of personal data and became binding in its entirety and directly applicable in all EU Member States in May 2018.1 Its purpose is to increase the protection of personal data of European citizens and to reduce the legal fragmentation, complexities and uncertainties that existed between the different EU Member States on this matter. Transparency and accountability are emphasised once more as the main principles in terms of data protection.2

The GDPR provides both general rules applying to any kind of personal data processing and specific rules applying to the processing of special categories of personal data, including data concerning health and genetic data. Importantly, definitions are provided for what is meant by the terms: ‘data concerning health’, ‘genetic data’, ‘biometric data’, ‘anonymous data’, and ‘pseudonymisation’.

Additionally, the GDPR includes a new definition of the term ‘consent’, which must be explicit, clear and unambiguous, but this can be expanded to certain areas of scientific research when in keeping with recognised ethical standards. The GDPR explicitly contemplates that pseudonymised data remains personal data if the key to the data is maintained anywhere in such a way that the data could be re-identified.

The GDPR requires an additional basis for the processing of special categories of personal data, for example, data concerning health, genetic data, race/ethnic origin. The regulation indicates in its recitals that personal data concerning health also includes all data derived from testing on biological samples and such data is, therefore, included in these special categories. The additional bases for processing special categories of data include explicit consent, processing for reasons of public interest in the area of public health, and processing necessary for scientific or historical research purposes.

GDPR provides derogations for the processing of personal data in the context of scientific research, including clinical and translational research areas, circumventing the need for informed consent. This is subject to technical and organisational safeguards to ensure the rights and freedoms of data subjects and, in particular, the principle of data minimisation (processing only what is relevant and necessary in relation to the research question).2 Of note, what is lawful under the scientific research derogation could differ among the 28 EU Member States as the GDPR, by deferring to the national legislatures, accommodates various scientific research-related data collection practices.

The view within

Clinical research biobanks are expected to be heavily affected by the GDPR because they collect, process, store and distribute human biological material, together with associated data, including sensitive genetic and health data. Moreover, they often provide such material and information for the broad sharing of research purposes.

Privacy protections and data security measures have been used in biobanks for a number of years, through existing national regulations. Biobanks have to adhere to strict sets of regulations for both sample uses and data protection purposes. Although biobanks have used ethics committees and IRBs to provide guidance and approval for informed consent, sample and data usage, the GDPR does not consider the opinion of IRBs as a mechanism to process data.

Furthermore, the GDPR introduces new operational requirements for the collection, use and transfer of personal data that may be held by biobanks. It is likely that EU hospital/university/disease biobanks would need to appoint a Data Protection Officer, to monitor compliance with GDPR,3 given that they process samples and data in a systematic manner and their processing includes special data categories.4 Data protection officers, whether or not they are an employee of the biobank or the academic institution within which the biobank is located, should be able to perform their duties and tasks in an independent manner.5

Of particular importance for biobanking and research collaborations, the GDPR has a broad territorial reach. The GDPR applies to the processing of personal data of all European citizens regardless of where this takes place, therefore, extending the “reach” of the regulation beyond the EU borders.

The ripple effect on the rest of the world

The GDPR is likely to have a major impact outside of the EU, where biobanks support multinational studies involving personal data held by entities within the EU or data from EU citizens. The GDPR requires that the high standard warranted by EU law is expanded to collaborative research institutions outside the EU for biobanks involved in international data transfer and research purposes who would be now obliged to follow the GDPR. In addition, personal data processed in the EU from third country citizens would also have to respect these requirements for processing.

According to GDPR, personal data may be transferred to a third country outside the EU which is deemed to have an adequate level of protection. While there are a number of countries that have existing legal data protection structures deemed to be equivalent by the European Commission, there are many countries currently participating in international collaborations with European countries that do not, including the U.S. and African countries.

For countries without this adequacy decision, additional legal bases are required for the transfer of personal data from the EU. Other measures are available but are not particularly amenable to biobanking and research collaborations. The GDPR has introduced two new mechanisms for international transfers, certification and the code of conduct. These incorporate additional layers of approval and, as new mechanisms, they will take some time to evolve. Other measures, such as standard contractual clauses, exist but are not “research-friendly” or easy to apply in a research/biobanking setting. This last option could be to bring the use of material transfer agreements into the GDPR fold, but this would require adoption either directly by the European Commission or by a supervisory authority in accordance with the consistency mechanism and then adoption by the Commission.

Several efforts are underway in the biobanking and research communities to respond to these challenges, including short-term approaches, such as those identified above, and the development of Codes of Conduct, which will provide further refinement on the implementation requirements for biobanking and research.6 Overcoming the challenges of implementing the GDPR will be critical to ensure that important research needed for the development of precision medicine can proceed.

The authors would like to acknowledge the assistance and advice offered by Mr. Øien Morten (Senior Advisor, Norwegian University of Science and Technology) during the creation of this article.


(1) (2016) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) Official Journal L 119(1).
(2) Article 5.
(3) Article 39, paragraph 1.
(4) Article 37, paragraph 1.
(5) Recital 97.

Rita T. Lawlor
ARC-Net Applied Research on Cancer Centre
University of Verona
Department of Diagnostics and Public Health

Zisis Kozlakidis
Head, Laboratory Services and Biobanking
International Agency for Research on Cancer (WHO), Lyon, France

Marianna Bledsoe
Independent Consultant, Silver Spring, MD
Deputy Editor, Biopreservation and Biobanking
Chair, ISBER Science Policy Advisory Committee

International Society for Biological and Environmental Repositories
Tel: +1 604 484 5693

