eu medical device clinical research under the general data protection regulation

PATIENT DATA MANAGEMENT UNDER THE GDPR 8TH ANNUAL EU MEDICAL DEVICE CLINICAL RESEARCH 6 November 2015 Erik Vollebregt www.axonadvocaten.nl

Upload: erik-vollebregt

Post on 11-Jan-2017

TRANSCRIPT

Page 1: EU Medical Device Clinical Research under the General Data Protection Regulation

PATIENT DATA MANAGEMENT UNDER THE GDPR

8TH ANNUAL EU MEDICAL DEVICE CLINICAL RESEARCH, 6 November 2015

Erik Vollebregt, www.axonadvocaten.nl

Page 2

General Data Protection Regulation

The current EU system is:

• Fragmented
• Outdated
• Unclear

Proposal for a new framework: The General Data Protection Regulation.

• Regulation: direct effect in member states (no national legislation except implementation)

• Requires significant work by mHealth companies to implement

Looks to be finished end of 2015 – in force 2016?

Page 3

GDPR: threatening healthcare

Page 4

GDPR: interfaces

Dependencies with other legislation on security and data breaches

• e-Privacy directive (2002/58)
• NIS directive (in trilogue)

Page 5

GDPR – when?

Page 6

Background

• Proposed new General Data Protection Regulation on clinical investigations and clinical data
• In Vitro Diagnostics Regulation
• Medical Devices Regulation
• To address national inconsistencies, each of the new laws will be a Regulation rather than a Directive. While this is intended to harmonise the approach to these issues, it will increase both the compliance burden and the uncertainty
• Impact
• Practical preparations for the draft Regulations

Page 7

Overview of Data Protection

• Significant changes in data protection regulation
  • Consent
  • Research
  • Administratively burdensome bureaucracy
  • Fines
• Collateral damage: ‘potentially catastrophic’ effects on biobanks, registries, personalised medicine, e-health and the development of new therapies
• What we hate in marketing and social media, we actually want in health care
  • further processing, monitoring, profiling, predictions, traceability, secondary processing
• Innovative and/or long-term uses of personal data are problematic
  • known unknowns and unknown unknowns
• International transfers and sharing of personal data

Page 8

What is the same

• “Personal data” remains a cornerstone
• Reasonable likelihood of identification of an individual remains a dynamic test – probably
• Data can still become “personal” as a result of technological or other reasons (mosaicing)
• Privileged status of “data concerning health” (and data re racial or ethnic origin) requires extra care
• Consent to processing (and purpose limitation) remains a cornerstone
• Capacity to consent remains a matter of national law
• Focus remains on each act of processing personal data rather than on the collection or holding of data. The data controller must verify that there is a legitimate basis for the processing
• Even anonymising or pseudonymising data = processing
• Export of personal data outside the EEA only permissible with an adequate level of protection

Page 9

What Changes (or is clarified) (1)

• “Personal data”: likelihood of identification of the data subject
  • Deleted qualifier “by means reasonably likely” (but this may come back)
  • Added a definition of “pseudonymisation” which appears to mean that pseudonymised data remains personal data regardless of the number and nature of steps taken to key code
• Consent requirements/invalidation
  • Broad consent and “opt-out” consent explicitly rejected
• Biological samples should be considered identifiable data
• Definitions of genetic data and biometric data
• Scope of the research derogation under threat

Page 10

What Changes (or is clarified) (2)

• Data protection becomes a fundamental right
• Access rights
• Impact assessments required
• Data protection officers
• Right to compensation for non-compliant processing
• Fines
  • staggered fines for violations depending on severity, up to €1 million / 2% of worldwide annual turnover, but the final percentage / threshold is still under debate (may go up to 5%)

Page 11

Consent: Validity & Purpose Limitation

• To be valid, consent to the processing of personal data must:
  • be freely given, specific, informed and explicit
  • be a clear affirmative action (no opt-outs)
    • The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent.
  • cover all processing activities carried out for the same purpose.
• Once the original purpose ends, the data subject must re-consent / re-affirm.
  • Consent shall be purpose-limited and shall lose its validity when the purpose ceases to exist or as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were originally collected.
  • Where the conclusion of the intended purpose is unclear, the controller should at regular intervals provide the data subject with information about the processing and request a re-affirmation of their consent.

Page 12

Consent by persons lacking legal capacity

• What is the best approach to re-consent from a person who loses capacity as a result of a degenerative condition?
  • Broad consent before the data subject loses capacity?
  • Power of Attorney (or equivalent) before the data subject loses capacity?
  • “Delegated” or “surrogate” consent?
  • Consent to such processing as is approved by the Registry’s Ethics Committee (in line with the Helsinki Declaration)

Page 13

Impact Assessment: Art 33

• The data controller must conduct impact assessments on the rights and freedoms of the data subjects, especially their right to protection of personal data, when processing:
  • [personal data relating to more than 5000 data subjects during any consecutive 12-month period;]
  • “special categories of personal data” – personal data revealing race or ethnic origin, genetic or biometric data, or data concerning health or sex life;
  • [location data or data on children in large scale filing systems]; or
  • personal data for the provision of health care, epidemiological research, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale.
• The good news is that a single assessment may suffice for similar processing operations that present similar risks.
• The bad news is that the exact methodology will be set by delegated act

Page 14

Mandatory Data Protection Officer (Art 35)

• The data protection officer should have at least the following qualifications:
  • extensive knowledge of the substance and application of data protection law, including technical and organisational measures and procedures;
  • mastery of technical requirements for privacy by design, privacy by default and data security;
  • industry-specific knowledge in accordance with the size of the controller or processor and the sensitivity of the data to be processed;
  • the ability to carry out inspections, consultation, documentation, and log file analysis; and
  • the ability to work with employee representation.
• The controller should enable the data protection officer to take part in advanced training measures to maintain the specialised knowledge required to perform his or her duties.
• The designation as a data protection officer does not necessarily require full-time occupation of the respective employee.

Page 15

Consent: Procedural aspects

• To be valid, consent to the processing of personal data must:
  • be separated from other matters (e.g. consent to treatment)
    • If the data subject's consent is given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented clearly distinguishable in its appearance from this other matter. Provisions on the data subject’s consent which are partly in violation of this Regulation are fully void.
  • comply with national laws if given on behalf of a child or someone lacking capacity
    • In the case of a child or a person lacking legal capacity, relevant Union or Member State law should determine the conditions under which consent is given or authorised by that person.

Page 16

Scenarios re Validity of Consent

• Status of valid consent given under the existing DP Directive?
• Valid if consent was a condition of entry into a clinical investigation?
  • Not freely given if the data subject would suffer detriment by refusing or withdrawing consent
• Will consent given in a clinical investigation of product X be valid if it leads to a new product Y?
  • What if X was an HPV diagnostic and Y a new “morning after” pill?
• Valid when given by a patient to a doctor (power imbalance)?
• Valid if given in a single document with the consent to treatment?
• Valid if given in the same consultation as the consent to treatment?
• What if consent will skew (or invalidate) the results of the study?

Page 17

Consent in the context of a clinical trial

• Difficult to be certain that consent obtained in a clinical context (trial, investigation or other) will satisfy data protection requirements
• Consent ceases to legitimise once processing is no longer necessary
• Secondary purposes must be compatible with the original purpose, or “re-consent”
• Consent rigour makes these derogations more important:
  • Medical treatment privilege – Article 81(1)(a)
  • Public health purposes – Article 81(1)(b)
  • Genetic data – Article 81a
  • Research purposes – Article 83
• Parliament, Commission and Council vary considerably in their positions on derogations

Page 18

Derogations from consent requirement

• In the absence of explicit consent, unless the processing is necessary to protect the vital interests of the data subject, processing of sensitive data concerning health is only permitted for:
  • tasks carried out in the substantial public interest;
  • health purposes, subject to conditions and safeguards (e.g. obligations of professional secrecy); or
  • scientific research, subject to adequate legal safeguards.
• When relying on a derogation, the controller should still disclose the possible or proposed processing in the interests of “fairness” (a fundamental data protection principle)

Page 19

Medical treatment derogation

Page 20

Derogation for Research Purposes

• Commission, Parliament and Council propose different standards for the derogation
• Export of personal data outside Europe for research purposes probably requires explicit consent or other derogations – no recognition of the value of international research

Page 21

Derogation for Research Purposes

Page 22

Confusion about pseudonymisation

Council recital – Incentives?

Page 23

Confusion about pseudonymisation

• Definition of a pseudo-category of personal data without clarity on what standards apply
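The slides treat pseudonymisation as "key coding" and note that key-coded data stays personal data however many coding steps are applied. The following Python is an example added here, not part of the original presentation, to show both halves of that point in practice: a keyed pseudonym (HMAC-SHA256 with a secret held by the sponsor) still links every record of one subject and is trivially reversed by whoever holds the key plus the enrolment list, while an unkeyed hash of a low-entropy identifier is reversed by anyone at all, simply by enumerating the identifier space. The record layout (a `patient_id` field), the `P0000`–`P9999` identifier format and the sample records are constructed assumptions.

```python
"""Key-coding patient identifiers: why pseudonymised data remains personal data.

Added example. Assumptions (not from the slides): study records are dicts with
a 'patient_id' field in the form P0000..P9999, and the sponsor holds the
key-coding secret. All sample data below is constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample study records (not real patient data).
RECORDS: List[Dict[str, str]] = [
    {"patient_id": "P0042", "site": "NL-01", "finding": "device malfunction"},
    {"patient_id": "P0117", "site": "DE-03", "finding": "no adverse event"},
    {"patient_id": "P0042", "site": "NL-01", "finding": "follow-up visit"},
]


def key_code(patient_id: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed pseudonym (HMAC-SHA256, truncated).

    The code is deterministic for a given key, so records belonging to one
    subject stay linkable, which is what a longitudinal study needs.
    """
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: Iterable[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Return copies of the records with 'patient_id' swapped for 'pseudonym'."""
    out = []
    for record in records:
        copy = dict(record)
        copy["pseudonym"] = key_code(copy.pop("patient_id"), key)
        out.append(copy)
    return out


def reidentify(pseudonyms: Set[str], key: bytes, enrolment: Iterable[str]) -> Dict[str, str]:
    """Map pseudonyms back to patients.

    Anyone holding the key and the enrolment list recomputes the codes; no
    cryptographic weakness is needed. This is why the data stays 'personal'.
    """
    lookup = {key_code(pid, key): pid for pid in enrolment}
    return {p: lookup[p] for p in pseudonyms if p in lookup}


def unkeyed_hash(patient_id: str) -> str:
    """A plain hash, sometimes mistaken for pseudonymisation."""
    return hashlib.sha256(patient_id.encode()).hexdigest()[:16]


def brute_force_unkeyed(pseudonym: str, id_space: Iterable[str]) -> Optional[str]:
    """Reverse an unkeyed hash of a low-entropy identifier by enumeration.

    With only 10,000 possible IDs this takes milliseconds and needs no key.
    """
    for pid in id_space:
        if unkeyed_hash(pid) == pseudonym:
            return pid
    return None


def demo() -> Dict[str, object]:
    """Run the three steps and return the results for inspection."""
    key = secrets.token_bytes(32)                     # held by the sponsor only
    coded = pseudonymise(RECORDS, key)
    linked = coded[0]["pseudonym"] == coded[2]["pseudonym"]   # same subject, same code

    enrolment = [f"P{i:04d}" for i in range(200)]    # constructed enrolment list
    recovered = reidentify({r["pseudonym"] for r in coded}, key, enrolment)

    # Unkeyed hashing offers no protection against a determined outsider.
    leaked = brute_force_unkeyed(unkeyed_hash("P0042"), (f"P{i:04d}" for i in range(10000)))

    return {"linked": linked, "recovered": sorted(recovered.values()), "brute_forced": leaked}


if __name__ == "__main__":
    print(demo())
```

The practical consequence for a sponsor is that the key, the enrolment list and the coded dataset must be governed as a unit: separating them organisationally (key with the site or a trusted third party, coded data with the sponsor) is what makes the coding meaningful, and an unkeyed hash of a structured identifier should not be described as pseudonymisation at all.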

Page 24

Exporting personal data

• Can only transfer personal data outside the EEA:
  • to a country whose DP laws have been approved by the EC; or
  • if there is an adequate level of protection for the rights of data subjects
• The United States does not offer “adequate protection”
• The data controller may:
  • carry out his own assessment of the adequacy of the protection
  • use contracts to ensure adequacy
  • obtain EC approval for a set of Binding Corporate Rules governing intra-group data transfers
  • rely on one of the exceptions to the prohibitions on transfers of personal data outside the EEA
  • use “Safe Harbours” [Schrems vs Facebook]
• Where the data controller has found a basis to legitimise the transfer, this must be disclosed for “fairness”

Page 25

Exporting personal data (2)

• While the data controller could ask the data subject to consent to the export of personal data to a country that does not have adequate protection, the data subject must have consented unambiguously to the proposed transfer: Art. 26(1)
  • To be valid, this consent must be freely given, specific and informed: Art. 2(h)
• Hence, consent is rarely used as the sole criterion to justify exports of personal data on an ongoing basis: e.g. heuristic systems
• Most data controllers take the view that the proposed “export” must be disclosed to the data subject to satisfy the requirement of fairness

Page 26

Data Subject’s rights

• Data subjects are granted a right of access – a right to obtain a copy of data concerning them, provided in a commonly used electronic format.
• Data subjects have rights to have data corrected or erased
• The right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in a commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one.
  • Data controllers should be encouraged to develop interoperable formats that enable data portability.
• These requirements are challenging in clinical contexts or in the context of Big Data.

Page 27

In conclusion

• Consent alone will be a “brave” justification for data processing
• Articles 81 and 83 become crucial for secondary processing
• If the Parliament amendments are accepted, it will be VERY difficult to justify many registry studies, retrospective studies or health technology assessments under the research derogation
• Article 83 will only be available for the processing of sensitive personal data (broadly defined) if:
  • there is an exceptionally high public interest
  • the research cannot be conducted in any other way
  • the data is anonymised or pseudonymised to the highest technical standards
• Even if the Parliament amendments are not accepted, significant work will be needed to justify many studies (particularly any study re label extensions, comparisons with competitors, health economics or retrospective studies)

Page 28

European Data Protection Supervisor:

Page 29

www.axonlawyers.com

THANKS FOR YOUR ATTENTION

Erik Vollebregt
Axon Lawyers
Piet Heinkade 183
1019 HC Amsterdam
T +31 88 650 6500
F +31 88 650 6555
M +31 6 47 180 683
E [email protected]
@meddevlegal
B http://medicaldeviceslegal.com

READ MY BLOG: http://medicaldeviceslegal.com