Looking beyond consent for research under GDPR
Wendy Spires, Privacy Lead, European Privacy Solutions at Datavant, explores alternatives to consent that are open to organisations undertaking research in GDPR jurisdictions.
Intuitively, consent can feel like the right lawful basis for processing personal data. To the uninitiated, it may even sound like the simplest path too (veterans in the field will know otherwise, however). Indeed, GDPR experts will often urge you to find alternative lawful bases as your base case if you possibly can. And, when it comes to research purposes, you very often can do so.
Organisations seeking to carry out research in GDPR jurisdictions or using EU data need to appreciate the necessary separation between the ethical-legal concept of informed consent for the purposes of taking part in clinical trials and consent under the GDPR for the purposes of processing the data which surrounds it.
Informed consent is a core norm in the medical research community and is rightly enshrined in countless rules and codes. Yet from a data processing perspective, consent can be a problematic path to take - and one that can be avoided.
Consent conundrums
Firstly, aligning consent across a multi-regional study is a challenge because of local variation as to what constitutes informed consent under the Clinical Trial Regulations and its counterparts, how this has to be evidenced and the extent of notification required for it to be considered valid for secondary processing. If privacy notices and consent templates have to envisage all the permutations of all data partnerships involved in secondary research, consent becomes both constraining and administratively painful. How organisations can know the identity of all parties which will be relying on the consent ahead of time and all of the purposes for which data may be processed is a huge consent conundrum.
Then there is the salient point that consent must be revocable to be meaningful at all; in other words, a person can change their mind and opt out of the research. Relying on consent therefore exposes organisations to the risk of having their ability to process data removed without notice. The potential disruption to clinical trials, data sharing, big data analytics and algorithmic research is huge, and it can mean trying to find a needle in a haystack where individuals might choose to opt out of a large study.
The potential for misunderstandings is not to be overlooked. As privacy experts have pointed out, failing to make a clear distinction between research ethics consent and data processing consent can lead to the ‘consent misconception’, where research participants can think that consent to participate in a research project also extends to the consent to process their personal data. They may therefore erroneously believe that they can exercise rights to be forgotten or to restrict further processing when exceptions or exemptions may in fact apply. It is vital to correctly set expectations and address concerns through clear language and driving data literacy amongst ‘data donors’.
Exemptions and exceptions
A scant reading of the GDPR might indicate that explicit consent is the only feasible path for the secondary research use of health data and biological materials; a fuller appreciation of its recitals and derogations affirms that there are exemptions from the explicit consent requirement and alternative lawful bases organisations can seek to deploy.
Firstly, Article 6 of GDPR, which sets out the lawful bases for processing personal data, has to be read alongside Recital 50, which provides that further processing for scientific research purposes should be considered to be a compatible processing operation that requires no further or separate lawful basis. If scientific research is carried out as a secondary purpose, it may well be that no further lawful basis is needed.
Then there is Article 9(2)(i) of the GDPR, which cites “processing is necessary for reasons of public interest in the area of public health” as an exemption from the requirement for explicit consent, and the ‘research condition’ under Article 9(2)(j), which allows genetic and health data to be processed on the grounds of scientific research purposes, based on EU or Member State law. That does create a need for regional expertise, as each Member State will have its own requirements for using data for ‘Scientific research or statistical purposes’. Several require a public interest lawful basis with additional strictures on top, such as pseudonymisation or additional balancing tests of respective interests to be carried out. The tools to carve out greater data utility are there though, and more look sure to come as governments move to boost research innovation. In one exciting recent development, under the proposals of the new Data (Use and Access) Bill (DUAB), the UK is set to expand the concept of scientific research to include privately funded and commercial projects, and to allow individuals to consent upfront to different uses of their data as research projects evolve.
Alternative legal pathways
Consent may be necessary in some conditions or for some elements of your project, but there are other legal pathways for organisations to consider for secondary processing which would grant them greater freedom in maximising data utility and reduce the risk of consent reliance posing problems further down the line. What is clear is that a comprehensive understanding of the research design and the data flow is fundamental to the technicalities of consent. When it comes to tokenisation and other de-identification techniques, delineating what is within the protocol of the study itself and what is secondary processing will be key, as will developing a thoroughgoing understanding of which exemptions and derogations might apply.
There is likely good reason to look beyond consent as our ‘official’ lawful basis for processing personal data, yet this should not imply any reduction in our commitment to transparency and informing data subjects appropriately. Indeed, deploying the public interest lawful basis makes it all the more important to be able to clearly articulate the benefits envisaged from research to the data subjects and/or society at large. Individuals taking part in clinical trials and other research projects are often being asked for a big data commitment in a fast-moving technological milieu today, after all. Offering them intelligible reassurance about privacy controls, infosec and PETs is an invaluable opportunity to build trust. Similarly, if organisations are processing personal data on the legitimate interests lawful basis, then there may be great merit in articulating how these are balanced against those of the individual and that data subjects can still seek to exert control over their data. Tackled well, notification can function as both education and outreach.
The European Health Data Space seems to augur well for a more liberal approach to data use once it has been sufficiently de-identified and, for further context, we can consider the liberal approach which seems to be embodied in the Clinical Trial Regulations. The CTR provides for data from clinical trials to be used for future scientific research of a medical, natural or social sciences nature, if the subject gives consent to use his or her data ‘outside the protocol of the clinical trial’ but, importantly, doesn’t require it (Recital 29 and Article 28 (2)). Scholars have also noted the introduction of the concept of ‘data altruism’ in the EU’s Data Governance Act, cementing the notion of ‘processing for purposes of general interest’.
Consent will continue to be central; however, it is only one tool in the toolkit, and we should not confuse the right to be informed with informed consent. We should remember that flexibility was always meant to be on offer for research innovators and facilitation seems set to continue as a top concern for the authorities. If you would like to explore your options, book a free consultancy call; Trace’s expert privacy and data governance team stands ready to help, whether that be on an individual Data Protection Impact Assessment (DPIA), a data privacy diagnostic ‘sprint’ or establishing a forward-thinking trust framework for all your future research efforts.
This article was authored by Wendy Spires, CIPP/E. This article should not be taken as legal advice. Trace is now a Datavant company.