'A comparative analysis of the requirements for the use of data in biobanks based in Finland, Germany, the Netherlands, Norway and the United Kingdom' by L. Briceño Moraia, J. Kaye, A.M. Tasse, B.M. Knoppers, C. Mitchell, S. Soini, N. Hoppe, S.E. Wallace and M. Øien in (2015)
Medical Law International comments
To understand the causes of disease and improve diagnosis and treatment regimes, biomedical researchers need access to large numbers of well-characterized data and samples. Over the past decade, biobanks have been established across Europe to collect and manage access to data and samples. The challenge that we face is how to develop the tools and collaborations to enable researchers to access samples and data from a network of biobanks, rather than applying to individual biobanks. One of the perceived stumbling blocks to achieving this is represented by the different legal requirements in each country. The aim of the BioSHaRE-European Union (EU) project is to address these challenges by developing tools and methods for researchers to access and use pooled data from different cohort and biobank studies. The purpose of this article is to identify and compare the key legal requirements regarding research use of data across biobanks based in Finland, Germany, the Netherlands, Norway and the United Kingdom. Our investigation starts with the analysis of the key differences for the use of data between these countries. As a result, we identified three key areas where legal requirements differ across the five BioSHaRE-EU jurisdictions, namely, in the definition of personal data, the requirements regarding pseudonymization and processing for medical research purposes. This article provides an overview of these differences and describes them in the light of the proposed EU regulation on data protection.
The authors conclude -
This article identifies and compares the key legal requirements regarding research use of
data in Finland, Germany, the Netherlands, Norway and the United Kingdom. In all the
BioSHaRE-EU jurisdictions, in addition to the legislation implementing the EU Data
Protection Directive, there are provisions for data protection in other regulations or
sources of law. For example, in patient’s rights legislation (Finland), hospital laws (Germany),
civil codes (Germany and Netherlands), specific HRAs (Norway) or case law
(United Kingdom). This fragmentation of the sources of law undermines the certainty
of the rules necessary to guarantee the flow of the information contained in samples
between biobanks and to allow researchers to share them without undue burdens. The proposed draft of the EU Regulation on data protection will ensure a single set of rules on data protection across Europe, explicitly incorporating genetic information, but the latest
amendments contain several changes that overall could have a negative impact on medical
research.
The main grey areas of the 1995 Directive concern the concept of personal data, anonymization
and data processing. The definition of personal data adopted in the
BioSHaRE-EU jurisdictions leaves space for broad interpretation to also include genetic
information as sensitive health data. In Finland, the definition of personal data of an individual
expressly includes ‘members of his/her family or household’. Arguably, this is in
line with the views of the Article 29 Working Group and latest proposals for EU data
protection reform. Anonymization and pseudonymization are not expressly regulated
by the current Directive, which recognizes the possibility of member states adopting
Codes of Practices on the issue. Even though the latest draft of the proposed EU Data
Protection Regulation contains a definition of pseudonymization, it still leaves space for
different interpretations of its scope.
With regard to data processing, the BioSHaRE-EU jurisdictions have implemented
the Directive rules without major differences. The general principle is that the
processing of sensitive data is prohibited unless express consent is provided or when
it is for the purposes of historical, scientific or statistical research. A unique feature
of the German law compared to the other BioSHaRE-EU countries, and which
exceeds the requirements of Data Protection Directive, is that consent for processing
data shall be given in writing.
As far as access to data is concerned, the general principle and the main relevant
exceptions are the same in all BioSHaRE-EU jurisdictions; again, consent of the
data subject is essential, but this requirement can be waived if access is requested
for research purposes and if specific conditions are satisfied. However, these conditions
vary from one country to another. The proposed EU Data Protection Regulation
would require consent for processing health data for research purposes, leaving
it to member states to introduce exceptions. If member states decide to introduce a
research exemption, it could again lead to different legal requirements across the
EU. This would affect international research consortia that need to share data and,
to an extent, diminish the benefits of a single EU Regulation on data protection for
biomedical research.
Our analysis has shown that although data protection rules across BioSHaRE-EU jurisdictions
are substantially uniform and share the same European origin, there are still
some grey areas relating to research that have not been clarified or specified at the
national level. This leaves room for different interpretations by national courts. The situation
is further complicated by the variety of regulations and sources of law through
which EU data protection rules have been implemented in each member state, raising
further problems linked to the hierarchy of the law. Importantly, even if a single EU Data
Protection Regulation were enacted and directly applicable in all member states, as the
current proposals stand, it would not provide enough clarification to remove the existing
grey areas for data-based research. Unfortunately, the EU data protection law reform process seems to have taken insufficient account of the importance of data sharing for biomedical research and, ultimately, population health.
The peculiarities of biomedical research call for a specific regulation at European
level, which could apply both for samples and data. In fact, there is a straight linkage
between samples and data, that is, researchers require access to a sample in
order to get the information contained in it, and the usefulness of biological samples
for research is greatly reduced when associated data are not shared with the samples.
Nevertheless, they are considered as two different legal entities as different sources
of law regulate access to data and samples. Following the Norwegian example, having
a unique regulation, applying both to samples and data, and specific, focusing on
biomedical research, would clear the path towards simplification of the sources of
law, guaranteeing a better harmonization across member states and the desired sharing
of data across different jurisdictions.
The BioSHaRE-EU project tries to overcome the legal restraints by encouraging the
development of cutting-edge technologies that enhance collaborations among investigators
and enable the development of tools for data harmonization, database integration
and federated data analysis. In particular, it has proposed a new approach,
named DataSHIELD, a federated infrastructure allowing researchers to jointly analyse
harmonized data whilst retaining individual-level data within their respective host
institutions. Such a system enables to share data for research purposes without the
need to physically pool them together, therefore avoiding to incur in the traditional
legal constraints.
The BioSHaRE-EU Healthy Obese Project aims to gain insights into the consequences
of (healthy) obesity using data on risk factors and phenotypes across several
large-scale cohort studies. This project has combined 10 different cohorts in seven
countries, using data transformed into a harmonized format, that is, it has used a computing
infrastructure to enable the effective pooling of data and research into critical
sub-components of the phenotypes associated with common complex diseases.
BioSHaRE-EU has also supported the development of the so-called ‘omics connect
toolbox’, which includes a set of software to be locally used by researchers for omics
data validation, management, viewing and sharing.
It has been created also a unified system to integrate and compare observation data
across experimental projects, disease databases and clinical biobanks; the system comprises
models, formats documentation and software that are all available for free and
open source at http://www.observ-om.org.
At the same time, BioSHaRE-EU cohorts do not have a common access policy, that is,
researchers still need to contact each cohort individually to get access authorization. To
overcome some of the issues raised by not having such ‘common data access policy’, an
internal process has been developed, allowing tracking which cohorts under the
BioSHaRE-EU project have provided access authorization for research.
The BioSHaRE-EU project shows that cutting-edge technologies could enable effective
sharing of data overcoming legal constraints and at the same time raises the question
on whether different kind of governance systems are needed to support the current lack
of a uniform regulatory framework.
