To understand the causes of disease and improve diagnosis and treatment regimes, biomedical researchers need access to large numbers of well-characterized data and samples. Over the past decade, biobanks have been established across Europe to collect and manage access to data and samples. The challenge that we face is how to develop the tools and collaborations to enable researchers to access samples and data from a network of biobanks, rather than applying to individual biobanks. One of the perceived stumbling blocks to achieving this is represented by the different legal requirements in each country. The aim of the BioSHaRE-European Union (EU) project is to address these challenges by developing tools and methods for researchers to access and use pooled data from different cohort and biobank studies. The purpose of this article is to identify and compare the key legal requirements regarding research use of data across biobanks based in Finland, Germany, the Netherlands, Norway and the United Kingdom. Our investigation starts with the analysis of the key differences for the use of data between these countries. As a result, we identified three key areas where legal requirements differ across the five BioSHaRE-EU jurisdictions, namely, in the definition of personal data, the requirements regarding pseudonymization and processing for medical research purposes. This article provides an overview of these differences and describes them in the light of the proposed EU regulation on data protection.The authors conclude -
This article identifies and compares the key legal requirements regarding research use of data in Finland, Germany, the Netherlands, Norway and the United Kingdom. In all the BioSHaRE-EU jurisdictions, in addition to the legislation implementing the EU Data Protection Directive, there are provisions for data protection in other regulations or sources of law. For example, in patient’s rights legislation (Finland), hospital laws (Germany), civil codes (Germany and Netherlands), specific HRAs (Norway) or case law (United Kingdom). This fragmentation of the sources of law undermines the certainty of the rules necessary to guarantee the flow of the information contained in samples between biobanks and to allow researchers to share them without undue burdens. The proposed draft of the EU Regulation on data protection will ensure a single set of rules on data protection across Europe, explicitly incorporating genetic information, but the latest amendments contain several changes that overall could have a negative impact on medical research.
The main grey areas of the 1995 Directive concern the concept of personal data, anonymization and data processing. The definition of personal data adopted in the BioSHaRE-EU jurisdictions leaves space for broad interpretation to also include genetic information as sensitive health data. In Finland, the definition of personal data of an individual expressly includes ‘members of his/her family or household’. Arguably, this is in line with the views of the Article 29 Working Group and latest proposals for EU data protection reform. Anonymization and pseudonymization are not expressly regulated by the current Directive, which recognizes the possibility of member states adopting Codes of Practices on the issue. Even though the latest draft of the proposed EU Data Protection Regulation contains a definition of pseudonymization, it still leaves space for different interpretations of its scope.
With regard to data processing, the BioSHaRE-EU jurisdictions have implemented the Directive rules without major differences. The general principle is that the processing of sensitive data is prohibited unless express consent is provided or when it is for the purposes of historical, scientific or statistical research. A unique feature of the German law compared to the other BioSHaRE-EU countries, and which exceeds the requirements of Data Protection Directive, is that consent for processing data shall be given in writing.
As far as access to data is concerned, the general principle and the main relevant exceptions are the same in all BioSHaRE-EU jurisdictions; again, consent of the data subject is essential, but this requirement can be waived if access is requested for research purposes and if specific conditions are satisfied. However, these conditions vary from one country to another. The proposed EU Data Protection Regulation would require consent for processing health data for research purposes, leaving it to member states to introduce exceptions. If member states decide to introduce a research exemption, it could again lead to different legal requirements across the EU. This would affect international research consortia that need to share data and, to an extent, diminish the benefits of a single EU Regulation on data protection for biomedical research.
Our analysis has shown that although data protection rules across BioSHaRE-EU jurisdictions are substantially uniform and share the same European origin, there are still some grey areas relating to research that have not been clarified or specified at the national level. This leaves room for different interpretations by national courts. The situation is further complicated by the variety of regulations and sources of law through which EU data protection rules have been implemented in each member state, raising further problems linked to the hierarchy of the law. Importantly, even if a single EU Data Protection Regulation were enacted and directly applicable in all member states, as the current proposals stand, it would not provide enough clarification to remove the existing grey areas for data-based research. Unfortunately, the EU data protection law reform process seems to have taken insufficient account of the importance of data sharing for biomedical research and, ultimately, population health.
The peculiarities of biomedical research call for a specific regulation at European level, which could apply both for samples and data. In fact, there is a straight linkage between samples and data, that is, researchers require access to a sample in order to get the information contained in it, and the usefulness of biological samples for research is greatly reduced when associated data are not shared with the samples. Nevertheless, they are considered as two different legal entities as different sources of law regulate access to data and samples. Following the Norwegian example, having a unique regulation, applying both to samples and data, and specific, focusing on biomedical research, would clear the path towards simplification of the sources of law, guaranteeing a better harmonization across member states and the desired sharing of data across different jurisdictions.
The BioSHaRE-EU project tries to overcome the legal restraints by encouraging the development of cutting-edge technologies that enhance collaborations among investigators and enable the development of tools for data harmonization, database integration and federated data analysis. In particular, it has proposed a new approach, named DataSHIELD, a federated infrastructure allowing researchers to jointly analyse harmonized data whilst retaining individual-level data within their respective host institutions. Such a system enables to share data for research purposes without the need to physically pool them together, therefore avoiding to incur in the traditional legal constraints.
The BioSHaRE-EU Healthy Obese Project aims to gain insights into the consequences of (healthy) obesity using data on risk factors and phenotypes across several large-scale cohort studies. This project has combined 10 different cohorts in seven countries, using data transformed into a harmonized format, that is, it has used a computing infrastructure to enable the effective pooling of data and research into critical sub-components of the phenotypes associated with common complex diseases.
BioSHaRE-EU has also supported the development of the so-called ‘omics connect toolbox’, which includes a set of software to be locally used by researchers for omics data validation, management, viewing and sharing.
It has been created also a unified system to integrate and compare observation data across experimental projects, disease databases and clinical biobanks; the system comprises models, formats documentation and software that are all available for free and open source at http://www.observ-om.org.
At the same time, BioSHaRE-EU cohorts do not have a common access policy, that is, researchers still need to contact each cohort individually to get access authorization. To overcome some of the issues raised by not having such ‘common data access policy’, an internal process has been developed, allowing tracking which cohorts under the BioSHaRE-EU project have provided access authorization for research. The BioSHaRE-EU project shows that cutting-edge technologies could enable effective sharing of data overcoming legal constraints and at the same time raises the question on whether different kind of governance systems are needed to support the current lack of a uniform regulatory framework.