In our last post, we considered some of the challenges of processing genetic data on the basis that it has been anonymised. If such data has not been properly anonymised, it must be processed in line with the requirements for “special category” data under GDPR. One lawful basis for processing “special category” data is explicit consent. While consent is defined in the GDPR[1], explicit consent is not. According to the Information Commissioner’s Office (ICO) website, explicit consent requires a very clear and specific statement of consent. In the context of a diagnostics offering, a clearly worded patient consent form will be an important means of fulfilling this requirement. A more onerous ICO requirement is that any third-party controllers who will rely on the consent must be named – this can present difficulties where a dataset is later shared with a partner company that was not contemplated at the time consent was obtained. As noted in a recent World Economic Forum Insight Report on Diagnostics: “One challenge to be acknowledged regarding consent is that the fast pace at which technology is developing means companies and individuals may not fully realize the extent of what they are committing to.” [2]
Perhaps the most significant limitation of processing data on this basis is that consent can be withdrawn at any time, and subjects need to be able to have their data removed from any repositories in which the initial controller has kept it, as well as from those it has been passed on to. If one wants to rely upon consent as the lawful basis for sharing "anonymised" data sets, it would be necessary to ensure that the unique identifiers used to distinguish between samples can be linked back to a contactable individual, so that he or she can be advised of the existence of a new controller and offered the ability to withdraw. This is, however, a double-edged sword: it makes it more likely that an individual could be re-identified, in which case the data is not anonymised.
In light of these difficulties, it is not always feasible to rely on consent, particularly where health data is to be inputted into databases which may be accessed by third parties. Could the GDPR’s scientific research exemption be the answer? To be discussed in our next post….
1. Article 4(1): “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
2. Diagnostics for Better Health: Considerations for Global Implementation – WEF Insight Report (2021) http://www3.weforum.org/docs/WEF_Diagnostics_for_Better_Health_Considerations_for_Globa_%20Implementation_2021.pdf