1 Introduction

Norway is not a member of the European Union (EU) but it is part of the European Economic Area (EEA). EU legal acts must be incorporated into the EEA Agreement before they can be implemented into national law in Norway. The PDA—including the GDPR in Norwegian translation—entered into force in Norway on July 20th 2018 by reference to the incorporation of the GDPR into the EEA Agreement through a Joint Committee Decision on July 6th 2018.

The GDPR has not revolutionised the approach to privacy and data protection, but it has increased the sector’s awareness of the need to use health data and the need to protect such information through the duty of confidentiality, and it has created uncertainty about who should make decisions about sharing data in health and research organizations. It also has the potential to ensure more awareness of research participants’ rights versus the societal and scientific interest in research.

All research and medical treatment includes processing of personal data, and the relationship between GDPR and national law provides the basis for several issues. This article raises issues related to how GDPR has been implemented and interpreted, and what effects it has had, in fact and in law, when it comes to biobanking and research. The GDPR provides for a two-level framework to enable derogations from these rights when scientific research is concerned: first, by directly invoking provisions of the GDPR, on condition that safeguards, which must include ‘technical and organisational measures’, are in place; and second, through Member State law.Footnote 1 These derogations can be challenging in light of the legal and ethical standards in biobanking that have been set forth in international treaties, national legislation, and how GDPR has been implemented through changes in the health legislation, and other legal instruments, such as soft law.

There is also an ongoing discussion about the various roles and decision-making authority with regard to data sharing, and the division of responsibilities between the Data Inspectorate, regional ethical committees (RECs), Directorate for Health and E-Health, and the Norwegian Board of Health Supervision. An important change was that the health laws made reference to the legal definitions in the GDPR and that national regulations on the access to use personal data processing basis under the GDPR. Several examples show that there are different perceptions of the application of the GDPR in research on biological material. Some argue that the GDPR has made significant changes to the terms of research that include biological material and personal data, while others believe that it has not led to such changes with reference to the exemptions for research. Some claim that consent has become more important for the regulation of research and the publication of research results, while others claim that this is not the case.

The GDPR provides the possibility for implementation of national, sector-specific regulations as long as these regulations are not in conflict with the GDPR. In preparation for the implementation of the GDPR in Norway, the Norwegian Ministry of Health and Care Services (HOD)Footnote 2 made some amendments to ensure compatibility with it (Prop. 56 LS (2017–2018)).

2 Biobanks Infrastructure and Regulatory Framework

2.1 Biobanks in Norway

Norway is working on establishing a health analysis platform, and a note on legislative amendments was sent out by the Ministry for a hearing, which took place during the last half of 2019. The health analysis platform will gather the many health registers for research and innovation purposes. Norway has a long history of establishing and maintaining health registers used to track specific societal or health-related aspects. Norway has established 70 health registries and 20 are central health registries that are mandatory and nationwide. There are currently more than 50 national disease and medical quality registries.Footnote 3 They may contain health data and personal identification information. Some registers contain human biological material in biobanks that are associated with the quality registers. More detailed information on the different health registries and how to access them is available online.Footnote 4

Biobank Norway is a national infrastructure of biobanks and represents one of the world’s largest existing resources within biobanking. It covers both consented population-based and disease-specific clinical biobanks.Footnote 5 Biobanks in Norway also have access to unparalleled longitudinal health data in health registers. Hence, it is a unique asset for global research and innovation projects within life sciences, disease prevention and treatment. Below are some examples of Norwegian biobanks.

The Norwegian Mother and Child Cohort Study is a birth cohort and biobank that collected samples from 95,000 pregnant women, 114,000 children and 70,000 fathers, from 1998 to 2008. The Janus Serum Bank is a unique cancer specific cohort with blood samples from 318,628 Norwegians collected from 1974 to 2004. The biobank is reserved for cancer research and is globally unique in terms of size and number of cancer cases.Footnote 6 The Tromsø Study was initiated in 1974 in an attempt to help combat the high mortality in Norway due to cardiovascular diseases. Over the years the cohort has been expanded and now includes samples from over 40,000 people and holds unique phenotypic data. The NoPSC Biobank for primary sclerosing cholangitis (PSC) is one of the largest PSC biobanks in the world. It collects a range of different matrices and high-quality phenotypic data.

The Nord-Trøndelag Health Study (HUNT) is one of the largest health studies ever performed, comprising samples from 140,000 people collected in four rounds since the mid-1980s. It is a unique database of genetics, questionnaires, clinical measurements and biobanked samples. HUNT Biobank is a national biobank for Cohort of Norway (CONOR) with 250,000 DNA samples from all the large Norwegian Health Surveys gathered in one place. HUNT Databank contains information on the health of and samples from participants in the HUNT study conducted in three waves of data gathering.Footnote 7 The data collection was carried out with questionnaires, interviews, clinical studies and analyses of blood and urine samples. In addition, the HUNT Databank contains blood and urine samples stored in the HUNT Biobank which can be requested and defrosted for genetic analyses and other biological markers.Footnote 8

2.2 Norwegian Regulations

When the GDPR was implemented, it was pointed out by the Norwegian authorities that health services are subject to extensive regulations in Norwegian law. As the confidentiality protection applies within the health service and research, there was no need for any limited additional regulations. The Ministry has not uncovered a need to design new supplementary legal bases, for the processing of personal data within the scope of health legislation, nor has the Ministry identified the need for new national provisions that make exceptions to the prohibition on processing specific categories of personal data, which also include health information.Footnote 9 The health legislation with regulations provides a number of such guarantees, with the duty of confidentiality a particularly significant guarantee in this context. Another measure is, for example, the requirement for encryption in section 21 of the Health Register Act (HREG) or a decision on the disclosure of information.Footnote 10

There are minimal changes in the health laws, possibly because the regulation does not define how clear and specific the national regulations must be with regard to providing legal grounds for the processing of data. However, some changes are of great importance because they change the procedures of processing personal data and decision-making systems. The GDPR regulates questions that the national health legislation does not regulate specifically. References from the GDPR to national laws include the basis for processing data and exceptions from the prohibition against processing particularly sensitive data.Footnote 11

The exceptions in the GDPR Article 89 for rights in scientific research etc. are incorporated into the national laws through referrals but there are ambiguities about how they should be interpreted. Several derogations have been made in national legislation, and these are discussed below.Footnote 12 According to Norwegian law, biobanks and personal data are regulated in different laws. The PDA refers to the laws that regulate biological material and the processing of personal data.Footnote 13 Several laws regulate the storage of biological material and data in research and in connection with healthcare. These play an important role in the implementation of the GDPR (see Fig. 1).

Fig. 1 Relationship between GDPR and central national laws regulating biobanking. Human rights underpin both GDPR and national laws. (Chart: the GDPR branches into the PDA; health research, with the HRA and HREG; health care, with the TBA and HREA; and subjects, with the PRA, HPA and HA.)

Public and private biobanks are divided into three main groups: diagnostic biobanks, treatment biobanks and research biobanks. The first two, both of which store material gathered during the course of treatment, are regulated by the Treatment Biobank Act (TBA), and the latter by the Health Research Act (HRA).Footnote 14 Before the TBA was adopted in 2003, there was no separate law governing the large collections of biological material that had been systematically obtained and stored over several generations from the 1930s.Footnote 15

Since 2008 the HRAFootnote 16 has regulated research involving people, biological material and data, and describes medical and health research as use of ‘scientific methodology to provide new knowledge about health and disease.’Footnote 17 This definition is relatively broad and includes all interventions on humans, living and dead, on human biological material and on health information, as well as regulation of pilot studies, testing and performance of experimental studies.Footnote 18 The HRA regulates the establishment of research biobanks.Footnote 19

There may be uncertainty about what counts as research and what counts as method development and quality assurance. The term ‘scientific methodology’ refers both to general principles of scientific theory of reasoning and to the more specific techniques developed within various scientific disciplines to produce ‘valid knowledge’.Footnote 20 This excludes quality assurance.Footnote 21 Research on human beings requires prior approval from a research committee. With the implementation of GDPR, the Norwegian authorities have assumed that a pre-approval from the ethics committee is not sufficient to process personal data. The requirements for ‘state of art’ in healthcare will be indicative of when diagnostics and healthcare should be organised as research.Footnote 22

The TBA regulates biobanks, which are defined as ‘a collection of human biological material delivered for medical examination, diagnosis and treatment.’Footnote 23 These tissue samples have been collected from all organs of the body, from all age groups, that have been taken for medical tests, diagnostics and treatment as part of healthcare for more than 100 years. In recent years, it has included samples from all newborns. The purpose of the TBA is to secure storage of material and data in healthcare and to ensure that the collection, storage, processing and destruction is carried out in an ethically responsible and legal manner for the good of the individual and society. The storage of biological material and data for use in healthcare is aimed at achieving continuity and reliability of treatment.

Registers used for health research are regulated by the HREG.Footnote 24 This includes data transferred from patient records. Duties and rights also follow from the laws mentioned above. The HREG aims to facilitate the collection and processing of health information, to provide better health and care services through increased knowledge.

Health registers based on personal data derived from biological material in hospitals and health care providers should mainly be processed in accordance with the Health Records Act (HREA).Footnote 25 This means that a distinction is made between the law that regulates registers in the health service and registers based on data from the health service for the purpose of health research. When giving medical treatment, healthcare professionals are required to store relevant and necessary information in the health record.Footnote 26 This means, among other things, that data must be stored when the health care is given without consent, for example because the patient is unable to consent or when using force. Data and biological material obtained in the health service can be used for research through transfer to health registers or by pre-approval from the ethical research committee and the data controller.

The legislation clearly distinguishes between activities that are justified on the grounds of healthcare and research and other activities, as well as between storing and processing of data and biological material for purposes of health research and for purposes of healthcare (Simonsen and Nylenna 2005; Simonsen 2014). The medical development has blurred the lines between medical treatment and health research, and this raises new issues about how to apply the law. One example is that genetic mapping as part of personalised medicine means that biological material is the starting point for knowledge about the genetics and diagnostics of patients, and for clinical testing (Befring 2019).Footnote 27 When healthcare and research are needed to safeguard and protect the vital interests of individuals, it can include using material and data according to the exceptions in HRA, HREG and GDPR.Footnote 28 Another issue that can be raised but will not be dealt with here is the question of ownership of the biobank and the material it contains, and about intangible assets that can be acquired on the basis of biobanks.

The prohibition against commercial exploitation of research participants, human biological material and health information should be assessed on the basis of the need for development of methods and if there is a trade relationship between the public health service and private actors. A central question for states is who should own and dispose of biological material obtained over several generations. Biobanks built up in public health services could be perceived as common property that should be used for the common good to develop new knowledge and new methods. Ownership and intellectual property may be a more important starting point for discussions on intellectual property rights when algorithms and costly treatment methods are developed based on biological material.

Subjects for regulation in the relevant laws are research participants and patients, researchers, health personnel and healthcare companies. The Patients’ and User Rights Act (PRA)Footnote 29 regulates them as rights subjects, and the HPA and the Hospital Act (HA)Footnote 30 regulate them as duty subjects.

The HRA requires a designated person to be in charge of the research, who must ensure that competent personnel and satisfactory equipment are available and that the research is carried out under safe conditions.Footnote 31 The person shall also ensure that the applicable regulations are followed and that the research process is cancelled immediately if the interests of the research participant so indicate. The Act also requires an ethics committee to pre-evaluate research projects and ensure compliance with the regulations for research and privacy, as well as the international obligations regarding the position of subjects. The committee’s view on whether the research project is ethically acceptable or not must be substantiated.

3 Individual Rights and Safeguards

3.1 Article 89 and the Right to Information

The legislation shall be carried out in accordance with fundamental privacy considerations that include the basic principles of respect for human dignity and for human autonomy and equality norms. The health legislation is based on three key principles for health research and storage of biological material and data in healthcare: principles of justification, of confidentiality and of autonomy. The confidentiality principle applies also after the death of persons. Research on biological material taken from a deceased person is correspondingly subject to the provisions in the Transplantation Act (TA) and Autopsy Act (AA), relating to transplantation, hospital autopsies and the donation of bodies etc. and regulations issued pursuant to this Act.Footnote 32

The ban on processing sensitive personal information is not applicable when processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1), based on Union or Member State law.Footnote 33 Such a law must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.Footnote 34

The Norwegian legislation—in accordance with GDPR Article 89 (2)—explicitly derogates from the rights of the data subjects laid down in GDPR Articles 15, 16, 18 and 21. These exemptions are considered by the authorities to be in accordance with the regulation. It is specified in the narrative, including Recital 65, that further retention of the personal data ‘should be lawful where it is necessary’ for the performance of a task carried out in the public interest, on the grounds of public interest in the area of public health, for archiving ‘scientific or historical research purposes’.

In the national consultation round, research environments emphasised the need for several exceptions. Where the aforementioned provisions of Article 9 (2) require a ‘basis’ for the processing or that the processing is ‘permitted’, they may, in their wording, hardly be expected to make an unconditional claim that there must always be a completely explicit and specific legal basis. In connection with the implementation of the GDPR, it was stated that it does not provide a clear answer as to how clear or specific the national provisions that allow the processing of particular categories of personal data must be.Footnote 35

In connection with the implementation of GDPR, disagreement on Article 89 was uncovered. The Norwegian Center for Research Data stated that an exception from the right to data portability is also necessary when processing for statistical purposes.Footnote 36 They also stated that exemptions from the duty to notify pursuant to Article 19 of the Regulation should be made for processing for research and statistics purposes. GDPR Article 21, which entitles the data subject to object to the processing of personal data when processing is based on Article 6 (1) (e) or (f), may be relevant when processing personal data for scientific or historical research purposes, unless the processing is necessary to perform a task in the public interest. This right has not been included in the Norwegian legislation and will probably be covered by the trade-offs that are made of interests that can offset consent.

HOD points out that Article 89 allows for exemptions from the right to object under Article 21 for research purposes.Footnote 37 A separate provision in national legislation was therefore not proposed or adopted. On the other hand, exceptions to the right of access were adopted for research purposes on the basis of Article 23 (1) (e) and Article 89 (2) and (3) of the Regulation, and these are crucial for the data subject. If research participants should be able to claim their personal information, this will be at the expense of legitimacy and ethics in research. It is important to ensure that research data does not, through the data subject’s right to data portability, become subject to trade and commercial activities.Footnote 38 Exemptions from the right of access can therefore be made pursuant to Article 15 in the PDA.Footnote 39 The right of access under GDPR Article 15 does not apply to the processing of personal data for archival purposes in the public interest, purposes related to scientific or historical research or statistical purposes in accordance with GDPR Article 89 (1) as far as: (a) it will require disproportionate efforts to provide access or (b) access rights are likely to make it impossible or severely prevent the achievement of the objectives of the processing. The third paragraph is further formulated as an exception instead of a condition, but this is not intended to have any significance to the scope of the article.

The HREG gave the data subject the right to require the erasure of ‘bothersome information’, as a result of interest shown in it.Footnote 40 The HREG gives the data subject a right to delete or block health information that has already been processed if processing of the information ‘feels strongly distressing for the data subject’ and there are no ‘strong general considerations’ that indicate that the information is being processed.Footnote 41 This form of balancing of interests exists in several laws and is also reflected in the GDPR and in human rights conventions.Footnote 42 The general provision on limitations with regard to rectification and deletion in the PDA will also apply to health information in research.Footnote 43

Pursuant to the HPA and the PRA, there are limitations on access to data that have been stored in connection with healthcare. This narrow access must be seen in the light of the fact that data storage is based on a statutory requirement and that the information may be excluded from the person’s right of access or insight into information.Footnote 44 The local health authority (Fylkesmannen) decides on the question of erasure.

3.2 Consent

Consent is not required for the use of anonymised human biological material and anonymous data. Anonymous data is nevertheless covered by the standard of care in research and medical care. In Norwegian legislation there are different forms of consent when researching personal data and biological material: expressed consent, broad consent in HRA sections 13 and 14, explicit and silent consent. The consent scheme has many limitations in Norwegian health legislation—these are discussed in more detail in my doctoral thesis.Footnote 45

In Norway, biological material from large parts of the population is stored without consent, and it varies widely how much the donor knows about the purpose of storing and processing the material. Storage of biological material in treatment biobanks is not based on independent and explicit consent.Footnote 46 Most of the population has biological material stored in treatment biobanks without having explicitly consented to storage. There is no general right to information, but if the material is going to be used in a different manner than originally planned then informed consent must be obtained.

All newborns are screened for different genetic diseases and the material is stored in a separate biobank.Footnote 47 Parents can refuse screening, but few do so. This material can be used for ‘method development’ without consent. The scope of this activity is not further defined. This can open up the potential for the wide use of the material. With the new newborn database in the health service, biological material from all inhabitants of the country will be stored. However, with regard to the further use of tissue samples stored in clinical biobanks for research purposes, patients’ right to self-determination may be better protected. In comparison, patients are not entitled to receive individual information about storage and further use of tissue samples. Each individual research participant must be able to give his or her consent to participate in research and has the right to receive the necessary information. An important exception to this requirement is access to research on biological material and health data without consent.Footnote 48 The HREG allows use of data obtained in the health service without the consent of the patient.Footnote 49

The main rule in HRA section 13 is that research on people must be based on a voluntary, informed and specified consent. The information must be sufficient for the person to understand the consequences of receiving healthcare or to participate in research.Footnote 50 It is possible to conduct research on material saved in treatment biobanks or personal data if the REC approves it.Footnote 51

The HRA section 14 allows ‘broad-based consent’ on certain conditions for research on human biological material and personal health data but not on research involving humans. The broad consent must define the research purposes for use of biological material and personal health data and a REC may specify conditions for use of broad consent and may order the project manager to obtain new consent if the committee deems it necessary.Footnote 52 A REC may approve new or changed use of previously collected human biological material or personal health data without new consent being obtained if it is difficult to obtain new consent and the research in question is of significant interest to society.Footnote 53 This may only be approved if the participants’ welfare and integrity are ensured. Participants who have given broad consent are entitled to receive information about the project at regular intervals.

Consent to take part in a research project may be withdrawn at any time with some exceptions.Footnote 54 The ability to withdraw consent does not apply to what is necessary for the researcher to fulfil his obligations, for example, to publish research results.Footnote 55 It is an obligation to have openness in research and to publish research results. Participants must receive information about this as the basis for consent. At the same time, the identity of participants must be adequately protected. A person who has withdrawn their consent may demand the destruction of their biological material and the erasure of the personal health data within 30 days.Footnote 56 The right to demand destruction, erasure or surrender of biological material or health data pursuant to the second paragraph does not apply if the material or data have been anonymised, or if the material has been processed and is now part of another biological product, or if the data have already been included in completed analyses. RECs may allow continued research on the material and defer destruction and erasure until the research project has been completed when particularly strong social or research considerations so warrant.

The law stipulates that the biological material must be stored in some situations, e.g. when the information is anonymised, when the material or processing is part of another biological product, and when the material is already included in a scientific work.Footnote 57 The right to destruction can be limited due to the same reasons. This means that there are several exceptions to the main rule of consent when researching biological material and health data provided they are proportionate.Footnote 58 This may only be applied if the research in question is of significant interest to society and the participants’ welfare and integrity is ensured. The prior approval from REC may replace individual consent after a specific consideration and REC may specify conditions for use. The patient must have been informed in advance that human biological material may be used for research and must have been given the opportunity to refuse to be involved in research on human biological material. In my doctoral thesis I assess whether biological material can be used for genome sequencing under this provision.Footnote 59 Extensive mapping of the human genome is understood as analyses that provide detailed information on large portions of the human genome of individuals whereby large volumes of information are typically generated. In the mentioned mother-child survey, the genetics of a large number of children, mothers and fathers were mapped without the affected persons being made aware of the mapping and without explicit consent. I argue that the Norwegian law was interpreted incorrectly in this case. It is assumed that the requirement for consent for invasive research in the UN Convention on Civil and Political Rights Article 7 represents a legal barrier to mapping the genetics. Public interest cannot justify interventions such as genetic mapping in normal circumstances. It can also be considered disproportionate when the patient does not benefit from the procedure or consent. 
At the same time, there is an argument that the law should be reassessed based on the possibilities that may arise from new technology and the GDPR.

The PDA has several general exceptions to the requirement for information and allows processing of personal data and health data for research without consent.Footnote 60 The GDPR art. 89 has an exemption for the rights of registered persons, including medical research, if it is ‘in the public interest’ (Recital 51) when the processing is proportionate.

These provisions refer to the purposes set out in GDPR Article 89 and require that it is for the benefit of society and that it is necessary for archiving which is in the public interest for scientific or historical research purposes or statistical purposes. Article 89 can be perceived as a proportionality provision that balances interests through formulations that reasonably relate to the objective sought, are consistent with the fundamental content of the right to the protection of personal data and take appropriate and specific action to safeguard the data subject’s interests. This includes assessments of what is ‘necessary’, ‘proportionate’ and what constitutes ‘due care’ when using biological material and personal data. However, the further retention of the personal data should be considered lawful when it is necessary on the grounds of public interest in the area of public health, for archiving purposes in the public interest, or for scientific or historical research purposes.

A specific question is whether the research subjects that have consented to participating in research can refuse the publishing of research results from research that is based on the interests of society. In the preparatory work for the PDA, there is disagreement on what is sufficient security in accordance with art. 89 when there are strong public interests. A central question is whether there is sufficient pseudonymization when there is public interest. Emphasis shall be placed on whether access will ‘make it impossible or substantially impede its own safeguarding of statutory duties’ regarding the storing and handling of the material.Footnote 61

The primary purpose of the measures or guarantees is to ensure that the processing is in line with the basic principles of the processing of personal data, taking into account the sensitivity of the information, the purpose of the processing, the risk of the processing, etc. Hence the guarantees or measures may vary considerably.

3.3 Confidentiality Protection

Confidentiality protection is governed by several laws and includes persons in healthcare facilities who process personal data as well as health researchers.Footnote 62 Irrespective of consent and confidentiality, personal data stored in the health service can be shared for research, health analyses, quality assurance, administration, planning or management of the healthcare service.Footnote 63 However, this is limited in scope. The definition of ‘health information’ in GDPR Article 4 (15) has been incorporated into the health laws and is no longer linked to the scope of confidentiality as in previous legislation. One consequence of this change is that biological material and raw data may be covered by the duty of confidentiality but not by the definition of health information.Footnote 64 In the preparations for the incorporation of the GDPR, it is pointed out that statutory exemptions from the duty of confidentiality imposed on researchers and health personnel will be a legal basis for processing personal data. This also includes exceptions to the duty of confidentiality and has an impact on who can make decisions about sharing data.

The Norwegian confidentiality protection can constitute a source protection that includes biological material.Footnote 65 It covers both personal data and the use of biological material as the source of information, and can include protection of deceased persons who cannot consent. As the GDPR refers to the European Convention on Human Rights, it can be argued that the GDPR also entails a confidentiality protection of biological material.Footnote 66

The degree of personal identification for health information should not be greater than is necessary to achieve the objectives. Pseudonymisation is a valuable tool to reduce the risk of data processing. Names, personal identification numbers and other identifiers are obscured by replacing them with a particular key, such as a number code, which is kept separately from the information. This will reduce the risk of re-identification and may give greater freedom in the use of the information. This method is not as useful for data that can be identifiable in itself, such as genetic data.
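The pseudonymisation step described above, and its limit for data that is identifying in itself, can be illustrated with a short added example that is not part of the original article. All records, field names, marker labels and function names are constructed for illustration.

```python
import secrets

DIRECT_IDENTIFIERS = ("name", "national_id")

# Constructed sample records; no real persons, numbers or genetic markers.
SOURCE = [
    {"name": "Person A", "national_id": "00000000001",
     "diagnosis": "I10", "genotype": "rs0001:AG|rs0002:TT|rs0003:CC"},
    {"name": "Person B", "national_id": "00000000002",
     "diagnosis": "E11", "genotype": "rs0001:GG|rs0002:CT|rs0003:CC"},
]

# Constructed stand-in for a dataset held outside the research project.
EXTERNAL = [{"name": "Person B", "genotype": "rs0001:GG|rs0002:CT|rs0003:CC"}]


def pseudonymise(records):
    """Split records into a coded research set and a separately held key table."""
    research, key_table = [], {}
    for rec in records:
        code = f"{secrets.randbelow(10**8):08d}"   # random number code
        while code in key_table:                   # re-draw on a collision
            code = f"{secrets.randbelow(10**8):08d}"
        key_table[code] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        coded = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        research.append({"code": code, **coded})
    return research, key_table


def re_identify(code, key_table):
    """Only the holder of the key table can map a code back to a person."""
    return key_table[code]


def residual_links(research, external, field):
    """Return codes whose retained `field` value also occurs in an outside dataset.

    A non-empty result means the record can be attributed to a person
    without the key table, i.e. the field is identifying in itself.
    """
    known = {row[field]: row["name"] for row in external if field in row}
    return {r["code"]: known[r[field]] for r in research if r.get(field) in known}


if __name__ == "__main__":
    research, key_table = pseudonymise(SOURCE)
    print(research)                                   # coded data, no names
    print(residual_links(research, EXTERNAL, "genotype"))
```

Running the check on the retained fields before release shows which attributes still need safeguards beyond the separately stored key.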

3.4 Purpose Limitation

The right to correction and the limitation of processing in GDPR Articles 16 and 18 do not apply to the same purposes under GDPR Article 89 (1) as far as the rights are likely to make it impossible or seriously impair the achievement of the objectives of the processing. However, these exceptions do not apply if the processing has legal effects or direct actual effects on the data subject. PDA section 17(2) makes exceptions in the right to rectification (GDPR Article 16) and the right to restriction of processing (GDPR Article 18).

The legislator argues that there is no need for further exceptions at this stage. According to HRA section 36, the data subject may require rectification and erasure according to GDPR Articles 16 and 17, unless this exception is applicable.Footnote 67 If the necessary data are already available (i.e. have been obtained from individuals), they can be used for further research purposes regardless of what purposes they were initially obtained for. Even where data are initially obtained based on informed consent for specific purposes, they can be used for (different) research later on, irrespective of the storage and purpose limitations (Articles 5 (1) (b) and (e)).

In 2006, the Norwegian Supreme Court decided on the disclosure of material to identify a possible deceased participant in connection with a serious robbery where a police officer was killed.Footnote 68 The conclusion was that the police could not receive the biological material from the hospital as there was neither consent nor weighty interests present. In a case from 2014, the Supreme Court granted permission for the use of biological material to determine paternity.Footnote 69 The right to know one’s father was crucial in this judgment.Footnote 70 There is no deadline for a child to raise a case, as is the case for parents. The information is not in itself sufficient to change paternity, but can be a basis for the child to require the question of paternity settled by the courts. DNA information is crucial for determining paternity.

However, in another case the court reached the opposite conclusion. Biological traces on a bag of drugs found on a patient could not be delivered from the hospital to the police as this would constitute a breach of the duty of confidentiality.Footnote 71 We find a similar approach in a judgment of the European Court of Human Rights. In the Grand Chamber case S and Marper v. UK, Article 8 was argued to include protection of cell samples (sections 68 to 72). The ECHR concluded that biological materials were stored in an inappropriate way. The Court pointed to some of the fundamental challenges that arise when storing genetic information, amongst them that storing of data must safeguard the protection of privacy: ‘The mere storing of data relating to the private life of an individual amounts to an interference within the meaning of Article 8’ (section 67). Each case must also be considered with regard to its specific context. The Court also emphasised that the emergence of new technology makes storing of genetic data riskier than what we can foresee at this point in time (section 71).

Biobanks and the comprehensive national registers with personally identifiable information are used for very different purposes. Questions can be raised as to whether national registers are contrary to purpose limitations. In Norway, emphasis has been placed on establishing ‘platforms’ for compiling biobanks and health registers, and for broad access to health research. Patients are often not aware that their data is being transferred from hospitals to the national registers. Even though new medical knowledge may be of public interest, the use of information must satisfy the balance between individual and public interest, as expressed in the HREG (‘pressing social need’ (section 8)). It might exclude commercial research that has no evidence of benefit sharing or of addressing issues of public importance.

A REC must approve the establishment of research biobanks. A biobank can be established without being connected to a specific research project, and material collected for specific research may be transferred to a biobank after the project is carried out.Footnote 72 The sharing of biological material from a research biobank with other countries requires consent and prior approval from the REC.Footnote 73 The HRA stipulates that human biological material from research biobanks may not be released for insurance-related purposes, to an employer, a prosecuting authority or a court. This applies even if the person from whom the material stems gives consent to its release. The intention is to prevent persons in vulnerable positions from feeling pressured into disclosing sensitive information about their own health.

Transmission of data from the medical records to national health registers can take place without consent when it is stipulated in HREG sections 8 and 11.Footnote 74 The provision applies only to the disclosure of information from statutory registers pursuant to the HREG section 11. It is uncertain whether this automated transfer of patient data to health registers is consistent with the GDPR’s purpose limits.Footnote 75 In the HRA there are limitations in section 38, which prohibits the storage of data beyond the time necessary for carrying out the research project. There is no corresponding restriction on storage time when it comes to biological material, but it is required that material be stored and handled properly with respect for the donor of the material.Footnote 76 Health information in the health service must be relevant and necessary to maintain storage.Footnote 77

4 Law in Context: Individual Rights and Public Interest

After the implementation of the GDPR, processing of health personal data for research purposes should be limited to the legal grounds therein. Public interest requires biological material and health data to be shared without consent and that the research is transparent and verifiable.Footnote 78 With regard to research on biological material, the considerations of self-determination and integrity apply in a somewhat different manner, most particularly in the form of a need for protection and right of control of sensitive information, i.e. privacy. In Norway, there are currently discussions on how data protection is weighed against the opportunities for research and medical treatment. Sharing of biological material and health data may increase patient safety, for example, through increased knowledge of medical methods. The proportionality assessment implies that this value must be weighed against the risk of data processing, such as sharing data through systems that are not sufficiently secure.Footnote 79 For several of the areas of application, it is required that the information is of significant interest to society and that the patient’s integrity and welfare are sufficiently safeguarded, i.e. by ensuring that the degree of personal identification is not greater than is necessary for the purpose in question. This proportionality assessment requires routine checks to assess whether it is necessary to use personal data. The GDPR’s principles are applicable and will be important in the trade-offs that need to be made.

Approval from the REC was previously considered a necessary and adequate legal ground for processing of health personal data for research purposes. With the implementation of the GDPR, the Norwegian Ministry of Health has assumed that the pre-approval from the REC is no longer sufficient when processing data in research.Footnote 80 The research activity that has previously based the processing of data on a concession must self-assess whether there is an adequate basis for processing. This has created uncertainty about who will make final decisions about research that includes data.

The HRA reflects the need for more nuanced requirements for consent depending on whether the research concerns individuals, human biological material or personal data derived from such material. In Norway the focus is on what can be perceived as a legal and correct balance between requirements for safety when biological material and personal data are used, and on who will make decisions about data sharing, which is a matter of statutory authority, competence and legal responsibility.

Firstly, little emphasis is placed on the need for confidentiality protection to vary—even within the categories in GDPR art. 9. Genetic data can range from being insensitive to being very sensitive and meaningful to more people than the one who has given consent.

Secondly, a great deal of emphasis has been placed on consent, which may have an impact on the opportunities for implementing research results that have been initiated and in connection with the obligation to publish research results, including with a view to verification.

Thirdly, questions have arisen as to who should take data processing decisions. The disagreement concerns who should take decisions, and the relationship between the data controller, the research manager, the privacy officer and the supervision of health research and the processing of personal data. The research manager according to the law (HRA) is an institution or a legal or natural person who has the overall responsibility for the research project and who has the necessary prerequisites to fulfil the research manager’s duties under the HRA section 4 e.

It may be the same legal entity as the data controller but not necessarily. Health personnel have legal responsibility for medical treatment and research, for example, due diligence, documentation and verifiability. When conducting research on health services, the hospital’s management is responsible both for ensuring that the research is sound and that the healthcare provided is up to certain standards. Through these regulations, correlations are created between the health service’s duties, the healthcare personnel’s duties and the rights of the patient, the subject and the data subject.Footnote 81 Finally, a controversial issue in Norway is what role the DPO has in relation to decisions made by health personnel and hospital management.

When implementing GDPR Article 89, it was emphasised that the DPO should assess whether data can be processed in research. In health and research organizations the management has delegated decision-making authority to DPOs, despite the fact that they have no legal responsibility, and that many decisions about sharing personal data require medical assessments. At Oslo University Hospital, the largest hospital in Norway (and across all Nordic countries), 32 researchers have spoken out against how the DPO acts in assessments of research projects.Footnote 82 In this context, it was pointed out that research projects of great value to the population have been halted by the DPO, who has been given wide authority from the data controller. This petition was formulated as a warning and was sent to the Board of Health. Previously, examples were given that the DPO had also stopped data sharing in connection with medical treatment, beyond their advisory role and their competence to advise.Footnote 83 This has created conflicts and public debate.Footnote 84 Discussions in the media may indicate that this has led to variations in practice, some of which are far stricter than before the implementation of the GDPR. The question is which qualifications are required to strike the necessary balance. Insight into different aspects of data processing may be necessary to prevent any consideration from being over-emphasised at the expense of other considerations, e.g. that the data processing is too restrictive at the expense of opportunities for safeguarding patient safety and proper research. In order to achieve the balance between considerations discussed in the GDPR, it is assumed in many questions that competence is to be considered for research and academic issues.

One conclusion will be that the adoption of the GDPR has led to various interpretations of national law and how to implement it, and informal effects, that is, effects beyond what can be justified by law. This means that the actual effects of the GDPR have been greater than the legal ones.

A fundamental interest may be the opportunities for providing effective healthcare based on medical knowledge gained through the sharing of biobank material when data are the key ingredients of new medical knowledge. The ability to share data is a competitive parameter whose relevance will continue to increase with machine learning and artificial intelligence. It is challenging to develop legislation that allows use of materials and sufficient protection in all different types of research as they entail different issues. Where it is not possible to provide detailed rules on such conditions, for example, because the rules cover many different categories of treatment, it becomes necessary to establish more general rules. If the purpose of application is wide, it will be difficult to establish guarantees. An alternative is to determine mechanisms or procedures that the treatment manager should follow. Pre-approval by the supervisory authority is an example of such a mechanism.

5 Conclusions

Different interpretations of GDPR Article 89 have led to uncertainty about the legal basis for research and data sharing. A biobank contains both biological material and data, and questions arise as to whether the regulation should be the same. One argument for similar national legislation is that biological material represents a higher risk of violations due to new technology. The evolution of technology has made it possible for hospitals, companies and research institutions to collect, store and use biological material and large amounts of data from biological material. With the aid of technological methods, it can be difficult to distinguish between the protection of human biological material and data because biological material can be traced back to individuals and provide a lot of information about those individuals. This makes it even more necessary to develop new rules and arrangements for consent.Footnote 85 The indirect consent form (see Sect. 3.2) for storing biological material in the health service may be too weak to meet the requirements of the GDPR. Indirect consent means that there is no explicit consent related to the actual storage of biological material, and that the general consent to health care is used as a legal basis.

The storage of biological material should therefore rest on an independent legal basis. At the same time, the emphasis on consent regarding the preparation and publication of research could weaken the opportunities for sharing medical knowledge. As mentioned above, this is discussed in Norway on the basis of GDPR Article 89.

There are also discussions on when the individual protection of biological material occurs and whether this protection can be an obstacle to developing new medical knowledge. This applies in particular to research on human genetics and genetic variants. It may be crucial to use data and biological materials in order to achieve an appropriate management of biobanks and personal data that can be derived from such banks. This can be justified by the fact that medical assessments, research ethical assessments and legal assessments are required. The Norwegian Board of Health Supervision supervises the research to ensure that it is in accordance with legal requirements and this includes biological material.

Cooperation between the Norwegian Data Protection Authority, ethical committees (REC) and health authorities may be essential in order to provide guidance and to make decisions regarding supervision and pre-approval (REC), when the question involves considerations of interest under the GDPR and the legislation.

The Ministry of Health and Care Services (HOD) has prepared a circular that addresses some of the challenges with GDPR and Norwegian legislation, and points out how standards for research can be developed with reference to GDPR.Footnote 86 Furthermore, it recommended that a Code of Conduct for Health Research should be developed for biobank research. In this guide, it was recommended that the health authorities should be involved in issues concerning the processing of personal data in research. Apart from this, no new regulations have been proposed.

In any case, a code of conduct must be based on an understanding of what the duties and rights are under the GDPR and national law. This is hardly sufficient given that the law does not provide a sufficient basis for processing data. Norway should instead adopt new legislation that can complement the GDPR to create greater clarity when it comes to processing biobank material/data for research purposes.

New technology provides new opportunities to build up medical knowledge but also comes with new challenges, including privacy breach risks. The freedom of both the people and the country depends to a large extent on how the comprehensive data is processed: on the one hand, to achieve the necessary security and to maintain democracy and openness about what influences governance, and on the other hand, to utilize knowledge. New questions arise about public organizations and commercial use of data.