1 Introduction

The General Data Protection Regulation (GDPR) seeks to strengthen the protection of personal data and it makes explicit provision for certain personal rights for data subjects: the right to information (Articles 13 & 14), the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to data portability (Article 20), the right to object (Article 21) and the right regarding automated individual decision-making (Article 22). The rights are intended to enhance the autonomy and control that a data subject has over the processing of their personal data, and as such, could control and limit the use of a data subject’s personal data.

Biobanks are repositories that store large quantities of biological samples and data. The data may be in the form of information that a data subject may have given the biobank themselves, or it may be data that is derived from a biological sample. In the processing of this data, biobanks will now need to consider and uphold the individual rights under the GDPR. Biobanks are often involved in collaborative research projects requiring the transfer of data across borders, but differing legal rules can slow down and hinder cross-border transfer. In response, there have been calls for a harmonisation of rules at an international level[1] or development of a global governance of biobanks that is based on key principles and norms.[2] As such, the GDPR should be welcomed as it seeks to harmonise data protection legislation across the EU, while also facilitating the free movement of personal data across Member States (Article 1). On the face of it, a regulation that promotes the sharing of data and harmonisation of legislation in this realm should support collaborative transnational research.

These individual rights can however be derogated either directly by the biobank or through Member State derogations under Article 89 if the data is to be used for scientific research, potentially negating the rights of data subjects. Thus, when biobanks are processing data for research purposes they may not have to follow the rights of data subjects where to do so would impair research. The exact scope of these rights will depend on derogations that may be invoked either directly by biobanks, or through Member State derogations. These derogations will be examined in Chapter ‘Safeguards and derogations relating to processing for scientific purposes: Article 89 analysis for biobank research’ by Anne-Marie Duguet and Jean Herveg. This chapter will consider the individual rights of data subjects provided by the GDPR. Each right will be discussed in turn and the possible impact that they may have on biobanks.

2 Individual Rights and the Impact on Biobank Research

2.1 The Right to Be Informed

The importance of public trust in biobanks has been well documented[3] and inherent in this trust is transparency in the use and re-use of personal data. The right to information contained in Article 13 (information to be provided when personal data is collected from the data subject) and Article 14 (information to be provided when data has not been obtained directly from the research subject) strengthens the principle of transparency.

Article 13(1) and Article 14(1) detail certain information that must be provided to the data subject when their data is collected. The data subject must be provided with information about the data controller, a data protection officer if applicable, the purpose of the research and its legal basis, the legitimate interests if processing is based on Article 6(1)(f), the recipients of the data, if it is intended to transfer the data to a third country, and the safeguards in place to protect their data in that country. In addition to this, under Article 13(2) and Article 14(2) a data subject must also be told about the duration of the storage of data, criteria to determine duration if it is not known, the right to withdraw if consent is the lawful basis of processing, and the right to lodge a complaint with a supervisory authority. Similarly, under Article 13(3) and Article 14(4), if a data controller intends to process the personal data for research that was not intended at the time of data collection, the foregoing information must be provided to the data subject prior to the further processing of that data.

Thus, irrespective of whether a biobank itself collects data from a data subject or obtains data through other means (e.g. from residual samples or from another biobank), it must provide the data subject with the foregoing information. The difference is that this information must be provided at the time of collection if the biobank itself collects the data, or within 1 month if it obtains the data through other means (Article 14(3)). If a biobank intends to use personal data for research that was not envisaged at the point of data collection, they must inform the data subject in advance of the research if no exception applies.

It is important to note that the right in Articles 13 & 14 is for information purposes only. For ease of compliance with Articles 13 & 14, consent forms should detail the information outlined in Article 13(1)&(2) and Article 14(1)&(2) (where consent is the lawful basis of processing), but the right to information should not be confused with informed consent. The right to information does require biobanks to envisage at the outset who it may collaborate and share the data with, as well as the possible duration of the research.

Articles 13 and 14 do provide for instances when the right to information does not apply. Under Article 13, the right to information does not apply when ‘the data subject already has the information’ (Article 13(4)). The exceptions under Article 14 are wider and are particularly pertinent for research: where the provision of information would prove impossible for research purposes; where it would constitute a disproportionate effort, in particular for research; where provision of the information would seriously impair or make the objectives of the processing (i.e. the research) impossible (Article 14(5)(b)).

If a biobank seeks to rely on the exemption under the impossibility scenario, they would have to clearly demonstrate that the research would be impossible. This could apply if individual data subjects are uncontactable, but it is unclear whether a lack of contact information is sufficient on its own as a basis to rely on impossibility, or whether reasonable efforts should be made to contact data subjects. In any case, such an exemption would apply on a case-by-case basis and would be burdensome. It is thus more likely that any exemption to the right to information for biobanks would fall under grounds of disproportionate effort under Article 14(5)(b).

In determining what could constitute a ‘disproportionate effort’, Recital 62 states that the number of data sets, the age of the data, and any appropriate safeguards should be taken into consideration. Biobanks will generally have very large data sets; thus, provided there are appropriate safeguards in place under Article 89(1),[4] biobanks could be granted an exemption to the right to information when they have not collected the data under Article 14(5)(b). To rely on this exemption, biobanks should conduct a data protection impact assessment (DPIA) to balance the effort of informing data subjects with the risks to the research, and this should be documented.[5] This DPIA should be carried out before relying on this exemption and following Article 35(7), the assessment should include a systematic description of the envisaged processing operations and the purposes of the processing, including where applicable, the legitimate interest pursued by the controller; an assessment of the necessity and proportionality of the processing operations in relation to the purposes; an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.[6]

The right to information does seem to be potentially limited in the context of research under Article 14(5)(b) when data was not collected from the data subject. As will be discussed in the following sections, the exercise of other rights is contingent on data subjects being aware of the processing of their personal data, thus the right to information is important in the exercise of their other rights and any limits on the right to information could impact other rights. However, Article 13(1)(e) requires data subjects to be informed about ‘the recipients or categories of recipients of the personal data’. A narrow interpretation of this provision would require biobanks to simply inform data subjects about those with whom the biobank itself shared data. On the other hand, when one considers the importance of transparency in the processing of personal data, it could be suggested that biobanks have an obligation to inform data subjects about all those with whom the data has been shared, irrespective of whether they shared the data themselves. In reality, this would likely constitute an undue burden on biobanks, particularly when one considers the importance of research in the GDPR. The principle of accountability most likely requires a biobank to be transparent in its own processing of personal information. Thus, under Article 13(1)(e) a biobank will likely only be obliged to inform a data subject about any third party with whom it has shared personal data. Biobanks must thus ensure that they have systems or a register in place that documents all data transfers.

2.2 The Right of Access

In a further effort to promote transparency, Article 15 provides the data subject with the right to access information about their personal data, including confirmation as to whether a data controller is processing their personal data and the purpose; other recipients of their personal data, including to third countries (and the safeguards in place); where the data controller obtained the data when the data was not collected from the data subject; and the expected storage period or the criteria to determine the storage period. Under this right, data subjects can access information regarding the research projects that their data is used in, and other biobanks or researchers with whom the data may have been shared.

A data subject is unlikely to be able to exercise their right of access without knowledge that the data controller was processing their data. The right of access is thus dependent upon the right to information and it would be unlikely that a data subject would be in a position to exercise their right to access if a biobank invoked an Article 14(5) exception.

Importantly for research, Article 15(3) provides that the data subject has a right to access a copy of their personal data that is being processed. This can include genetic data, results of particular tests, and results of research and may include information about genetic mutations, conditions that may be inherited and passed onto their children, and conditions that the data subject may be predisposed or susceptible to. To fulfil their obligations under the GDPR, a biobank will be required to provide the data subject with the raw data, but not an interpretation of that genetic data. Meeting this requirement may be tricky considering the wider evolving debate on communication of incidental findings.[7] A right to access thus does not equate to a right to feedback of findings, if requested, but biobanks are now legally required to provide data subjects with access to their data which can include raw genetic data. Direct to consumer (DTC) genetic testing companies have faced criticisms for making raw genetic data available to their consumers. DTC companies do generally include a disclaimer that the information has not been validated for accuracy, nor do they provide an interpretation of the data, but the risks of possible inaccuracy and false positives have been highlighted.[8] Biobanks will now be in a similar position whereby they may be legally required to return raw genetic data if requested, without any obligation to interpret that data. Thus arguably biobanks can no longer have a ‘no returns’ policy, but in returning such data, they must make it clear that they have not interpreted the data and any such interpretation should be done by a trained genetic counsellor.

2.3 The Right to Rectification

The right to rectification provides the data subject with the right to have inaccurate personal data corrected and incomplete data to be completed. This rectification must then be communicated to any other recipient who has received the data, unless it involves a disproportionate effort (Article 19). This right is linked with the principle of transparency under Article 5(1)(d) that requires that personal data be accurate, kept up to date and every ‘reasonable step’ be taken to rectify any inaccuracy.

Genetic and genomic research is rapidly evolving, but genome sequencing and genetic testing may lead to results that are of uncertain significance or relevance and this uncertainty is inherent in genomic research. Uncertainty does not equate to inaccuracies, and biobanks will only be required to update any inaccurate information. This rectification must be communicated to any third party that has been provided with the data. Similar to Article 15, a data subject will likely only be in a position to exercise that right if they have been informed that their data is being processed. However, unlike Article 15, this obligation to notify third parties can be limited if it would prove to be impossible or require a ‘disproportionate effort’. Assessments of ‘disproportionate effort’ will need to be carried out and determined on a case-by-case basis, and should be recorded in the interests of transparency. Rectification of data that has formed part of research results that is published will most likely be considered disproportionate, if not impossible.

2.4 The Right to Erasure

Article 17(a)–(f) describes when the right to erasure (more commonly known as the right to be forgotten) may be invoked, but in the context of biobanks, the right to erasure is most likely to be invoked under Article 17(a)–(c), namely that the personal data is no longer required for the purposes for which it was obtained (Article 17(a)), the data subject withdraws consent where consent is the lawful basis for processing (Article 17(b)), and the data subject objects to the processing under Article 21(1) (discussed below) when public interest or legitimate interest is the lawful basis of processing (Article 17(c)). Thus, data subjects can invoke a right to erasure when the research has been completed, they withdraw their consent (where consent was the lawful basis of processing), or they object to the public interest or legitimate interests as the basis for the use of their research. Data subjects have the right to request the erasure of their personal data from all data controllers that are processing their data under Article 17(2). Biobanks thus must communicate this request for erasure to those with whom they have shared the data.

Upon receipt of a request for erasure, a biobank will be required to erase all personal data that they have about that data subject and, as discussed, inform all other subsequent data controllers about this request. The data must then be removed from ongoing research and will not be used in any future research or shared with other data controllers. The erasure of the retrospective use of data is more challenging as the data may have formed part of published results, and such erasure is likely to be challenging in practice if not impossible. As noted by Melham et al ‘past uses of data and samples cannot be undone’.[9]

This right to erasure is, however, limited. First, similar to other rights, invoking the right to erasure pre-supposes that a data subject is aware of the processing of their personal data. As earlier discussed, this is only likely to occur where data was collected from the data subject. Second, Article 19 states that data controllers do not have to communicate to those with whom it has shared personal data a request for erasure if it is impossible or would involve a disproportionate effort. Similar to Article 16, what is considered to be disproportionate will depend on the circumstances of the case and the reasons for any decisions should be recorded. Third, Article 17(3)(c) states that a request for erasure and notification to other controllers processing the data does not have to be complied with if processing is in the public interest in the area of public health under Article 9(2)(h) and (i), subject to Article 9(3). Thus, a biobank can be exempt from a request for erasure if the research is for the purposes of preventive or occupational medicine, to protect against serious cross-border threats to health, or to ensure high standards of quality and safety of health care, medicinal products or medicinal devices.

Finally, Article 17(3)(d) states that a request for erasure does not have to be complied with if the processing is for research purposes, subject to the safeguards in Article 89(1), where fulfilment of the right to erasure would ‘render impossible or seriously impair the achievement of the objectives of that processing’. Thus, subject to Article 89(1) safeguards, a biobank processing personal data for research purposes would not have to comply with a request for erasure.

The right to erasure is significantly limited in the research context. Biobanks that are seeking to be exempt from any request for erasure should conduct an assessment, make a record of its assessment and communicate its decision to the data subject, in the interests of transparency.

2.5 The Right to Restrict Processing

Article 18 gives the data subject the right to restrict the processing of their personal data on a number of grounds: if they are contesting the accuracy of the data; if the processing is unlawful and the data subject opts for restriction of data processing over the erasure of data; if the data is no longer needed for processing but the data subject requires it for a legal purpose; or if the data subject has objected to the processing of data under Article 21(1) (to be discussed below). Although in the biobank context its practical impact may be limited, if the right to restriction is invoked on one of those grounds, the biobank can continue to store the data, but they can no longer process the data. Thus, there will be no obligation on the data controller to remove or erase the data from previously published results. As such, the right to restriction applies to both current and future research.

Similar to Articles 15, 16 and 17, a data subject can only exercise this right if they are aware that their data is being processed for research. Furthermore, it is also limited by Article 19, and therefore the biobank is under no obligation to inform subsequent data controllers about this notice of rectification if it would prove to be impossible or involve a ‘disproportionate effort’.

2.6 The Right to Data Portability

In keeping with the aim of giving data subjects greater control over their personal data, under Article 20, data subjects have the right to data portability. For biobanks, this will mean that data subjects can now move their data from one biobank to another, in circumstances where they have provided the data to the biobank. The biobank must make this data available in a ‘structured, commonly used and machine-readable format’ to another biobank that the data subject may have selected. That transfer can either be carried out by the data subject or they can require the biobank to make that transfer. As the transfer must be made ‘without hindrance from the controller’, there is an obligation to put in place measures to facilitate such a transfer. Interoperable formats are encouraged, but this does not extend to requiring controllers to adopt systems that are technically compatible with other organisations (Recital 68).

This right only applies in circumstances where the following conditions have been met: the data subject has provided the data controller with the data, consent is the lawful basis of processing and the processing is carried out by automated means (Article 20(1)). Thus, if a biobank is processing data for research on any other legal basis, they will not be required to comply with a request under Article 20. Equally, the use of shared data, irrespective of the legal basis of processing, will not be subject to Article 20. This right will have limited applicability in the biobank context as the Art 29 Working Party makes it clear that ‘inferred data and derived data are created by the data controller’. Thus any data derived from a biological sample will not come under the definition ‘provided by the data subject’.[10]

In circumstances where a data subject seeks to enforce their data portability right, exercise of Article 20 does not amount to erasure and is not a withdrawal of consent. Rather, it is a transfer of data only and the Article 29 Working Party has made it clear that the data controller can continue to process the data after a transfer has been made.[11] This means that under Article 20, biobanks will be required to transfer the data if requested, but can continue to use the data in current and future research. The biobank to which the data subject originally gave and consented to the use of their personal data in research can continue to use that data after Article 20 has been invoked.

2.7 The Right to Object

Article 21 provides data subjects with the right to object to the processing of their data if the lawful basis of processing is either public interest (Article 6(1)(e)) or legitimate interests (Article 6(1)(f)). Thus, if a biobank is relying on either of these claims as the lawful basis of processing, a data subject can object to the use of their data in the research. The impact of the right to object for a biobank is that it can no longer use that data for research purposes, but does not amount to an erasure of data.

In practice, the exercise of this right could be limited for biobank research. Similar to Articles 15–18, exercise of this right will only be possible where the data subject is aware that their data is used for research. In circumstances where the data subject is aware of such use, Article 21(1) states that the data controller can continue to process data if they can demonstrate ‘compelling legitimate grounds’ that override the rights of the data subject. Article 21(6) also states that while a data subject can object to processing of data for research purposes under Article 89(1), this right can be derogated from where the processing is in the public interest.

Furthermore, although a data subject does have the right to object to the processing of data for research pursuant to Article 89(1), a data controller can continue to use the data for research purposes if it is necessary ‘for reasons of public interest’. Recital 45 states that health purposes could come within the meaning of ‘public interest’ and Pormeister argues that due to the importance of research in the GDPR, research that benefits society such as genetic research could be a legitimate claim on which to continue processing.[12]

2.8 Rights in Relation to Automated Decision Making and Profiling

Finally, under Article 22, a data subject has the right not to be subject to a decision solely on automated decision making, which includes profiling, if this produces ‘legal effects’ on the data subject, or ‘significantly affects’ them. Profiling is defined in Article 4(4) as ‘any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements’.

Profiling is commonly used in biobank research as samples and data can be classified according to certain characteristics (e.g. age, sex, disease profile). Artificial intelligence can help researchers analyse and sequence DNA much quicker, enabling researchers to interpret and turn it into clinically actionable knowledge.[13] They can predict the odds of an individual developing a disease or how they may respond to a particular drug or therapy. The use of Artificial Intelligence (AI) and machine learning in genomic research is likely to increase as it assists in the analysis of increasingly complex data sets.[14]

A data subject can exercise their right not to be subject to profiling or automated decision-making if it has a legal effect, or if they are similarly affected. Healthcare decisions based on such means would likely come under such a definition. The requirement of the automated decision-making having ‘legal effect’ likely leaves research biobanks outside of the application of this right. Article 22(2) provides for some derogations from this right, including if the data subject consents, or it is authorised by Member State law and subject to safeguards. Such derogations do not apply to the processing of special categories of data (which includes genetic data and data concerning health), unless processing is based on the data subject’s consent (Article 9(2)(a)), or necessary for reasons of substantial public interest that is based on EU or Member State law (Article 9(2)(g)) and subject to suitable safeguards.

The extent to which a biobank may use automated decision making and profiling depends on the activities of the biobank. However, if it intends to use automated decision making and/or profiling for genetic or genomic research, it must have either the express consent of the data subject, or this must be provided for by law and subject to safeguards.

3 Limits on Individual Rights

3.1 Limitations

Despite the promise of greater autonomy for data subjects, the individual rights for data subjects in research are severely limited and potentially unenforceable. The GDPR itself provides for EU and Member State derogations that can limit some rights, but equally important is the limitation not grounded in law whereby a data subject may not be aware of the processing of their data. Thus a Data Protection Officer (DPO) will be unable to enforce the rights on behalf of the data subject.

3.2 Knowledge of the Processing of Data

As discussed, the exercise of many individual rights is contingent on the right to be informed and a data subject’s awareness that their data is being processed for research. Biobanks that collect data from the data subject must inform them about the research under Article 13. However, in circumstances where a biobank did not collect data from the data subject, they do not have to inform the data subject about the processing if it would constitute a disproportionate effort, impair the research, or make the research impossible. If either of these grounds under Article 14(5) are satisfied, a data subject may be unaware of the processing of their data for research and from the foregoing analysis, it is likely to impact upon the exercise of a data subject’s Article 15, 16, 17, 18, and 21 rights. A data subject does have these rights under the GDPR, but the implication of Article 14(5) is that it may not be practically possible to exercise those rights.

3.3 Lawful Derogations

Article 15 (right of access), Article 17 (right to erasure) and Article 21 (right to object) provide that biobanks can be exempted from these rights if processing is for research purposes and exercise of the right would ‘render impossible or seriously impair’ the research. If a biobank seeks to directly invoke this derogation, it can take into consideration the number of data subjects and the age of the data (Recital 62). A biobank should undertake a DPIA and consider whether it has to contact a large number of data subjects, whether it has all relevant and up-to-date contact information, cost implications, as well as the impact it may have on the completion of the research. This is a subjective test that will depend upon the research, and the outcome of this assessment must be recorded. Importantly, it is subject to safeguards as required by Article 89(1) and further discussed in Chapter ‘Safeguards and Derogations Relating to Processing for Scientific Purposes: Article 89 Analysis for Biobank Research’.

Article 89(2) specifically provides that a biobank may derogate from Article 15 (right of access), Article 16 (right to rectification), Article 18 (right to restriction of processing), and Article 21 (right to object) where the processing is for research purposes and these rights are likely ‘to render impossible or seriously impair’ the achievement of the research, and such derogations are provided for by law.

Under Article 89(3), a biobank can derogate from Article 15, Article 16, Article 18, Article 19 (notification obligations), Article 20 (right to data portability) and Article 21, if personal data is being processed for archiving purposes in the public interest. This is contingent on the exercise of those rights likely ‘to render impossible or seriously impair’ the research, and the derogations are provided for by law and subject to safeguards. This would apply to biobanks or permanent archives such as the European Genome-Phenome Archive (EGA) that is archiving data that may in the future be re-analysed, provided it can be demonstrated that the retention is in the public interest. The scope of the research exemption and the appropriate safeguards are considered in Chapter ‘Safeguards and Derogations Relating to Processing for Scientific Purposes: Article 89 Analysis for Biobank Research’, but some points on the impact of the research exemption on individual rights are worth noting here. First, the research exemption severely limits the operation of the specified rights and, depending on the wording of the derogations in Member State law, may leave them completely unenforceable. Second, as it is for individual Member States to determine the derogations and decide on the scope of the appropriate safeguards, the scope of data subjects’ rights will differ across the EU. Data that is initially processed in one jurisdiction may be shared with a data controller in other jurisdictions with weaker protections in place for data subjects. Thus, the rights of data subjects cannot be guaranteed during the consent process (where consent is the lawful basis of processing) and for all secondary use of data the rights of the data subject will vary according to its location. The same data will be subject to different rights and protections, likely resulting in confusion for the data subject (assuming, of course, that they are aware of the use of their data in research) and lacking in transparency. Third, the potentially wide scope of the research exemptions means that the data subject loses almost all rights once their data is in a biobank. If all possible exemptions and derogations were to be invoked, only Article 13 would remain. The individual rights that are intended to give the data subject greater autonomy over the use of their personal data are circumvented by the potentially far-reaching research exemption and it is therefore essential that robust safeguards and protections are in place, as required by Article 89.

Article 19 requires the biobank to notify any biobank or researcher with whom it may have shared data about a communication regarding rectification (Article 16), erasure (Article 17(1)), or restriction (Article 18) of processing. Such a requirement can help ensure that a data subject can fully exercise their rights. Article 19 does, however, provide that a biobank is not obliged to follow this if it would be impossible or involve a disproportionate effort. Again, such a decision will be on a case-by-case basis and any decision must be recorded and communicated to the data subject, but it has the effect of limiting the scope of these rights.

4 Conclusion

The individual rights in the GDPR are intended to give greater autonomy and control over the use of a data subject’s personal data. However, they may be severely limited in the biobank context owing to the limits that may be placed on these rights. These limits may simply be due to the lack of a data subject’s awareness of the processing of their personal data. If a data subject is unaware that their personal data is used in research, it is unlikely that they can exercise their other rights. The GDPR itself also provides for derogations that biobanks may invoke, leaving the data subject with very limited rights. Considering the intention of the GDPR and the importance of public and participant trust in biobanks, the importance of the undefined safeguards in Article 89 cannot be overstated and must provide protection of the fundamental rights of data subjects. The national derogations (considered further by Tzortzatou et al. in Chapter ‘Biobanking across Europe post-GDPR: A deliberately created fragmented landscape’) are potentially wide ranging and the ability to introduce local exemptions provides little clarity and transparency to data subjects. The practical implication of the individual rights as written and the research exemption is to leave the data subject with few, if any, rights once a biobank has begun to process their data. Rather, they are dependent on safeguards to be put in place to uphold and protect their rights. Finally, despite the intention of the GDPR to harmonise data protection across the EU, as the research exemption begins to be invoked, the standard of protection of individual rights will begin to vary across jurisdictions as well as biobanks. Once again researchers will be left to navigate the differing levels of data protection afforded to data in biobanks across the EU.