The European Data Protection Board (EDPB) released a document earlier this year in response to a request by the European Commission for clarifications on the application of the GDPR in the area of scientific health research, which you can read here. However, it is important to note that the EDPB is currently preparing guidelines on the processing of personal data for scientific research purposes, set to be released later this year, which will include further elaborations.

Legal basis for processing of health-related data for scientific research purposes

The European Commission posed a question to the EDPB concerning the appropriate legal bases to rely on when personal data is processed for scientific research purposes. The European Commission was particularly interested in understanding two main issues: the interaction of the GDPR legal bases with the requirement to obtain consent for clinical trials, and whether, given the requirement for certain legal bases to have a foundation in Member State or EU law, multiple legal bases could be relied upon by one controller for a single research project conducted across several Member States.

The EDPB’s response states that ethical standards which require informed consent for participation in scientific research can and must be differentiated from explicit consent for processing special categories of personal data. It clarifies that they are different concepts and that consent to conduct the clinical trial is not the same (and should not be held to the same standard) as consent for processing special categories of personal data.

Moreover, with regard to legal bases for scientific research, the EDPB endorsed the use of the same legal basis across all Member States for processing personal data (including special category personal data) associated with a scientific research project conducted in multiple Member States. However, it recognised that, due to the requirement for an underlying Member State or EU law in relation to some of the legal bases (e.g. legal obligation (art. 6(1)(c)), reasons of public interest in the area of public health (art. 9(2)(i)) and scientific research (art. 9(2)(j))), this may not always be possible and heterogeneous legal bases may be more appropriate.

On September 9, Senator Reuven Carlyle (D-WA) presented an updated draft of the Washington Privacy Act (WPA), suggesting that the WPA will be up for consideration in Washington State’s 2021 legislative session. The next legislative session is scheduled to convene on January 11, 2021, at which point the fate of the WPA will again be

On 12 June 2020, the UK’s Information Commissioner’s Office (ICO) issued new guidance for organisations on the coronavirus (COVID-19) recovery phase (Guidance).

The Guidance (available here) forms part of the ICO’s wider data protection and coronavirus information hub (available here) which aims to help organisations navigate data protection during this unprecedented time.

The new Guidance comes as the lockdown measures start to ease and businesses begin to reopen. It sets out six key data protection steps that organisations need to consider around the use of personal data.

It has been 64 days since the UK officially went into lockdown due to the COVID-19 crisis, with many ‘non-essential’ workers vacating their workplace. In preparation for sending the UK back to work, the Information Commissioner’s Office (ICO) has issued FAQ-style guidance to assist employers wishing to track and test employees’ symptoms.

Health data is ‘special category data’ under the General Data Protection Regulation (GDPR) and is therefore subject to greater restrictions. Nonetheless, the ICO makes it clear that data protection law does not prevent employers from taking necessary steps to ensure the safety of staff and the public, provided that personal data is handled responsibly and carefully in accordance with the law.

The guidance covers the following specific activities:

  • Testing employees for symptoms of COVID-19
  • Compiling lists of employees with symptoms or positive diagnoses
  • Disclosing positive cases to other employees
  • Using temperature checks or thermal cameras in the workplace



The novel coronavirus pandemic has created an immediate and immense need for scientific research. Amid this urgency, the European Data Protection Board (EDPB), during its twenty-third plenary session held on April 21, adopted guidelines to shed light on legal questions concerning the use of health data (pursuant to article 4(15) of the General Data Protection Regulation (GDPR)) for such research purposes.

The guidelines reiterate that data protection rules do not hinder measures taken to combat the coronavirus outbreak and in fact provide special rules for the processing of health data for the purpose of scientific research (for instance, in article 9(2)(j) and article 89(2)) that will be applicable in the current crisis.

Data controllers and processors must respect the data protection principles set out in article 5 of the GDPR, and all processing of health data must comply with one of the legal grounds and the specific derogations listed respectively in articles 6 and 9 of the GDPR for the lawful processing of this special category of data. The guidelines specifically address the rules concerning consent and respective national legislation. They also spell out the important aspects of the article 5 principles.

The Council of Europe (CoE) recently issued its recommendation to member states on the protection of health-related data (Recommendation). The Recommendation guides member states to ensure that their law and practice reflect the principles of processing health-related data.

The recommendations stem from Convention 108 which was the first international treaty in the field of data protection. Like the General Data Protection Regulation 2016/679 (GDPR), Convention 108 sets out principles for processing health data, but contains fewer options than GDPR. The Recommendation’s principles related to health data align with GDPR, but in some cases provide more guidance about processing health-related data.

Some of the key recommendations on processing certain health-related data are below.
