In medical and clinical practice «informed consent» is mandatory prior to any surgical intervention. At the same time, human tissue or human blood deriving from surgical interventions can be of scientific interest and therefore may be used for scientific research or medical education, which makes it very attractive for hospitals, universities and researchers to use such samples and to store them in so-called biobanks. Of course, this use of such samples embodying highly sensitive personal information also requires the patient's consent. The data subject’s consent, which is required for using his or her tissue or blood samples, means «any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her» (Article 4, number 11, General Data Protection Regulation, GDPR). To ensure that those requirements are met, the data subject needs to be informed about who is allowed to use which aspects of his or her personal data and for which purpose, and whether the data is to be passed on.
Studies have established that, to this day, hospitals and research institutions often use consent forms which do not fulfil the minimum legal requirements.2 This not only causes uncertainty for the data processing entities but can also potentially lead to damage claims. It is also more than unsatisfactory for the patients involved if such sensitive data is possibly not processed in accordance with the legal standards.
The new GDPR gives hospitals and institutions cause to review their consent forms and data processing practices. Generally, it can be stated that, after the adoption of the GDPR, the data protection law framework for the use of so-called special categories of personal data3 (hereinafter: sensitive personal data) has become even more complex. One of the reasons is the interaction between EU and national law caused by different escape clauses allowing the member states to adopt individual rules and thereby undermine the degree of data protection law harmonisation in the EU.4
This paper will present and analyse the legal framework the GDPR and the BDSG constitute for the processing of health data such as the storage and use of human tissue. In this context the paper will examine to what extent Article 9 of the GDPR allows the use of such sensitive «special» categories of personal data. Of particular interest are the exemptions outlined in Article 9, paragraph 2, lit. h and j of the GDPR where the data is processed for scientific research or medical diagnosis. In conjunction with the new sections 22 and 27 of the BDSG, the question arises of how broadly these exemptions must be interpreted and, hence, to what extent consent is necessary or advisable in order to undertake scientific research on by-products of surgical interventions; for example, removed tumour tissue. But above all, this paper addresses the question of so-called «broad consent»; i.e. a broadly formulated consent covering multiple-purpose uses of the tissue sample.
Article 9, paragraph 1 GDPR
«1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.»
Hence, the general rule is that the processing of personal data concerning the health status of a person is not allowed.5 This clearly applies to human tissue samples or blood. Recital 51 of the GDPR justifies this rather extensive prohibition of the processing of such special categories of personal data as follows:
«Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.»
Article 9, paragraph 2 GDPR
«Paragraph 1 shall not apply if one of the following applies:
(a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent; or […]
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3 […]
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.»
Applicability of the general principles
«In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.»
At the same time, the structure of the GDPR reveals that Article 9 must be lex specialis to Article 6 when processing sensitive data. With regard to the high significance of such data for the data owner’s fundamental rights7, the catalogue of exemptions in Article 9, paragraph 2 must be seen as conclusive. Accordingly, Article 6, paragraph 1, lit. f, which permits data processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party, cannot be a valid basis for the processing of health data.8
Processing of health data according to the BDSG
«By derogation from Article 9 (1) of Regulation (EU) 2016/679, the processing of special categories of personal data as referred to in Article 9 (1) of Regulation (EU) 2016/679 shall be permitted […]
b) processing is necessary for the purposes of preventive medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services or pursuant to the data subject’s contract with a health professional and if these data are processed by health professionals or other persons subject to the obligation of professional secrecy or under their supervision; or
c) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices; in addition to the measures referred to in subsection 2, in particular occupational and criminal law provisions to ensure professional secrecy shall be complied with; […]»
Section 27 BDSG provides for a legal basis for the processing of data for, inter alia, scientific research and states that «by derogation from Article 9 (1) of Regulation (EU) 2016/679, the processing of special categories of personal data as referred to in Article 9 (1) of Regulation (EU) 2016/679 shall be permitted also without consent for scientific or historical research purposes».9 The German legislator assumes, as regards the exemptions established in section 22, that a legal basis according to Article 6, paragraph 1 is necessary.10 However, according to Article 6 GDPR, consent is not the only option to justify data processing. Hence, the processing of health data in Germany is technically possible without the patient’s consent; for example, for the purpose of medical diagnosis.11
The German legislator assumes, as regards the exemptions established in section 22, that a legal basis according to Article 6, paragraph 1 is necessary.12 In contrast, section 27 explicitly states that the processing shall be possible for scientific purposes without consent. Systematically, this raises the question whether, with regard to section 22, consent is always required because no corresponding exemption is laid down, since, according to Article 6 GDPR (which the grounds of the new BDSG refer to), consent is not the only option to justify processing. The processing of health data in Germany is technically possible without the patient’s consent; for example, for the purpose of medical diagnosis.13
The processing of health data and the complex structure of, and relationship between, Articles 6 and 9, and also between paragraphs 1 and 2, and the partially deviating provisions in sections 22 and 27 of the BDSG, together pose a challenge for medical practitioners, scientists and hospitals. Here, written consent offers the «cleanest» solution from an ethical point of view, as a printed and signed document is preferable as evidence.
Written consents as the preferable approach
Generally, the GDPR emphasises the significance of the protection of sensitive personal data. Hence, in normal circumstances, a hospital or research institution will need the patient’s consent for the use of his or her sensitive personal data.14 Although the GDPR and the BDSG provide for exemptions from this rule, inter alia, for scientific research, from a practical point of view, it is advisable to gather the patient’s prior consent. Despite this fact, the GDPR does not necessarily require written consent. If not explicitly stated otherwise15, the (informed) consent should be given in a written form. This is not only because a document would facilitate argumentation in a trial. In clinical practice, such consent is necessary for the surgical intervention regardless. Thus, the focus should be on how to refine existing consent forms to ensure a legally watertight processing of health data.
The main criteria for a legally «clean» solution are:
- The consent must be given by an informed patient, thus it is «informed consent». The patient must understand the consequences of his or her consent. After reading the consent form the patient must be in a position to understand who is entitled to process which data for which purpose, to whom the data will be forwarded and who will store the data for which period of time.16
- The consent must be given on a voluntary basis and can be revoked at any time.
- According to the principles of purpose, the data processing must be related to one or more specifically defined purposes (Article 5, paragraph 1, lit. b GDPR).17
The problem of broad consents
This leads directly to another issue arising in the context of the legal processing of health data: the use of (health) data for multiple scientific purposes. Practice shows that, particularly with the processing of (health) data for scientific research, it is hard to define the purpose in advance. In other words, many consent processes are overtaken by technological developments. Particularly in the field of health-related data, more precise methods or new software can enable the use of samples for research on new diseases over time. This, however, requires corresponding consent. In this context, legal and clinical practice has developed the controversial18 so-called «broad consent» concept. The patient can hereby agree to a much more comprehensive processing of his or her health data, which is technically, or temporally, less restricted.
Recital 33 attracts attention in three areas. First of all, it generally affirms the legal validity of «broad consent», and of very broad consent at that, because, according to its wording, it does not limit the broad consent in any respect: neither in a functional nor in a temporal regard. Hence, Recital 33 can be considered as a form of very wide-ranging «broad consent».
Second, Recital 33 refers to «certain areas of scientific research». This formulation is rather vague and allows different interpretations. Many practical and very relevant questions remain open. Does the broad consent in the sense denoted by Recital 33 require a conclusive enumeration of the areas of science the data is being used for? How precisely must an area of science be described? Using the example of cancer: is it legally sufficient to disclose that the data gathered from a liver tissue sample is processed for «liver cancer» research? Or, does the description have to be more specific, for example, «metastasising liver cancer», or less specifically, «cancer»? These questions still need to be resolved.
As can be shown, the processing of health data does not necessarily require consent. However, especially in the field of scientific research and the use of health data for multiple purposes under, possibly, not completely defined circumstances, the use of consent forms is highly recommended. Generally, Recital 33 of the GDPR leaves many questions unaddressed. A form of broad consent which enables the data owners to give their consent to using their research data beyond the current research project engenders particular difficulties. Hospitals and research institutions wishing to make use of broad consent must take into account the non-negligible level of legal uncertainty.
As regards the principles of purpose, the understanding of «purpose» should not go too far. A consent form with five hundred tick boxes for a single form of cancer would neither be practically manageable nor support the idea of «informed» consent with regard to the sheer amount of information to be read by the patient. Instead, it seems advisable to integrate opt-in/opt-out clauses into the consent form in the sense that the patient, for example, can determine the processing of his data by a particular research institution or project.19 The GDPR is characterised by a generally science-friendly alignment. In this context, the nomination of research fields referring to general disease patterns like Alzheimer’s or «metastasising cancer», that is, those that an average, well-informed patient would understand, seems to be a good compromise in balancing out the interests of research institutions and patients.
Finally, the aforementioned escape clauses bear the risk that the member states might adopt derogating rules. This would further increase the legal uncertainty. All corresponding stakeholders should, hence, collaborate closely to agree on basic standards for broad consents.20
- 1 The author thanks «Rechtsreferendar» Mario Schliephake and «Rechtsreferendarin» Elena Föhl for their great support.
- 2 See Schaar, Anpassung von Einwilligungserklärungen für wissenschaftliche Forschungsprojekte – Die informierte Einwilligung nach der DS-GVO und den Ethikrichtlinien, ZD 2017, p. 213 (214) with further references.
- 3 Cp. Article 8 concerning the processing of special categories of personal data in its predecessor, Directive 95/46/EC, OJ L 281/31.
- 4 Kampert, in: Sydow (ed.), Europäische Datenschutz-Grundverordnung, Nomos, Baden-Baden 2017, Art. 9, recital 61. Cp. also Spranger/Schulz, Auswirkungen der Datenschutz-Grundverordnung auf die pharmazeutische Forschung, PharmR 2017, p. 128 (128).
- 5 Cp. the definition of health data in Article 4, number 15: «data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status».
- 6 As can be seen from the wording, the processing is lawful if «at least» one of the criteria established in Article 6, paragraph 1, apply, see Albers, in: Wolff/Brink, BeckOK Datenschutzrecht, Beck, Munich 2017, Art. 6 recital 27.
- 7 Cp. the aforementioned recital 51, first sentence.
- 8 Like here: Schulz, in: Gola (ed.), DS-GVO, Beck, Munich 2017, Art. 9 recital 6.
- 9 Cp. Greve, Das neue Bundesdatenschutzgesetz, NVwZ 2017, p. 737 (739).
- 10 Grounds of the new BDSG, Bundestags-Drucksache No. 18/11325, p. 94.
- 11 This, by the way, is the legal situation at the moment (before the entry into force of the new BDSG), see section 13 BDSG.
- 12 Grounds of the new BDSG, Bundestags-Drucksache No. 18/11325, p. 94.
- 13 This, by the way, is the legal situation at the moment (before the entry into force of the new BDSG), see section 13 BDSG.
- 14 Cp. Ernst, in: Paal/Pauly (eds.), Datenschutz-Grundverordnung, 2017, Art. 4, recital 61.
- 15 See Recital 32.
- 16 Schaar, Anpassung von Einwilligungserklärungen für wissenschaftliche Forschungsprojekte – Die informierte Einwilligung nach der DS-GVO und den Ethikrichtlinien, ZD 2017, p. 213 (215) with reference to Article 12, paragraph 1; Ernst, Die Einwilligung nach der Datenschutzgrundverordnung, ZD 2017, p. 110 (113).
- 17 Cp. Spranger, Die datenschutzrechtliche Einwilligung im Gesundheitskontext: zum Umgang mit genetischen, biometrischen und Gesundheitsdaten, MedR 2017, p. 864 (865).
- 18 See, for example, Herbst, Rechtliche und ethische Probleme des Umgangs mit Proben und Daten bei großen Biobanken, DuD 2016, p. 317 (373). See also Ziegler, Datenschutzrechtliche Anforderungen an den klinischen Aufbau und Betrieb von Biomaterialbanken, GuP 2012, p. 172.
- 19 Schaar, Anpassung von Einwilligungserklärungen für wissenschaftliche Forschungsprojekte – Die informierte Einwilligung nach der DS-GVO und den Ethikrichtlinien, ZD 2017, p. 213 (215) with further references.
- 20 See also Strech et al., A template for broad consent in biobank research. Results and explanation of an evidence and consensus-based development process, European Journal of Medical Genetics 2016, p. 295.