Harmonising Medical Research with GDPR Requirements
Lishchuk. 37, William S. Hein & Co., Inc. Getzville, New York 2018, (August 2018)
HarmonicSS is an H2020 medical research project investigating primary Sjögren's Syndrome (pSS). The idea is to harmonize well-characterized multi-national cohorts of pSS patients into an integrative structure on the cloud and to facilitate cross-border data sharing and research. This raises the legal issues of GDPR compliance: how do partners share the roles and data protection obligations when all of them process the data, decide the purposes and means of processing, and thus act as controllers in terms of the GDPR? Who bears responsibility for conducting the data protection impact assessment (DPIA)? How are data transfers to non-EU partners, e.g. the UK and the USA, to be handled?
A contractual arrangement, namely the Data Protection Memorandum, has been proposed to settle the data protection issues and allocate responsibilities for GDPR compliance among the partners. Accordingly, the partners, categorized into data providers, developers and researchers according to their tasks, are vested with corresponding data protection obligations. The legitimacy and accuracy of data (Article 5(1)(a,c)), pseudonymisation (Article 89(1)) and information duties (Article 13) lie with the data providers; developers and researchers share the security obligations and data protection by design and by default (Articles 32, 25). Profiling and de-identification are ruled out. The Data Control Committee is to take over the DPIA and monitor data protection in the project. Work on the legal basis for potential data transfers to non-EU partners is under way. Whereas the task of the research team is to harmonize the data, the legal task is to harmonize medical research with the GDPR.