The primary legal instrument regulating the collection, use and disclosure of personal data, including genetic data, is the General Data Protection Regulation which came into effect in all Member States of the EU on 25 May 2018. Its provisions were given further effect in the Data Protection Act 2018. One important difference between the GDPR and the previous EU Data Protection Directive is that the GDPR expressly recognises genetic data as a special category of personal data deserving of a high level of protection.
Mindful of the critical need to promote public confidence in how the health system treats all patient data but especially sensitive data like genetic data, I used the Regulation making power provided for in section 36 of the Data Protection Act to make, last August, the Health Research Regulations.
The Health Research Regulations are a coherent statement of public policy in the health research area based on internationally accepted best practice information principles for those carrying out health research and strong and focused safeguards for those whose personal data is being processed for health research. The collecting, use, storage and disclosure of genetic data for health research purposes is, therefore, not only governed by the GDPR and the Data Protection Act 2018 but by the Health Research Regulations.
I also want to make the point that the preparation of the Regulations not only had full regard to the provisions of the GDPR but also to the Constitutional right to privacy, the Common Law duty of confidentiality between health professional and patient and the right to privacy provisions in, and case law of, the European Convention on Human Rights (ECHR).
At the core of the Regulations are two related national and internationally accepted principles. First, support for the longstanding principle of patient confidentiality as a key value in our health system. Second, the promotion of patient empowerment in relation to their information to bring about a truly patient centred health service.
Consequently, the Regulations emphasise explicit consent of the data subject as the default position, provide for high levels of transparency which is a new core data protection principle and for information security controls to limit access to the personal data of individuals as well as controls to log who has accessed the data.
They also address the reality that those requirements for consent, transparency, security and other data subject’s rights mean very little if there is no clarity on where the responsibility lies for complying with them. That is why they tackle the crucial issue of the relationships between the institutions that hold the data being used in the research and the health researchers that carry out the research using that data. The rules and requirements in the Regulations are very clear especially when it comes to third party disclosures. Accordingly, all involved in a health research project must ensure that they know whether they are the data controller, a joint data controller or a data processor and comply fully not only with legal requirements but ethical ones too.
The consent declaration process provided for in the Regulations, which is designed to facilitate publicly important health research where seeking consent is not possible (something found in other countries), is very tightly drawn and its criteria for when a consent declaration can be given are directed not only at GDPR considerations but also at the Common Law, Constitution and ECHR. That was done to ensure that all relevant factors must be addressed both in the application for a consent declaration and in the consideration of that declaration. It is the same reasoning that means that a declaration when granted can only ever extend to obtaining and using personal data required for the research or part of the research, but such data cannot then be disclosed to anyone else without the consent of the data subject or a legal obligation to do so. It is also important to emphasise that a consent declaration cannot be given where a data subject has refused his or her consent to the use of his or her personal information for the research involved.
Everything that is provided for in the Health Research Regulations was subject to a series of discussions with the Data Protection Commission. The rigorous nature of that consultation process provided a very useful stress test. In particular, the Department and the Commission had careful regard to the issue of genetic data against the backdrop both of scientific developments in the genomics area and the GDPR requirement that genetic data, as a special category of sensitive personal data, is subject to strong safeguards.
Health research is indisputably important to better patient care and the development of innovative and life-saving therapies. As Minister for Health, I want to support health research and I believe most people do. I believe that the best way to do so is to promote and sustain greater public confidence in research through enhanced openness, transparency and patient empowerment so that no individual is surprised by who has access to his or her personal data and the uses, including research, to which it is put. Transparency and openness are especially important where it is proposed to share patient data with commercial third parties.
The Minister for Health does not have the power to give anyone permission to collect genetic data. If publicly funded or private health facilities collect such data for patient care and treatment they must do so in accordance with data protection law, which means complying with the core data protection principles in Article 5, having a legal basis in Article 6 and meeting an appropriate condition in Article 9. They must also meet any ethical requirements.
If the facility wishes to use patient data collected for care and treatment for research to be carried out by the facility, or to disclose it to a third party for that party to carry out research, then they must also comply with the terms of the Health Research Regulations: explicit consent must be obtained and all the other safeguards required by the Regulations must be in place. It is a similar situation where the facility acts as an agent or partner of a third party in collecting genetic data for health research.
Any publicly funded or private health facility holding patient data must ensure that it has proper governance in place that reflects and gives effect to its legal obligations. Failure to adhere to proper governance may have significant consequences under law for the institutions and any employees or agents involved. More widely, there will be collateral reputational damage affecting the health system generally.
To go back to a point I made earlier in this answer, I am mindful of the critical need to promote public confidence in how the health system treats all patient data but especially sensitive data like genetic data. Accordingly, as Minister, the collecting, use and disclosure of patient data is an area that I intend to keep under review and, in that regard, I will be mindful of legal and best practice developments at national and EU level that can be positively utilised to build confidence.