Balancing data protection and research needs in the age of the GDPR
Scientific journals and funding bodies often require researchers to deposit individual genetic data from studies in research repositories in order to increase data sharing with the aim of enabling the reproducibility of new findings, as well as facilitating new discoveries. However, the introduction of new regulations such as the EU General Data Protection Regulation (GDPR) can complicate this, according to the results of a study to be presented at the annual conference of the European Society of Human Genetics today (Monday).
The investigators collected experiences of the practical challenges that researchers face. «Their attempts to comply with the requirements of funders and journals to deposit data often clash with the GDPR,» says Dr Deborah Mascalzoni, Senior Researcher at Uppsala University in Sweden and at EURAC Research, Bolzano, Italy. “We need to follow along the path of open science while taking into account ethical and legal rules if we are to be able to comply with both the law and the funders’ requirements.”
According to the GDPR, participants in research studies have the right to withdraw consent for the further use of their data. To exercise this right, they must be informed about the processing of their data in research repositories, but the way in which some repositories are set up can make it difficult for researchers to comply with the law. And another challenge lies in the GDPR’s requirement for data processing to be limited to what is necessary to fulfil a study’s objectives, therefore ruling out the long-term retention of data for unspecified uses. The destruction of such data eliminates resources that may be useful in the future and therefore reduces research efficiency.
But solutions to the problem are readily available, say Dr Mascalzoni and her fellow researcher Heidi Beate Bentzen, LLM, from the University of Oslo in Norway. The current difficulties stem from the fact that legal and ethical design are not always embedded into the planning of a system from the beginning. This means that this is often added as an afterthought, a kind of ‘patch’ that fixes one case but is not a long-term solution. And while the GDPR needs to be interwoven into the everyday work of researchers, it is still a fairly new regulation.
“If you introduce a novel technique in the lab, you need to account for it and make it work with your existing systems, for example IT and other lab equipment. It is the same with the GDPR, that in essence is a good piece of law. What we are facing now with the repositories is that they are often based outside the EU or in in one EU member state (as the UK model) without taking into account all EU member state regulations,” says Dr Mascalzoni.
Researchers currently may face problems submitting their work to some journals due to legal restrictions preventing them from sharing individual-level genetic data in the journals’ repositories. They may be able to share data with reviewers and editors, and in some cases with other researchers who request the data for specific purposes, but not more widely. “Journals need to rethink their policies in these cases,” says Dr Mascalzoni. “Because participant trust is so crucial to the future of research, we were surprised to find that research repositories had not already changed their modus operandi and that journals and funders had not amended their policies to account for the GDPR.”
Another way is to recognise mutually equivalent policies, the researchers say. If a law prohibits a practice it is difficult to require individual scientists to either disobey or be excluded, so exceptions and waivers should apply.
“We hope that our work will showcase the urgency of setting up GDPR compliant research repositories and adapting the requirements of funding bodies and journals to the GDPR. If we are to operate in an open, efficient science environment, we need to build a safe place where researchers and patients can participate knowing human rights and research are taken seriously simultaneously”, Dr Mascalzoni concludes.
Chair of the ESHG conference, Professor Joris Veltman, Director of the Institute of Genetic Medicine at Newcastle University, Newcastle upon Tyne, UK, said: “Data sharing is essential for scientific progress, especially in the field of human genetics where we need to combine clinical and genetic data to learn about the clinical impact of millions of genetic variations present in each person’s genome. This study investigates how the new EU data protection regulations affect data sharing and what should be done to allow for this to be done in a safe and responsible manner.”
Abstract no: C22.6 Are requirements to deposit data in research repositories compatible with the GDPR?