What You Should Know About GDPR. What is the GDPR?

Transcription

1 What Yu Shuld Knw Abut GDPR What is the GDPR? The Eurpean Unin s General Data Prtectin Regulatin ( GDPR), effective May 25, 2018, is a far-reaching regulatin applicable t rganizatins with Eurpean Ecnmic Area ( EEA ) based peratins and certain nn-eea rganizatins that prcess persnal data f individuals in the EEA. The EEA includes the 28 states f the Eurpean Unin and three additinal cuntries: Iceland, Liechtenstein and Nrway. The GDPR aims t prtect individuals fundamental rights t data prtectin and the free flw f persnal data. What is cnsidered Persnal Data? Fr purpses f the GDPR, persnal data refer t any infrmatin that relates t an identified r identifiable natural persn (i.e., an individual, nt a cmpany r ther legal entity), therwise knwn as a data subject. Examples f persnal data include a persn s name, address, gvernment issued identifier, r ther unique identifier such as an IP address r ckie number, and persnal characteristics, including phtgraphs. There is a subset f persnal data, referred t in the GDPR as special categries f persnal data, which merit a higher level f prtectin due t their sensitive nature and assciated risk fr greater privacy harm. Special categries f persnal data include several items that are ften cllected as part f a research study, including infrmatin abut a data subject s health; genetics; race r ethnic rigin; bimetrics fr identificatin purpses; sex life r sexual rientatin; plitical pinins, religius r philsphical beliefs; r trade unin membership. What is the Territrial Scpe f the GDPR? The GDPR applies t rganizatins lcated within the EEA and rganizatins utside f the EEA if they ffer gds r services t, r mnitr the behavir f, EEA data subjects and applies t all cmpanies prcessing and hlding the persnal data f data subjects residing in the EEA, regardless f the cmpany s lcatin and whether the persn is a citizen. The GDPR is therefre a significant change because the territrial scpe f the regulatin is mre expansive than prir EEA privacy regulatins. Hw des the GDPR affect research? The GDPR may be applicable t a brad range f research activities. Fr example, the GDPR may apply when - A UR Investigatr cllects r receives persnal data f subjects in the EEA, e.g. as part f a clinical trial, thrugh participatin in a repsitry, database r research cnsrtium, r by receiving a research study data set - UR acts as a cre data facility r lead site fr a multi-natinal research study with EEA-based sites, - UR acts as a spnsr f research ccurring in EEA member states, r - UR cnducts research in which it transmits U.S. participant data t the EEA, e.g. t spnsrs, servers, r data cre facilities in the EEA. 1

2 GDPR cvers the persnal data f research staff as well as data subjects. Therefre, researchers may receive ntices frm EEA spnsrs r cllabratrs, disclsing that data such as the researcher s address is prcessed in the EEA. What if the study des nt invlve the cllectin f persnal data frm individuals? In shrt, GDPR wuld nt apply. Research studies may nt invlve the receipt f persnal data because the data received may nt relate t an identified r identifiable natural persn. Fr example, studies that d nt cllect infrmatin that is linked t a subject s identity, such as annymus surveys in which the identities f survey subjects cannt be traced, wuld nt invlve the receipt f persnal data. What if I am nly receiving cded data? The GDPR cnsiders key-cded data t be persnal data and still subject t GDPR. Keycded data is referred t as pseudnymized data under the GDPR. This is in cntrast t the psitin under many US research and privacy laws, such as the Cmmn Rule and HIPAA; pseudnymized data are regarded as identifiable persnal data and therefre remain subject t the GDPR s prtectins, even when in the hands f a persn wh lacks the key needed t link the data t the data subject s identity. Is it pssible t de-identify data s that GDPR des nt apply? The GDPR des nt apply t data that have been annymized. Hwever, fr data t be annymized, the GDPR requires that there be n key t re-identify the data. Fr example, if UR serves as the spnsr f a research study with a site lcated in the EEA and receives nly keycded infrmatin frm the EEA site, the key-cded data frm the EEA site remain persnal data in the hands f UR. This is the case even if UR has n access t the key needed t reidentify the cded data. Unlike in HIPAA, there is n safe harbr under the GDPR t which data can be rendered de-identified by remving a specific list f identifiers. Rather, annymizatin is judged n a facts and circumstances basis taking int accunt all the means 2

3 reasnably likely t be used, such as singling ut, either by the cntrller r by anther persn t identify the natural persn directly r indirectly. Given this definitin, annymizatin is an extremely high standard that is difficult t meet in practice. I have heard that subjects have additinal rights under the GDPR. Is that true? Yes, and hnring thse rights may require a change in UR prcesses and wrkflws. The GDPR creates a range f rights that are available t research subjects under certain situatins, and a right t claim cmpensatin thrugh EEA curts fr vilatin f their rights and misuse f their persnal data. This ptentially subjects UR t litigatin in the EEA. Sme f the rights under the GDPR include the right t access, rectificatin f data and an accunting f hw their data was shared. These rights are brader than in HIPAA. Research subjects als have the right t withdraw cnsent t further prcessing f their persnal data and t request that their data be erased (this is knwn as the right t be frgtten ). If these rights are exercised, ne can n lnger retain the persnal data fr the purpse f research, including in pseudnymized (key-cded) frm. Hwever, ne may retain the data if necessary fr legal cmpliance (i.e., fr adverse event reprting). Als, the researcher culd cntinue t prcess the data fr research purpses if the data have been fully annymized thrugh remval f all identifiers assciated with the data, including destructin f the key linking the subject s data t his r her identity (Please see previus nte n annymized data). What Infrmatin Security cntrls must be implemented t prtect persnal data cvered under GDPR and what are the requirements fr breach ntificatin? The cntrls required t hnr the subjects rights detailed abve are largely system dependent. Standard University security cntrls fr Legally Restricted data will adequately prtect the data at rest and in transit, but it is up t the researcher t implement the cntrls and ensure that systems are cnfigured apprpriately t allw e.g. identificatin, extractin and deletin f a particular user s data. The cntrls required fr Legally Restricted data can be fund here. The breach ntificatin requirements under GDPR are mre stringent than in the US, making quick respnse critical. Ntificatin must be made t the apprpriate supervisry authrity within 72 hurs f discvery f the breach, with updates thereafter. Data subjects must be ntified withut undue delay. What is a Cntrller and what is a Prcessr, and what are their respnsibilities? A Data Cntrller is a persn r entity that determines the purpses and means f the prcessing f persnal data. In research invlving several parties, the lead site likely will be the Cntrller. Sme situatins (e.g. certain cllabrative studies) will have jint cntrllers wh each are liable t the data subject. A Data Prcessr is a persn r entity that prcesses persnal data n behalf f the cntrller. This includes central labs, cre labs, and participating sites that cllect, rganize/analyze, r stre data, r perfrm ther activities that fall within GDPR s definitin f prcessing. 3

4 Cntrllers have mre respnsibilities than prcessrs, such as prviding ntices t data subjects, respnding t the exercise f subject rights, ntifying supervisry authrities and data subjects f breaches, and maintaining recrds f prcessing. Cntrllers are required t enter cntrllerprcessr cntracts that bind their prcessrs t cmply with GDPR. Jint cntrllers typically will apprtin respnsibilities amngst themselves via a cntract, but each remains individually liable t the data subject. Cntrllers need t ensure that there is a lawful basis fr prcessing persnal data, and that this lawful basis is cmmunicated t data subjects. In additin, if persnal data is being transferred frm the EEA t anther cuntry such as the U.S. which is deemed t lack adequate prtectin fr persnal data, then there needs t be a lawful basis fr transfer. One lawful basis fr transfer is the use f mdel cntract clauses that bind the parties t cmply with GDPR. Data subject cnsent can be the lawful basis fr prcessing and/r transfer, but GDPR requirements fr cnsent are ptentially prblematic in the research setting. In the abve multi-site trial example, cntracts amng the parties will be necessary as well: Example: US spnsr f multi-site study engages US cre lab t prcess data frm bth US and EEA participating sites: -US spnsr needs t enter cntrller-prcessr agreement with US cre lab -US spnsr needs t enter mdel cntract clauses with EEA participating sites r btain explicit cnsent f research subjects t the transfer f their data t a cuntry withut adequate prtectin. 4

5 What shuld I d t achieve GDPR cmpliance? Identificatin f affected studies. We have established a cllectin pint fr examples f studies that may be affected by GDPR. Further, situatin-specific guidance will be issued after review f these examples. If yu have a pending r prpsed study that ptentially falls within the scpe explained abve, r if yu have received any requests r ntices pertaining t GDPR, please prvide particulars via t Research- GDPR@rchester.edu. Please include: Data being cllected frm EEA residents, by whm, and in what frm (identified, cded, fully de-identified) Rle f UR with respect t that data, i.e. what des UR d with the data? See definitins f Cntrller and Prcessr, but please prvide specific facts Invlvement f EEA spnsr r participating site(s) RSRB # if applicable Seek supprt. If yu receive ntices, requests r ther dcumentatin (including cnsents r amendments t existing cntracts) that mentin GDPR r Eurpean privacy rules, in additin t apprising RSRB and ORPA in accrdance with usual prcesses, please cntact Kathleen Tranelli (kathleen_tranelli@urmc.rchester.edu) r Mark Wright (mark.wright@rchester.edu) and indicate GDPR in the subject line. Studies will need t be evaluated n a case by case basis. We d nt want UR t assume bligatins it des nt need t, r is unable t, hnr. Example f a prblematic request: EEA spnsr asks UR as participating site t send Ntices t US research subjects specifying nt nly that data will be transferred t the EEA Example fr prcessing, f a prblematic but that request: US subjects EEA spnsr may cmplain asks UR t as their participating lcal data prtectin site t send authrity Ntices t if US their research privacy subjects rights are specifying vilated nt and nly may that claim data cmpensatin will be transferred thrugh t the the curts. EEA fr prcessing, but that US subjects may cmplain t their lcal data prtectin 5