What does the EU’s update of data protection mean for medical research?

Posted on March 21, 2012 by


Medical research organisations, including AMRC, have supported a joint statement outlining how the EU’s plans to update data protection law may impact on the use of patient data for health research. Patient data is a valuable resource for health research. Some of the proposed changes are welcome and will support this research, but we have some concerns over the types of data that fall within the scope of the directive and how these will be regulated that need to be addressed to ensure other research is not inhibited.

This joint statement has been sent to the UK Ministry of Justice before they head to Europe to discuss the proposed changes to European data protection laws with other members states. It’s important they are aware of the impacts on health research when they discuss the changes.


Back in January, the EU published its plans to reform the data protection framework across Europe. This includes a regulation setting out a general EU framework for data protection and a Directive  on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.

Directives and regulations are slightly different. Once adopted, a directive must be transposed in each members state’s law but they can decide how they do that. Regulations come into force right across the EU directly. Or as it’s technically put in the treaty on the functioning of the European Union,

A regulation shall have general application. It shall be binding in its entirety and directly applicable in all Member States.
A directive shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods.

The proposals in the regulation on data protection cover the use of all personal data so they will have implications for health research. Patient data is a valuable resource for health research (for more on how it is used go here).

The next step is for the regulation to go before the European Parliament for scrutiny and all the EU member states to get together and discuss the content of the regulation and what new data protection legislation will look like, before it can be adopted and come into force across Europe. In that time, there will be lots of debate and it could change considerably.

The UK Ministry of Justice called for evidence to inform them before they start this negotiating process in Europe. Medical research funders, including AMRC, have supported a joint statement outlining our major concerns and issues we would like to see tackled during the discussion of the regulation.

What does our joint statement say?

Our joint statement outlines why patient data is important to health research, including some great examples of projects which use different types of patient data  including Breast Cancer Campaign’s Tissue Bank, which aims to give breast cancer researchers access to biopsy samples.

It also covers public views on their data being used for research – public opinion appears broadly in favour of patient records being used for research. For example, of 1.2 million women contacted to take part on a trial of ovarian cancer screening, only 32 complained they had been contacted. And a poll of nearly 1000 adults in 2011 found that 72 per cent of respondents would like to be offered chances to take part in research trials, which can only be done if researchers can look at their data and identify whether they trial would be of interest to them.

The statement also identifies the specific concerns we have about the proposed changes to data protection.

What are our concerns about the changes to data protection?

Research derogations

The proposed new regulation recognises that patient data is valuable for  research and provides exceptions (or “derogations”) from some of the requirements of managing personal data when it is being used for scientific research.

There are a number of conditions the research has to satisfy which, if it does, enable the processing of personal data without consent and for personal data to be held for extended periods for research purposes. This cannot be done if anonymous data would be sufficient and, if possible, any identifying information should be kept separate from other information.

We think this strikes a good balance between support for research and the benefits it can bring, and protection of the interests of research participants. We are keen to ensure these derogations for scientific research do not get changed as the regulation is discussed. But we do think that the derogation could do with a little further clarification as it is discussed to ensure there is no confusion over how they should be interpreted which might lead to regulatory difficulties later.

Which types of data fall within the scope of the directive?

The regulation covers ‘personal data’. We need to be very clear over which types of data count as ‘personal data’ under the directive.

Anonymised data is not covered by the regulation. However it’s not clear whether the process of anonymising data – removing all personal identifiers – falls under the scope of the regulation. We recommend that it shouldn’t but re-identification of data that has been anonymised should be strictly prohibited.

The regulation is not very clear over whether pseudonymised data are intended to be included. Pseudonymised data is where the individual is not directly identified but can be re-connected to their data by a code if necessary, perhaps to update their record in a registry with new information or, if their tissue has been collected, to enable a researcher to access data on the samples when they study them. If pseudonymised data is included in the scope of the directive, this could massively increase the regulatory burden on using it. Measures are already in place to minimise the opportunity of re-identification. If Europe does specifically want to include it in the scope, it would  be important to push for further amendments to ensure projects using pseudonymised data – including UK Biobank and genetic data studies – can continue to go ahead (there are some good examples of the sort of projects that might be affected at the end of the statement).

We also need a bit more clarification over ‘genetic data’ and ‘data concerning health‘ to ensure this does not apply to all data or tissues samples but just personal data that falls within these categories.

What next?

Our joint statement makes a few recommendations to government of the issues that may affect health research which they should raise while they are discussing the proposed regulation. Following their debate in Europe, a legislative proposal will be developed which the European Parliament will have the opportunity to scrutinise. So we will need to keep monitoring the debate and feeding into the discussion as it goes forward.

Posted in: Policy