Due to the COVID-19 pandemic, scientific research efforts are currently under way in the fight against SARS-CoV-2, better known as the coronavirus, with the aim of producing research results as fast as possible. At the same time, there are legal questions concerning the use of health data for these purposes. The European Data Protection Board (EDPB) has published the Guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak.
Below you can read the summary of the published Guidelines.
Data protection rules, such as the General Data Protection Regulation (GDPR), do not hinder measures taken in the fight against the COVID-19 pandemic. On the contrary, the GDPR provides special rules for the processing of health data for the purpose of scientific research. Those rules are also applicable in the context of the COVID-19 pandemic.
Legal bases required
The processing of health data for the purpose of scientific research must be covered by one of the legal bases in Article 6 (1) or Article 9 GDPR. The rules must be interpreted in the light of the principles pursuant to Article 5 GDPR (Data Processing Principles).
Responsibilities of the data controller
The data controller, in cooperation and coordination with the data processor, must take care of data integrity and confidentiality (Article 5 (1) (f) GDPR), security of data processing (Article 32 (1) GDPR) and safeguards relating to processing for scientific research (Article 89 (1) GDPR). The data controller is also responsible for a Data Protection Impact Assessment (DPIA).
Maximum data storage periods
The storage periods (timelines) shall be set and must be proportionate. In order to define such storage periods, criteria such as the length and the purpose of the research should be taken into account. National provisions may stipulate rules concerning the storage period as well and must therefore be considered.
The data protection rules do not hinder measures taken in the fight against the COVID-19 pandemic. The data controller shall take into account 1) the legal basis for the processing, and 2) the data protection principles for processing health data for the purpose of scientific research in the context of the COVID-19 outbreak.
Do you need support with the implementation of the complex privacy rules regarding the processing of health data for the purposes mentioned above? Or do you need support with a Data Protection Impact Assessment? Feel free to contact us.