Applying GDPR Roles and Responsibilities to Scientific Data Sharing

25 Pages Posted: 27 May 2021

See all articles by Regina Becker

Regina Becker

University of Luxembourg

Adrian Thorogood

Universite du Luxembourg - Luxembourg Centre for Systems Biomedicine

Jasper Bovenberg

Legal Pathways Life Sciences Law

Colin Mitchell

University of Cambridge - PHG Foundation

Alison Hall

PHG Foundation - University of Cambridge

Date Written: May 01, 2021

Abstract

Where personal, usually pseudonymised, from health research or healthcare are made available for scientific purposes, especially across borders, it is unclear what GDPR roles apply. This is a persistent roadblock for accelerating data-driven scientific discovery or for establishing large research consortia.

The assignment of GDPR roles is a matter of form and function (unless roles are assigned by law). A controller determines the purpose and essential means of processing. Essential means include determining the types of data, the categories of data subjects, the parties having access to data, and the length of data retention. Joint controllers arise where two or more parties jointly determine the purpose and essential means of processing through a common decision or converging decisions.

We argue that a data user (research organisation) will normally be the sole controller for a research project accessing personal data, because the data user independently determines the purposes and means of the associated processing. A party that only provides data (hospital or research organisation) for the research project will not normally be a controller for the research project, unless it actively participates in the design of the research project or requires researchers to share ownership in derived intellectual property or enriched data. Data providers who require data users to remotely access data in a secure computing environment hosted by the data provider will generally be processors, not joint controllers.

Keywords: accountability, data sharing, data protection, health research, joint controller, scientific research

Suggested Citation

Becker, Regina and Thorogood, Adrian and Bovenberg, Jasper and Mitchell, Colin and Hall, Alison, Applying GDPR Roles and Responsibilities to Scientific Data Sharing (May 01, 2021). Available at SSRN: https://ssrn.com/abstract=3851128 or http://dx.doi.org/10.2139/ssrn.3851128

Regina Becker (Contact Author)

University of Luxembourg ( email )

CAMPUS BELVAL / House of Biomedicine II
6, avenue du Swing
Belvaux, 4367
Luxembourg

Adrian Thorogood

Universite du Luxembourg - Luxembourg Centre for Systems Biomedicine ( email )

2 Avenue de l'Université
Esch-sur-Alzette
Luxembourg

Jasper Bovenberg

Legal Pathways Life Sciences Law

Haarlem, 2111XS
Netherlands

Colin Mitchell

University of Cambridge - PHG Foundation ( email )

PHG Foundation
2 Worts Causeway
Cambridge, Cambridgeshire CB1 8RN
United Kingdom

Alison Hall

PHG Foundation - University of Cambridge ( email )

PHG Foundation
2 Worts Causeway
Cambridge, Cambridgeshire CB1 8RN
United Kingdom

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
101
Abstract Views
548
rank
333,895
PlumX Metrics