Secondary use of Personal Health Data: when is it 'Further Processing' under the GDPR, and What Are the Implications for Data Controllers?

20 Pages Posted: 15 Apr 2022

See all articles by Regina Becker

Regina Becker

University of Luxembourg

Davit Chokoshvili

Universite du Luxembourg

Giovanni Comandé

LIDER-Lab, Scuola Superiore Sant'Anna

Edward Dove

University of Edinburgh - School of Law

Alison Hall

PHG Foundation - University of Cambridge

Colin Mitchell

University of Cambridge - PHG Foundation

Fruzsina Molnar-Gabor

Heidelberg Academy of Sciences and Humanities

Pilar Nicolás

University of the Basque Country - Faculty of Law

Sini Tervo

Ministry of Social Affairs and Health, Finland

Adrian Thorogood

Universite du Luxembourg - Luxembourg Centre for Systems Biomedicine

Date Written: March 24, 2022

Abstract

Contemporary biomedical research heavily relies on secondary use of personal health data that was obtained in a different clinical or research setting. Under the European General Data Protection Regulation (GDPR), data controllers processing personal data must comply with the principle of purpose limitation, which restricts further processing of personal data beyond the purpose for which the data was initially collected. However, “further processing”, is not explicitly defined, resulting in considerable interpretive ambiguities as to whether “secondary use” of data by researchers constitutes “further processing” under the GDPR. This ambiguity is problematic, as it exposes researchers to potential non-compliance risks. In this article, we analyse the term “further processing” within the meaning of the GDPR, elucidate important aspects in which it differs from “secondary use”, and discuss the implications for data controllers’ GDPR compliance obligations. Subsequently, we contextualise this analysis within a broader discussion of regulating scientific research under the GDPR.

Note:
Funding Information: Work of RB was supported by ELIXIR-Luxembourg. Work of DC was supported by the European Union's Horizon 2020 research and innovation programme Coordination and Support Action HealthyCloud (grant agreement no. 965345) and the Innovative Medicines Initiative 2 Joint Undertaking Research and Innovation Action European Platform for Neurodegenerative Diseases (EPDN, grant agreement no. 101034344). Work of GC was supported by the Italian Health Ministry under the activity “Strategia Genomica italiana: istituzione di una cabina di regia a supporto dell’iniziativa europea 1+Million Genomes (1+MG) e Beyond 1+MG (B1MG) e del Coordinamento Interistituzionale per la Genomica in Sanità Pubblica” Work of FMG was supported by the European Union's Horizon 2020 research and innovation programme project EUCANCan: a federated network of aligned and interoperable infrastructures for the homogeneous analysis, management and sharing of genomic oncology data for Personalised Medicine (grant agreement no. 825835). Work of PN was supported by the Instituto de Salud Carlos III, Spain under “Infraestructura de Medicina de Precisión asociada a la Ciencia y Tecnología (IMPaCT) de la Acción Estratégica en Salud 2017-2020. IMP/00009”. Work of AT was supported by the European Union's Horizon 2020 research and innovation programme Coordination and Support Action Beyond 1 Million Genome (B1MG, grant agreement no. 951724).

Declaration of Interests: FMG is a member of the European Group on Ethics in Science and New Technologies. This paper is written in a purely private capacity and the views expressed here cannot be attributed to anyone other than the author(s). All others have nothing to declare.

Keywords: GDPR, further processing, secondary use, personal data, biomedical research, scientific research

Suggested Citation

Becker, Regina and Chokoshvili, Davit and Comandé, Giovanni and Dove, Edward and Hall, Alison and Mitchell, Colin and Molnar-Gabor, Fruzsina and Nicolás, Pilar and Tervo, Sini and Thorogood, Adrian, Secondary use of Personal Health Data: when is it 'Further Processing' under the GDPR, and What Are the Implications for Data Controllers? (March 24, 2022). Available at SSRN: https://ssrn.com/abstract=4070716 or http://dx.doi.org/10.2139/ssrn.4070716

Regina Becker (Contact Author)

University of Luxembourg ( email )

CAMPUS BELVAL / House of Biomedicine II
6, avenue du Swing
Belvaux, 4367
Luxembourg

Davit Chokoshvili

Universite du Luxembourg ( email )

L-1511 Luxembourg
Luxembourg

Giovanni Comandé

LIDER-Lab, Scuola Superiore Sant'Anna ( email )

Piazza dei Martiri della Liberta 33
56127 Pisa, 56100
Italy

HOME PAGE: http://www.lider-lab.eu

Edward Dove

University of Edinburgh - School of Law ( email )

Old College
South Bridge
Edinburgh, EH8 9YL
United Kingdom

Alison Hall

PHG Foundation - University of Cambridge ( email )

PHG Foundation
2 Worts Causeway
Cambridge, Cambridgeshire CB1 8RN
United Kingdom

Colin Mitchell

University of Cambridge - PHG Foundation ( email )

PHG Foundation
2 Worts Causeway
Cambridge, Cambridgeshire CB1 8RN
United Kingdom

Fruzsina Molnar-Gabor

Heidelberg Academy of Sciences and Humanities ( email )

Pilar Nicolás

University of the Basque Country - Faculty of Law

Sini Tervo

Ministry of Social Affairs and Health, Finland ( email )

Adrian Thorogood

Universite du Luxembourg - Luxembourg Centre for Systems Biomedicine ( email )

2 Avenue de l'Université
Esch-sur-Alzette
Luxembourg

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
124
Abstract Views
337
rank
312,722
PlumX Metrics