Should consent for data processing be privileged in health research? A comparative legal analysis

Edward S Dove, Jiahong Chen, Should consent for data processing be privileged in health research? A comparative legal analysis, International Data Privacy Law, Volume 10, Issue 2, May 2020, Pages 117–131, https://doi.org/10.1093/idpl/ipz023

Introduction

Several recently drafted data protection laws appear to afford a privileged position to scientific research, including health research. Provisions that might otherwise apply to data subjects and data controllers, including rights exercisable by data subjects against controllers, are lifted or lessened. For example, the EU’s General Data Protection Regulation 2016/679 (GDPR) 1 defines scientific research broadly, stating that:

… the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. […] Scientific research purposes should also include studies conducted in the public interest in the area of public health. 2

The GDPR grants some exemptions from its requirements when personal data are processed for scientific research purposes. 3 Provided appropriate safeguards are in place and processing for scientific research has a basis in EU or Member State law, researchers can, among other things, keep health-related data stored for a long time, refuse to delete personal data even if the data subject withdraws their consent for participating in the research project, and use data from one research project for others. 4 Scientific research, it seems, faces a lighter data protection regulatory touch than would apply to other data processing activities, such as processing for commercial or marketing purposes. The policy rationale is that data protection law should protect the fundamental rights of data subjects but also facilitate scientific research and medical innovation to improve health and well-being. 5 If data processing for scientific research (eg biobanking, genomic research, epidemiological research) were treated as equivalent to data processing for banking or digital marketing, citizens would suffer from slower research breakthroughs and translational research discoveries that bring new diagnostics, drugs, and devices to market.

At the same time, it should not be assumed that processing personal data for non-health research purposes faces an insurmountable legal barrier in the EU or other jurisdictions. Data protection laws are drafted, after all, with a view to balancing the need for protecting the fundamental rights of data subjects with the need for enabling the free flow of data within and across jurisdictions to facilitate economic development, protect national security, and promote general well-being. 6 A common misperception of modern data protection law, for example, is that a controller is legally obliged to obtain the data subject’s consent before processing that subject’s personal data. In other words, if a controller does not have a data subject’s consent to process their personal data, such processing is forbidden. In many countries, however, this is not the case. Instead, consent is but one of several ‘lawful bases’ to process personal data; 7 if there is an alternative lawful basis that a data controller can rely upon (eg compliance with a legal obligation to which the controller is subject), then consent of the data subject is not obligatory to process their personal data.

However, when it comes to considering whether consent should serve as the lawful basis for processing data in the health research context—that is, whether consent and only consent should be the basis for processing—a fair degree of policy and regulatory divergence emerges. This divergence seems to stem from a normative link that some draw between consent as a research ethics principle and consent as a lawful basis in data protection law. The normative claim goes that because research participants are often asked to consent before they participate in many (but certainly not all) types of health research studies, either on the basis of ethical principle (eg grounded in autonomy) or legal rule (eg an obligation for clinical trials), it would seem ethical, sensible, and practical to also ask them for their consent prior to processing their data. Not all scholars and policymakers agree with this position, though; a counterargument is that research ethics consent and data processing consent should not be conflated for ethical, legal, and methodological reasons. Moreover, for public organizations, consent is sometimes not a proper legitimate basis for data processing for research. 8 Thus, the counterargument’s main claim is that consent may be appropriate as the lawful basis for processing data in a health research project, but it is context-dependent and should not be made an absolute requirement.

This divergence regarding the role of consent in health research is evident when looking at the legal landscape of several jurisdictions. In some, the privileges afforded to health research are readily apparent; in others, they seem to dissipate if not disappear. For example, we find that the GDPR establishes a regulatory framework with no apparent bias towards consent—in the scientific research context or otherwise. Whether one is processing (regular) personal data or sensitive data such as health data and genetic data, the GDPR does not mandate an organization to obtain the data subject’s consent: other lawful grounds to process data are permitted. But we also find that Member States within the EU or other countries with data protection laws inspired by the GDPR can impose a stricter regime than the GDPR. For example, Ireland’s Health Research Regulations 2018 stipulate that a data controller proposing to process or further process personal data for the purposes of health research must do so on the basis of explicit consent, or otherwise apply to a special committee for a declaration that the public interest in carrying out the research significantly outweighs the public interest in requiring the explicit consent of the data subject. Less strictly, South Africa’s Protection of Personal Information Act, 2013 (POPIA) affords consent a privileged role in the research context. Namely, health data for research purposes must be processed on the basis of data subject consent unless (i) the research purpose serves a public interest and the processing is necessary for the purpose concerned; or (ii) it appears to be impossible or would involve a disproportionate effort to ask for consent. Somewhat similarly, the United Kingdom’s Data Protection Act 2018 (DPA 2018) stipulates that consent for processing sensitive data for research purposes is not required provided that it is carried out in accordance with Article 89(1) of the GDPR (as supplemented by section 19 of the DPA 2018) and is in the public interest.

Ultimately, what do these variations in national laws regarding the role of data processing consent mean for health research? Is data protection regulatory divergence detrimental for international research collaboration? Might we see regulatory arbitrage emerge where health research is conducted more frequently and extensively in jurisdictions that are viewed as more research friendly from a data protection law standpoint? Should data controllers opt for (explicit) consent as the most suitable lawful basis to process data for health research, or, given the concerns some express about consent as the lawful basis for data processing in a good number of health research studies, might alternative legal grounds be afforded more weight? And what role, if any, should the public interest have to play in this assessment?

As many of these laws have only recently been drafted, now is an opportune time to consider the role of consent in processing data for health research. We do so in this article by conducting a comparative analysis of several recently enacted laws governing data protection. We first look at the EU GDPR. Under this framework, the requirements for a valid consent are sufficiently stringent (including in relation to consent being ‘freely given’) that it has been suggested, at least in relation to clinical trials, 9 that consent is not the most appropriate legal basis (under Article 6) or the most appropriate exception for processing special category data (under Article 9). Researchers are likely to gravitate towards provisions that allow for processing personal data on grounds other than consent, such as Articles 9(2)(j) and 89(1). But, as we will argue, Article 89(1) allows for a bias towards consent within Member State law. Such bias may be exhibited in a number of ways. National laws, either implementing the GDPR or inspired by it, therefore, provide points of comparison. Regulatory favouritism towards consent may be exhibited in various forms, as seen in South Africa’s POPIA, the UK’s DPA 2018, and Ireland’s Health Research Regulations 2018, the latter two of which are Member State-specific supplements to the GDPR.

Upon analysing these laws (along with other relevant laws and regulations that also govern health research), we then argue that there is some merit in privileging data processing consent, but that this nevertheless should be distinguished from research ethics consent for reasons of conceptual clarity. We come to advocate a middle-ground approach in data protection law for health research, which tacks closest to South Africa’s POPIA approach, ie one that does not mandate consent as the lawful basis for processing personal data for health research—but does strongly encourage it—and, in the absence of consent as the lawful basis, requires a public interest justification or justification of impracticability of obtaining consent if one is to avail themselves of advantageous research exemptions. As we will argue, this approach achieves the best balance for protecting data subject/research participant rights and interests and promoting socially valuable health research. In this article, we confine our analysis to the more common (or standard) scenario of an adult with capacity where data are being collected for research use in the future. We do not address other scenarios, such as secondary use of previously collected personal data, or research and data processing involving adults lacking capacity or children. 10

We begin our assessment by looking at the GDPR as an overarching regulatory framework before turning to a comparative analysis of the POPIA, the DPA 2018, and Ireland’s Health Research Regulations 2018, respectively.

The GDPR as overarching regulatory framework

The GDPR took full legal effect across the European Union (EU) on 25 May 2018, and subsequently, the European Economic Area (EEA). It has a number of implications for health research involving the collection, use, and cross-border sharing of people’s personal data (it does not, however, override pre-GDPR laws in Member States governing health research provided those laws do not contravene the GDPR rules). The GDPR seeks to change the ways in which organizations both within and outside Europe collect, use, and share personal data. The GDPR regulates the processing activities of two key actors—(i) data controllers, meaning persons or entities that determine the purposes and means of processing personal data, eg companies, researchers, universities, and (ii) data processors, which refers to persons or entities that process personal data on behalf of a data controller, eg cloud providers and research collaborators, in many circumstances. The GDPR protects and promotes the data protection rights of data subjects, who in the health research context are most likely to be research participants.

Under the GDPR, processing of personal data is lawful only if one has a lawful basis. The six permissive lawful bases are stipulated in Article 6, of which consent is but one (Article 6(1)(a)): ‘Processing shall be lawful only if and to the extent that at least one of the following applies: […] the data subject has given consent to the processing of his or her personal data for one or more specific purposes.’ The GDPR defines consent as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’. 11 Article 6 should be read in light of Recital 50, which states that further processing for ‘scientific research’ purposes (which would include health research purposes) should be considered to be a compatible processing operation that requires no further or separate lawful basis.

While consent is one basis for processing, there are also other bases. And, indeed, where scientific research is carried out as a secondary purpose by the same data controller, then no further lawful basis is needed. 12 The GDPR does not privilege consent as a lawful basis in the scientific research context. Other, potentially more useful, lawful bases under GDPR Article 6 include legitimate interests (foremost applicable to commercial organizations) and tasks carried out in the public interest, the basis of which must be laid down by EU law or Member State law to which the controller is subject. Given this, several regulatory authorities, including the UK’s Health Research Authority, recommend that researchers process personal data on a lawful basis other than consent. 13

Moreover, under the GDPR, certain kinds of personal data are considered ‘special’—in other words, sensitive—and therefore deserving of even greater legal protection. Whereas with (regular) personal data, processing is lawful only where there is a lawful basis under Article 6, with special categories of data, processing is generally prohibited and will only be permitted if the processor meets one of 10 special category conditions (ie exceptions) listed in Article 9(2). What this means is that, at least according to common interpretation, processing ‘special categories’ of personal data requires two conditions: (1) the processing must have a lawful basis, ie one of the six lawful bases outlined in Article 6, and (2) it must fall within at least one of the 10 exceptions specified in Article 9(2). 14 A crucial consideration when processing ‘special categories’ of personal data under the GDPR such as genetic data and health data is the condition under Article 9(2)(j) that allows these data to be processed on the grounds of scientific research purposes, based on EU or Member State law and in accordance with Article 89(1). Processing these data on the grounds of scientific research purposes can enable organizations to work around the obligation to secure data subjects’ ‘explicit consent’ for processing, which is an alternative condition under Article 9(2)(a). 15

Thus, whether processing (regular) personal data or special category personal data such as genetic data and health data, the GDPR does not mandate an organization to obtain the data subject’s consent. Indeed, the requirements for a valid consent under the GDPR are sufficiently stringent (including in relation to consent being ‘freely given’) such that it has been suggested, at least in relation to clinical trials, 16 that consent is not the most appropriate legal basis (under Article 6) or the most appropriate exception (under Article 9). Instead, researchers are likely to gravitate towards Articles 9(2)(j) and 89(1). This flexible approach allows for a good deal of research promotion and medical innovation, but also, as we discuss below, arguably carries some drawbacks.

While there is a theoretical possibility that a controller might conduct health research directly under the safeguard requirements of GDPR Article 89(1), one would expect that most, if not all, Member States have specific legislation governing the use of personal data in the context of health research. Some of this legislation has long pre-dated the GDPR, as will be discussed in the section on the UK. And, as we will see, the GDPR gives Member States the ability to legislate at the national level in certain areas, including processing of personal data for scientific research purposes. This flexibility has already led to regulatory divergence in the EU and EEA, including in some instances a tamping down on the ability to process personal data for health research on a lawful basis other than consent. More specifically, Article 89(1) GDPR allows for a bias towards consent within Member State law. Such a bias may be exhibited in a number of ways. National laws, either under the GDPR or inspired by it, provide points of comparison. We now turn to this.

A comparative legal analysis

South Africa’s Protection of Personal Information Act, 2013 (POPIA)

The Protection of Personal Information Act (POPIA) was adopted by South Africa in 2013, but the actual date for its entry into full force is yet to be announced at the time of writing. While certain provisions of the POPIA took effect in 2014 to enable the establishment of the Information Regulator, the main body of the Act is not yet in force. 17 The GDPR (specifically, earlier iterations of the law) has had influence on the drafting of the POPIA. 18 In the context of health research, the POPIA governs the processing of personal information for research; it is intended to complement already-existing ethics guidelines for conducting health research, 19 though the extent that it does so insofar as permitting ‘broad consent’ is concerned has been called into question. 20

Apart from the general rules on processing of personal data, the POPIA sets out additional restrictions on the use of ‘special personal information’. 21 Such special categories of personal information include those concerning a data subject’s ‘religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information’ or ‘criminal behaviour’. 22 Processing of such personal information is generally prohibited, unless legitimized by one of the exemptions provided by Section 27. In addition, Sections 28 to 33 provide further derogations regarding specific types of special personal information.

The five general legal bases (ie exemptions) provided by Section 27 include: (a) ‘consent of a data subject’; (b) ‘establishment, exercise or defence of a right or obligation in law’; (c) ‘an obligation of international public law’; (d) ‘historical, statistical or research’; and (e) ‘information […] deliberately […] made public by the data subject’. Processing of special personal information may be carried out where at least one of these exemptions applies.

However, it should be noted that the ‘historical, statistical or research’ exemption is subject to further conditions. Section 27(1)(d) stipulates that the exemption is applicable only to the extent that: (a) ‘the purpose serves a public interest and the processing is necessary for the purpose concerned’; or (b) ‘it appears to be impossible or would involve a disproportionate effort to ask for consent’. In either case, ‘guarantees [must be] provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent’.

It is clear that while research activities may generally benefit from the research exemption, the POPIA treats those serving a public interest differently from those not. 23 If the processing concerned proves to be necessary for a public interest, it would be authorized provided that safeguards are put in place. In the absence of a public interest, however, the general prohibition would be lifted only where it is impractical to obtain consent from the data subject.

In other words, where research activities do not have a public interest element, consent would be the privileged legal basis for processing sensitive data. The research exemption itself, in contrast, applies only when seeking consent proves unfeasible. To the extent that researchers are required to ask data subjects for consent as far as possible, consent enjoys a favoured position in the context of using sensitive data for research purposes that are not otherwise in the public interest.

For researchers whose use of sensitive data is subject to the POPIA, this means they will have to first establish whether their research activities serve a public interest. If so, they may choose to obtain consent from the data subject, or rely solely on the research exemption. If not, they must prioritize consent as the primary legal basis, and only when this turns out to be impractical can they rely on the research exemption.

Such a ‘two-track’ system perhaps mirrors the difficulty in striking a fair balance between protecting and promoting the privacy interests of data subjects, the public interests involved in scientific research, and the hybrid interests represented by privately-commissioned research activities. Indeed, the research exemption went through significant changes in the course of legislating the POPIA. A recommended proposal drafted by the South African Law Reform Commission as part of its 2005 Discussion Paper included a research exemption, but a highly restricted one. 24 It set out four conditions, all of which had to be fulfilled at the same time: (1) the research is in the public interest; (2) processing sensitive information is necessary for the research; (3) it is impractical to obtain explicit consent; and (4) safeguards are in place to protect the data subject’s privacy.

However, after a public consultation, the Commission removed this clause in its 2009 Final Report. 25 It is not clear why the research exemption was taken out, but in a different section addressing information concerning the data subject’s health and sex life, the Commission cited extensively materials from the World Medical Association, the British Medical Association, and the Canadian Medical Association to highlight the importance of consent in the context of medical research. 26

This changed position was adopted in the Government’s Bill tabled in the same year. 27 Yet, the research exemption was re-introduced in a later draft by a committee of the National Assembly. 28 In this version, however, the restrictions were somewhat watered down compared to the 2005 proposal. Under the amended bill (and the final version of the POPIA), the four conditions no longer apply cumulatively, but instead in a more selective manner: use of sensitive information can be based either on the public interest element—conditions (1) and (2)—or on the fact that it would involve an unreasonable effort to obtain consent—condition (3). Either way, guarantees must be given that the data subject’s privacy is not affected disproportionately—condition (4). These changes throughout the legislative process may be the result of the complicated balancing of various stakeholders’ interests. 29

The UK’s Data Protection Act 2018

Within the general framework of the GDPR, the UK has enacted its Data Protection Act (DPA) 2018 to give effect and clarification to a number of the former’s provisions, including the use of sensitive data for research purposes. 30 It should be noted that the DPA 2018 also implements the EU’s Law Enforcement Directive 31 and addresses issues outside the scope of EU law. 32 As far as the matters covered by the GDPR are concerned, the DPA 2018 is mostly aligned with the EU standard, including, for example, the definition of sensitive data (‘special categories of personal data’). While scientific and historical research remain an exemption to the general prohibition on processing of sensitive data, the DPA 2018 has laid down additional conditions upon which research activities may benefit from the exemption.

Schedule 1 makes provision about the conditions for lawful uses of sensitive data. Paragraph 4 of the Schedule covers research-related uses, and provides that processing of sensitive data is allowed only if the processing ‘(a) is necessary for archiving purposes, scientific or historical research purposes or statistical purposes, (b) is carried out in accordance with Article 89(1) of the GDPR (as supplemented by section 19), and (c) is in the public interest’. Points (a) and (b) are essentially a reiteration of what is already required under the GDPR, whereas point (c) has in effect imposed a new restriction beyond that set out by the GDPR. Unlike the GDPR, where the public interest requirement applies only to archiving purposes but not research or statistical purposes, the DPA 2018 mandates such a requirement for all three types of processing.

For health researchers wishing to use sensitive data for research purposes, this means a public interest must be established before they can rely on the research exemption. Otherwise, a different exemption (ie lawful basis) will need to be identified so as to justify their processing of sensitive data.

Neither the DPA 2018 itself nor the Information Commissioner’s Office (ICO) Guide on the GDPR provides further clarification on what would constitute a public interest in the context of research. However, the ICO’s Guide makes it clear that the research exemption ‘does not apply to the processing of personal data for commercial research purposes such as market research or customer satisfaction surveys’. 33 That said, this should not be interpreted in too narrow a sense, considering that ‘substantial public interest’ forms a separate lawful basis for processing of sensitive data. 34

To the extent that the DPA 2018 provides special treatment to research activities in the public interest, it has effectively created a ‘two-track’ system akin to the one under South Africa’s POPIA. However, for research projects that do not serve a public interest, the DPA 2018 is clearly more stringent than the POPIA in that no further derogation is provided in cases where seeking consent from data subjects proves impossible or impractical. In other words, consent is treated as the privileged—or as the case may be, the only—legal basis for uses of sensitive data by research projects that are not in the public interest.

We note that there are other relevant laws in the UK that govern data for health research purposes and that the GDPR applies to long-standing domestic legal and regulatory schemes that govern the use of personal data and the common law duty of confidentiality. Data protection law operates closely with the law of confidentiality. Regarding the latter, healthcare professionals are under both ethical and legal duties to protect patients’ personal information from improper disclosure. Confidentiality is an important ethical and legal duty but it is not absolute. 35 Healthcare professionals may disclose personal (patient) data without breaching the duty of confidentiality when, among other justifications, the disclosure is permitted or has been approved under a statutory process that sets aside the common law duty of confidentiality.

Specifically, in England and Wales, Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 and Section 251 of the NHS Act 2006 (originally Section 60 of the Health and Social Care Act 2001) provides the statutory power to enable NHS patient identifiable information to be used for prescribed purposes without the consent of patients and without being in breach of the common law duty of confidentiality. The governance of this process is, at least in England and Wales, under the control of the Health Research Authority (HRA), which was formally established as an executive non-departmental public body under the Care Act 2014. Where confidential patient information is to be shared with patient consent, approval would normally be subject to an HRA-approved NHS research ethics committee (REC); use of NHS patient data for health research without patient consent would require a favourable NHS REC opinion and HRA approval through the guidance it receives from its Confidentiality Advisory Group. In Scotland and Northern Ireland, there are no specific laws governing use of patient data without consent; in these two nations, the common law dictates. Determinations are made by the Public Benefit and Privacy Panel for Health and Social Care in Scotland, and in Northern Ireland by Medical Directors of individual Health and Social Care Trusts on a case-by-case basis.

Another example of sector-specific legislation governing the use of personal data for research purposes in the UK is the Digital Economy Act (DEA) 2017. Under Chapter 5 of Part 5 of the DEA 2017, ‘personal information’ (which may include personal data 36) held by a public authority ‘may be disclosed to another person for the purposes of research which is being or is to be carried out’, provided that certain conditions are met. 37 Although such disclosure must not contradict the DPA 2018, 38 it is believed that the DEA 2017 has in effect provided a legal basis for qualified sharing of personal information and consent by the data subject is therefore not needed. 39

While some of these laws and arrangements set aside the common law duty of confidentiality, they do not set aside the need to comply with other legislation or the principles of data protection law. Even if a disclosure of otherwise confidential patient data, for example, is permitted under the common law, the disclosure must still satisfy the requirements of data protection law. This means that there also still needs to be a legal basis under the GDPR (and DPA 2018) for processing personal data—which necessarily in this context would not be consent of the data subject. More importantly, the DPA 2018 remains the primary legal baseline for processing of personal data for health research in the absence of lex specialis. Research projects that do not source ‘patient information’ from the NHS or ‘personal information’ from a public authority will be subject to the DPA 2018. Thus, our foregoing analysis in regards to the scope of and value placed on the lawful basis of consent under UK data protection law still applies, including in the context of processing patient data for health research. And in this sense, these long-standing laws are not superseded by the DPA 2018; indeed, they complement each other.

The Irish Health Research Regulations 2018

Ireland’s Data Protection Act 2018 gives national effect to aspects of the GDPR that are specific to Ireland, including conditions for data processing for research purposes. Section 36 of that Act enables the government to enact Regulations to, among other things, identify additional suitable and specific measures regarding the explicit consent of the data subject for the processing of their personal data for one or more specified purposes. To that end, the Health Research Regulations 2018, which came into force in August 2018, establish six key points regarding processing of personal data for health research. They:

  1. outline the mandatory suitable and specific measures for the processing of personal data for the purposes of health research (Regulation 3(1));
  2. provide a definition of health research for the purposes of the regulation (Regulation 3(2));
  3. provide for the possibility of applying for a consent declaration for new research (Regulation 5);
  4. provide for transitional arrangements in respect of the granting of consent declarations for health research that is already underway (Regulation 6);
  5. provide for the establishment and operation of a committee of persons to make decisions on applications for consent declarations, including an appeals process (Regulation 7-13 and Schedule); and
  6. include a number of miscellaneous provisions (Regulations 14–16).

Health research is defined broadly in the Regulations to include any of the following scientific research for the purpose of human health, and unlike the sector-specific UK legislation discussed above—namely the Health Service (Control of Patient Information) Regulations 2002, the NHS Act 2006, and the DEA 2017—is not limited to data held by a health service or public authority:

Unlike the GDPR, the Health Research Regulations 2018 privilege consent for data processing in the health research context by placing a rebuttable presumption on the data controller that explicit consent should be the operating legal basis. Specifically, Regulation 3(1)(e) states that:

A controller who is processing or further processing personal data for the purposes of health research shall ensure that the following suitable and specific measures are taken to safeguard the fundamental rights and freedoms of the data subject:

[…] explicit consent has been obtained from the data subject, prior to the commencement of the health research, for the processing of his or her personal data for the purpose of specified health research, either in relation to a particular area or more generally in that area or a related area of health research, or part thereof. 41

A relatively narrow carve-out permits controllers to forgo obtaining a data subject’s explicit consent. 42 Regulation 5(1) states that:

A controller proposing to process or further process personal data for the purposes of health research […] may apply to the [Health Research Consent Declaration Committee …] for a declaration where he or she is of the view that the public interest in carrying out the research significantly outweighs the public interest in requiring the explicit consent of the data subject […].

A controller making an application to the Committee must, prior to making the application, (a) carry out a data protection impact assessment in accordance with Article 35(1) of the GDPR, and (b) obtain ethics approval of the health research from a research ethics committee. 43 Moreover, the controller must furnish to the Committee a great deal of information as part of the application, specifically:

  1. Written information that clearly identifies—

This means that a researcher may apply for a declaration that explicit consent is not required only if, in the case of a new health research project, the public interest of the research ‘significantly outweighs’ the public interest in requiring the explicit consent of the individual whose data are being processed (Regulation 5(1)). The language of ‘may’ rather than ‘must’ in Regulation 5(1) suggests that an application for such a declaration is not legally required, but evidences a strong assurance of compliance. Indeed, Regulation 3(1)(d) states that a controller who is processing or further processing personal data for the purposes of health research ‘shall’ ensure that ‘explicit consent has been obtained from the data subject, prior to the commencement of the health research, for the processing of their personal data for the purpose of specified health research, either in relation to a particular area or more generally in that area or a related area of health research, or part thereof’. Thus, it appears that the only way researchers can work around the requirement for explicit consent is to apply for a declaration from the Health Research Consent Declaration Committee.

Some commentators have expressed alarm that, given the onerous burden to obtain explicit consent in some large-scale data-intensive studies and the uncertainty of successfully obtaining a waiver from the Health Research Consent Declaration Committee, these Regulations will have a detrimental impact on several areas of health research in Ireland, including retrospective chart reviews, biobanks, and research with individuals who lack capacity to consent. 44 Moreover, researchers seeking to avail themselves of the exemption likely will find the task arduous, given the amount of information to be provided with the application to the Committee and the conditions to be fulfilled in advance of the application. Indeed, in our view, few research projects will be able to obtain a consent waiver from the Committee. A website has been set up for the Committee, explaining its remit as thus:

The [Health Research] Regulations make explicit consent the default position for processing personal data for health research. In other words, a health researcher planning to use an individual’s information for health research must obtain the explicit consent of the individual to do so. This is about empowering the patient in relation to his or her medical records.

However, it is recognised—as it is in other countries—that sometimes, in limited situations, obtaining consent will not be possible and that the public interest of doing the research significantly outweighs the need for explicit consent. It is in cases like this that HRCDC has a decision-making role.

[…]

In order that such applications are carefully considered from a range of perspectives, the Health Research Regulations provide for an independent and representative committee to make decisions on those applications—that is the role of the HRCDC.

In everything that we do, our objective will be to seek to build Transparency, Confidence and Trust. 45

Time will tell whether the Health Research Regulations 2018 are successful based on generally agreed parameters of regulatory assessment. 46 In the following section, we argue that these Regulations fail to achieve a suitable balance among the interests of various stakeholders, foremost data subjects (research participants) and the research community, and mandate (explicit) consent to a disproportionate degree.

Consent for data processing: quo vadis?

Divergence across a spectrum of recent laws

The three national laws discussed in the previous section represent different approaches to regulating the use of sensitive data in the context of health research, and consequently have varying degrees of impact on projects involving collection and use of data. Under each of the POPIA, the DPA 2018, and the Irish Health Research Regulations 2018, scientific research may qualify as an exemption, parallel to data subjects’ consent, from the general prohibition on processing of personal data. In other words, at least some categories of health research activities involving the use of sensitive data, irrespective of the actual applicable law among the three, would be allowed even without (explicit) consent from the data subject. However, the differences in the conditions and restrictions imposed on the research exemption show a nuanced divergence of the policy choice regarding the extent to which consent should be treated as a favoured option.

As an overarching regulatory framework, the GDPR’s default position shows little regulatory preference (or ‘bias’) for consent as the appropriate protective measure in the case of research. Under Article 9(2), explicit consent is but one of the exemptions equally available to researchers. They can either rely on Article 9(2)(a)—by obtaining explicit consent from the data subject—or, more likely, on Article 9(2)(j)—by putting in place safeguards in accordance with Article 89(1) based on EU or Member State law. 47 There is almost no compliance incentive for researchers to choose consent over the research exemption to legitimize their processing of sensitive data under the GDPR.

Turning to national laws, we see that the Irish Health Research Regulations 2018 represent a starkly different approach that strongly favours (explicit) consent as the primary choice of safeguard. 48 As analysed above, explicit consent from data subjects for processing their data forms a mandatory part of the measures to be taken by health researchers. Such a requirement is exempted only if it can be established that the interest in seeking explicit consent is ‘significantly outweigh[ed]’ by the public interest in carrying out the research. To establish that this is the case, researchers would need to apply for a declaration from the Health Research Consent Declaration Committee that expressly states such an overriding public interest. As noted above, the application process is onerous. This essentially creates a major motivation for researchers to seek explicit consent from data subjects so as to avoid the substantive and procedural burdens involved in the application for a consent waiver. For health research projects unable to demonstrate a compelling public interest, obtaining explicit consent would be the only option.

We also see more moderate options adopted by South Africa’s POPIA and the UK’s DPA 2018. Under both regimes, processing of sensitive data for research purposes is treated differently depending on whether a public interest can be identified. With a public interest element, such processing would be allowed, provided that certain safeguards are in place, with no need for explicit consent from data subjects or a formal consent waiver from a committee. Without such a public interest element, the research exemption would no longer apply and consent would be the only available compliance option. Consent therefore constitutes a privileged justification under both the South African and the UK legislation for uses of sensitive data for research purposes, to the extent that it is required for research activities that are not in the public interest. Both regimes reflect a regulatory preference for consent, especially in the absence of a public interest element, although that preference is not as strong as the one under the Irish Regulations. Yet there is a further degree of divergence between the POPIA and the DPA 2018 when it comes to research activities that do not fulfil the public interest requirement. Under Section 27(7)(d) of the POPIA, such activities will nevertheless be exempted insofar as ‘it appears to be impossible or would involve a disproportionate effort to ask for consent’, a proviso not provided by the DPA 2018.

With the key differences embodied in the approaches of the three pieces of legislation compared above, it becomes evident how they represent a range of policy choices in terms of the privileged status of consent in safeguarding health research uses of personal data. Such differences are summarized in Table 1.

Table 1. Comparison of recent data protection statutes regarding data processing consent for health research purposes

Legislation | Conditions for exemption from obtaining data processing consent 49 | Privileged status of data processing consent
------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ----------------------
POPIA (South Africa) | Public interest or impracticability to obtain consent (controller assessed) | Moderately privileged
DPA 2018 (UK) | Public interest (controller assessed) | Moderately privileged
Health Research Regulations 2018 (Ireland) | Significant public interest and consent waiver declaration (independently assessed by third party) | Strongly privileged

It should, however, be emphasized that certain specific requirements or exceptional cases in each of the statutes have been intentionally simplified for the purpose of comparison here. The general safeguards set out by Article 89(1) GDPR are specified differently under the Irish and UK implementations, and are clearly more detailed than the ‘sufficient guarantees’ required by Section 27(1)(d) POPIA. And, under Section 19(3) of the DPA 2018, research uses of personal data for ‘measures or decisions with respect to a particular data subject’ are allowed only if approved by a research ethics committee. The omission of such details in the discussion above does not mean that they are unimportant, but a simplified description of each of the regulatory models has the benefit of enabling us to highlight the principal differences in legislative approaches, as well as the underlying policy considerations regarding the merits of consent in research activities. Such a comparison would in turn provide a helpful analytical framework for us to reflect on the appropriate approach to achieve the best balance among the interests of various stakeholders, including data subjects, the public, and the research community.

Finding an appropriate balance among various stakeholder interests

As mentioned briefly in our introduction and section on the GDPR, there is some concern of a conflation between research ethics consent and data processing consent. Research ethics consent, often termed ‘informed consent’, is a powerful ethical-legal norm in most forms of health research involving human participants. It is considered to be the primary means by which researchers accord respect to participants, and in turn, it is seen as a manifestation of participants’ individual autonomy and a means to protect their dignity and bodily integrity. 50 Consider, for example, Article 7 of the International Covenant on Civil and Political Rights, which states that "no one shall be subjected without his free consent to medical or scientific experimentation." Through the consent form, participants signal in an evidentiary manner whether or not they choose to participate in a research project by, for example, providing biological samples and/or personal data. 51

But for the purposes of data protection law, we must, foremost for reasons of conceptual clarity, distinguish (informed) consent to participation in a research project from consent as the legal basis for processing personal data. In the former case, a research ethics committee likely will require that the researcher obtain the informed consent of participants prior to conducting the research, through, for example, provision of an information sheet and securing signature on a form. And, as mentioned, consent to participation may be a legal obligation in some jurisdictions for certain types of health research, such as clinical trials involving drugs or devices. Consent to process personal data, however, may not be a legal or ethical obligation per se under data protection law. We have some concern that failure to make this distinction between research ethics consent and data processing consent explicit will exacerbate a misconception among participants and researchers alike such that the participants’ consent to participate in a research project de facto equates to a consent to (also) process their personal data. We term this ‘consent misconception’, a scenario whereby because consent is the favoured mechanism and key ethico-legal norm in research ethics governance, it is perceived that it must also be the case for data protection purposes. While it may be the case that researchers will want to rely on consent as a lawful basis to process data (or as we see in Ireland’s case, it may have to be the case), nevertheless, for a variety of reasons, foremost scientific and methodological, but also ethical and legal, researchers may want to rely on another lawful basis if alternatives are available.

Indeed, the UK’s General Medical Council has opined that:

It will not always be appropriate for data controllers to rely on consent under GDPR as a condition for processing health data. For example, implied consent is an accepted concept under the law of confidentiality, but it is unlikely to be a sufficient basis for sharing personal data based on consent under Article 6(1)(a) of the GDPR, and will not be sufficient for sharing ‘special category data’ based on explicit consent under Article 9(2)(a) of the GDPR. However, the GDPR does provide alternative conditions for processing data which are likely to be more appropriate in a health context. This means that a doctor who is a data controller may be relying on different legal justifications for disclosing information under the common law duty of confidence and under the GDPR. 52

Similarly, the European Data Protection Board has commented in the context of clinical trials research that:

15. … the informed consent foreseen under the CTR [EU Clinical Trials Regulation No 536/2014] must not be confused with the notion of consent as a legal ground for the processing of personal data under the GDPR. […]

16. The obligation to obtain the informed consent of participants in a clinical trial is primarily a measure to ensure the protection of the right to human dignity and the right to integrity of individuals under Article 1 and 3 of the Charter of Fundamental Rights of the EU; it is not conceived as an instrument for data protection compliance.

[…]

20. However, it must be kept in mind that even though conditions for an informed consent under the CTR are gathered, a clear situation of imbalance of powers between the participant and the sponsor/investigator will imply that the consent is not ‘freely given’ in the meaning of the GDPR. As a matter of example, the EDPB considers that this will be the case when a participant is not in good health conditions, when participants belong to an economically or socially disadvantaged group or in any situation of institutional or hierarchical dependency. Therefore, and as explained in the Guidelines on consent of the Working Party 29, consent will not be the appropriate legal basis in most cases, and other legal bases than consent must be relied upon […].

21. Consequently, the EDPB considers that data controllers should conduct a particularly thorough assessment of the circumstances of the clinical trial before relying on individuals’ consent as a legal basis for the processing of personal data for the purposes of the research activities of that trial. 53

Moreover, even outside the clinical trials research context, many would see mandating or otherwise strongly privileging consent as the lawful basis in the health research context as problematic for at least two reasons. First, the interpretation of consent and what forms a valid consent and how it is to be recorded differs not only between the fields of data protection and research ethics, but also across countries (eg what is ‘informed’, how ‘broad’ can a broad consent be), potentially disrupting international research collaboration. 54 Second, the possibility of a withdrawal of consent for data processing (which is obligatory under Article 7 of the GDPR) will complicate the situation where data must be removed from a repository. If consent is used as the lawful basis for processing data and a research participant withdraws consent, the controller will no longer have a lawful basis to process personal data about them, unless the data are also processed for another purpose which justifies retention without consent. 55 This is distinct from consent for participation in a research project, where it is feasible that such withdrawal will not affect research activities already carried out and the use of data obtained based on consent before its withdrawal.

An added complication between research ethics consent and data processing consent is the demarcation of each in information sheets and consent forms. Article 7(2) of the GDPR states: ‘If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.’ This would oblige controllers to be particularly careful in distinguishing consent for participation in health research from consent for data processing during the consent process and in any information sheets and consent forms provided to participants/data subjects. 56 Arguably, there would also be a need to explicitly include the identity of all parties relying on the consent.

All this said, we nevertheless consider consent to be a manifestly stronger legal form for data subjects (and participants) to exercise their autonomy over the collection and use of their data, as well as their participation in a research project more generally. Consent enables individuals to exercise some degree of control over their body and bodily integrity, of which personal data forms a crucial component. Enabling data subjects to provide consent demonstrates respect for them as data subjects and also establishes a communicative bond between the controller and the subject, whereby each can inform the other of their interests, rights, and duties. For these reasons, as a general principle, we think consent should be privileged to a degree in the research provisions of data protection law, but in a moderate and rebuttable form.

Thus, we do not support the current default data protection model in Europe, reflected in the GDPR, because in our view, it privileges the interests of those conducting health research to too great an extent. While it does limit the potential for consent misconception, as researchers may avail themselves of other lawful bases and must make the selected basis explicitly known to data subjects, there is concern that researchers will de facto resort to an alternative lawful basis even when it is relatively easy to obtain consent from the data subject. In our view, if obtaining consent is not onerous, is ethically appropriate in the research project at hand, and will not present serious methodological problems to the project, consent should be obtained. This is, in particular, the case when it comes to privately-commissioned research that may not serve a clear public interest. Under the GDPR’s broad definition of research activities, the indiscriminate authorization of processing sensitive data for research purposes may lead to potential abuses of this exemption by private entities. 57 Without any privileged position afforded to the lawful basis of consent under the GDPR, researchers likely will gravitate to the research provisions under Articles 9(2)(j) and 89(1).

For somewhat similar reasons, we also do not support the model espoused by Ireland’s Health Research Regulations 2018. Here, consent is privileged to too great an extent. We share the concern from many in the research community that by mandating explicit consent, subject only to a committee waiver whereby it is demonstrated that (among other things) the public interest in carrying out the research ‘significantly outweighs’ the public interest in requiring the explicit consent of the data subject, many health research projects will be subject to disproportionate, burdensome regulation that will dampen health research activity in the country. This will come at a cost to research competitiveness and patient access to innovative diagnostics, drugs, and devices. We see greater merit in self-assessment (and accountability to a regulator)—in other words, a framework under which the data controller/researcher undertakes an assessment of whether consent should be the lawful basis—than an independent third-party assessment that creates unnecessary bureaucratic burden. The rationale for promoting consent in data protection law for health research purposes is sound, but the means by which it is operationalized in Ireland are not. Consent is not the only means by which patients can be ‘empowered’ in relation to their medical records, and as we have stressed, the absence of consent does not necessarily contradict the values of ethical research. 58 Additionally, we note that data subject access rights to these records are provided for already in data protection law and are not contingent on consent as the lawful basis.

We support to a greater degree the approach taken by the UK’s DPA 2018, but consider it relatively difficult to make a public interest justification for health research in all instances. A benefit of the DPA 2018 compared to Ireland’s Health Research Regulations 2018 is that the determination of public interest is made by the controller (researcher), not by an independent committee to which a number of materials must be compiled and submitted, which, as we have said, is in our view overly bureaucratic. If a controller deems research to be in the public interest when in fact it is not, the data protection authority (eg the UK’s ICO) is empowered to intervene. We think this approach is more sensible and proportionate: the research community should engage in this form of co-regulation, which demonstrates presumed trust by the regulator, rather than command-and-control regulation that demands relatively inflexible rules-based compliance by the research community.

Ultimately, the approach we advocate tacks most closely to that of South Africa’s POPIA. Under this middle-ground model, consent as the lawful basis would be privileged unless the research purpose serves a public interest (as determined by the controller) and the processing is necessary for the purpose concerned, or obtaining consent from data subjects appears to be impossible or would involve a disproportionate effort. In either case, guarantees must be provided to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent. In our view, this model achieves the best balance between the various stakeholder interests at play. Data subjects (who are also research participants) are respected in that an obligation to obtain their consent is privileged—the operating assumption is that consent should be the lawful basis for processing their personal data. At the same time, consent is not mandated with only very narrow exemptions, as the Irish model would espouse. Rather, the onus is placed on the researcher (as data controller) to make an honest, informed determination about the burdens of obtaining consent or the public interest justifications for forgoing consent. This grounds data processing consent in self-assessment (and accountability to a regulator) rather than bureaucratic burden and submission to a third party, enabling the researcher to determine when consent is impracticable or when the research purpose serves a public interest and the processing is necessary for the purpose concerned, thereby opening the door to seeking other lawful bases to process personal data.

This approach does not displace the possibility that there may be a requirement for consent under another legal duty (eg the English duty of confidence) or research ethics obligations. Nonetheless, our preference is to hold these requirements distinct from data protection law for reasons of conceptual clarity. We would be better served to limit the risk of conceptual confusion regarding the data protection requirement that processing be ‘lawful’ when considering, for example, the intersection of the law of confidence and data protection law, or the intersection with any requirements for consent from the perspective of research ethics.

We do not think South Africa’s approach is perfect. While it mandates guarantees from the controller to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent, it lacks requirements on procedural and substantive safeguards to protect data subject rights. A ‘South Africa+’ model would combine the choice it currently provides (public interest justification for forgoing consent or impracticability to obtain consent) with enhanced procedural and substantive safeguards, similar to those stipulated in the GDPR. These safeguards would include technical and organizational measures, such as strongly encouraging anonymization and pseudonymization where possible; having a data protection officer in circumstances where the core activities of the controller or the processor consist of processing genomic or health-related data on a large scale; and having a data protection impact assessment undertaken in circumstances where the processing involves new technologies, or, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals. It should also include transparency in the decision-making process such that the controller makes clearly explicit the reasons for which data processing consent is deemed impracticable to obtain or the research purpose serves a public interest, thereby overriding the consent obligation.

Conclusion

In this article, we considered the role of consent in processing data for health research. As part of this analysis, we looked at several recent data protection laws—the EU GDPR, South Africa’s POPIA, the UK’s DPA 2018, and Ireland’s Health Research Regulations 2018—as well as other laws that impact the use of data for health research.

Among the various alternatives presented in the three national laws, we find that there is merit in distinguishing research ethics consent from data processing consent. Failure to do so enhances the risk of consent misconception. Data subjects (research participants) should be under no illusions—not created by their own doing—as to what they are consenting to and for what purposes. The research ethics norm of consent to participate in a project, and thereby agree to provide data and/or samples, is powerful and should be respected. The data protection lawful basis of consent is less powerful but should be privileged as well—to a degree. It symbolizes respect for the data subject and puts the data subject on a more symmetrical informational and communicative plane with the data controller. This analysis has led us to conclude that the regulatory framework under the GDPR and the national approach taken by Ireland both pull too far on opposite ends of the spectrum. One creates too great a risk to infringement of data subject rights and affords researchers too much leverage to avoid consent even in instances where it is appropriate; the other is overly burdensome, disproportionate, and detrimentally impacts health research. But, as the European Data Protection Board and other organizations have noted, there are compelling reasons why data processing consent may not be the appropriate lawful basis in the health research context, depending on the type of project. Context is crucial—and the consideration of context should, in our view, be assessed by the data controller/researcher rather than a third party, the latter of which risks disproportionate bureaucratic burden and undue tamping down of medical innovation.

Thus, we think a model that tacks closest to South Africa’s POPIA achieves the best balance among the various stakeholder interests for both protecting data subject/research participant rights and interests and also promoting socially valuable health research that can improve the lives of the community. Consent for data processing should be privileged in health research, but researchers also should be afforded an opportunity to forgo it in cases where it is impracticable for a given project or the research purpose serves a public interest and the processing is necessary for the purpose concerned—and at the same time, those (and all) researchers should have an obligation to make their reasons for forgoing consent transparent, and process individuals’ personal data with robust procedural and substantive safeguards in place.

Special thanks to the organizers of the workshop on ‘The Governance of Data Sharing for Genomic and other Health Related Data in Africa’ held on 4–5 February 2019 in Cape Town, South Africa. Thanks also to Mark Taylor, Himani Bhakuni, and Graeme Laurie for their insightful comments on an earlier draft. J.C. is supported by the Engineering and Physical Sciences Research Council [grant number EP/M02315X/1].

Footnotes

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1 [hereinafter, GDPR].