GDPR Article 89 and Appropriate Safeguards: Guidelines for biobanks for collection, use, and reuse of samples and personal data

Introduction

Genetic research requires access to large quantities of biological samples and data. The biobanks and databanks collect these samples and data directly from a research participant. This data is sensitive, and its use in research involves many fundamental rights of the research participant. 

The General Data Protection Regulation (GDPR) is the toughest and most widely used legal framework for collecting and using personal data. However, it provides many derogations and exemptions for research if appropriate safeguards are in place. But GDPR does not provide any guidance on these safeguards. 

This blog is based on a paper that aims to discuss the appropriate biobank and genetic research safeguards. The authors reviewed 14 legal and ethical instruments and listed six safeguards applicable to collecting, using, and reusing personal data in research. 

  1. Consent 
  2. Independent review and oversight
  3. Accountable processes 
  4. Clear and transparent policies 
  5. Security 
  6. Training and education 

The list of instruments analyzed is given in the table below: 

Consent

All the instruments stressed the importance of consent for collecting and using sample and participant data for research and the reuse in future research. 

Broadly, the discussion on informed consent covered five aspects: 

  • Consent must be prior, free, and informed. 
  • Specific vs. Broad consent models: Some stressed the use of specific consent models, and some also allowed the use of broad consent. The broadness of broad consents also varies in different instruments.
  • Right to withdraw: Participants must be informed of their right to withdraw consent. There should not be any descrimination based on their decision to withdraw. 
  • Acquiring consent from a legally acceptable representative (LAR) for participants unable to consent. Consent waivers should always be obtained from the Research Ethics Committee (REC). 
  • Community consultation: Obtain consent from community representatives where research is carried out in a community; however, it is not a substitute for individual consent. 

Independent Review and Oversight

The instruments broadly discussed four different types of review and oversight: 

  • Review and oversight in the establishment of a biobank and databank.  
  • Review and oversight of the research. 
  • Ethical review of the research
  • Review and oversight of the secondary use of samples and data.
“For all, the review must be independent.”

Accountable Processes

In general, the instruments require governance processes, with clear lines of accountability in the collection, use, re-use, and sharing of samples and data. An individual should be appointed responsible for the security and privacy of the collections and informing relevant individuals about their legal duties and responsibilities regarding the sample and data use.

  • Access requests (by a third party) should be subject to independent review and must include a research plan that is ethically and scientifically robust. 
  • The samples and data transfer should be accompanied by a legal agreement between the sender and recipient of the samples and data. 
  • The responsibilities of all parties must be specified, along with the sanctions in the event of non-compliance.

Clear and Transparent Policies and Processes

One of the common issues that all instruments emphasized was a need for clear and transparent policies on all aspects of collecting, using, and managing the samples and data, including secondary uses. The instruments did not detail the content of the policies but instead focused on what policies should be developed.

The research participant must be provided with the information specified as part of informed consent, and, in addition, they must be informed of any data breach. 

The instruments also point to the obligation to inform the general public. Any sources of funding must be disclosed publicly. A catalog of the resources available for research purposes must be made available.

Security

Protection of privacy highlights the importance of security, and it is the responsibility of those who process the data. All instruments were aware of the need for secure data.  

What can be done? 

  • Data should be anonymized.
  • Coding or de-linking of the sample and data is preferred as this enables the retrieval of the sample/data. 
  • The REC to review the security arrangements 
  • Before transferring data and samples, ensure the recipient has adequate security measures in place. 
  • Document all processes and protocols aimed at preserving the privacy and security of the research participants

Training and Education

Some of the instruments highlighted the need for training and education for those handling the biological samples and data. 

  • Research staff should have the necessary technical skills.
  • Training in Privacy and Security is a must for personnel handling samples and data.
  • Training should be according to the roles and responsibilities of the individual.
  • Ethics training for both REC members and researchers. 
  • Training should be ongoing.
  • A dedicated person should be assigned to test compliance with the relevant security and privacy standards and updates on the legal obligations related to the sample and data use.

Conclusion:

The GDPR provides an exemption from many of the strict processing requirements. Under Article 89, it is essential that appropriate safeguards are adopted, but there is limited guidance on what could be these safeguards. Such exemptions may leave research participants with limited rights in the absence of appropriate safeguards. The authors identified six possible safeguards for biobank, databank, and genetic research: Appropriately governed consents; independent review and oversight of biobanks and research; accountable processes; clear and transparent policies; adoption of security measures; and training and education of the personnel involved in the use and re-use of personal data in research. These safeguards should apply to collecting, using, and reusing personal data in research.   

Reference:

https://www.frontiersin.org/articles/10.3389/fgene.2022.719317/full?&utm_source=Email_to_authors_&utm_medium=Email&utm_content=T1_11.5e1_author&utm_campaign=Email_publication&field=&journalName=Frontiers_in_Genetics&id=719317

Written by: Sharvari Gokhale, OpenSpecimen Product Expert

For more details, email [email protected]