Over the years, a reading of the legislation on protecting personal data (erroneously equated with ‘privacy’) has become entrenched, hampering scientific research. There is room to interpret the law more correctly and allow scientists to work more effectively for the common good.
By Andrea Monti. Initially published in Italian by Scienza in rete.
An order issued on 15 April by the Italian Data Protection Authority (DPA) fined a hospital doctor who used clinical data in a report presented at a conference without complying with the law. In particular, the Authority charged the doctor with using the patient’s data without the prior authorisation of his employer (the hospital, acting as data controller). Moreover, the doctor lacked the patient’s consent, which had been given to the hospital but not to the individual doctor.
Regardless of the hospital’s authorisation, compliance with the EU General Data Protection Regulation (GDPR) was nonetheless necessary because the information relating to the patient used in the report submitted to the conference was such as to make him identifiable even in the absence of his personal details. It appears from the order that the study contained
The patient’s initials, age, sex, detailed anamnesis of the pathology suffered by the same, details of the admissions made … and the surgical operations undergone in that period, with an indication of the dates of admission and operations (in many cases the day, month and year of the same are given), the surgical unit which carried out the operations, the days spent in hospital, numerous diagnostic images (14), as well as 22 photographs showing the person concerned during the operations.
This order is an opportunity to talk once again about very delicate issues that have direct implications on medical research: the necessity and extension of the consent to the processing of personal data given by the patient and the possibility of using these data for research purposes, even in areas not related to the patient’s original consent.
The interpretative stiffness of the GDPR
In this specific case, the DPA’s findings on the need to have the authorisation of the ASL (the local health authority, the doctor’s employer) to use the patient’s clinical data, and on the need to inform the patient that his medical record would also be used for individual research, are essentially correct. Similarly, and in principle, the reading of the GDPR made by the Authority is also correct. It also recalled the obligation to refrain from processing data that is excessive in relation to the purposes pursued, in this case those of medical research, and that permits the patient’s identification.
However, the problem is precisely to understand the purposes involved in the research and whether their pursuit prevails over the data subject’s rights. This is why the Commissioner’s rigidity in prohibiting the reconstruction of the patient’s identity from data reported in a scientific publication, even where the patient’s personal details are omitted, is less acceptable.
In other words: can individual confidentiality prevail over the researcher’s duty to make the result he has achieved inter-subjectively verifiable? Moreover, can the right of the patient to refuse consent to the processing of personal data prevent research into new systems of diagnosis and treatment?
The importance of research integrity
In many cases, it is clear that doctors who have direct access to medical records can publish studies without providing any indirect means of identifying the patient. However, other cases, such as rare diseases, make this approach less easy or impossible to achieve. Consequently, although it is difficult to establish a general rule, it should be up to the scientific societies to provide concrete guidance in this respect, rather than leaving the individual researcher to bear this burden.
Moreover, it is necessary to remember that the epistemological paradigm of the intersubjective verifiability of predicates also applies in medicine. Thus, when a physician discusses a paper, he must put the scientific community in a position to verify the stated conclusions independently. This procedure is essential to avoid cases (or suspicions) of scientific misconduct, or individual and public policy choices being made on the basis of errors committed in good faith by researchers.
The GDPR itself plays a fundamental role because, rather than ‘privacy’, it deals with the reliability and trustworthiness of data processing in relation to the purpose pursued. Therefore, both in leading-edge research and in research carried out in more restricted areas, doctors have a legal obligation to process all the data they need to obtain reliable results.
Returning to this specific case, one can also discuss whether it was necessary to include all the data actually included in the research sanctioned by the DPA and described at the beginning of this article. However, in general terms, it is clear that to protect public health, all the data needed to corroborate the results of a study can and must be processed even without the data subject’s consent, without prejudice to his right to be informed.
A possible solution
It is not true that the Data Protection Regulation rules out a less radical interpretation than the one conveyed by the current narrative. The GDPR can be interpreted more flexibly when the needs of scientific and medical research are at stake. There is room to allow research based on data, especially anonymised data, without having to seek consent from patients every time.
There are ways of making it possible, especially for research that does not need to experiment in corpore vivo, to use data more easily without encumbering the work of scientists. For example, in the clinical field, electronic medical records could already be anonymised so that the data can be shared with external research groups without additional bureaucratic steps. Similarly, in observational research, the questionnaires administered to patients could already be structured in a ‘dual format’: one copy anonymised for research purposes, and one carrying the patient’s identification that remains under the control of the healthcare facility, so that the correctness of the data collected can be verified in the event of allegations of scientific fraud or a need to review the results.
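One way to implement the ‘dual format’ described above, as an added example that is not part of the original article: the research copy carries a random pseudonym and only coarsened attributes (sex, age band, admission year, outcome), while a separate linkage table stays with the facility and is consulted only to audit a disputed record. The field names and sample rows are constructed for illustration; because the facility keeps a linkage table, the research copy is pseudonymised rather than strictly anonymised in GDPR terms.

```python
import secrets
from datetime import date

# Constructed sample questionnaire rows (not real patients).
RAW_RESPONSES = [
    {"name": "Mario Rossi", "dob": date(1961, 3, 14), "sex": "M",
     "admitted": date(2020, 11, 2), "unit": "cardiac surgery", "outcome": "improved"},
    {"name": "Anna Bianchi", "dob": date(1985, 7, 30), "sex": "F",
     "admitted": date(2021, 2, 17), "unit": "cardiac surgery", "outcome": "stable"},
]

# Fields that identify the patient directly or indirectly (the DPA order cited
# initials, exact admission dates and the operating unit). They never enter
# the research copy; only coarsened derivatives of them do.
DIRECT_IDENTIFIERS = ("name", "dob", "admitted", "unit")

def age_band(dob, on):
    """Ten-year age band at the reference date, e.g. '60-69'."""
    age = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    lo = age // 10 * 10
    return f"{lo}-{lo + 9}"

def split_dual_format(rows, reference_date):
    """Return (research_copy, linkage_table) for a batch of questionnaires.

    research_copy: one record per response with a random pseudonym and only
    coarsened attributes; this is what an external research group receives.
    linkage_table: pseudonym -> identifying fields; stays with the facility.
    """
    research, linkage = [], {}
    for row in rows:
        pid = secrets.token_hex(8)  # random, so nothing about the patient can be derived from it
        linkage[pid] = {k: row[k] for k in DIRECT_IDENTIFIERS}
        research.append({
            "pid": pid,
            "sex": row["sex"],
            "age_band": age_band(row["dob"], reference_date),
            "admission_year": row["admitted"].year,
            "outcome": row["outcome"],
        })
    return research, linkage

def leaks_identifiers(research_copy):
    """Release check: pseudonyms of any research record still carrying an identifier field."""
    return [r["pid"] for r in research_copy if set(r) & set(DIRECT_IDENTIFIERS)]

def audit_record(linkage, pid, raw_rows):
    """Facility-side check in a dispute: the raw questionnaire behind a pseudonym, or None."""
    ident = linkage.get(pid)
    if ident is None:
        return None
    return next((r for r in raw_rows if all(r[k] == v for k, v in ident.items())), None)
```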
To achieve this goal, the DPA must do what was asked of citizens in many quarters during the pandemic: trust science and scientists.
It means, first of all, concretely applying the principle contained in the GDPR that personal data protection is not an absolute right.
Secondly, there is an urgent need for the Authority to abandon an approach based on an a priori ban on processing specific data and on the imposition of preventive bureaucratic burdens in the name of an unjustified precautionary principle. Especially when research works with anonymised data, the patient’s consent cannot be regarded as necessary or mandatory. Of course, there are cases in which even the indirect reconstruction of the patient’s identity could pose problems (e.g. if the research concerns diseases that carry a social stigma). In such cases, it would be conceivable for the data in question to be entrusted to a trusted third party and made available only to other scientists, and only to replicate the experiments. It should remain possible, in any case, to process all the data needed for research with the greater flexibility highlighted here.
Lastly, scientists should be left free to conduct their research, subject to ex-post checks by the competent authorities. It would be more efficient to apply the method practised by US President Ronald Reagan during the Cold War: ‘trust but verify’.
At the same time, however, scientists should be acutely aware of the need not to abuse the increased freedom that comes with the public role attributed to scientific activity by the GDPR. Applying the rule more flexibly cannot become a way to avoid complying with it in substance, even before the form.
The law must serve the citizens and not vice versa. Therefore, regulatory requirements should always be interpreted to guarantee the improvement of people’s quality of life.
Research on large and small amounts of data is an essential resource for science and medicine. The GDPR can easily be interpreted in the sense of allowing such research without blocking or burdening the work of scientists. Institutions need to realise the need to change their attitude towards interpretations of ‘privacy’ that turn it from a flexible tool for protecting individual rights into a threatening totem from which they should keep their distance.
It is equally essential that the scientific community finally becomes aware of the need to contribute to this cultural change.