RES-Q GDPR COMPLIANCE

Based on consultation with legal personnel and regulatory compliance officers, both internally and externally, we have determined that RES-Q will be in compliance with GDPR before the May 25th deadline. Currently, RES-Q is in compliance in principle, as detailed in points 1-5 below; however, we need to make all relevant documents related to transparency available prior to the May 25th implementation date, as explained in point 6.

The relevant sections of GDPR and their application related to the operation of RES-Q are identified below.  The full text for the relevant sections can be found at the end of this document, or in the official GDPR document available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32016R0679 [Retrieved April 26th, 2018].

1.     The validity and importance of medical registries for research purposes in the public interest.

GDPR acknowledges that registries provide valuable, high-quality data, which serve a legitimate purpose that is in the public interest.  As such, personal data can be processed from registries for scientific research purposes, as long as appropriate safeguards are implemented (Recital 157). Safeguards are discussed in Article 89.1.

2.     The role of informed consent in registry data collection and processing for scientific purposes.

GDPR makes it clear that informed consent is not necessary for data processing to be lawful. Lawful processing can be done “[…] on the basis of the consent of the data subject concerned [OR] some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law […]” (Recital 40). A legal basis is therefore needed for the collection of personal data.

At present, RES-Q has two legal bases for collection and processing of personal data. These legal bases relate to public interest and legitimate interest, as specified in Article 6.1 (e&f). Processing of special categories of data, specifically health-related data, is also permitted pursuant to Article 9.2 (h, i&j).

Given that these legal bases may be impacted by the future guidance of judicial decisions, or by interpretations or limitations imposed by individual EU member states as specified in Article 9.4, RES-Q reserves the right to review and amend these legal bases in accordance with these changes.

3.     Continued processing of existing RES-Q registry data.

Patient data which has already been contributed to RES-Q can continue to be kept and processed in keeping with our stated research goals of improving quality in stroke care. GDPR states that “Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations” (Recital 50).

4.     RES-Q Data Protection

RES-Q was designed with GDPR in mind, so many of the suggested data protection policies are already implemented. GDPR requires that appropriate organizational and technical safeguards are in place and that principles of data minimization are utilized. Pseudonymization can be used where necessary, and anonymization or aggregation should be used where possible. Finally, statistical data should be regarded not as personal data but as aggregate data, as it relates to no specific natural person. Recital 162 and Article 89.1 provide more details.

RES-Q is housed within the secure hospital IT infrastructure of St. Anne’s University Hospital in Brno, Czech Republic. All data is stored within this secure infrastructure, and it can only be accessed by authorized personnel. Web access is only possible for authorized users with verified credentials over a secure channel with encryption (HTTPS). Backups are performed regularly, and a disaster recovery procedure is in place.

Data minimization has been a central part of RES-Q since its initial development. Only data necessary to the research goal of improving stroke care quality is collected, with personal data limited to patient age and gender. Pseudonymization is also implemented, with all patients being assigned a randomly generated RES-Q ID, unless otherwise explicitly assigned by the site entering the data. RES-Q does not maintain a key mapping of RES-Q IDs to patient-specific identifiers. If sites wish to maintain a mapping, they can add the RES-Q ID to the locally stored patient file. Finally, processed data is shared as aggregate statistical data, such that it is no longer categorized as personally identifiable.

5.     RES-Q National Coordinators, Professional Societies, Local Coordinators, and PIs

As RES-Q is an international, collaborative project, the participation and input of National Coordinators, National Professional Societies, Local Coordinators, and PIs is essential to GDPR compliance. Given that each EU Member State is permitted to add limitations to the stated regulation, as specified in Article 9.4, RES-Q also relies on the compliance of participants with their own national legislation. Users must confirm that they are authorized to submit data to the registry prior to being granted access to the registry. The terms and conditions for RES-Q participation are clear and concise, and include compliance with applicable regulatory requirements.

6.     Regulatory Compliance Documentation

Currently, documentation required for compliance with GDPR is held internally.  However, prior to the May 25th implementation date, this documentation will be made available on the main RES-Q website (www.qualityregistry.eu) in accordance with Article 12.1. The documentation will cover the following areas:

  • Extended terms and conditions for RES-Q users, including information regarding data retention and removal to comply with the “right to be forgotten”.
  • Information regarding how to remove patient information from the registry.
  • Data protection, processing, retention, and destruction policies.
  • Data access request policies, specifically for raw data or aggregate data.
  • Data sharing policies, covering data transfer between hospitals, countries, and organizations.
  • Disaster recovery and data breach policies and procedures.

Relevant GDPR Sections – Full Text

1.     Recitals

(40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(157) By coupling information from registries, researchers can obtain new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression. On the basis of registries, research results can be enhanced, as they draw on a larger population. Within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions such as unemployment and education with other life conditions. Research results obtained through registries provide solid, high-quality knowledge which can provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people and improve the efficiency of social services. In order to facilitate scientific research, personal data can be processed for scientific research purposes, subject to appropriate conditions and safeguards set out in Union or Member State law.

(162) Where personal data are processed for statistical purposes, this Regulation should apply to that processing. Union or Member State law should, within the limits of this Regulation, determine statistical content, control of access, specifications for the processing of personal data for statistical purposes and appropriate measures to safeguard the rights and freedoms of the data subject and for ensuring statistical confidentiality. Statistical purposes mean any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results. Those statistical results may further be used for different purposes, including a scientific research purpose. The statistical purpose implies that the result of processing for statistical purposes is not personal data, but aggregate data, and that this result or the personal data are not used in support of measures or decisions regarding any particular natural person.

2.     Articles

(6) Lawfulness of processing

            1. Processing shall be lawful only if and to the extent that at least one of the following applies:

                        e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

                        f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

(9) Processing of special categories of personal data

            2. Paragraph 1 shall not apply if one of the following applies:

                        h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

                        i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

                        j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

(12) Transparent information, communication and modalities for the exercise of the rights of the data subject

            1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

(89) Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

            1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymization provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.