What does the new data privacy regulation mean for research?

After the new General Data Protection Regulation (GDPR) entered into force on July 20, 2018, there are some changes to how data on patients’ health have to be treated. It is not enough to just have ethical approval! It is of course still a prerequisite to get REK approval before you start your project. What is new is that REK approval does not include the permission to handle personal data. In addition, it is required that you are allowed to handle personal data according to article 6 and article 9 of the personal data protection law. So you still need to get ethical approval prior to starting your research project, but the institution has the additional responsibility of ensuring that handling of personal data occurs in accordance with the new regulation.

That means that the foundation for getting access to personal data has to be evaluated by the project leader, and has to be included in the ethical approval. This foundation is either consent or dispensation from the consent requirement according to the health research laws. The project leader has to show that the treatment of personal data follows the general principles of the personal data protection regulation, for example definition of aims, minimizing the amount of data, limitation of storage and responsibility.

More internal control responsibility is given. We have to ensure that treatment of the personal data is according to the regulations, and perform Data Protection Impact Assessments (DPIA) when required.

This means that the responsibilities in collaboration projects have to be well defined and agreed upon, and written agreements made, which is of importance when you want to share patient data with your collaborators. This is not a new requirement, but it is of more importance now with the new GDPR.

Both the University of Bergen and Haukeland University Hospital have a Personal Data and Privacy commissioner: Janecke Veim and Christer Kleppe. If you are in doubt whether you need an agreement with the hospital, contact Janecke and/or Christer (janecke.veim@uib.no, personvernombudet@helse-bergen.no).


