In the age of big data and AI, the ability to extract knowledge and value from personal data is promising, especially for researchers and policymakers. The new findings based on the vast amount of data have the potential to save lives and reduce expenses for the whole society. However, processing sensitive data for a new purpose poses complex ethical, legal and technical challenges. The EU General Data Protection Regulation (GDPR) accounts for this challenge by allowing researchers to process and further use personal data under the ‘research exemption’. However, many aspects of this exemption would need further clarification: what level of public interest is necessary e.g., general, important or substantial, how the data should be de-identified and what kind of activities can fit in the definition of ‘scientific research’. The issue is elaborated through the GDPR and its implementation in England and Germany, focusing on the secondary use of health data.
Aitken, Mhairi, Jorre, Jenna de St. and Pagliari, Claudia, ‘Public responses to the sharing and linkage of health data for research purposes: a systematic review and thematic synthesis of qualitative studies’ (2016) 17(1):73. BMC Med Ethics 1–24.
Tassé, Anne Marie , ‘A Comparative Analysis of the Legal and Bioethical Frameworks Governing the Secondary Use of Data for Research Purposes’ (2016), Biopreservation and Biobanking 207–16.
Rouvroy, Antoinette , ‘“Of Data and Men”. Fundamental Rights and Freedoms in a World of Big Data’ (2016) Council of Europe, Directorate General of Human Rights and Rule of Law 1–38.
Anderson, James , ‘Social, ethical and legal barriers to e-health’ (2007) 76 Int J Med Inform. 480–83.
Article 29 Working Party , ‘Opinion 03/2013 on purpose limitation’ (2013) 28.
Article 29 Working Party , ‘Opinion 4/2007 on the concept of personal data’ (2007) 19.
Article 29 Working Party , ‘Opinion on Guidelines on the right to data portability’ (2017) 13.
Auffray, Charles, Balling, Rudi, Barroso, Inês and others, ‘Making sense of big data in health research: Towards an EU action plan’ (2016) 8:71 Genome Medicine 1–13.
Bahr, Anne and Schlünder, Irene, ‘Code of practice on secondary use of medical data in European scientific research projects’ (2015) 4 International Data Privacy Law 279–91.
Blair, Steven, Jacobs, David and Powell, Kenneth, ‘Relationships between exercise or physical activity and other health behaviors’ (1985) 100(2) Public health reports 172–80.
Burton, Paul et al., ‘Policies and Strategies to Facilitate Secondary Use of Research Data in the Health Sciences’ (2017) 46. 6 International Journal of Epidemiology, 1732–33.
Carter, Pam, Laurie, Graeme and Dixon-Woods, Mary, ‘The social licence for research: why care.data ran into trouble’ (2015) Journal of Medical Ethics 404.
Chassang, Gauthier , ‘The Impact of the EU General Data Protection Regulation on Scientific Research’ (2017) 11:709 Ecancermedicalscience 3–12.
Custers, Bart, Dechesne, Francien, Sears, Alan M. et al., ‘A comparison of data protection legislation and policies across the EU’ (2017) Computer Law & Security Review 2–12.
Deloitte , ‘International review: Secondary use of health and social care data and applicable legislation’ (2016) 7–8.
Hildebrandt, Mireille , ‘Slaves to Big Data. Or Are We?’ (2013) 17 IDP. Revista de Internet, Derecho Y Politica, 7–14.
Information Commissioner's Office , Anonymisation code of practice (2012) 11–18.
Institute of Medicine , ‘Best Care at Lower Cost: The Path to Continuously Learning Health Care in America’ (2013) Washington D.C. 91–133.
Ipsos, Mori , ‘The one-way mirror: Public attitudes to commercial access to health data’ (2016) 108.
Jones. Kerina et al., ‘The other side of the coin: Harm due to the non-use of health-related data’ (2017) 97 Int J Med Inform. 43–50.
M. Speakmana , Elizabeth, Burris B, Scott, Coker, Richard, ‘Pandemic legislation in the European Union: Fit for purpose? The need for a systematic comparison of national law’ (2017) 121 Health Policy 1021–24.
Oswald, Marion , ‘Share and Share Alike: An Examination of Trust, Anonymisation and Data Sharing with Particular Reference to an Exploratory Research Project Investigating Attitudes to Sharing Personal Data with the Public Sector’ (2014) 3 SCRIPTed 245–72.
Hintze, Mike , ‘Viewing the GDPR Through a De-Identification Lens: A Tool for Clarification, Compliance and Consistency’ (2018) International Data Protection Law 86–110.
Moerel, Lokke and Prins, Corien, ‘Privacy for the Homo Digitalis: Proposal for a New Regulatory Framework for Data Protection in the Light of Big Data and the Internet of Things’ (2016) 84–87.
Mourby, Miranda, Mackey, Elaine, Elliot, Mark et al., ‘Are ‘pseudonymised’ data always personal data? Implications of the GDPR for administrative data research in the UK’ (2018) 2 Computer Law and Security Review 222–33.
Narayanan, Arvind and Shmatikov, Vitaly, ‘Myths and Fallacies of Personally Identifiable Information’ (2010) 53 COMM. ACM 26.
National Data Guardian for Health and Care , Review of Data Security, Consent and Opt-Outs, (2016) 57.
NHS Digital , About the national data opt-out (2017 September) 2.
Pascal, Coorevits, Mats, Sundgren, Klein, Bahr et al., ‘Electronic health records: new opportunities for clinical research’ (2013) 274(6) J Intern Med. 547–60.
Pormeister, Kärt . ‘Genetic data and the research exemption: is the GDPR going too far?’ (2017) 2 International Data Privacy Law, 145.
Riordana, Fiona, Papoutsi, Chrysanthi and Reed, Julie, ‘Patient and public attitudes towards informed consent models and levels of awareness of Electronic Health Records in the UK’ (2015) 84(4) Int J Med Inform. 245–46.
Rumbold, John and Kierscionek, Barbara, ‘A critique of the regulation of data science in healthcare research in the European Union’ (2017) 18(1):27 BMC Medical Ethics 6–9.
Smith, Sarah, Sibal, Bharat, Linnane, John et al., ‘NHS and public health reorganization in England: health protection and emergency planning, preparedness and response perspective’ (2017) 2 Journal of Public Health, 40.
Sterckx, Sigrid and Cockbain, Julian, ‘The UK National Health Service's ‘innovation agenda’: Lessons on commercialization and trust’ (2014) 2 Medical Law Review, 227–28.
Stockdale, Jessica, Cassell, Jackie, and Ford, Elizabeth, ‘“Giving something back”: A systematic review and ethical enquiry of public opinions on the use of patient data for research in the United Kingdom and the Republic of Ireland’ (2018) 6 Wellcome Open Research 1–23.
van der Sloot, Bart and van Schendel, Sascha , ‘Ten Questions for Future Regulation of Big Data: A Comparative and Empirical Legal Study (2016) 7 JIPITEC 112–20
Van Velthoven, Michelle Helena, Mastellos, Nikolaos, Majeed, Azeem et al., ‘Feasibility of extracting data from electronic medical records for research: an international comparative study’ (2016) 16:90 BMC Medical Informatics and Decision Making 1–9.
Vayena, Effy and Tasioulas, John, ‘The Dynamics of Big Data and Human Rights: The Case of Scientific Research’ (2016) Philosophical transactions. Series A, Mathematical, physical and engineering sciences 374.2083 1–14.
Vezyridis, Paraskevas and Timmons, Stephen, ‘Understanding the care.data conundrum: New information flows for economic growth’ (2017) Big Data & Society 2.
Wyatt, David, Cook, Jenny and McKevitt, Christopher, ‘Perceptions of the uses of routine general practice data beyond individual care in England: a qualitative study’ (2018) 8:e019378 BMJ Open 1–8.
Zarsky, Tal , ‘Incompatible: The GDPR in the Age of Big Data’ (2017) 4(2) Seton Hall Law Review 1005–08.
Barbaro, Michael and Zeller Jr., Tom, ‘A Face Is Exposed for AOL Searcher’ (9 Aug 2006) N.Y. TIMES <http://www.nytimes.com/2006/08/09/technology/09aol.html?_r=0> accessed 15 Aug 2017.
Department of Health and Social Care , ‘Written statement to Parliament: Review of health and care data security and consent’ (2016) <https://www.gov.uk/government/speeches/review-of-health-and-care-data-security-and-consent> accessed 21 Aug 2017.
Felz, Daniel , ‘An English-Language Primer on Germany's GDPR Implementation Statute: Part 2 of 5’ (25 September 2017) <https://www.alstonprivacy.com/english-language-primer-germanys-gdpr-implementation-statute-part-2-5/> accessed 5 May 2018.
Maldoff, Gabe , ‘How GDPR changes the rules for research’ (April 19, 2016) <https://iapp.org/news/a/how-gdpr-changes-the-rules-for-research/> accessed 15 January 15 2017.
Information Commissioner's Office (ICO) , ‘Royal Free – Google DeepMind trial failed to comply with data protection law (03 July 2017) <https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/07/royal-free-google-deepmind-trial-failed-to-comply-with-data-protection-law> accessed 01 May 2018.
NHS Digital , ‘Your Data Matters to the NHS – patient handout’ (2018) <https://digital.nhs.uk/binaries/content/assets/website-assets/services/national-data-opt-out-programme/ndop-patient-handout.pdf> accessed 04 June 2018.
NHS Digital , ‘DAAG register of approved applications 2011–2014’ <https://digital.nhs.uk/services/data-access-request-service-dars/register-of-approved-data-releases/release-register-archive> accessed 12 May 2018.
NHS Digital , Your personal information choices (2017) <http://content.digital.nhs.uk/yourinfo> accessed 21 Nov 2017.