Mika Gissler (Institute for Health and Welfare (THL), Helsinki, Finland): How to survive GDPR?
The Nordic countries have been forerunners in register-based studies. There has been long tradition to collect population statistics (from the 18th century) and health statistics (from the 19th century). The personal identity codes have been available for decades (from 1947 Sweden, 1953 Iceland, 1964 Finland and Norway, and 1968 Denmark), which makes data linkages technically easy. Several studies have shown that the routinely collected registers are complete and most of their variables are recorded with high quality. People tend to trust authorities and their data processing. Finally, national data protection legislations have allowed the use of register data in research.
Since 1995, the EU and EEA countries have followed the EU legislation. The first one was the directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 5he Nordic countries continued to collect their registers after introducing a special legislation, but other countries interpreted this directive very differently. Therefore, this Directive was replaced by a mandatory regulation, and the GDPR (2016/679) was introduced in May 25, 2018.
The regulation requires that any processing of personal data has a lawful basis. Either the data subject has given consent to the processing of personal data or the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. These include for example health services, social welfare services, and public health. In addition, statistics and scientific research have given specific status. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes, as stated in Article 89.
There are several post-GDPR questions which have to be solved: How informed consent is interpreted? Can information on non-participants be used, e.g. when linking register data to existing cohort data? Are analyses on non-response allowed? How to interpret the principle of data minimization? Is collection of big data possible in the future? Can a registered person request to access to own data collected for statistical or research purposes? How the right to be forgotten is interpreted in scientific research?
It may not be evident that the interpretation of GDPR is the same across EU and EEA countries. It seems that data sharing is becoming more complicated, even across the Nordic countries, and anonymous or pseudonymised data are not freely moving between country borders. The national statistical offices have not been able to agree on arrangements how data sharing is done. Ownership of data in shared environments remains unclear. Researchers may not get access to total data or all variables, even though these would be essential for the research. These obstacles have to be solved so that the needs and requirements for science are acknowledged together with the research community.
Mika Gissler
THL Finnish Institute for Health and Welfare, Information Services Department, Helsinki, Finland
Karolinska Institute, Department of Neurobiology, Care Sciences and Society, Division of Family Medicine and Primary Care, Stockholm, Sweden
University of Turku, Research Centre for Child Psychiatry, Turku, Finland