Data concerning health are sensitive data, which have additional requirements. GDPR prohibits processing of sensitive data, unless it is for medical care, public health, or research purposes, and is only possible when explicit consent has been given OR it is in the interest of the data subject or another person OR it is necessary for the purposes of preventive medicine or public health.
GDPR requires research and healthcare institutions to have a data protection officer, appropriate security measures and be transparent to the patients about what data are stored, for how long and for what purposes.
According to the GDPR, the consent must be:
These requirements, although justified in many other contexts, in case of rare diseases create obstacles for reusing and sharing data in research, diagnosis and development of new therapies. This, in consequence, is harmful for the patients.
In response to the new legislation, RD-Connect is engaged in the ongoing collaborative effort on the Code of Conduct for data sharing in biomedical research.