We have recently completed comprehensive research on the impact of the GDPR on genomic data processing in healthcare and scientific research which we would like to submit as part of the further evidence base. We hope this work is useful in delineating some aspects that may be best addressed at a cross-sector level and those which require much more sector (i.e. the health sector), or sub-sector (i.e. genomics sector) specific focus.
There are two particular aspects of the roadmap and European strategy for data that we would like to comment on from our perspective as specialists in health and genomic data:
First, we agree that support is needed for technologies and new services which empower individuals to exercise their data rights and facilitate voluntary data sharing. Patients and research participants in the genomics field are often highly knowledgeable, active and keen to ensure that their data is available for the advancement of medical knowledge. The improvement and development of services and technologies to support increased patient control could lead to considerable gains for healthcare and medical research. Moreover, as we considered in our research, there is significant potential for new services to manage complex genomic data and apply state of the art de-identification and security methods to facilitate the use of this data for healthcare and research.
Second, we welcome the recognition that a range of policy options could be used to reduce transaction costs in data sharing and standardise aspects of governance and regulation. In particular, as our research discusses, there is significant potential for codes of conduct and certification to be developed by sectors and sub-sectors (for example genomics researchers) or by categories of data processors and controllers (for example, third party genomic data services) to reduce barriers to data sharing across the EU-EEA and even globally. We encourage the development of both informal codes and certification to develop consensus on the appropriate application of laws and governance standards, as well as targeted development of more specific codes and
certification for approval under the GDPR as more formal means of demonstrating compliance with the Regulation. We are aware that work has begun on a code of conduct for health data and that there is further work led by BBMRI-ERIC on a code of conduct for scientific research. We hope that many further, potentially more specific, codes and certification mechanisms will be developed for approval and that the relevant authorities are adequately supported to help develop and assess them in a timely manner. In our view this is the most promising way that ambiguity and uncertainty about the sectoral application of the General Data Protection Regulation can be addressed to unblock data sharing and contribute to the development of common European data spaces.
Date of submission: 29 July 2020