POLICY AND PRACTICE REVIEWS article
Sec. ELSI in Science and Genetics
Volume 12 - 2021 | https://doi.org/10.3389/fgene.2021.711614
Recommendations for Creating Codes of Conduct for Processing Personal Data in Biobanking Based on the GDPR art.40
- 1Department of Comparative Civil Law, Faculty of Law and Administration, University of Warsaw, Warsaw, Poland
- 2BBMRI.pl Consortium, Wroclaw, Poland
- 3Biobank Laboratory, Department of Molecular Biophysics, Faculty of Biology and Environmental Protection, University of Lodz, Łódź, Poland
- 4Department of Humanities and Social Medicine, Medical University of Lublin, Lublin, Poland
Personal data protection has become a fundamental normative challenge for biobankers and scientists researching human biological samples and associated data. The General Data Protection Regulation (GDPR) harmonises the law on protecting personal data throughout Europe and allows the development of codes of conduct for processing personal data based on GDPR art. 40. Codes of conduct are a soft law measure to create protective standards for data processing adapted to a specific area, among others to the biobanking of human biological material. Challenges in this area have been noted by the European Data Protection Supervisor in its opinion on data protection and scientific research and by the Biobanking and BioMolecular Resources Research Infrastructure–European Research Infrastructure Consortium (BBMRI.ERIC). They concern mainly the specification of the GDPR's definitions and the determination of the appropriate legal basis for data processing, particularly for transferring data to other European countries. The recommendations set out in this article, which are based on the GDPR, on guidelines published by the supervisory authority and expert bodies, and on our experience of creating the Polish code of conduct, should help guide how a code of conduct for processing personal data in biobanks is developed.
The last few decades have seen a dynamic development of biobanks collecting human biological material and data that broaden knowledge about the genetic, behavioural and environmental determinants of many diseases, support the development of new biomarkers and drugs, and move medical care toward more personalised medicine (De Souza and Greenspan, 2013; Paskal et al., 2018; Malsagova et al., 2020). Biobanks are defined as collections of human biological material and data (McNally and Cambon-Thomsen, 2005; OECD, 2009; Taipei, 2016), and thus data collection, processing and sharing constitute a vital part of human biological material (HBM) biobanking for scientific research purposes (Molnár-Gábor and Korbel, 2020). The processed data can sometimes make it possible to identify the natural person who submitted their material to a biobank, so data protection in this respect poses a particular challenge (Boonen et al., 2019). That is why respecting privacy, confidentiality and data protection is among the most significant ethical and legal challenges for this activity (Towned et al., 2009; Bledsoe, 2017). The risk of a privacy breach is among the most common and significant concerns reported by research participants and mentioned in public opinion surveys (Kaufman et al., 2009; Gaskell et al., 2013; Domaradzki and Pawlikowski, 2019). Frequently voiced concerns are that the government, insurance companies and employers could gain access to such information, which might result in discrimination against donors and their families (Porteri et al., 2014; Shabani et al., 2014). Data protection is of primary significance for building social trust, which is pivotal for the development of biobanks and their social perception (Levitt and Weldon, 2005; Toccaceli et al., 2009; Critchley et al., 2012; Domaradzki and Pawlikowski, 2019; Neethu, 2019).
The entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) contributed to an international discussion on the complete harmonisation of personal data protection principles across various market sectors. The GDPR rules apply to any personal data processing, regardless of its purpose, scope and processing method. The need to standardise the rules on the protection of natural persons was recognised much earlier, when the value of data, including personal data, increased as an object of trade (Kuner, 2020). The adoption of the GDPR in Europe resulted in the parallel adoption of its rules in non-European countries (Takayuki, 2020), which facilitates data transfer between the member states and third countries (Kuner, 2020). Harmonisation is critical in scientific research, including but not limited to research on human biological samples and their related data.
It should be emphasised that harmonisation at the European Union (EU) level has progressed in stages and gradually, and the GDPR was not the first community instrument in this respect (Bárd, 2009). The Directive on personal data protection of 1995 (Directive, 1995) was supposed to attain a similar objective. The legal nature and implementation method are the key differences between the Directive and the GDPR. A directive is a legal act that sets objectives to be achieved by the EU countries, but how those objectives are attained through implementation into national law depends on each country's decision. In practice, this meant considerable differences between the personal data protection systems of individual countries. The GDPR entered into force in all European Union states with no need for national implementation. It turned out, however, that complete standardisation of the data processing rules was not achieved, because of the generality of the GDPR provisions. Since the GDPR was intended as a law of general applicability that would protect personal data processed in all sectors of the EU economy, there is a need to further refine its provisions in the field of important biomedical and genetic research (Peloquin et al., 2020). That seems to be why the GDPR's drafters provided for the possibility of further supplementing the regulation, and consequently for the development of bottom-up, sector-based regulation in the form of codes of conduct based on GDPR art. 40.
The paper aims to formulate and discuss recommendations concerning the development of a code of conduct based on GDPR art. 40, using the example of the Polish code of personal data processing by biobanks in Poland (hereinafter called the Polish code). In May 2021, the draft code (the Polish Code of Conduct) was adopted by the General Assembly of the Biobanking and BioMolecular Resources Research Infrastructure in Poland (BBMRI.pl) and submitted to the President of the Polish Personal Data Protection Office.
The study should provide inspiration and assistance to code developers in other countries, including those where biobanking is already subject to legal regulation and those where no special regulations apply.
GDPR and Data Processing for Scientific Research Purposes in Biobanks
The GDPR provisions on data protection for scientific research purposes are quite general and leave many matters to the member states. In practice, in some countries, including Poland, the previously applicable national regulations on data processing were repealed after the GDPR came into force, which resulted in legal uncertainty as to the rules of data processing for scientific purposes. The problem turned out to be vital for biobanks, i.e., entities that collect, process and make available large databases of personal data for scientific research purposes.
Indeed, the GDPR was perceived as a promising solution. The standardisation of data exchange fitted the open science concept and enabled the development of international research using personal data (Kaye, 2015). One of the GDPR's objectives was to promote the free and safe flow of data across borders. The GDPR's entry into force triggered a discussion in essentially all European countries on the need to adapt national regulations to the GDPR, and the fines for non-compliance with GDPR standards led to personal data processing for scientific purposes being perceived as an activity burdened with legal and financial risk. The problem became particularly evident in biobanks, which are mainly units of medical universities and hospitals. Many doubts emerged as to the interpretation of the GDPR (Befring, 2021) and the possibility of adapting it to the specificity of personal data processing by biobanks. The EU member states' law relating to biobanks has been harmonised for years, e.g., by developing common research infrastructures and templates of Material Transfer Agreements and Data Transfer Agreements (Chadwick and Strange, 2015).
The problems presented above can be solved by adopting codes of conduct at the national and European level. The GDPR created previously unknown harmonisation mechanisms such as codes of conduct. The codes became a tool to balance privacy and research interests (Hansson, 2021). They enabled the use of soft law measures for technical and organisational measures within data security and rules of data access (Shabani et al., 2021). Most importantly, they enabled the creation of sector regulation by the data processing entities themselves.
One should remember that the GDPR was developed as a protective mechanism for consumers whose data are processed for commercial purposes, and so not all of the above-mentioned regulations are easily applied. The codes of conduct offered the opportunity to implement the GDPR principles for processing data for scientific purposes in the biobanking area. The issue was also recognised in the Preliminary Opinion of the European Data Protection Supervisor (EDPS) on data protection and scientific research of 6 January 2020 (Preliminary Opinion 2020). The EDPS indicates that codes of conduct on data processing for scientific research purposes should be adopted in this respect. A similar approach was presented in the comments on Digital health data and services–the European health data space developed by the Biobanking and BioMolecular Resources Research Infrastructure–European Research Infrastructure Consortium (BBMRI.ERIC) (BBMRI-ERIC, 2021).
It is highlighted that member states affect the GDPR’s flexibility in reference to data processing for scientific purposes (Slokenberga, 2021). On the other hand, an analysis of each member state’s legislation reveals the discrepancies in such fundamental issues as the legal basis for data processing by biobanks or the concept of public interest (Tzortzatou et al., 2021).
The codes of conduct can be developed for different purposes, depending on their application range. Generally, according to GDPR art. 40, the codes can be divided into two categories. The first category comprises the European codes based on GDPR art. 40 section 7, namely those that regulate personal data processing in several member states. Such a code, in accordance with GDPR art. 40 section 9, becomes generally applicable EU law after the European Commission issues an implementing act. These codes are developed to harmonise the rules of personal data processing between the member states and, consequently, to facilitate data transfer between EU countries. The other group includes national codes, i.e., those which regulate personal data processing at a sector level in one member state. The BBMRI.ERIC Code of Conduct for Health Research (BBMRI-ERIC, 2019) is an example of a European project concerning data processing for scientific research purposes. The Polish code of conduct can be quoted as an example of a national initiative.
GDPR art. 89 is the critical provision for research on biological samples, as it creates an exception easing the GDPR requirements on data processing for scientific purposes. According to the regulation, exceptions can be stipulated in national law concerning data processing for scientific research purposes by limiting the right of access (GDPR art. 15), the right to rectification (GDPR art. 16), the right to restriction of processing (GDPR art. 18) and the right to object (GDPR art. 21). Such a reference opens the way for differences between the member states in their data processing principles. It should be highlighted that the exceptions stipulated in GDPR art. 89, section 2 are admissible only on the basis of national law and not of codes of conduct. However, the code provisions fulfil an essential role because the code describes the exceptions admissible under national law and the situations in which those laws are likely to prevent or hamper implementation for specific scientific purposes. The Polish code's regulation of the right to rectification of data included in medical documentation can be given as an example of such an exception. In Poland, such rights are limited by the provisions of the Act on the Patients' Rights and the Commissioner for Patients' Rights (patients' rights act) and the Medical Profession and Dental Profession Acts (medical profession act), and the text of the Polish code of conduct refers to those acts and describes the consequences of such regulations for biobanking.
The codes can fulfil a fairly important role for GDPR harmonisation with the national law concerning the operation of biobanks or carrying out scientific research using human biological samples. It would be an unfavourable situation to maintain different governing laws and principles applying to scientific research. It matters particularly when the domestic law is more stringent than the GDPR for personal data processing in research on human biological samples or when domestic regulations are dispersed and non-standardised (Hoppe, 2021).
There are no comprehensive studies on the development of codes of conduct, including but not limited to national ones. That is why the authors would like to present their recommendations, developed on the basis of the GDPR, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 Version 2.0 issued by the European Data Protection Board (EDPB) (likely including the ISO standards), and our experience from the code development. The following recommendations should be made:
1) Determination of the code application purpose and scope.
2) Determination of the minimum technical regulations for data processing safety.
3) Broad social consultations including different stakeholders’ groups.
4) Clear layout and understandable language.
5) Taking into consideration different guidelines on scientific research bioethics and ethics.
The development of codes of conduct complying with the GDPR art. 40 is a challenge on the European and national level. The very process of developing the codes raises many controversies. This part of the paper presents the opinions most common in the discussion on the development of codes.
Identification of the Code’s Purpose and Application Scope
Undoubtedly, codes of conduct help particular sectors or institutions to better protect personal data in accordance with the GDPR. The objectives resulting from the GDPR are quite general, and that is why they should be specified by the code developers, adapting the code to the specificity of the national market and the national legal environment. When developing the code, one should consider the specificity of the existing processing entities. The great majority of biobanks in Poland are public entities operating at medical universities and hospitals, so the code is addressed to them (Sak et al., 2012).
The sectoral nature of a code for a specific category of controllers also results from GDPR Recital 98. The code development aims to facilitate the application of the GDPR, including the adaptation of controllers' and processors' obligations to the risks of violating natural persons' rights or freedoms through data processing. The details of the obligations resulting from the GDPR, according to GDPR art. 40, should be provided mainly for the criteria enumerated in GDPR art. 40, section 1, i.e., fair and transparent processing (GDPR art. 5, section 1, letter a); legitimate interests pursued by controllers in specific contexts (GDPR art. 6 section 1 letter f); personal data collection (GDPR art. 4 item 5); informing the public and the data subjects (GDPR art. 12–14); the exercise of data subjects' rights (GDPR art. 15–23); information and protection of children and the methods of obtaining the consent of a person holding parental responsibility or providing childcare (GDPR art. 8); measures and procedures mentioned in GDPR art. 24, 25 and 32; reporting personal data breaches to the supervisory authority (GDPR art. 33 and 34); data transfer to third countries and international organisations (GDPR art. 44–49); dispute settlement proceedings (GDPR art. 77 and 79). The enumerated examples are only illustrative, and they shall not prevent the code developers from providing broader recommendations. For instance, the Polish code includes regulations concerning deceased persons' data (following from analyses of the Polish market (Pawlikowski et al., 2011)) and particular recommendations for the case in which a biobank is closed down. The explanation lies in the fact that harmonisation of data processing principles, e.g., for health or genetic data, should be among the key objectives of the codes (Phillips, 2018).
In this respect, an important issue from the point of view of biobanking and conducting research on human biological material is whether biological material should be treated as genetic data. In the absence of clear provisions in the Regulation concerning biological samples, one way to achieve clarity is through a code of conduct. It is also necessary to emphasise that there is no unequivocal interpretation in this respect. Some argue that, since the ultimate intention of the Regulation is to protect personal data, a broad interpretation should be applied, which could allow for the inclusion of all sources, including biological samples that contain genetic data (Shabani and Borry, 2018). Others argue that, due to the concept of data used by the GDPR, it is impossible to equate biological material with data (Hallinan and De Hert, 2016). Code development can be of pivotal importance for countries such as Ireland, where the previous health research laws were more liberal than the GDPR (Kirwan et al., 2021).
When determining the code's objective, it should be indicated to whom the code applies, i.e., whether it applies to both public and private entities. Public biobanks differ from private ones (Morente et al., 2017). The difference is evident in the scope of data processing and protection as well as in data use (Quinn, 2021). The issue seems particularly relevant for national codes. Private biobanks tend to be parts of international pharmaceutical corporations, which means that they process the collected data in different member states. Covering them by the scopes of different national codes may hamper the harmonisation of data processing principles in the EU.
Moreover, social research reveals that the level of trust in private and public biobanks, both domestic and international, varies. Research participants accept data processing in their own country and in public entities more readily than in foreign and private entities (Hung-En and Hau Tai, 2009; Masui, 2009). Although the European codes should apply to the broadest possible group of stakeholders, given their objective of harmonising data processing for scientific research purposes in the community, national codes can be limited in this respect.
Determination of the Minimum Technical Regulations for Data Processing Security
GDPR art. 32 is devoted to the security of personal data processing. The general guidelines included in the article apply to information security management in data processing. Biobankers underestimate the importance of data security (Rychnovská, 2021), and consequently there are only a few dedicated recommendations in this area (BBMRI-ERIC, 2016; GA4GH, 2016). Therefore, the code developers should make the general GDPR requirements specific, drawing on other international standards (e.g., ISO 27001 on information security management systems, ISO 27002 with guidelines on technical security controls, ISO 27701 with guidelines on personal data protection, and, to a lesser extent, ISO 20387 with general requirements for biobanking) (ISO 20387; ISO 2013a; ISO 2013b) and on national regulations. No general collection of rules or guidelines exists describing the mechanisms to be implemented and how to manage them. This results from the differences between biobanks: their organisational context, legal environment, business environment and data processing scope. That is why a risk analysis should be carried out before adequate protection mechanisms and technical security measures are selected. The analysis should take into account the risk of a leak of the processed data and the resulting consequences for the person whose data leaked. In addition to the biobank staff, representatives of the unit within whose structure the biobank operates, e.g., a university or hospital, should be involved in the risk estimation. The point is to give the persons responsible for data processing in the organisation hosting the biobank, e.g., information and communication technologies (ICT) and Personal Data Protection services, the knowledge and the ability to influence the scope and method of data processing in the biobank.
The continuity of biobank operation has to be ensured in the area of personal data processing, through data backup procedures and verification of their correct execution.
ISO 2018, ISO 27000 and ISO 20387, as well as the Polish regulations on Information Security Management Systems (Regulation of the Council of Ministers of 12 April 2012 on the National Interoperability Framework, minimum requirements for public registers and electronic information exchange and minimum requirements for ICT systems), are included in the Polish code. The above-mentioned national regulations assume that an information security management system ensures an adequate security level for public administration bodies if implemented on the basis of ISO 27001. Unfortunately, not all biobanks have the resources to manage information security this way. That is why minimum requirements were proposed that have to be fulfilled for data processing by biobanks to be considered secure. Pseudonymisation was proposed in the Code as the primary means of securing the data. Attention was also paid to maintaining the continuity of biobank operation in the area of personal data processing, and guidelines were provided for data backup procedures and verification of their correct execution. It was emphasised that the decision on backup frequency should not follow from central plans developed regardless of where the data are processed but should derive from an analysis of the risk and of the biobank's business processes.
Moreover, the Code includes general requirements on the security management system, the Information Technology (IT) systems used for personal data processing, data management and access, guidelines on Local Area Network (LAN) security measures, and cloud solutions. It is not only a list of requirements. Selected issues were elaborated in the areas that raised the most interest at the social consultation stage, and good practices were provided for each area.
The authors intended to construct the code so as to enable the selection of data security measures (at the minimum or a higher level) depending on the organisation's capabilities. The availability of adequately qualified resources, the scope of data processing and the risk analysis mentioned above were the grounds for leaving the final decision on implementing security measures to the organisation. An attempt to implement too many security mechanisms with too few staff to handle them produces the opposite of the intended result, by dispersing the resources or assigning them to areas that do not carry the highest security risk.
Broad Social Consultations Including Different Stakeholders’ Groups
According to GDPR art. 40, the associations and other entities representing specific data controller categories or data processing entities can develop codes of conduct. Organisations that associate biobanks under national and international structures naturally become the entities authorised to develop a code for biobanking (Hansson, 2021; Guidelines 1/2019). Different development rules can be adopted depending on the code. The process always consists of many stages, and social consultation should constitute its fundamental element (Guidelines 1/2019).
The BBMRI.ERIC draft code is, for instance, developed by the group responsible for its writing and then subjected to internal consultations under a Forum consisting of representatives of biobanks, organisations that associate private and public data processing entities and other stakeholders, and finally submitted for external consultation. The rules of the code development in this respect are available to the public and were the subject of many presentations in international conferences and webinars.
Guaranteeing participation in the code development to the broadest possible group of stakeholders seems the critical issue in this respect. The consultations should involve not only the data processing entities but also patients' organisations. The code must be consulted with public authority bodies, ombudspersons and Non-Governmental Organisations (NGOs). Given the specificity of the sector, medical universities and private pharmaceutical companies should also partake in the consultations. The forms of consultation should include submitting the code version for opinion, organising workshops, conferences etc. To that end, collaboration with the body that approves the code is vital. The consultations not only affect the content of the provisions but also enable broader promotion of the code. This applies in particular to information actions performed by the supervisory office on the codes under development. Such collaboration facilitates coordination and harmonisation between different entities developing codes for related industries, e.g., health care and biobanks. The consultations pose the most significant challenge for the code developers, since the entities participating in them might have conflicting interests. This issue is controversial and suggests that a conflict between the freedom of scientific research and the right to privacy might occur in this respect (Bédard et al., 2016; Krekora-Zając, 2018; Hansson, 2021). Conducting broad and repeated social consultations, involving patients and NGOs dealing with privacy protection as well as entities wishing to gain the widest possible access to data, seems to be the way to solve the conflict through constructive dialogue.
Broad and multi-stage social consultations were carried out for the Polish code. The initial draft code was developed by the Ethical, Legal and Societal Issues (ELSI) and IT group and was then subjected to internal consultations with the BBMRI.pl consortium members and sent for external consultations. Between 2017 and 2020, the draft code was submitted for consultation to over thirty entities representing central administration bodies, universities, industry representatives and NGOs operating in the area of medical law, human rights and patient representation, e.g., the Ministry of Health, the Ombudsman, the National Centre for Tissue and Cell Banking, the Ministry of Science and Higher Education, the National Chamber of Laboratory Diagnosticians, the National Pharmaceutical Chamber, the Centre of Bioethics of the Supreme Medical Council, the Commissioner for Patients' Rights, the Polish Bioethics Committee, the Conference of Rectors of Academic Medical Universities, and NGOs (representing patients, monitoring the observance of human rights, patients' foundations and commercial (pharmaceutical) entities). After the draft code was translated into English, it was consulted with foreign experts working on ELSI at BBMRI.ERIC in Graz. Meetings were also held with a representative of the Personal Data Protection Office to discuss the code acceptance issues.
The code was presented many times in public during conferences and meetings of the Polish Biobanking Network, and it was available for the public at the bbmri.pl website (for comments). The main assumptions and essential standard solutions were presented during international and Polish conferences for the interested communities.
Clear Layout and Understandable Language
The rule of transparency in data processing in biobanks is the supreme rule resulting from OECD guidelines, principles 1F, 1G and 1H for human material biobanking (OECD, 2009) and ISO (ISO 20387). It is also among the supreme rules of biobanks’ operation (Krekora-Zając, 2019).
With reference to the codes' provisions, fair and transparent processing rules should be implemented by presenting good practices and recommendations that imply the need to determine transparent data processing procedures and to inform the person whose data are processed about the purpose, duration and method of processing. It should be emphasised that the very fact of the code development fosters implementation of this rule, since the code is meant to be publicly available. The code's form and language are of pivotal importance in this respect. Only if the document is formulated in a way understandable to its addressees, i.e., to the entities that carry out scientific research using the data and to the research participants, will it be possible to demonstrate that the rule is followed. The use of language that is understandable to scientists who are not lawyers poses an enormous challenge for the developers of a code of conduct. A clear layout of the code contributes to attaining this objective.
In the Polish code of conduct, each chapter is divided into three units: principles, recommendations and explanations. Principles relate to legal provisions regarding the processing of personal data (resulting from the GDPR and national law). Recommendations indicate how biobanks should comply with the principle. Explanations describe how the principles and recommendations can be implemented in biobanking practice.
According to the GDPR, a code does not require a form typical of normative acts. That is why the text of the code shall include sample explanations enabling the practical application of the recommendations in the biobanking practice.
Broad Consideration of Different Guidelines on Research Ethics
The code of conduct development within personal data processing shall also include other ethical, legal and social issues related to privacy protection in the context of human biological material biobanking. From the bioethics perspective, personal data protection is primarily related to respecting the rule of confidentiality and non-malfeasance. In the bioethics literature, attention is often paid to the scope of informed consent, access policies, biosharing, commercial use of samples and data, ownership issues, children involving, returning results or incidental findings (Pawlikowski et al., 2010; De Clercq et al., 2017; Klingstrom et al., 2018; Boonen et al., 2019; Mikkelsen et al., 2019; Prictor et al., 2019). The respective guidance is included in the Declaration of Taipei of the World Medical Association (Taipei, 2016), providing details for the biobanking area to the general ethical principles for medical research included in the Declaration of Helsinki (World Medical Association, 2013). We should be aware that the code of conduct is created to protect the people from whom the data come. Therefore, it is important to respect in the code of conduct the rights of donors, to predict procedures for cooperation with other authority when request is submitted to the data controller of biobank or to design benefit sharing system that relate to Data Processing.
Many detailed guidelines have also been published by BBMRI-ERIC (BBMRI-ERIC, n.d.), the Council for International Organisations of Medical Sciences (CIOMS, 2016), the International Society for Biological and Environmental Repositories (ISBER, 2012), the European Data Protection Board (European Data Protection Board, 2020) and other organisations (Sugano and Regulatory and Ethics Working Group, 2014). Acts of European and international law other than the GDPR that regulate the ethical and legal aspects of scientific research are also vital (Convention of Biomedicine, 1997; International Declaration on Human Genetic Data, 2003; CM/Rec, 2016). The developed code should include selected regulations directly or indirectly related to data processing, such as obtaining consent, informing about the purpose, scope and rules of data processing, and respecting the right not to know; it may also cover informing about research results or the management of incidental findings where this is related to data processing (e.g., that after data anonymization it will not be possible to provide feedback). The development of IT tools and the possibility of adapting dynamic consent models based on them shall be considered. In ethnically diversified societies, regulating fair access to biobanking and research results can become a significant challenge. The rules also enable regulation of the processing of data from vulnerable groups, e.g., children. The Polish code specifies the detailed requirements for obtaining consent to data processing, the right not to know, and the processing of children's and deceased persons' data.
The above bioethical issues are not directly related to art. 40 GDPR. However, these questions may be regulated in a code to improve the biobanking data processing governance.
The development of codes of conduct can improve the harmonisation of scientific data processing by biobanks. It will undoubtedly facilitate data transfer and guarantee respect for the rights of the persons to whom the data relate. From a long-term perspective, it will contribute to higher trust in biobanks and in research on human biological samples. In the scope of data processing, codes of conduct based on GDPR art. 40 provide an unprecedented possibility of sector self-regulation, giving all stakeholders a real influence on the adopted rules. That is why BBMRI.pl initiated work on a code for data processing by biobanks in Poland, while BBMRI.ERIC focused on the European code. We hope that the recommendations given in this paper will inspire a discussion on the development of codes in other European countries and accelerate the work on the European code.
DK-Z: conception, writing; BM: writing, editing; JP: conception, writing, editing, funding.
The project is supported by the Polish Ministry of Science and Higher Education (decision No. DIR/WK/2017/01) “Organization of Polish Biobanking Network within the Biobanking and Biomolecular Resources Research Infrastructure BBMRI-ERIC” and National Science Center (decision No. 2016/23/D/HS5/00411).
Conflict of Interest
The authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.
All claims expressed in this article are solely those of the authors and do not necessarily represent those of their affiliated organizations, or those of the publisher, the editors and the reviewers. Any product that may be evaluated in this article, or claim that may be made by its manufacturer, is not guaranteed or endorsed by the publisher.
The authors express their thanks to BBMRI.pl members and other stakeholders for their contribution to the consultations, the development of the codes and their valuable remarks.
ISBER (2012). 2012 Best Practices for Repositories: Collection, Storage, Retrieval, and Distribution of Biological Materials for Research. International Society for Biological and Environmental Repositories. Biopreserv. Biobank. 10, 79–161. doi:10.1089/bio.2012.1022
Bárd, P. (2009). “Genetic Databases in the Forensic Context: A European Perspective,” in New Challenges for Biobanks: Ethics, Law and Governance (Intersentia), 167–180.
BBMRI-ERIC (n.d.). BBMRI-ERIC Policy for Access to and Sharing of Biological Samples and Data. Available at: https://www.bbmri-eric.eu/wp-content/uploads/AoM_10_8_Access-Policy_FINAL_EU.pdf.
BBMRI-ERIC (2019). Code of Conduct 2019. Available at: http://code-of-conduct-for-health-research.eu (Accessed May 17, 2021).
BBMRI-ERIC (2021). Digital Health Data and Services – the European Health Data Space. Available at: https://www.bbmri-eric.eu/news-events/european-health-data-space-response/.
BBMRI-ERIC (2016). Security and Privacy Architecture.
Bédard, K., Wallace, S., Lazor, S., and Knoppers, B. M. (2016). “Potential Conflicts in Governance Mechanisms Used,” in Principles and Practice in Biobanking Governance. Editors J. Kaye and M. Stranger (Abingdon-on-Thames, Oxfordshire: Routledge), 217–228.
Befring, A. K. (2021). “Norwegian Biobanks: Increased Complexity with GDPR and National Law,” in GDPR and Biobanking: Individual Rights, Public Interest and Research Regulation across Europe. Editors S. Slokenberga, O. Tzortzatou, and J. Reichel (Cham: Springer International Publishing), 323–344. doi:10.1007/978-3-030-49388-2_18
Bledsoe, M. J. (2017). Ethical Legal and Social Issues of Biobanking: Past, Present, and Future. Biopreservation and Biobanking 15, 142–147. doi:10.1089/bio.2017.0030
Boonen, K., Hens, K., Menschaert, G., Baggerman, G., Valkenborg, D., and Ertaylan, G. (2019). Beyond Genes: Re-identifiability of Proteomic Data and its Implications for Personalized Medicine. Genes 10, 682. doi:10.3390/genes10090682
Chadwick, R., and Strange, H. (2015). “Biobanking across Borders: The Challenges of Harmonisation,” in Ethics, Law And Governance Of Biobanking: National, European and International Approaches. Editor D. Mascalzoni (Dordrecht: Springer Netherlands), 133–138. doi:10.1007/978-94-017-9573-9_10
CM/Rec (2016). Recommendation CM/Rec(2016)6 of the Committee of Ministers to Member States on Research on Biological Materials of Human Origin. Available at: https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=090000168064e8ff.
Convention of Biomedicine (1997). Convention for the protection of Human Rights and Dignity of the Human Being with Regard to the Application of Biology and Medicine: Convention on Human Rights and Biomedicine (Adopted by the Committee of Ministers on 19 November 1996). Council of Europe Convention of Biomedicine. Hum. Reprod. 12, 2076–2080.
Critchley, C. R., Nicol, D., Otlowski, M. F. A., and Stranger, M. J. A. (2012). Predicting Intention to Biobank: a National Survey. Eur. J. Public Health 22, 139–144. doi:10.1093/eurpub/ckq136
De Clercq, E., Kaye, J., Wolf, S. M., Koenig, B. A., and Elger, B. S. (2017). Returning Results in Biobank Research: Global Trends and Solutions. Genet. Test. Mol. Biomarkers 21, 128–131. doi:10.1089/gtmb.2016.0394
De Souza, Y. G., and Greenspan, J. S. (2013). Biobanking Past, Present and Future. AIDS 27, 303–312. doi:10.1097/QAD.0b013e32835c1244
Directive (1995). Directive 95/46/Ec of the European Parliament and of the Council of 24 October 1995 on the protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31995L0046.
Domaradzki, J., and Pawlikowski, J. (2019). Public Attitudes toward Biobanking of Human Biological Material for Research Purposes: A Literature Review. Ijerph 16, 2209. doi:10.3390/ijerph16122209
GA4GH (2016). Standards and Implementation Practices for Protecting the Privacy and Security of Shared Genomic and Clinical Data. Available at: https://www.ga4gh.org/wp-content/uploads/2016May10_REV_SecInfrastructure.pdf (Accessed May 17, 2021).
Gaskell, G., Gottweis, H., Starkbaum, J., Gerber, M. M., Broerse, J., Gottweis, U., et al. (2013). Publics and Biobanks: Pan-European Diversity and the challenge of Responsible Innovation. Eur. J. Hum. Genet. 21, 14–20. doi:10.1038/ejhg.2012.104
Guidelines 1 2019 (2019). Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 | European Data Protection Board. Available at: https://edpb.europa.eu/our-work-tools/documents/public-consultations/2019/guidelines-12019-codes-conduct-and-monitoring_pl (Accessed May 17, 2021).
Hallinan, D., and De Hert, P. (2016). “Many Have it Wrong - Samples Do Contain Personal Data: The Data Protection Regulation as a Superior Framework to Protect Donor Interests in Biobanking and Genomic Research,” in The Ethics of Biomedical Big Data. Editors B. D. Mittelstadt, and L. Floridi (Cham: Springer International Publishing), 119–137. doi:10.1007/978-3-319-33525-4_6
Hansson, M. G. (2021). “Striking a Balance between Personalised Genetics and Privacy Protection from the Perspective of GDPR,” in GDPR and Biobanking: Individual Rights, Public Interest and Research Regulation across Europe. Editors S. Slokenberga, O. Tzortzatou, and J. Reichel (Cham: Springer International Publishing), 31–42. doi:10.1007/978-3-030-49388-2_3
Hoppe, N. (2021). “The Regulation of Biobanking in Germany,” in GDPR and Biobanking: Individual Rights, Public Interest and Research Regulation across Europe. Editors S. Slokenberga, O. Tzortzatou, and J. Reichel (Cham: Springer International Publishing), 277–290. doi:10.1007/978-3-030-49388-2_15
Hung-En, L., and Hau Tai, T. (2009). “Public Trust, Commercialisation, and Benefit Sharing: Towards a Trustworthy Biobank in Taiwan,” in Human Genetic Biobanks in Asia: Politics of Trust and Scientific Advancement (Abingdon-on-Thames, Oxfordshire: Routledge), 27–39.
International Declaration on Human Genetic Data (2003). International Declaration on Human Genetic Data.
Council for International Organizations of Medical Sciences (CIOMS) (2016). International Ethical Guidelines for Health-Related Research Involving Humans.
ISO (2018). ISO 20387:2018 Biotechnology — Biobanking — General Requirements for Biobanking.
ISO (2013a). ISO/IEC 27001 Information Technology — Security Techniques — Information Security Management Systems — Requirements.
ISO (2013b). ISO/IEC 27002 Information Technology — Security Techniques — Code of Practice for Information Security Controls.
Kaufman, D. J., Murphy-Bollinger, J., Scott, J., and Hudson, K. L. (2009). Public Opinion about the Importance of Privacy in Biobank Research. Am. J. Hum. Genet. 85, 643–654. doi:10.1016/j.ajhg.2009.10.002
Kaye, J. (2015). “The Tension between Data Sharing and the Protection of Privacy in Genomics Research,” in Ethics, Law And Governance Of Biobanking: National, European and International Approaches. Editor D. Mascalzoni (Dordrecht: Springer Netherlands), 101–120. doi:10.1007/978-94-017-9573-9_8
Kirwan, M., Mee, B., Clarke, N., Tanaka, A., Manaloto, L., Halpin, E., et al. (2021). What GDPR and the Health Research Regulations (HRRs) Mean for Ireland: "explicit Consent"-A Legal Analysis. Ir J. Med. Sci. 190, 515–521. doi:10.1007/s11845-020-02331-2
Klingstrom, T., Bongcam-Rudloff, E., and Reichel, J. (2018). Legal & Ethical Compliance when Sharing Biospecimen. Brief. Funct. Genomics 17, 1–7. doi:10.1093/bfgp/elx008
Krekora-Zając, D. (2019). Legal Aspects of Biobanking HBS for Scientific Purposes in Poland. Studia Prawnicze Instytut Nauk Prawnych Polskiej Akademii Nauk 4. Available at: http://czasopisma.inp.pan.pl/index.php/sp/article/view/1981/krekora-zajac_legal_aspects_of_biobanking_hbs_for_scientifc_purposes_in_poland_10.5281_zenodo.369491.
Krekora-Zając, D. (2018). The Rights of Donors to Autonomy and Privacy as the Basis for the Functioning of Biobanks in Times of Big Data. Warsaw: Studia Iuridica.
Kuner, C. (2020). The EU General Data Protection Regulation: A Commentary. Oxford University Press. Available at: https://global.oup.com/academic/product/the-eu-general-data-protection-regulation-gdpr-9780198826491?lang=en&cc=us.
Levitt, M., and Weldon, S. (2005). A Well Placed Trust?: Public Perceptions of the Governance of DNA Databases. Crit. Public Health 15, 311–321. doi:10.1080/09581590500523186
Malsagova, K., Kopylov, A., Stepanov, A., Butkova, T., Sinitsyna, A., Izotov, A., et al. (2020). Biobanks-A Platform for Scientific and Biomedical Research. Diagnostics 10, 485. doi:10.3390/diagnostics10070485
Masui, T. (2009). “Trust and the Creation of Biobanks: Biobanking in Japan and the UK,” in Human Genetic Biobanks in Asia: Politics of Trust and Scientific Advancement (Abingdon-on-Thames, Oxfordshire: Routledge), 40–65.
McNally, E., and Cambon-Thomsen, A. (2005). 25 Recommendations on the Ethical, Legal and Social Implications of Genetic Testing. Available at: http://op.europa.eu/en/publication-detail/-/publication/53d84d00-5153-498e-9492-47f1fcae5d27 (Accessed May 14, 2021).
Mikkelsen, R. B., Gjerris, M., Waldemar, G., and Sandøe, P. (2019). Broad Consent for Biobanks Is Best - provided it Is Also Deep. BMC Med. Ethics 20, 71. doi:10.1186/s12910-019-0414-6
Molnár-Gábor, F., and Korbel, J. O. (2020). Genomic Data Sharing in Europe Is Stumbling - Could a Code of Conduct Prevent its Fall? EMBO Mol. Med. 12. doi:10.15252/emmm.201911421
Morente, M. M., Salvaterra, E., and Corfield, J. (2017). “Public-Private Partnerships in Biobanking: Current Practices,” in Advances in Biobanking Practice through Public and Private Collaborations (Sharjah, U.A.E.: Bentham e-Book), 1–9.
Neethu, R. (2019). Governing Intellectual Property Rights within Publicly Funded Biobanks. Alphen aan den Rijn: Wolter Kluwer.
OECD (2009). Guidelines on Human Biobanks and Genetic Research Databases.
Paskal, W., Paskal, A. M., Dębski, T., Gryziak, M., and Jaworowski, J. (2018). Aspects of Modern Biobank Activity - Comprehensive Review. Pathol. Oncol. Res. 24, 771–785. doi:10.1007/s12253-018-0418-4
Pawlikowski, J., Sak, J., and Marczewski, K. (2011). Biobank Research and Ethics: the Problem of Informed Consent in Polish Biobanks. Arch. Med. Sci. 5, 896–901. doi:10.5114/aoms.2011.25568
Pawlikowski, J., Sak, J., and Marczewski, K. (2010). The Analysis of the Ethical, Organizational and Legal Aspects of Polish Biobanks Activity. Eur. J. Public Health 20, 707–710. doi:10.1093/eurpub/ckp202
Peloquin, D., DiMaio, M., Bierer, B., and Barnes, M. (2020). Disruptive and Avoidable: GDPR Challenges to Secondary Research Uses of Data. Eur. J. Hum. Genet. 28, 697–705. doi:10.1038/s41431-020-0596-x
Phillips, M. (2018). International Data-Sharing Norms: from the OECD to the General Data Protection Regulation (GDPR). Hum. Genet. 137, 575–582. doi:10.1007/s00439-018-1919-7
Porteri, C., Pasqualetti, P., Togni, E., and Parker, M. (2014). Public's Attitudes on Participation in a Biobank for Research: an Italian Survey. BMC Med. Ethics 15, 81. doi:10.1186/1472-6939-15-81
Prictor, M., Lewis, M. A., Newson, A. J., Haas, M., Baba, S., Kim, H., et al. (2019). Dynamic Consent: An Evaluation and Reporting Framework. J. Empirical Res. Hum. Res. Ethics 15, 175–186. doi:10.1177/1556264619887073
Quinn, P. (2021). Research under the GDPR - a Level Playing Field for Public and Private Sector Research? Life Sci. Soc. Pol. 17, 4. doi:10.1186/s40504-021-00111-z
Rychnovská, D. (2021). Anticipatory Governance in Biobanking: Security and Risk Management in Digital Health. Sci. Eng. Ethics 27, 30. doi:10.1007/s11948-021-00305-w
Sak, J., Pawlikowski, J., Goniewicz, M., and Witt, M. (2012). Population Biobanking in Selected European Countries and Proposed Model for a Polish National DNA Bank. J. Appl. Genet. 53, 159–165. doi:10.1007/s13353-012-0082-4
Shabani, M., Bezuidenhout, L., and Borry, P. (2014). Attitudes of Research Participants and the General Public towards Genomic Data Sharing: a Systematic Literature Review. Expert Rev. Mol. Diagn. 14, 1053–1065. doi:10.1586/14737159.2014.961917
Shabani, M., and Borry, P. (2018). Rules for Processing Genetic Data for Research Purposes in View of the New EU General Data Protection Regulation. Eur. J. Hum. Genet. 26, 149–156. doi:10.1038/s41431-017-0045-7
Shabani, M., Chassang, G., and Marelli, L. (2021). “The Impact of the GDPR on the Governance of Biobank Research,” in GDPR and Biobanking: Individual Rights, Public Interest and Research Regulation across Europe. Editors S. Slokenberga, O. Tzortzatou, and J. Reichel (Cham: Springer International Publishing), 45–60. doi:10.1007/978-3-030-49388-2_4
Slokenberga, S. (2021). “Setting the Foundations: Individual Rights, Public Interest, Scientific Research and Biobanking,” in GDPR and Biobanking: Individual Rights, Public Interest and Research Regulation across Europe. Editors S. Slokenberga, O. Tzortzatou, and J. Reichel (Cham: Springer International Publishing), 11–30. doi:10.1007/978-3-030-49388-2_2
European Data Protection Board (2020). Statement on the Processing of Personal Data in the Context of the COVID-19 Outbreak.
Sugano and Regulatory and Ethics Working Group, Global Alliance for Genomics and Health (2014). International Code of Conduct for Genomic and Health-Related Data Sharing. HUGO J. 8, 1. doi:10.1186/1877-6566-8-1
Taipei (2016). World Medical Association. Declaration of Taipei on Ethical Considerations Regarding Health Databases and Biobanks. Available at: http://www.wma.net/en/30publications/10policies/d1/index.html.
Takayuki, K. (2020). Reflections on the GDPR Adequacy Assessment and Strategy of Japan: For the Enhancement of Transborder Data Flows. Glob. Privacy L. Rev., 156–163.
Toccaceli, V., Fagnani, C., Nisticò, L., D'Ippolito, C., Giannantonio, L., Brescianini, S., et al. (2009). Research Understanding, Attitude and Awareness towards Biobanking: a Survey Among Italian Twin Participants to a Genetic Epidemiological Study. BMC Med. Ethics 10, 4. doi:10.1186/1472-6939-10-4
Towned, D., Taylor, M. J., Wright, J., and Wickins-Draziova, D. (2009). “Privacy Interests in Biobanking: A Preliminary View on a European Perspective,” in Principles and Practice in Biobanking Governance (Abingdon-on-Thames, Oxfordshire: Routledge), 137–160.
Tzortzatou, O., Slokenberga, S., Reichel, J., da Costa Andrade, A., Barbosa, C., Bekaert, S., et al. (2021). “Biobanking across Europe Post-GDPR: A Deliberately Fragmented Landscape,” in GDPR and Biobanking: Individual Rights, Public Interest and Research Regulation across Europe. Editors S. Slokenberga, O. Tzortzatou, and J. Reichel (Cham: Springer International Publishing), 397–419. doi:10.1007/978-3-030-49388-2_22
World Medical Association (2013). World Medical Association. Declaration of Helsinki – Ethical Principles for Medical Research Involving Human Subjects. Available at: http://www.wma.net/en/30publications/10policies/b3/index.html.
Keywords: code of conduct, biobanking, genetic data, recommendations, GDPR, Poland
Citation: Krekora-Zając D, Marciniak B and Pawlikowski J (2021) Recommendations for Creating Codes of Conduct for Processing Personal Data in Biobanking Based on the GDPR art.40. Front. Genet. 12:711614. doi: 10.3389/fgene.2021.711614
Received: 18 May 2021; Accepted: 18 October 2021;
Published: 12 November 2021.
Edited by: Nut Koonrungsesomboon, Chiang Mai University, Thailand
Reviewed by: Chih-Hsing Ho, Academia Sinica, Taiwan; Tossapon Tassanakunlapan, Chiang Mai University, Thailand
Copyright © 2021 Krekora-Zając, Marciniak and Pawlikowski. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) and the copyright owner(s) are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.
*Correspondence: Dorota Krekora-Zając, email@example.com