Ethics and data protection in medical and health research
The conduct of medical and health research is regulated by the Health Research Act, while the processing of personal data is governed by data protection regulations.
Requirement for ethical pre-approval
Medical and health research requires ethical pre-approval from the Regional Committee for Medical and Health Research Ethics (REK) before the project can commence, as stipulated in Section 33 of the Health Research Act. This also applies to research involving pilot studies and experimental treatments.
REK conducts an ethical assessment of all aspects of the project, including data protection considerations.
Content of the ethical assessment
Although REK’s ethical pre-approval does not in itself serve as a legal basis for processing personal data under GDPR, it still has significance for data protection. This is because REK's evaluation covers the same principles that must be met under GDPR Article 5, ensuring compliance with the data protection principles.
1. Lawfulness, fairness, and transparency
Ensures that the requirements for valid consent (which is the main rule in medical and health research) are met, or that REK has the authority to grant an exemption from confidentiality obligations.
2. Purpose limitation
Ensures that personal data is processed in accordance with the purpose for which it was collected and within the scope of any given consent.
3. Data minimization
Ensures that personal data is adequate, relevant, and limited to what is necessary for the stated purpose.
4. Accuracy
Ensures that personal data is correct and up to date.
5. Storage limitation
Ensures that personal data is stored in a way that prevents identification of individuals for longer than necessary for the research purpose. If data needs to be retained for longer periods for scientific or historical research purposes (under GDPR Article 89(1)), appropriate technical and organizational measures must be implemented.
6. Integrity and confidentiality
Ensures that information security requirements are met to protect personal data from unauthorized access, unlawful processing, accidental loss, destruction, or damage through appropriate technical and organizational measures.
7. Accountability
Ensures that research is properly organized, with a responsible research institution and a project leader. The institution responsible for the research has the overall responsibility for the project and must meet the obligations outlined in Section 4(e) of the Health Research Act.
Legal basis for processing under data protection regulations
The term "personal data" includes health and genetic information.
The processing of personal and health data in medical and health research must have a lawful basis under GDPR Article 6 (for general personal data) and Article 9 (for special categories of personal data).
For general personal data, at least one of the legal bases under Article 6 must be met:
- Article 6(1)(a): Consent
and/or
- Article 6(1)(e): Public interest
For processing conducted in the public interest, Article 6(3) requires an additional legal basis in national regulations, such as laws, regulations, or administrative decisions with a legal foundation.
If REK grants an exemption from confidentiality obligations or waives the consent requirement, the legal basis under GDPR will be Article 6(1)(e): Public interest. REK’s exemption decision serves as the necessary supplementary legal basis under both Article 6 and Article 9.
For special categories of personal data, such as health and genetic information, an additional legal basis under Article 9 is required:
- Article 9(2)(a): Explicit consent
- Article 9(2)(j): Scientific or historical research purposes, in accordance with Article 89(1), with supplementary legal basis in national legislation
If REK grants an exemption from confidentiality or waives the consent requirement, the legal basis will be Article 6(1)(e) (public interest), with REK’s decision providing the necessary supplementary legal basis under both Article 6 and Article 9.
The processing of health data from consent-based health registries will also be based on public interest, with supplementary legal basis in regulations concerning population-based health studies, as participants have not provided specific consent for the given research project.
Data protection impact assessment (DPIA)
Under GDPR Article 35, an assessment must be conducted to determine whether a Data Protection Impact Assessment (DPIA) is necessary. This is required if the data processing is likely to pose a high risk to the rights and freedoms of the individuals involved.
Procedures for health research
UiB’s procedures for medical and health research provide detailed administrative guidelines and templates. These procedures form an integral part of the university’s internal control system.
The research procedures include guidance and references to the relevant processes at different stages of a project.
The procedures are developed in collaboration with Helse Bergen. The guideline on defining responsibilities in collaborative projects ensures that the responsible research institution is clearly identified and that the project is properly organized.
Once a research project has received pre-approval from REK, it must be approved by the responsible research institution before the project can commence.
The project manager must submit an application with a research protocol to REK via REK’s application portal, in accordance with REK’s requirements. The responsible research institution must be involved before the application is submitted.