The Protection of Personal Data and Why It Matters

Partners in the TeNDER project are developing an integrated care model to manage co-occurring chronic illnesses in patients with Parkinson’s Disease, as well as Alzheimer’s and other forms of dementia. To create a personalised experience for all users, the TeNDER system will gather personal and medical information from patients, using various technologies including health bands and sensors. Through the development of this system, the project aims to support users through their entire clinical journey and to help improve their quality of life and that of those around them.

Why is it important to consider data protection?

The concept of data protection stems from the right to privacy. Both are vital, not only to safeguard and promote fundamental rights and values, but also in the exercise of other fundamental rights and freedoms. [1] Nevertheless, they are separate rights. While the right to privacy “consists of a [more] general prohibition on interference,” the right to protection of personal data is generally viewed as a more modern and active right, “putting in place a system of checks and balances to protect individuals whenever their personal data are processed.” [2]

The protection of personal data is considered a fundamental right. The collection and use (or processing) of personal information, including information about health, in a project such as TeNDER might therefore have an effect on the fundamental rights of the research participants and eventual users of the TeNDER system. Although protecting privacy and personal data is important, there can be reasons that justify the processing of personal data. To ensure that such processing respects the fundamental rights of those whose data is collected, it may only take place in strict compliance with the necessary safeguards.

How is the protection of data regulated in the EU?

In addition to a number of European and EU instruments that lay down the right to the protection of personal data, [3] the General Data Protection Regulation (GDPR) is one of the most important sources for data protection in the EU. [4] The GDPR harmonises the rules related to data protection across Europe, while leaving room for Member States to adopt their own (complementary or stricter) national rules in certain areas.

Article 1 sets out the GDPR’s two main objectives, namely i) to protect fundamental rights and freedoms of persons, in particular their right to the protection of personal data, and ii) to ensure the free movement of personal data within the EU. These are the overarching principles that should always be taken into consideration in the application of the GDPR.

What is personal data and what are the basic principles for data processing?

What does the term personal data mean? In Article 4, the GDPR defines personal data as “any information relating to an identified or identifiable” person, meaning anyone who can be identified, directly or indirectly, for instance by reference to a name, an identification number, location data or other identifiable information. The processing of this type of information is protected by the GDPR. The term ‘processing’ here refers to, among others, the collection, recording, organisation, storage, alteration, retrieval, consultation, dissemination, erasure or the destruction of personal data.

The GDPR, in Article 5, sets out a number of principles that always need to be taken into account when processing personal data. Compliance with these principles will ensure the safe handling of personal data that respects the fundamental rights of those whose data is processed.

One of those basic principles is that of lawfulness, which requires that all processing of personal data shall be based on one or multiple legitimate grounds set out in Article 6 of the GDPR. For special categories of personal data which are, by their nature, particularly sensitive (e.g., personal data revealing racial or ethnic origin, biometric data, data concerning health), processing is in principle prohibited, unless it is based on one or multiple legitimate grounds set out in Article 9 of the GDPR.

Another principle, that of purpose limitation, requires that personal data shall be collected for specified, explicit and legitimate purposes and may not be processed further in a manner incompatible with the original purpose. Moreover, according to the principle of data minimisation, no more personal data shall be collected than what is necessary for the realisation of the purpose for which they are processed. For example, collecting data that is not strictly necessary for the realisation of the TeNDER project would breach the data minimisation principle.

The principle of storage limitation requires that personal data is kept in a form which allows identification of the individual for no longer than is necessary for the purpose for which they are processed, though it may potentially be stored for longer periods in cases of processing solely for, e.g., archiving purposes in the public interest or scientific research purposes.

Together with the remaining principles set out in Article 5 (fairness and transparency, accuracy, integrity and confidentiality, and accountability), they form the basis of safe data processing under the GDPR and ensure that the fundamental rights of those whose data is processed are protected.

TeNDER and data protection

With the TeNDER system intending to gather personal and medical information from its users, the consortium will ensure that processing of such personal data will comply with the rigorous legal guidelines set out above and in the GDPR as well as relevant ethical guidelines. This will guarantee that the fundamental rights of the research participants and eventual users of the TeNDER system are protected.

References

[1] European Data Protection Supervisor, Data Protection (website), see https://edps.europa.eu/data-protection/data-protection_en.

[2] European Union Agency for Fundamental Rights and Council of Europe, Handbook on European data protection law, 2018 edition, p. 19, see https://op.europa.eu/en/publication-detail/-/publication/5b0cfa83-63f3-11e8-ab9c-01aa75ed71a1/language-en.

[3] Article 8 of the Charter on Fundamental Rights of the European Union (7 December 2000); Article 16 of the Treaty on the Functioning of the European Union (25 March 1957).

[4] EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), see https://eur-lex.europa.eu/eli/reg/2016/679/oj.