In its recent Opinion 03/2013 on purpose limitation (the “Opinion”), the Article 29 Data Protection Working Party, an EU advisory body on data protection, comprised of representatives of the Member States’ supervisory authorities, the European Data Protection Supervisor and the European Commission, analyzes the principle of purpose limitation and provides guidance for its practical application. The principle of purpose limitation is one of the key data protection principles of the EU Data Protection Directive, requiring that personal data be collected for:
i. specified, explicit and legitimate purposes, and
ii. not further processed in a way incompatible with those purposes.
The Opinion is of importance to all controllers, as it discusses what the Working Party generally considers “an essential condition to processing personal data”. However, companies in the pharmaceutical sector should read it particularly carefully because it also contains several statements which are specifically relevant to them.
In particular, the Opinion discusses the specific provision on further processing for ‘historical, statistical or scientific purposes’ in Article 6(1)(b) of the Directive, which allows for further processing for these purposes if the controller implements appropriate safeguards. In particular with respect to scientific purposes, the Working Party distinguishes between access to different kinds of data, stating that “research results should, as a rule, be possible in such a way that only aggregated and/or otherwise fully anonymi[z]ed data will be disclosed”, and discusses different types of safeguards that might be required by different scenarios, including:
- Full anonymization as the most definitive solution. At the same time, the Working Party cautions that “anonymi[z]ation is increasingly difficult to achieve with the advance of modern computer technology and the ubiquitious availability of information”. Companies should also watch out for further guidance on anonymization techniques more generally which the Working Party plans to issue in the course of 2013.
- Partial anonymization, including key-coding, which will however often need to be complemented by other safeguards, such as data minimization and security measures. It is in this respect that the Working Party advises against the use of initials and date of birth as coding mechanisms in clinical trials because this method (in contrast to randomly allocated numbers) would allow for a fairly easy identification of patients. Although the Working Party does not seem to question the use of initials and date of birth in other instances, for example, in the context of pharmacovigilance, where it may even be legally required, it stresses (in line with its previous Opinion on the concept of personal data)
“that key-coded or otherwise pseudonymi[z]ed data, or partially anonymi[z]ed personal data – so long as the possibility of re-identification exists, with reasonable means, to be applied by the controller or a third party – continues to be considered personal data, and thus, requires appropriate protection.”
Many of the additional safeguards beyond anonymization which the Working Party also mentions in its Opinion, such as specific security measures (for example, encryption), restricting access on a need-to-know basis and obtaining consent, are already standard practice in the pharmaceutical sector.
Companies in the pharmaceutical sector will also be interested to know that the Opinion also discusses the relevant provisions concerning further use for scientific research purposes in the proposed General Data Protection Regulation which the European Commission published in January last year to replace the Directive. Similar to the present rules, these articles, namely Article 6(2) and 83 of the proposed Regulation, also require anonymization or at least some degree of de-identification. However, as the Working Party criticizes, these provisions do not mention any further safeguards and no longer impose the same restrictions (in particular a general multi-factor compatibility assessment) on the further use as is currently the case. To address these concerns the Working Party proposes some amendments to the proposed General Data Protection Regulation.
For further details about the Opinion, including the compatibility assessment, see Article 29 Working Party Releases New Opinion on Purpose Limitation, InsidePrivacy, April 15, 2013.