The future of EU privacy regulations on biobanks and iPSC research
A key feature of the banking of human biomaterials for research in the field of regenerative medicine is the collection of associated information and data: technical details regarding cells and tissue samples, personal information about sample donors, and research datasets generated from the use of human bioresources. Balancing the need to protect the privacy of individual donors or research participants with the facilitation of effective research is an ongoing challenge. The new EU General Data Protection Regulation, while aiming to provide better safeguards for individuals’ personal data may also have significant implications for data protection practices of researchers, industry, and biobanks around the globe.
What questions & challenges are raised?
The new EU General Data Protection Regulation (GDPR) that takes effect in May 2018 aims to make privacy policies more consistent across the EU (including the UK) for all ‘sensitive personal data’, data that might identify individuals. This includes personal data that is used, collected or stored by researchers, such as genetic information and clinical information from medical records. Researchers who use a type of stem cells known as induced pluripotent stem cells (iPSCs) may want access to sensitive personal data. This is so they can use these cells to study diseases, test new drugs and develop new medical treatments. This will also affect large cell storage facilities, called biobanks, which are becoming important resources for sharing stem cells, data and other biological tools. Dr Michael Morrison from the University of Oxford and his colleagues recently published an article discussing the implications of the GDPR for iPSC research and stem cell biobanks. They show that the new regulations will create problems for stem cell researchers, donor consent, recordkeeping, institutional accountability, minimisation of data access and restrictions on international data transfers. The authors point out that in order to adequately address these issues it is essential to both secure the privacy of tissue donors and patients, facilitate the accessibility of biobank resources, and exchange of data that is conducive to the expansion of research and development related to iPSC technologies and regenerative medicine.
What background and points are discussed?
The writers explain some of the requirements of the new GDPR that will affect iPSC research and biobanks. The new rules for explicit and detailed consent will require donors to sign several individual statements for the collection, manipulation, use, storage and distribution of cell samples and personal details. The GDPR requires that organisations that have personal data from EU citizens must follow European law, no matter where the data is stored or used. Also, organisations and researchers using personal data must keep records of who holds the data, how it is processed, what types of data are held, who has been given the data, for how long and how the data has been kept safe. Organisations holding large amounts of personal data or with more than 250 employees will be required to have a ‘Data Protection Officer’ (DPO) to make sure everything is done correctly and to keep records up to date. The new law means that only data that is necessary for the task should be collected and it should only be held for a short time. Transfer of cell samples and data to countries that have not ratified the GDPR is prohibited, unless an exception by a relevant Supervisory Authority is made. This will only happen if a foreign country shows that they have the same standard of rules to protect personal privacy and data.
What insight and direction does this give for research policies?
The writers say that this new law will create big challenges for iPSC research and biobanks. It is difficult to only collect ‘relevant data’ when the aim of a project is to create resources for future studies that we don’t know about now. Biobanks and other researchers may wish to get broad consents from donors, collect large amounts of information and then only give biobank users what is needed for their studies. On the other hand, data from patients might be obtained often, only requesting information and obtaining permissions as needed. Organisations that regularly transfer samples and data internationally should be aware that the new law establishes new responsibilities and restrictions as to what countries the data of European citizens can be stored in or transferred to. A full list of countries that are allowed for data transfer is still not yet available, and it is not clear whether currently used methods for transferring material and data will be sufficient. The appointment of DPOs to maintain and update large amounts of data and contact information is supported by the writers, who state that it is unrealistic to think that individual scientists, clinicians, managers or other non-designated staff will be able do this. In regard to donor consents, the authors suggest that explicit consents should be obtained for: sample donation; iPSC reprogramming; collecting and using biometric and genetic data; and the distribution of data and biological materials to the wider research community. Additionally, researchers and biobanks should consider consents for materials and data generated several years down the line, such as iPSCs and their associated data. When implementing the GDPR there is also the issue of costs; addressing the above issues and other challenges will likely increase operating costs for biobanks and other institutes. Morrison and colleagues emphasise that addressing these issues is critical to ensure the growth of iPSC research and biobanks as well as bolster public trust in iPSCs and regenerative medicines.