The European General Data Protection Regulation (GDPR)

The European General Data Protection Regulation (known as the GDPR) sets a single standard for the protection of personal data about individuals in the European Union. It came into force in May 2018. Because it is a Regulation rather than a Directive, it applies directly in every member state without needing to be copied into national law; member states do, however, pass supplementary national laws on the points the Regulation leaves to them, such as more detailed rules on how certain principles are enforced. All member states have now passed such national legislation, and some are adopting further laws for particular areas, including the use of personal data for research.

Clarity on how health data is protected

The obligations of the GDPR apply to all organisations that collect and use personal data about individuals in the European Union as part of their activities or business, whether or not the organisation itself is based in the EU.

It therefore applies to healthcare organisations and to research organisations, in both the public and private sectors. Every such organisation has to decide, and make clear to its patients or research participants, what data it needs, why it needs it, how it will use it, how long it will keep it and how it will protect it. If it wants or needs to share information with other organisations it works with, it must be equally clear about why and how it does so.

The organisations that collect information are known as Data Controllers, because they decide why and how the personal data is used and carry the responsibility for it. An organisation that handles the data only on a controller's instructions (for example a hosting or analytics provider) is a Data Processor and has narrower, but still binding, obligations. The people the information is about are known as Data Subjects.

Legal justification for collecting data

Data Controllers must be able to show that they have a legal justification (a "lawful basis") for collecting data. This is sometimes the consent of the data subject, but it could also be that they have to collect the data for another legal reason, such as performing a contract, complying with a legal obligation, or, in the case of a healthcare organisation or professional, providing healthcare services to the person. Health data is treated as a special category of personal data, so in addition to a lawful basis the controller must meet one of a narrower set of conditions, such as that the data is needed for the provision of healthcare or treatment.

The GDPR also allows personal data to be used for research, provided the data is needed for that research and the research is carried out by a body that follows publicly accepted rules on ethical research and puts appropriate safeguards in place to protect the data, such as pseudonymising it or using only the minimum data the research requires. The diagram shows the main principles defined by the GDPR and the corresponding obligations on Data Controllers.