Abstract
This article traces the journey of Nordic health data requested for developing a healthcare algorithm. We focus on the legal requirements and highlight that differences in the legislation of Denmark, Norway and Iceland, and the interpretation thereof by responsible bodies, can pose a barrier for scientific researchers. In addition, non-legal institutional requirements or practices may hamper data access. First, despite some European harmonization, the mandates of research ethics committees and the data protection authorities vary in the three countries. Second, domestic institutions impose tailored requirements, sometimes only allowing domestic or affiliated researchers to access data sets. Third, the manner in which a dataset is collected, catalogued and stored has implications for data access. We make several recommendations for increasing transparency in Nordic data access, such as increasing knowledge sharing regarding interpretation of General Data Protection Regulation (GDPR) criteria, adopting clearer regulations and pursuing greater citizen engagement in secondary use of health data.
Introduction
Nordic health research is promising and collaboration has the potential to bring scientific breakthroughs that may not be possible alone. 1 Moreover, Nordic countries are highly digitized, depending on electronic health records and a centralized personal identification number that connects information about the individual, spanning demographic and health data. 2 With universal, tax-funded access to healthcare, rich, curated datasets are available, such as national patient registries, prescription and laboratory registries, and comprehensive biobanks that can be coupled with other health data. For this reason, several national and Nordic initiatives have been proposed for improving access to health data for research purposes. 3
Despite this promise, previous research has identified legal barriers to Nordic research. Obtaining access to data has long been described as slow and complicated. 4 Varying legal requirements mean that pan-Nordic research continues to require legal expertise in the relevant countries. 5 The difficulties of gaining access to sensitive data have been brought to the fore with the entry into force of the General Data Protection Regulation (GDPR), 6 to which scientists have needed to ‘adapt’. 7 Although an aim of the GDPR is to improve cross-border data flows, faced with the prospect of large institutional fines for non-compliance, researchers describe an ‘extra burden’ of compliance. 8
The GDPR has led to health data governance fragmentation, as Member States implement the legal basis for research differently. 9 Furthermore, ethics regulation forms a separate but important part of this landscape. As Høyer describes it, ‘today, data create intense anxieties as people seek to balance competing interests and value registers, and . . . ethics regulation is part of the negotiation’. 10
The aim of this article is to trace the journey of Nordic health data requested for the purpose of developing an algorithm. The article approaches the topic from the perspective of an ongoing Nordic research project, PM Heart, which combines data and researchers based in Denmark, Norway and Iceland. The objective of the project is to develop and eventually clinically implement personalized medicine (PM) in cardiology with the purpose of avoiding overtreatment, as well as undertreatment, in ischemic heart disease (IHD). The project combines existing and prospective Nordic health data to differentiate between different subgroups of IHD and potentially identify the cause of the IHD in the individual patient. Using machine learning, researchers aim to create a clinically integrative IHD algorithm that will estimate the risk of future complications in the individual patient based on all available and relevant data rather than only a few routinely applied parameters. The algorithm-generated risk estimate will later be used clinically as a decision support tool to improve patient management.
Our premise is that the differences in the requirements in the legislation of Nordic countries, and the interpretation thereof by responsible bodies, can pose a barrier for scientific researchers. In addition, there may be non-legal institutional requirements or practices that hamper access to data. This suggests that researchers must fulfil various legal and practical requirements imposed by legislatures, data controllers and institutions in each country.
The paper seeks to contribute to the literature in several ways. First, it provides an early evaluation of how the GDPR’s research provisions are being interpreted and implemented. Second, it provides socio-legal insights by drawing on legal doctrinal method and interviews with (non-legal) researchers to also reflect the law through their eyes. Third, the article offers insights into three Nordic jurisdictions where limited practice and literature are available in English.
Methods
To establish the legal and practical requirements imposed in Denmark, Norway and Iceland, we rely on legal doctrinal method. We furthermore undertook semi-structured interviews (September 2020–January 2021) with researchers (clinicians and bioinformaticians) who are part of the research project and other selected specialists to inform the discussion section. The interviewees were selected because they had requested data for the purposes of the project. A questionnaire was sent prior to the interviews, which formed the basis for the online discussions. Follow-up interviews were conducted with national experts to clarify issues not publicly available in Iceland, where limited research is found on this topic.
Sources of data used in the project
In this section, we introduce the data sources used in the project that will be explored in this article, such as routinely obtained clinical and research data, biobank data, and electronic health records. We outline the types of data and where they are held.
Access to registries is decentralized in the three countries. In Denmark, however, access to many clinical quality registries is standardized and researchers can apply through the health care system Regions’ Clinical Quality Programme (RKKP). 11 Still, according to researchers, not all data received is of high quality and sometimes sets are missing variables. 12 Furthermore, through ‘the researcher machine’ (forskermaskinen), hosted by the Danish National Board of Health, researchers can access confidential, pseudonymised data from national clinical registries online. The available analysis tools are R, SAS and Stata. Aggregated data may also be downloaded but individuals should not be identifiable. 13 As discussed in 3.1. below, in Norway, researchers experience long delays before access to registry data is approved and available. 14 In Iceland, the researchers mainly work with data that was received in the context of prior studies to avoid similar delays. 15
The clinical data includes imaging data (coronary angiographies and echocardiographies) from Denmark, Norway and Iceland. These data form part of the patient’s electronic health record (EHR) in Denmark, which is held by the Regions, and in Norway it is held by the treating hospital. 16 In Iceland, researchers have requested updates to already collected data from Landspítali (The National University Hospital), the Directorate of Health and the Primary Health Care of the Capital Area. In addition to the coronary angiographies and echocardiographies, these data include electrocardiograms, blood test results, patients’ measurements including height and weight, and drug prescription information. 17
Danish researchers furthermore have access to raw data, including medical record notes from EHRs from two of the five Regions (Capital Region and Zealand Region), which contain records on 2.6 million Danish patients (1996–2006). 18 Access to EHRs was previously granted by the Danish Patient Safety Authority, but this competence has now been transferred to the Danish Regions. 19
In Denmark, biobanks are not fully centralized but some have agreed to centralized access procedures through the biobank unit at the Capital Region. 20 For this project, researchers have access to the Copenhagen Hospital biobank, which contains approx. 425,000 leftover blood samples from inpatients and outpatients of hospitals in the Capital Region. Under Danish law, these samples can be stored and reused for, inter alia, research purposes, as long as the patient does not opt out. 21 That is, without patients’ prior explicit consent but with research ethics approval. 22 Researchers also have access to the Danish Blood Donor Study, where blood donors aged over 18 years have consented to their samples being stored in the biobank as part of a research project. 23
Norwegian researchers have access to the HUNT (Helseundersøkelsen i Nord-Trøndelag) cohort, a population based study of approx. 150,000 persons living in Trøndelag County, spanning questionnaire data, clinical measurements, interviews and biological samples from residents of Trøndelag since 1984. 24 Participants are invited based on residence and must give informed consent to take part (this consent shapes the future use of their data, see section 3.2). HUNT is one of the largest longitudinal population health studies ever performed. 25
An important distinction between health data (e.g. EHRs) and samples stored in biobanks is that the latter are a finite resource, whereas the former are reusable. At the same time, once samples have been sequenced, the genetic data once embedded in the samples are reusable. The project has access to genetic data from Denmark and Norway through the above biobanks and in Iceland through deCODE Genetics’ biobank.
In general, the project avoids the transfer of identifiable health data across borders, although some samples from Denmark were sent to Iceland for genetic analysis. Generally, the intention of the project is that the algorithm will ‘move’ and be validated on domestic data. This is already one means by which transferring sensitive datasets is avoided, thereby circumventing certain regulatory hurdles. It should be noted that transfer of data between the countries under study (as well as third countries which must also comply with Chapter 5 GDPR) is possible under the GDPR but may require a data processing agreement or may result in the research institutions becoming joint data controllers. 26 Furthermore, in the context of health research, while transfer may be legally permitted, it can be ethically problematic if the participant has not given consent to international data transfers. However, cross border transfer of data is not addressed in detail in this paper as it falls outside the scope of the research project.
Finally, the project does not include interventional clinical trials or data from children, and therefore these aspects are also excluded.
Patient perspectives on secondary use of health data
The above data sources are a mix of routinely gathered clinical data and data gathered with informed consent to a research project. For example, blood tests and angiograms are collected and stored for the primary purpose of treating the specific patient (for example, per Article 9(2)(h) GDPR). Legislation furthermore requires the storage and maintenance of patient records as a prerequisite for treatment to protect patient safety. 27 In practice, the patient often neither asks nor is informed as to what happens to routine clinical data. Subject to the laws and legal practices discussed below, these patient ‘goods’ can be repurposed and converted into products for research, which the legislation frames as a societal/public good (see below).
When asked, Europeans seem to express generally positive views on secondary use of health data for research purposes. However, most published studies have been conducted in the United Kingdom. 28 Skovgaard et al furthermore note that awareness of secondary use is low. 29 Likewise, Snell and Tarkkala have questioned the rhetorical use of the assumption that Nordic (predominately Finnish) populations are ‘willing’ and ‘engaged’ in relation to biobanking given the chasm between positive attitudes and actual participation. 30 In 2017, Holm et al asked Danish patients about their views regarding secondary use of health data, as well as trust in health professionals. The 994 responses revealed positive views regarding use of health data in research. At the same time, participants wished to have control over their data and felt ownership over the data. 31
We underline that transparency and information are central elements of European health law and the GDPR. 32 We consider them important components in maintaining trust and public commitment to scientific health research. Legislation and practices should seek to uphold these values as individual rights and duties.
Legislative framework in Denmark, Norway, Iceland
The legislative frameworks of Nordic countries governing the processing of health data for research purposes resemble each other in several ways. This is to be expected as some aspects are harmonized at European Union (EU)/EEA level, including through the GDPR. While Norway and Iceland are not members of the EU, the GDPR is applicable in countries that are members of the EEA Agreement, such as Iceland and Norway. 33 Furthermore, the three countries have ratified common international treaties, including the Council of Europe Biomedicine Convention and the European Convention on Human Rights. 34 Moreover, traditionally, Nordic countries are often inspired by each other’s legislative approaches to healthcare to the extent that in some areas, we refer to ‘Nordic law’. 35 Similarities include universal access to healthcare driven by the welfare state, commitment to patients’ rights and use of personal identification numbers to link data.
At the same time, there is divergence for several reasons, meaning that there are important differences in national legislation and practices. International treaties and regional regulations, including the GDPR, but in particular human rights treaties like the Biomedicine Convention, leave room for discretion when it comes to implementation at national level. 36 While the GDPR is hailed for harmonization in some respects, in scientific research it has caused fragmentation or, as Tupasela calls it, ‘interpretive regulatory dissonance’. 37 In addition, a wealth of non-binding international and regional level recommendations leave it to states to decide how or whether to legislate in the sphere of biotechnology and which laws or policies to implement. 38 Based on this, gatekeeper institutions, like research ethics committees (RECs) or research institutions, are free in some situations to develop varied policies and practices.
In the next section, we present the rules and practices governing access to the data sources presented in section 2 in Denmark, Norway and Iceland. We divide our analysis into REC approval and GDPR criteria based on a close reading of the relevant legislation, as well as publicly available policies and practices. Our semi-structured interviews with researchers from the project and other specialists also shed light on the experiences of scientists working with data access.
Research ethics committee approval
A central feature of the governance of health data for research purposes is whether the research project must be approved by a regional/national REC. In such cases, the project is subject to a specialized regulatory regime and under the mandate of a committee that reviews ethical and scientific aspects. RECs are important gatekeeper institutions; in his detailed empirical study on UK RECs, Dove observes that ‘RECs have come to hold tremendous power over how research is shaped and thus, what knowledge is produced’. 39
The forthcoming analysis shows that despite similarities, there are fundamental differences among the mandates of Nordic RECs, meaning that in some cases Nordic research projects may need to apply to a REC in one country but not the other. The mandate of Nordic RECs is also in a state of flux in light of the changing uses of health data for research purposes, as discussed below.
In this section, we outline the aims, remit and consent requirements of Danish, Norwegian and Icelandic RECs.
Denmark
The purpose of the Danish REC system is defined by law as ensuring that health science research and health data research is conducted in a scientifically responsible manner. The Danish Research Law was originally drafted to regulate the ethical assessment of biomedical research projects, that is, health science research. 40 While the legislation, including its title, was updated in 2020 to include a limited number of health data research projects, its central principles remain unchanged, thereby reflecting a bodily integrity perspective, which renders some provisions ill-suited to health data research.
Under Danish law, REC approval is required for research closely connected to a person or parts of their body, including, inter alia, living persons, cells, tissue and clinical research on medicines. Since June 2020, research projects processing sensitive bioinformatics data, where there is a risk of significant health-related secondary findings, must also receive REC approval. 41 This has expanded the mandate of the Danish RECs to include projects exclusively based on data within genetics and imaging.
Researchers planning to carry out the above types of projects must seek approval from a regional REC or, if the project relates to a complex area, the National REC, to whom researchers can also appeal if their applications are unsuccessful. 42 Research projects using (health) data falling outside these categories, such as surveys and register research, are not required to obtain permission from a national or regional REC. Instead, the data controller will need to assess whether the data can be provided, following the Health Act/GDPR rules (see 3.2). 43 In addition, research on data from patient files needs permission from the Regional Council, which reflects the special status of patient files and the confidential relationship between the patient and health care professionals. 44
Regarding consent, the basic rule is that research subjects should give informed consent to take part in health research projects. 45 However, a REC can dispense with consent if the project is exclusively based on biobank samples and does not include health-related risks or in any other way create hardship for the research subject. It is also possible to dispense with consent if it is impossible or disproportionately difficult to gain consent. 46 However, patients can always register an ‘opt out’ to research on their biological samples gathered during treatment or to (some) genetic data through the Tissue Use Register. 47
It is not immediately clear how certain provisions should be applied to health data research. For example, the REC shall weigh the foreseeable risks and disadvantages of the research with the benefits for the research subjects and current or future patients, including whether pain, discomfort, fear and other foreseeable risks are minimized in relation to the subject’s disease and stage of development. 48 As Evans observes in the US context, ‘in informational research that uses a person’s data, the principal risks . . . are privacy and dignitary risks related to data disclosure’. 49 Furthermore, Elster and Feiring highlight in the Nordic context that research on already gathered data does not contain risks to life and health but could result in discrimination and stigmatization. 50
In a big data research context, ‘creating hardship’ for participants is another unclear standard that is difficult to foresee. 51 In guidelines from the National REC, this is interpreted to relate to violations of privacy and integrity, as well as harm and violation of autonomy associated with risk of secondary findings, which may be returned to patients/research participants. 52
While there have been recent amendments to Danish law to modernize it in light of the changing nature of health research, the law’s ethos continues to focus on bodily integrity, including concepts like hardship, health risks and safety. These terms do not fit the big data landscape, where violations of privacy and stigma or discrimination seem to provoke greater concern.
Norway
The objective of the Norwegian Health Research Act is to encourage good and ethically responsible research. 53 It is underpinned by two principles: proportionality and autonomy. 54 Following the Act, research should be based on ‘respect for the human rights and human dignity of the research participants’. As under Danish law and the Biomedicine Convention, the welfare and integrity of participants shall precede the interests of science and society. 55 The research manager shall ensure, inter alia, that medical and health research is carried out in a way that safeguards adequate ethical, medical, health, scientific, privacy and information security conditions. 56
The remit of the Norwegian Regional Committees for Medical and Health Research Ethics is broader than the Danish equivalent. Research projects that include medical and health research on humans, human biological material or health information must be approved in advance. 57 Processing of health information for medical and health research purposes requires prior approval from a Regional Committee for Medical and Health Research Ethics. 58
Gjertrud Bøhn Mageli highlights difficulties that can arise when RECs are called upon to decide applications involving new technologies. 59 In one example, researchers applied for permission to use free text from patient records to develop an algorithm. The Regional REC denied this request, determining that it was unclear whether developing machine learning algorithms was research or outside the REC’s mandate. The National REC disagreed and returned the application to the Regional REC for reconsideration, which then approved it. For our purposes, this illustrates the differences in how RECs interpret their mandates and how this can undermine new health science research methods. In Copenhagen, text mining of electronic health records has been approved by RECs for many years. 60
In Norway, clinicians have criticized the rules governing access to health registries for research purposes for many years, in particular due to long waiting times. While research on registers established under the Health Registry Act does not require ethical approval, 61 several executive orders establishing specific registers require REC approval, such as the Norwegian patient register. Furthermore, as the data stored in the Norwegian Institute of Public Health (NIPH)’s health registries and health surveys is confidential, an exemption from the duty of confidentiality must be obtained. Exemptions may be obtained through the consent of the data subject or from a regional REC. To receive identifiable registry data, the researcher must submit ethical approval and a Data Impact Assessment Plan (DPIA). 62
The Norwegian Parliament has therefore recently passed amendments to the Health Registry Act. 63 The aim of the amendments is to give increased, easier and more secure access to health data and information in health registries for use in statistics and research. In the bill, the Ministry of Health acknowledged the time and resource demands of accessing information in registers. The amendment aims to streamline access to data by establishing a national Health Analysis Platform and an access portal through the Health Data Service (Helsedataservice), which will process health register data requests. The conditions and rules for receiving data will also be made clearer. Furthermore, there will be less need to transfer personal data and better opportunities to analyse data in a secure manner, as one can in Denmark through forskermaskinen (see section 2). 64
Finally, in terms of consent, the Regional REC may decide that health information can or shall be provided by health personnel for research, and that it may occur despite confidentiality, that is, without patient consent. This can only happen if such research is of significant interest to society and the participants’ welfare and integrity are protected. 65 The role of consent in Norway is seen as protecting patients from losing control over their data and how it is used. 66 As in Denmark, individuals can opt out of their data being reused for research, although the remit is broader in Norway, while in Denmark only biological samples and (some) genetic data are covered. Furthermore, in 2014, the Data Protection Authority (DPA) found that between 2009 and 2013, University Hospital of North Norway had not informed patients that their data could be used for research and how to opt out. The Authority decided that data gathered during that period could not be used for research unless the patient re-consents or is informed. 67
The remit of the Norwegian REC is broader than the Danish equivalent. There are also differences in the conditions per which data can be provided without consent.
Iceland
In Iceland, the most relevant legislation for the work of the National Bioethics Committee is the Act on Scientific Research in the Health Sector and Act on Biobanks and Health Data Registries. 68 The objectives set out in Article 1 of the Act on Scientific Research in the Health Sector are to promote the quality of scientific health research while safeguarding the interests of the participants. As in Denmark and Norway, scientific health studies shall furthermore be based on respect for the human dignity of participants and human rights shall never be sacrificed for the interests of science and society. According to Article 4, the planning and conduct of scientific health research shall also ensure that ethical and scientific perspectives are respected and privacy safeguarded.
The purpose of the Act on Biobanks and Health Data Registries is laid out in Article 1, stating that the use of samples or data for scientific health research shall be undertaken in such a way that privacy and interests of individuals are safeguarded. Utilization of health data shall furthermore serve scientific and medical purposes for the promotion of public good. In addition, the interests of science and society should never be placed above the interests of individuals who shall furthermore never be discriminated against based on information from their biological samples or health data. Rules regarding research on health data or biological samples—but without human subjects—are stipulated in a specific chapter of the Act on Scientific Research in the Health Sector (Chapter VI), in addition to the general rules which are applicable to all studies also laid out in the same legislation. 69
Scientific health research cannot usually take place unless the Icelandic National Bioethics Committee (Icel. Vísindasiðanefnd), equivalent to the Danish and Norwegian REC, has approved the research in advance. 70 The Icelandic National Bioethics Committee handles applications to undertake clinical trial studies involving human subjects and applications for scientific research using health data or biological samples, such as is the case in this project.
However, when a study takes place fully and solely within a health institution and related university, approval from the institutional review board of Landspítali University Hospital or Akureyri Hospital (HREC of Landspítali University Hospital or HREC of Akureyri Hospital) may suffice. 71 The HRECs of the institutions are bound by the Act on Scientific Research in the Health Sector, which means that their reviews are based on the same criteria as the Bioethics Committee and are subject to the same rules of procedure. 72 Decisions made by the HRECs can be appealed to the Bioethics Committee.
The Bioethics Committee evaluates applications for studies using health data or biological samples without human subjects. Access to samples or health data is, however, also subject to the consent of the party responsible for the data or biobank. 73 As health data are decentralized, the researcher must contact each data controller and seek approval to access the data. 74 This may reflect the right to medical confidentiality when the data controller is responsible for access to clinical data of a patient. For the research permit to be approved, the use of data or samples shall furthermore be in accordance with the research plan and the Act on Personal Data Protection and the Processing of Personal Data No. 90/2018. Following Article 26, the data shall be sufficient, relevant and not in excess of what is necessary to achieve the purpose of the study.
When access is granted to biological samples for scientific research, the samples shall be provided without personal identification. In exceptional circumstances, it is permissible, with the approval of the Data Protection Authority, to provide biological samples with personal identification. The board of the Biobank can furthermore, subject to certain conditions and with the permission of both the Data Protection Authority and the Bioethics Committee, allow the use of biological samples for different purposes than scientific studies, quality control, method development and teaching. 75
In both cases, that is, whether the application concerns human subjects, or only data or biological samples, the Bioethics Committee sends the research application to the Data Protection Authority (DPA). Within 10 business days, the DPA evaluates data protection issues, such as data retention periods, and whether the data will be shared with personal identification. 76 If the DPA does not consider it necessary to further assess the application, the Bioethics Committee can issue a research permit. If, however, the DPA considers it necessary, the DPA notifies the Bioethics Committee that it will further assess the research application. The Bioethics Committee is then bound to wait for the DPA to give its opinion on the application. Such an opinion can, for example, entail recommendations on how the research data should be processed. The DPA can, however, also conclude that the research would violate the Data Protection Act. In that case, the National Bioethics Committee is bound by the DPA’s opinion and may not approve the research application. 77
Finally, the National Bioethics Committee, which oversees applications for scientific research in the health sector, requires that applicants are affiliated with an Icelandic institution. As in Norway and Denmark (see below), this requirement does not have a clear legal basis. This practice is, however, considered a necessary precondition for the applicant to carry out their supervisory role, to ensure compliance with Act no. 44/2014 on Scientific Research in the Health Sector, and rules that potentially restrict data transfer between countries. 78
The Icelandic regulation of research ethics approval differs from those presented above. First, it contains more complete specialized rules on health data research projects. Second, there is the possibility to have an institutional ethics review, instead of going through the national REC system. Furthermore, the DPA forms an integrated part of the ethics review, as discussed in more detail below.
Permission from the data controller: GDPR criteria
Research ethics approval is only one step in accessing health data for research purposes. As Dove observes, RECs rely on trust: ‘there is limited power for a REC to monitor researchers following initial approval of the project’. 79 In contrast, if the data falls within the remit of the GDPR (i.e. is not anonymised), 80 the data controller must determine whether to provide the data in line with the Regulation.
There are textual differences in how the three countries have implemented the GDPR in the context of scientific research. Furthermore, given that many provisions of the GDPR are framed broadly, there may be differences in how terms are interpreted by data controllers. Under the previous data protection legislation, research projects on personal data needed permission from the Data Protection Authority to process health data, but this is no longer the case. 81 The RECs also do not have the competence to assess the researcher’s compliance with GDPR. 82 This is primarily a matter for the data controller. As explained in section 3.1, this differs in Iceland.
This section does not attempt to provide a complete account of GDPR compliance in health research but instead to identify areas of divergence in national law. We note that Article 5 GDPR outlines a list of principles that will not be discussed in detail below: lawfulness, fairness and transparency; data must be collected for specified purposes; data minimization; accuracy; identifiable for no longer than necessary and processed with integrity and confidentiality. Below, we focus on how the central GDPR rules related to health research relevant to the project have been implemented in the three countries, as well as non-legal practices that have emerged.
Denmark
Having received ethical approval (or bypassing this step if the project falls outside the remit of the REC), the researcher applies to the relevant entity, which in some cases is centralized: for example, the scientific committee of the Danish National Biobank for samples held there, and the Health Data Agency for quality databases. 83 The data controller assesses whether access can be granted, relying on data protection law.
Compared to Iceland, the Danish DPA is not overtly involved. However, the DPA must give permission if the request includes a data transfer to a third country, biological material or happens for the purpose of publishing (identifiable) results in a recognized scientific journal. 84 In those cases, when granting permission, the DPA specifies ‘appropriate technical and organizational measures’, such as that transportation and storage of biological material must take place with appropriate safety conditions. 85 Having reviewed these decisions, we found only one refusal, in which a university requested to send patient images to a scientific journal. The DPA held that transfer should, as a starting point, only take place in pseudonymised form. Although the data subjects’ faces would be blurred, their features and characteristics could be attributed. As a result, the DPA could not rule out that the publication thereof could have consequences for the data subject. 86 Although the DPA’s involvement is minimal at the access stage, after the researcher receives the data, the DPA, as per Chapter 6 of the GDPR, can become involved of its own volition or based on a complaint.
Following section 10(1) DBL, the central legal tests governing the processing of health data for research purposes are whether the research is of significant societal importance and the necessity of the data transfer. 87 The reliance on this terminology has been criticized by, for example, the Danish doctor’s association, for lacking transparency. 88 The necessity criterion poses a particular challenge for researchers, as they must justify requesting specific variables, or risk their application being rejected. Information received that is not necessary for the research must be deleted, destroyed or returned as soon as possible. 89
Unlike in Norway, a Data Protection Impact Assessment (DPIA) is not mandatory to receive registry data. Instead, the guidelines from the Danish DPA reiterate the criteria found under Article 35(1) GDPR, namely that a DPIA is only obligatory if the processing ‘is likely to result in a high risk to the rights and freedoms of natural persons’. 90 Following Article 35(4), the European Data Protection Supervisor has issued a list of processing operations that are likely to result in high risks, which includes health and genetic data, data processed on a large scale (in terms of the number of people or the amount of data) and innovative use of data, such as machine learning. If two or more of the criteria are present, a DPIA should be conducted. 91 This suggests that the Norwegian Registry approach is more restrictive than may be required by GDPR and could thereby inhibit research.
Although the Danish DPA’s practice regarding scientific research and the GDPR is so far limited, the DPA has clarified that when a researcher (or student) employed at a hospital or university processes sensitive personal data for use in a research project, the university/hospital becomes the data controller and data processor. 92 Therefore, there are often internal requirements placed on researchers by their home institution to try to ensure compliance with GDPR. For example, researchers at the University of Copenhagen intending to process personal data for a research project must apply to the Faculty Secretariat, submitting a risk assessment and details of the project. 93 In this way, data controllers develop various policies in pursuit of compliance. However, there is a risk that this leads to varying implementation, such as creating difficulties in data access or, conversely, giving data subjects’ rights inadequate protection.
In addition, for access to certain research collections based in Denmark, practice (not law) dictates that the researcher must be part of or affiliated with a Danish research environment. For example, for access to registry data, researchers must be affiliated with a research institution authorized by the Health Data Authority. By way of illustration, Statistics Denmark holds socioeconomic data on the Danish population and requires affiliation with a Danish research institution to transfer micro data. The justification given is: ‘Statistics Denmark is not able to enforce a contract effectively abroad’. 94
Norway
As in Denmark, the processing of health information in medical and health research shall be in accordance with the principles set out in Article 5 GDPR and shall have explicitly stated purposes. The health information must be relevant and necessary to achieve the purpose of the research project. The degree of personal identification of health information shall not be greater than is necessary to achieve the purposes.
The test for processing sensitive personal data for research purposes differs from the Danish legislation as such data ‘may be processed without the consent of the data subject if the processing is necessary for purposes related to scientific research and the public interest clearly exceeds the disadvantages to the individual’. Public interest is not specifically mentioned in the Danish equivalent; instead, emphasis is placed on the societal importance of the research. The processing shall be subject to the necessary guarantees in accordance with Article 89 (1) GDPR. Furthermore, the Data Protection Officer (DPO) must be contacted prior to processing or a DPIA must be conducted; a requirement that is not present in Danish law. 95 Befring describes how this has led to conflict in Norway, where health researchers have objected to what they view as hospital DPOs’ overly strict interpretation of the GDPR. 96
Beyond the legal criteria set out in the Data Protection Act, the data controller may also impose their own conditions on access to data. For example, all applications for use of HUNT samples are considered by HUNT’s Data Access Committee, which assesses whether the intended use is consistent with the purpose of The HUNT Study. The following aspects are part of this assessment (although not explicitly required by law, they seek to respect the individual’s initial consent):
Potential utility of the project: Is the project likely to lead to new knowledge about health and disease? Projects considering health issues that are relevant for many or that shed light on more serious health issues will be prioritized above those who do not.
Quality of the project’s protocol and research team.
Feasibility: practical and financial.
Overall assessment of the project:
Will the project contribute to a good use of the HUNT material?
Is the project in line with participants’ consent and expectations?
Is it expected that the project will contribute positively to HUNT’s reputation? 97
These conditions go beyond data protection law and instead reflect a form of ethical review beyond that already conducted by the REC (see 3.1.).
As in Denmark, there are limitations on access for international researchers. Researchers associated with Norwegian research institutes can apply for access to HUNT data and samples (provided REC approval has been given). Researchers from other countries can also apply in cooperation with a Norwegian Principal Investigator. The stated reasons for these requirements are twofold: to comply with the original consent given by the participants and to facilitate review by lay members of the REC who perhaps do not speak English (REC applications must be in Norwegian). 98
Iceland
As in Norway and Denmark, Iceland allows for personal data to be processed if it is necessary for scientific research and provided that data protection is ensured by certain measures as appropriate and in accordance with the Data Protection Act. 99 Certain measures refer here to actions such as the encryption or deletion of personal identifiers, as well as other necessary security measures to which the processing may be subject. 100 In addition, the processing should be carried out on the basis of legislation which provides for appropriate and specific measures to protect the fundamental rights and the interests of the individuals from whom the data stems. The processing furthermore needs a legitimate basis in Article 9 of the Data Protection Act (corresponding to Article 6 of the GDPR).
Both the Act on Scientific Research in the Health Sector and the Act on Biobanks and Health Data Registries repeatedly refer to the Act on Personal Data Protection. As described in section 3.1, the DPA assesses the data protection aspects of applications filed with the Bioethics Committee. 101 If necessary, the DPA undertakes further evaluation of the research application on the basis of the Data Protection Act. 102 This entails an evaluation of whether the principles and legal requirements laid out in Articles 8 and 9 of the Data Protection Act, corresponding to Articles 5 and 6 of the GDPR, are fulfilled. In addition, the DPA assesses the security of processing, as per Article 27 of the Data Protection Act and Articles 32-34 GDPR. Security of data processing is further outlined in rules 622/2020, which the DPA can take into account in its assessment. 103 Based on its evaluation, the DPA can either make recommendations as to how to improve the application with regard to data protection, or deny the research permit if it considers that the research would violate the Data Protection Act. 104 This process can avoid later enforcement actions but is resource intensive (as discussed below).
Outside the process directly linked with research applications on health data, the DPA has also issued general guidelines on the processing of health data. 105 On 26 June 2015, the DPA issued, for example, guidelines on the processing of health data for scientific research taking place with Íslensk Erfðagreining (deCODE) as a data processor. 106 These guidelines lay out the DPA’s recommendations on how the data processor should guarantee data protection when undertaking scientific research using either health data or biological samples. 107 The guidelines were issued due to the number of research projects taking place within ÍE (deCODE) and had an expiry date (26 June 2017). 108 In addition, individuals can bring their cases before the DPA in relation to scientific research with their health data. 109 The DPA has, however, not ruled on any such cases since the GDPR was implemented into Icelandic legislation. 110
Discussion
In this article, we have reviewed legal and non-legal processes governing access to certain data sources, such as genetic, imaging and registry data, as well as biological material, for the purposes of developing a cross-Nordic healthcare algorithm. A patchwork of intersecting, sometimes varying, laws governs access. Certain rights are shared by virtue of common EU and European law, like data protection, integrity and confidentiality. At the same time, there are also differences in the overarching governance framework, such as the role of data protection authorities and RECs.
First, the mandates of RECs and the data protection authorities vary. From an individual rights perspective, the absence of an ethical assessment in Danish registry projects can be critiqued. Similarly, a DPIA is not mandatory in Denmark, as it is in Norway. On the other hand, simplified access may enable scientific research with ‘low risk’ data and avoid time-consuming regulatory hurdles. The relatively minor role of the Danish and Norwegian Data Protection Authorities in controlling access to research data compared to in Iceland can be viewed through a similar lens. While Iceland is a smaller country (population 356,991) where a review by the DPA may be feasible in each case, in Norway (5.3 million) and Denmark (5.8 million), this could cause long delays and administrative headaches if adequate resources are not provided.
There is a risk that GDPR criteria, like necessity, will be assessed to different standards, especially in the first years of GDPR implementation, if there is inadequate sharing of practices among institutions. Furthermore, the relevant authorities may misunderstand their legal obligations, for example, where a data controller or data processor erroneously infers that REC approval includes an assessment of GDPR compliance. We therefore highlight the data controller’s central obligations to safeguard personal data under the GDPR and RECs’ concurrent duties to review ethical aspects.
Second, the manner in which a dataset is collected, catalogued and stored has implications for data access. Datasets that are established by law and accessed through a centralized authority, like Danish quality registries, are often easier to identify and access than clinical datasets stored under a broader legal basis. For example, patient imaging data may be difficult to locate and thereby access for research purposes as it is gathered for treatment without research purposes in mind. Rich cohorts and speciality biobanks like HUNT take time and effort to be developed into a useful resource that is ready to be used by researchers. Meanwhile, unstructured clinical data, while promising, may be delivered with missing variables or have slow access procedures due to lack of personnel or infrastructure. This can hamper the foreseeability of a project, as a researcher may not know the worth of the data until they have received it. With structured research data, the available data is clearer. From a legal perspective, this is important because researchers must satisfy the requirement of necessity: they should only receive the data necessary for carrying out the processing purpose. Without clarity as to which data are available, doing so is an added challenge for researchers. Literature underscores that quality health data is a resource and we echo this finding. 111
Third, certain institutions in all the countries participating in the project require that the researcher applying for health data access is affiliated with a domestic institution. This requirement seems to be based on practice, without any clear legal basis, but allegedly to ensure compliance with legal requirements (such as rules on data transfer or consent). This practice encourages cooperation between researchers and institutions of different countries, as it prevents a single individual or entity from seeking health data from other countries than its own. However, it is problematic for the free flow of data and the prospects of a European Research Area. While we recognize the importance of fully analysing the legal basis of this practice, we consider that analysis to be outside the scope of this paper.
Ultimately, we find that the decision to give a researcher access to a dataset can go beyond access for a single project. For big data research, it can make the researcher an attractive collaboration partner as they already have access to data that in some circumstances may be reused without completely new permissions. 112 Furthermore, the researcher gains experience with the access procedures and thereby knows which sets are accessible/valuable. In this manner, a single access request can open up multiple research possibilities, while a refusal can have long lasting consequences.
Finally, we consider that there are a number of organizational issues surrounding access to Nordic research data that would benefit from clearer regulation. For example, in Denmark, there is no biobank law and thereby no comprehensive list of approved biobanks. Similarly, potentially valuable research collections like patient imaging are not mapped, meaning that this resource remains subject to word of mouth, which naturally benefits physicians from the treating hospital. All three countries would benefit from centralized access to data. The current position leads to an absence of clarity regarding which resources are available and to whom.
We propose that Nordic research could benefit from increased transparency in several areas. The first area in need of clarification is how GDPR criteria are being applied by data controllers in the various health agencies and bodies making determinations. This could be pursued through annual reports with statistics and general results, as well as interagency meetings. Here the Norwegian Data Protection Authority’s new initiative – a regulatory sandbox for artificial intelligence innovation – can be mentioned as an attempt to explore and discuss difficult ethical and legal issues. 113
Second, a more transparent legal framework, as has been proposed in Norway for health registries, is recommended. This would facilitate access and awareness of available data sets.
Third, greater citizen engagement in the aims and uses of health data, for example, through better informing individuals as to how their health data is being used should be considered. In this regard, Denmark could learn from Norway. This could encompass providing routine information to patients when accessing health services, as well as societal engagement with secondary use of health data, through, for example, advertising and public campaigns. However, we acknowledge that societal engagement has limitations and should not be used as an argument to erode consent.
Conclusion
We set out to trace the journey of health data in an ongoing research project, PM Heart, which aims to create an algorithm to treat IHD. We described two features common to the legal and practical frameworks of Denmark, Norway and Iceland, that is, REC approval and application of the GDPR criteria. We discussed the different roles that RECs and data protection authorities play in the participating countries, and how this influences the journey of health data. We furthermore noted how the quality of datasets affects whether researchers can fulfil the GDPR requirement of necessity and the impact of the (non-legal) requirement that researchers applying for access need to be affiliated with a domestic research institution. We acknowledge the significance of individual researchers or institutions that already hold access to health data through applications or collections gathered for previous projects. While it facilitates access to important health data, such as in this project, it can also limit which researchers and research entities are invited to take part in new studies.
By tracing the journey of health data used for the project through the legal and practical requirements applicable in Denmark, Norway and Iceland, we have shown that researchers often face difficulties in accessing high-quality data and that various hindrances can negatively affect scientific cooperation between these countries, despite their shared legal traditions. Nordic health research initiatives could thereby benefit from increased transparency. We highlight the importance of recent initiatives aimed at simplifying the applicable legal frameworks. More specifically, we propose further transparency in relation to how GDPR criteria are assessed and applied and further engagement of Nordic residents as to how health data is and should be used. Ultimately, however, we acknowledge that non-legal factors cannot be addressed by legal reforms alone given that institutional culture features in determinations on data access.
Footnotes
Acknowledgements
We are grateful to our colleagues in PM Heart for sharing their experiences and reading an earlier draft, in particular, PI Professor Henning Bundgaard and Professor Kristian Hveem. Any mistakes or omissions remain solely attributable to the authors.
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: KÓC and MH’s contribution is supported by Innovation Fund Denmark (IFD) and NordForsk through funding to PM Heart, project number 90580. HDG is supported by a grant from the Collaborative Research Programme for Biomedical Innovation Law, a scientifically independent collaborative research programme supported by a grant NNF17SA0027784 from Novo Nordisk Foundation.
1
See, Deloitte Legal for Nordic Innovation, Bridging Nordic Data - Legal Overview of Possibilities and Obstacles for Secondary Use of Health Data for Innovation and Development (Oslo: Nordic Council of Ministers, Nordic Innovation, 2020).
2
A. Tupasela, K. Snell, H. Tarkkala, ‘The Nordic Data Imaginary’, Big Data & Society 7 (2020), pp. 1–13.
3
NordForsk, The Nordic Commons: A Vision of a Nordic Secure Digital Infrastructure for Health Data (Oslo: NordForsk, 2019).
4
J.F. Ludvigsson et al., ‘Ethical Aspects of Registry-Based Research in the Nordic Countries’, Clinical Epidemiology 7 (2015), pp. 491–508.
5
J. Maret-Ouda et al., ‘Nordic Registry-Based Cohort Studies: Possibilities and Pitfalls When Combining Nordic Registry Data’, Scandinavian Journal of Public Health 45(17) (2017), pp. 14–19.
6
Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ (General Data Protection Regulation) [2016] OJ L119/1.
7
T. Greene, G. Shmueli, S. Ray, and J. Fell, ‘Adjusting to the GDPR: The Impact on Data Scientists and Behavioral Researchers’, Big Data 7(3) (2019), pp. 140–162.
8
N. Clarke et al., ‘GDPR: An Impediment to Research?’, Irish Journal of Medical Science 188 (2019), pp. 1129–1135. For example, Østfold HF Hospital was fined NOK 750,000 for breaching patients’ data protection. The Data Protection Authority, Administrative fine to Østfold HF Hospital (2020) available at
9
10
K. Høyer, ‘Ethics as a Form of Regulation in Relation to Data and Bodily Materials’, in M. Jacob and A. Kirkland, eds., Research Handbook on Socio-Legal Studies of Medicine and Health (Cheltenham: Edward Elgar Publishing, 2020), pp. 333–347, p. 346.
11
12
Interview with Project Researcher (Denmark, September 2020).
14
15
Interview with PM Heart researcher (Iceland, January 2021).
16
Interview with PM Heart researcher (Norway, November, 2020).
17
Interview with PM Heart researcher (Iceland, January 2021).
18
The method of text mining electronic health records is described in P.B. Jensen, L.J. Jensen and S. Brunak, ‘Mining Electronic Health Records: Towards Better Research Applications and Clinical Care’, Nature Reviews Genetics 13 (2012), pp. 395–405.
19
The Danish Health Act, Bekendtgørelse af Sundhedsloven, LBK nr 903 af 26/08/2019 (Sundhedsloven), § 46(2).
21
22
See further, K. Ó Cathaoir, ‘In Search of Solidarity: Personalised Medicine in Denmark’, Nordisk socialrättslig tidskrift 21–22 (2019), pp. 65–95.
24
S. Krokstad et al., ‘Cohort Profile: The HUNT study Norway’, International Journal of Epidemiology 42(4) (2012), pp. 968–977.
25
26
See, inter alia, European Data Protection Board, Guidelines 07/2020 on the concepts of controller and processor in the GDPR (version 1.0, 2 September 2020).
27
See, for example, BEK nr 530 af 24/05/2018 Bekendtgørelse om autoriserede sundhedspersoners patientjournaler (journalføring, opbevaring, videregivelse og overdragelse m.v.)
28
L.L. Skovgaard, S. Wadmann, K. Hoeyer, ‘A Review of Attitudes Towards the Reuse of Health Data Among People in the European Union: The Primacy of Purpose and the Common Good’, Health Policy 123(6) (2019), pp. 564–571.
29
Ibid.
30
K. Snell and H. Tarkkala, ‘Questioning the Rhetoric of a ‘willing population’ in Finnish Biobanking’, Life Sciences, Society and Policy 15(4) (2019), pp. 1–11.
31
S. Holm, T.B. Kristiansen, T. Ploug, ‘Control, Trust and the Sharing of Health Information: The Limits of Trust’, Journal of Medical Ethics. Epub ahead of print 25 August 2020. DOI: 10.1136/medethics-2019-105887.
32
M. Mourby, K. Ó Cathaoir and C. Bjerre Collin, ‘Transparency of Machine Learning in Healthcare: The GDPR and European Health Law’, Computer Law and Security Review (in press).
33
Agreement on the European Economic Area (as amended) OJ L 1, 3.1.1994, pp. 3–522.
34
Convention for the Protection of Human Rights and Fundamental Freedoms, Rome, 1950 Council of Europe European Treaty Series 5; Convention for the Protection of Human Rights and Dignity of the Human Being with regard to the Application of Biology and Medicine: Convention on Human Rights and Biomedicine, Oviedo, 4.IV.1997 ETS 164.
35
E. Rynning, M. Hartlev (eds) Nordic Health Law in a European Context (Leiden: Brill Nijhoff, 2011).
36
O. Tzortzatou et al., ‘Biobanking Across Europe Post-GDPR: A Deliberately Fragmented Landscape’ in S. Slokenberga, O. Tzortzatou and J. Reichel, eds., GDPR and Biobanking, Vol. 43 (Cham: Springer, 2021), pp. 397–419.
37
Ibid. and A. Tupasela., ‘Tensions Between Policy and Practice in Finnish Biobank Legislation’, Biopreservation and Biobanking 13(5) (2015), pp. 379–381.
38
39
E.S. Dove, Regulatory Stewardship of Health Research (Cheltenham: Edward Elgar, 2020), p. 32.
40
Lov om et videnskabsetisk komitesystem og behandling af biomedicinske forskningsprojekter nr 503 af 24/06/1992.
41
Komitéloven, § 2(1)-(4).
42
Ibid. § 15(1).
43
Ibid. § 14(2).
44
Sundhedsloven, § 46(2).
45
Ibid. § 3(1).
46
Ibid. § 10(1).
47
Sundhedsloven, § 29. Only applies to genetic data stored in the National Genome Center.
48
Lov om videnskabsetisk behandling af sundhedsvidenskabelige forskningsprojekter og sundhedsdatavidenskabelige forskningsprojekter LBK nr 1338 af 01/09/2020 (Komitéloven), § 18(3)
49
B. J. Evans, ‘Big Data and Individual Autonomy’, in I.G. Cohen, H. Fernandez Lynch, E. Vayena and U. Gasser, eds., Big Data, Health Law, and Bioethics (Cambridge: Cambridge University Press, 2018), pp. 19–29.
50
J. Elster and E. Feiring, ‘Når er registerbasert helse- og helsetjenesteforskning uten samtykke etisk forsvarlig?’ in A. Kjersti Befring and I.J. Sand, eds., Kunstig Intelligens og Big Data i Helsesektoren Rettslige Perspektiver (Copenhagen: Gyldendal, 2020), pp. 452–474.
51
A. McMahon, A. Buyx, B. Prainsack, ‘Big Data Governance Needs More Collective Responsibility: The Role of Harm Mitigation in the Governance of Data Use in Medicine and Beyond’, Medical Law Review 28(1) (2020), pp. 155–182.
52
53
Lov om medisinsk og helsefaglig forskning, Lov-2008-06-20-44 (Helseforskningsloven), § 1.
54
Helseforskningsloven, § 1. A.K. Befring and A. Syse, ‘Enkelte viktige særlover’ in A. K. Befring, M. Kjelland and A. Syse, eds., Sentrale Helserettslige Emner (Copenhagen: Gyldendal, 2016), p. 250.
55
Helseforskningsloven, § 5.
56
Forskrift om organisering av medisinsk og helsefaglig forskning, FOR-2009-07-01-955, § 5(a).
57
Helseforskningsloven, § 2, § 9.
58
Helseforskningsloven, § 33(1).
59
G. Bøhn Mageli, ‘Deling av Helseopplysninger til Maskinlæring: Gjeldende Rett og Forslag til Endringer’, in A.K. Befring and I.J. Sand, eds., Kunstig Intelligens og Big Data i Helsesektoren Rettslige Perspektiver (Copenhagen: Gyldendal, 2020), pp. 376–377.
60
Jensen, Jensen, Brunak, Note 18.
61
Helseforskningsloven, § 33(2) (health regulations established by the secondary instrument, registries established with consent or without directly identifiable characteristics, statutory health registers).
62
Helsedirektoratet, ‘Norsk pasientregister (NPR)’ available at https://www.helsedirektoratet.no/tema/statistikk-registre-og-rapporter/helsedata-og-helseregistre/norsk-pasientregister-npr/sok-om-data-fra-npr (accessed 1 April 2021).
63
Vedtak til lov om endringer i helseregisterloven m.m. (tilgjengeliggjøring av helsedata) Innst. 74 L (2020–2021), jf. Prop. 63 L (2019–2020). Parts of the Act entered into force 1 June 2021.
64
Helse- og omsorgsdepartementet Prop 63 L (2019–2020) Endringer i helseregisterloven mm (tilgjengeliggjøring av helsedata), Proposisjon til Stortinget (forslag til lovvedtak).
65
Helseforskningsloven, § 35.
66
B. Ohnstad, ‘Taushetsplikt og Kommunikasjion i Helsevesenet fra Hippokrates til Big Data’, in A. K. Befring and I.J. Sand, eds., Kunstig Intelligens og Big Data i Helsesektoren: Rettslige Perspektiver (Copenhagen: Gyldendal, 2020), p. 201.
67
68
No 44/2014 (Icel. Lög um vísindarannsóknir á heilbrigðissviði); No 110/2000 (Icel. Lög um lífsýnasöfn og söfn heilbrigðisupplýsinga).
69
See chapters 1-3 and 7-9 of the Act on Scientific Research in the Health Sector No 44/2014.
70
Article 10 and 12, Act on Scientific Research in the Health Sector No 44/2014.
71
Article 11, Act on Scientific Research in the Health Sector No 44/2014.
72
Regulation 1186/2014 on Research Ethics Committees in the Health Sector (Icel. Reglugerð um siðanefndir heilbrigðisrannsókna).
73
Art. 26 (1) of the Act on Scientific Research in the Health Sector No 44/2014, and Art. 9(2) of Act on Biobanks and Health Data Registries No 110/2000. Responsible party can here refer to a supervisor of medical records, a board of a Biobank or Health Data Base or; the Directorate of Health if the data is kept in the registries which the Directorate keeps according to Art. 9 of Act on the Directorate of Health and Public Health No. 41/2007.
74
75
Art. 9(6) of Act on Biobanks and Health Data Registries No. 110/2000.
76
77
78
Act no. 90/2018 on Data Protection. Correspondence with Eiríkur Baldursson, CEO of the National Bioethics Committee, 23 February 2021. Email from the Icelandic National Bioethics Committee, 1 March 2021.
79
Dove, Note 36, p. 16.
80
For an analysis of anonymization under GDPR see M. Mourby, ‘Anonymity in EU Health Law: Not an Alternative to Information Governance’, Medical Law Review 28(3) (2020), pp. 478–501.
81
Persondataloven L 2000-05-31 nr 429.
83
Statens Serum Institut, ‘Vejledning i adgang til biologisk materiale og data fra Danmarks Nationale Biobank’, (7 September 2016) available at (accessed 8 March 2021). Prior to providing data, the Health Data Agency (Sundhedsdatastyrelsen) must offer the public authority who acts as the data controller for the relevant database an opportunity to be heard, Bekendtgørelse om indberetning til godkendte kliniske kvalitetsdatabaser og videregivelse af data til Sundhedsdatastyrelsen BEK nr 585 af 28/05/2018, § 3(5).
84
Lov om supplerende bestemmelser til forordning om beskyttelse af fysiske personer i forbindelse med behandling af personoplysninger og om fri udveksling af sådanne oplysninger, LOV nr 502 af 23/05/2018 (databeskyttelsesloven), § 10(3). BKG 2019-12-18 nr 1509 Videregivelse af personoplysninger omfattet af databeskyttelseslovens § 10, stk. 1 og 2.
85
86
87
Databeskyttelsesloven, §10(1). See further, P. Blume and H.M. Motzfeldt, ‘Databeskyttelse og Udvikling af Kunstig Intelligens - Svømmer Databeskyttelsesretten over sine egne Bredder?’, Revision og Regnskabsvæsen 10 (2020), p. 14; M. Hartlev, ‘Balancing of Individual Rights and Research Interests in Danish Biobank Regulation’ in S. Slokenberga, O. Tzortzatou and J. Reichel, eds., GDPR and Biobanking (Cham: Springer, 2021), pp. 215–226.
88
89
90
91
Decision of the European Data Protection Supervisor of 16 July 2019 on DPIA Lists Issued Under Articles 39(4) and (5) of Regulation (EU) 2018/1725.
93
Policy is available upon request.
94
Statistics Denmark, ‘The Danish System For Access to Micro Data’ (2014) available at https://www.dst.dk/Site/Dst/SingleFiles/GetArchiveFile.aspx?fi=645846915&fo=0&ext=forskning (accessed 22 April 2021).
95
Lov om behandling av personopplysninger (personopplysningsloven) LOV-2018-12-20-116, §9.
96
A.K. Befring, ‘Norwegian Biobanks: Increased Complexity with GDPR and National Law’ in S. Slokenberga, O. Tzortzatou and J. Reichel, eds., GDPR and Biobanking (Cham: Springer, 2021), p. 340.
97
98
Interview with PM Heart Researcher (Norway, January 2021).
99
Act on Data Protection and the Processing of Personal Data (Icel. Lög um persónuvernd og vinnslu persónuupplýsinga) No 90/2018, Art. 11(10).
100
Alþingistíðindi (Frumvarp með lögum um persónuvernd og vinnslu persónuupplýsinga, Um 11. gr.).
101
Note, however, that researchers may be basing their data processing on a permission received from the Bioethics Committee in relation to earlier studies involving the same data (interview with PM Heart researcher (Iceland, January 2021)).
102
103
Email from the Icelandic Data Protection Authority, 25 February 2021.
104
Article 13 of the Act on Scientific Research in the Health Sector.
105
Art. 13(3) of Act on Scientific Research in the Health Sector.
106
Íslensk erfðagreining (deCODE) is the Icelandic partner of the PM Heart project.
107
108
109
110
As of February 15, 2021, email from the Icelandic Data Protection Authority, 15 February 2021.
111
C. Pinel, B. Prainsack, C. McKevitt, ‘Caring for Data: Value Creation in a Data-Intensive Research Laboratory’, Social Studies of Science 50(2) (2020), pp. 175–197.
112
See generally, C. Pinel, ‘Renting Valuable Assets: Knowledge and Value Production in Academic Science’, Science, Technology & Human Values 46(2) (2021), pp. 275–297.
