Sharing data safely - even after GDPR - and also outside Europe

- Despite the attention given GDPR over the past year, some major challenges for international research collaboration have been ignored, says Giske Ursin, Director of the Cancer Registry of Norway.
NB! This page is older than 3 years. The information could be out of date.

Published: November 8, 2019

- We need better transfer mechanisms for sharing data with third countries and international organizations, she adds.

Ursin, together with Executive Director Gun Peggy Knudsen of the Norwegian Institute of Public Health (NIPH) and 17 other leading professionals from 9 European countries, have described the problem in a letter to the editor in the scientific journal Lancet.

They point out that there are no easy transfer mechanisms in GDPR that countries outside Europe, and in particular the US federal institutions, can accept. Thus, researchers are not able to collaborate effectively and exchange research data.

Photo: Gun Peggy Knudsen and Giske Ursin.

- A number of research projects are now threatened because the work cannot be carried out, says Knudsen.

She explains that this applies to projects where data or biological samples must be shipped out of Europe for analysis, for example as part of large international collaborative projects.

Ursin adds that this harms European research institutions.

- But first and foremost, it harms European residents if our data are not included in studies where the goal is to shed new light, and gain new knowledge, for instance on how and why cancer develops, she says.

Ongoing projects put on hold

The researchers point out that new research projects can include informed consents with the appropriate GDPR language that specifies that the data will be shared with researchers outside of the European economic area.

- For the data and the hundreds of thousands of samples that have already been collected in large existing studies, however, it is essentially impossible to obtain new consents, says Knudsen.

Need secure ways to share data

At the same time, the researchers stress that the data must be shared safely. In another letter also published in the Lancet today, the same researchers and leaders caution against sharing large amounts of data openly.

The risk of identifying and recognizing someone in a data set increases, as technology allows for more data to be linked and combines. Technological advancements also make it easier to find and assemble data.

- Data must be securely shared in secure repositories with access control. The large datasets researchers increasingly use cannot be openly shared as excel files. These data are pseudonymized, and  not anonymous according to GDPR definitions , says Ursin.

Ursin and Knudsen emphasize that if good transfer mechanisms that researchers can use in GDPR do not emerge, there is a risk that someone will choose "simple and creative" solutions - sharing data openly, even if the amount of detail potentially could pose a threat to privacy.

- This must be avoided, they emphasize.

The two also emphasize that Norwegian health data is an important and unique resource that must be safeguarded in a secure and sound way, in order to maintain public confidence and to ensure research of high scientific value.

- We want more data sharing, also with institutions outside Europe. But this has to be done with the highest standards with regards to safely and privacy, conclude Knudsen and Ursin.