On 3 July 2007 Law 14/2007 on Biomedical Research was approved and published in the Spanish Official Gazette. This legislation is a response to ethical and legal concerns about the use of Biomedical Research. The growth in the use of Biomedical Research and changes to the way it is used has made a review of the legal framework surrounding this type of research necessary in order to guarantee the protection of individual rights.
For the purpose of this legislation the term Biomedical Research covers research conducted through invasive proceedings on individuals and research with biological samples. It does not include clinical trials with medicinal products or medical devices as these are subject to separate regulations.
This article reviews the interesting data protection elements that have been introduced in this legislation.
Anonymised, anonymous and key-coded data
Article 2 and 3 of the legislation distinguishes between anonymous, anonymised and key-coded data.
Anonymous data is defined as data registered at source without any link or connection to an identified or identifiable person.
Anonymised data (or irreversibly dissociated data) is data that cannot be linked to a person, because all information that would identify them and the link to that information has been destroyed, or would require unreasonable effort (that is a disproportionate use of time, expense and work) to link the data to the person.
Key-coded data (or reversibly dissociated data) is defined as data that is not linked to a person due to the fact that the information identifying the individuals has been removed by means of a code. This process could be reversed.
Articles 2 and 3 echo the “holistic approach” of the Spanish Data Protection Agency regarding anonymised data in its Annual Report in 2000. The Spanish Data Protection Agency’s view was that anonymised data would be personal data if decodification is possible without unreasonable efforts.
Article 5 addresses data protection and confidentiality guarantees. Under this Article express written consent is required before disclosing data to any third parties, other than to parties carrying out a health care activity or biomedical research. However, the article suggests that, if the disclosure of the data is carried out between parties carrying out a health care activity or biomedical research, the data subject’s express and written consent may not be required.
Use of genetic data
Articles 47 onwards set out a number of provisions concerning the use of genetic data for research purposes. Under this legislation where data that is not key-coded or anonymised is used for genetic analysis for clinical search purposes, the patient must be told who will have access to the data from the analysis.
Where genetic data is accessed by health care personnel the data can be used for epidemiologic, public health, research or training purposes as long as the patient has given express written consent or that the data has been previously anonymised. The use of key-coded genetic data may be authorised in exceptional cases of public health interest. However, in order for this approval to be given it is necessary to ensure that the data cannot be associated or linked with the subject of the data. Additionally a favourable report from the Spanish Data Protection Agency and authorisation from the relevant authority is required.