The rise of “precision medicine”, the personalization of medical treatments based on large volumes of health data, has led to the increased use of automation. Advancements in data analytics and automated decision-making (ADM) technologies, which analyse vast genomic datasets to pinpoint personalised treatment strategies, have been game changers in the clinical trials space. 

Courts and Data Protection Authorities (DPAs) have robustly protected the rights of individuals against ADM, particularly with sensitive data involved. A notable 2021 case saw the Stockholm Administrative Court uphold a 200,000 SEK (approximately 20,000 EUR) fine on a school for using automated facial recognition to monitor students during a test. 

With an increasingly digitised approach to keeping us all healthier, companies must ensure they respect personal privacy. 

Automated decision-making under the GDPR 

Under Article 22 of the GDPR, data subjects have the right not to be subject to certain decisions based solely on automated processing. Such decisions include those made by machine-learning models and other forms of algorithmic processing. 

For Article 22 to apply, three conditions must be satisfied.  

  • The decision is about an individual; 
  • The decision relies on automation, with no active human intervention; and 
  • The decision has legal or similarly significant effects on the individual. 

Although the GDPR does not define “legal” or “similarly significant”, guidance from the European Data Protection Board (EDPB) suggests that access to credit, health services, employment, and other serious impacts are covered by Article 22. 

There are three exceptions that permit the lawful use of ADM under the GDPR if certain conditions are met. These include instances where ADM is:  

  • Necessary for entering into or performing a contract;  
  • Mandated or authorised by EU or member state law; or  
  • Explicitly consented to by the data subject. 

Implications for Precision Medicine   

Precision medicine is intrinsically data-driven, often involving the processing of highly sensitive health data via sophisticated algorithms. These algorithms interpret vast amounts of genetic data to recommend tailored treatments. While these automated processes can enhance efficiency, the resulting decisions risk violating Article 22 of the GDPR unless certain safeguards are put in place. 

While obtaining explicit consent might be plausible for some ADM processing, the European Commission and the European Data Protection Supervisor (EDPS) highlight that informed consent for medical treatment differs from consent for data processing under GDPR. Under data protection law, individuals must be able to refuse consent without detriment. In healthcare, a patient refusing or withdrawing consent to data processing can often lead to delayed or denied essential treatment, potentially making associated consent invalid. 

Under the GDPR’s transparency requirements, controllers must provide “meaningful information about the logic involved” in automated decisions. Data subjects may also request access to personal data used to train machine-learning models and provide precision medicine services. 

Remaining compliant when collecting individual data: 

  • Data minimization: Limit the collection and processing of personal data to that which is adequate, relevant, and necessary for its intended purpose (providing precision medicine). 
  • Transparency: Offer clear explanations of how data drives decisions and how outcomes could affect the individual. 
  • Data Protection Impact Assessments (DPIAs): Conduct a comprehensive DPIA to identify potential risks and ensure data protection from the outset. 
  • Human oversight: Even with advanced automation, having a “human-in-the-loop” is critical. ADM must be overseen by someone with the authority and knowledge to affect decisions. Human involvement must be active, genuine, and meaningful. 
  • Audit trails: Establish thorough audit systems to monitor every ADM action, including datasets, algorithms, and decisions. Regular audits provide traceability and accountability. 

Where precision medicine and data protection intersect, healthcare companies play a pivotal role. Embracing data-driven healthcare requires strict compliance with data protection laws, ensuring privacy and building trust. By adopting transparent algorithms, data minimization, and robust human oversight, companies can navigate this landscape with confidence. 

As a B Corp Data Protection Office, HewardMills is dedicated to assisting clients in addressing internal data privacy concerns and business practices. If you have any concerns relating to your clinical trials’ compliance with data protection laws, or any other global data privacy issues, we can support your team. 

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at