
HOW DO MULTIPLE CONTROLLERS PROCESS DATA FOR VACCINE DEVELOPMENT?

Public authorities and private entities have different legitimate grounds for processing health data under the GDPR. Who is a controller, and whether two parties are joint controllers, depends on who “determines the purposes and means of the processing of personal data”.[1] Notably, the controller that processes data for the original purpose is not necessarily the controller for a subsequent research purpose.

The free virus test aims at “preventing and controlling” COVID-19, which includes detecting positive cases and collecting data for health research. For the virus testing itself, the government is the controller, because the public health authority determines the purpose and the method of collecting saliva samples. Under contract, the government instructs laboratories to examine the samples within a set period; the laboratories act on the authority’s instructions and are therefore processors.

However, where there is a subsequent research purpose, the public health authority may not be the controller.[2] This depends on who determines the purposes and means of processing the health data for research.[3] If the health research is determined by a private entity (e.g., a testing company, a pharmaceutical company or a university research team), that entity is the controller for the research; if the public health authority determines it, the authority remains the controller. The public health authority is a processor if it merely assists a private entity in processing the data on that entity’s instructions. Alternatively, the private entity and the government are joint controllers if both parties jointly determine how the data are processed and develop the health research for vaccine development together.

A. Public Health Authorities

The EDPB clearly states that consent is not the best pathway for the government to collect and process health data, since consent may not be freely given to a public health authority that collects health data for health-related purposes. The data subject may consent because of pressure from the authorities, or in the belief that consent is a condition of receiving medical treatment.[4] As discussed above, this is an imbalance of power. Because participants can withdraw consent at any time, there is also a concern that participants may wish to withdraw after testing positive, which would undermine the goal of “preventing and controlling” COVID-19.

Instead, the government can process the health data on the legal bases of “public interest”[5] and “vital interests of the data subject”,[6] which the GDPR expressly links to “monitoring epidemics and their spread”.[7] Because health data is a special category, the government additionally needs an Article 9(2) condition to process it in response to the global health crisis. Public health authorities can rely on “substantial public interest”,[8] “preventive or occupational medicine … health or social care”[9] and “public interest in the area of public health, including protection against serious cross-border threats to health”.[10] For the research stage, the government can alternatively rely on informed consent, in which case participants are able to withdraw at any time during the health research. This raises the concern of whether consent can in practice be withdrawn freely once the health data have been re-used for shared research purposes with other entities.[11] Domestic health regulations should therefore provide safeguards for processing sensitive data for multiple health research purposes, so that the relevant authorities can monitor and control how the health data are used.

B. Private sector

Private organisations (e.g., testing companies, pharmaceutical companies, university research teams) may not be able to rely on public interest as a lawful ground for processing health data unless the task is laid down in Union or Member State law. Private entities also receive licensing revenue from patenting and distributing vaccines, so it would be difficult for them to show that their purpose is purely public health. “Legitimate interests” under Article 6(1)(f) is therefore the more likely option. To rely on it, the controller must satisfy a three-part test: identify a legitimate interest (purpose test), show that the processing is necessary for that interest (necessity test), and show that the interest is not overridden by the interests or fundamental rights of the data subject (balancing test).[12]

Private entities may be able to process health data where there is a justified purpose for doing so. Legitimate interests may include tracing and monitoring to determine whether an individual is infected or has been in a high-risk zone.[13] However, Recital 47 requires the controller to take into account the “reasonable expectations of data subjects based on their relationship with the controller”; processing that data subjects would not reasonably expect is likely to be overridden by their interests.[14] In practice, private controllers still need to coordinate with the government and engage with data subjects in addition to relying on legitimate interests as the lawful basis.

Because health data falls within the special categories of data, private entities must also meet one of the conditions under Article 9(2) in addition to having a lawful basis under Article 6.[15] Although the scope of legitimate interests under Article 6 is broad, Article 9(2) lists ten conditions for processing special category data and legitimate interests is not among them. Controllers should therefore identify the applicable Article 9(2) condition before processing health data, together with safeguards that minimise the detriment to the rights and interests of the individual.[16]

[1] GDPR (Regulation (EU) 2016/679), Article 4(7).

[2] UKRI Medical Research Council “Current thinking on Controllers and Processors in health research – GDPR Guidance note 6: Controllers and Processors” (4 November 2019) at <https://mrc.ukri.org/documents/pdf/gdpr-guidance-note-6-current-thinking-on-controllers-processors-in-health-research/> p 1.

[3] GDPR, Article 4(7).

[4] GDPR, Recital 43.

[5] GDPR, Article 6(1)(e).

[6] GDPR, Article 6(1)(d).

[7] GDPR, Recital 46.

[8] GDPR, Article 9(2)(g).

[9] GDPR, Article 9(2)(h).

[10] GDPR, Article 9(2)(i).

[11] Fida K. Dankar, Marton Gergely and Samar K. Dankar “Informed Consent in Biomedical Research” Comput Struct Biotechnol J. 2019; 17: 463-474 (25 March 2019) at <https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6458444/>.

[12] UK Information Commissioner’s Office “When can we rely on legitimate interests?” at <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/> [accessed on 30 October 2020].

[13] Laura Bradford, Mateo Aboy and Kathleen Liddell “COVID-19 contact tracing apps: a stress test for privacy, the GDPR, and data protection regimes” Journal of Law and the Biosciences, Volume 7, Issue 1, January-June 2020, lsaa034 (28 May 2020) at <https://academic.oup.com/jlb/article/7/1/lsaa034/5848138>.

[14] GDPR, Recital 47. See also UK Information Commissioner’s Office “What is the Legitimate Interests Basis?” at <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/#what_counts> [accessed on 30 October 2020].

[15] Ibid.

[16] Ibid.