AI Sigil Logo
Contact Us
Back to all insights
A locked filing cabinet

Sections

Key GDPR Considerations for Using Patient Data in AI-Driven Research

Re-use of Patient Data in Scientific Research to Train AI Systems: Important GDPR Considerations

The integration of artificial intelligence (AI) into the realm of scientific research has opened up new avenues for innovation, particularly in the identification of potential new medicines for clinical trials. However, the use of patient data to train these AI systems raises significant legal and ethical questions, particularly in light of the General Data Protection Regulation (GDPR).

Understanding the Applicability of GDPR

In instances where an organization develops its AI system internally without utilizing patient data, the AI Act does not apply, allowing for a research exemption. This exemption arises because no personal data is processed in such scenarios. However, the landscape shifts dramatically when patient data is involved. Under these circumstances, the GDPR becomes applicable, requiring organizations to navigate a complex web of regulations.

Patient data can be sourced from various avenues, including:

  • Healthcare records collected by institutions, such as the NHS
  • Voluntary registries where patients consent to share their data for research
  • Data obtained from prior clinical trials

It is crucial to note that these datasets were originally collected for specific purposes, necessitating a thorough assessment to determine their compatibility for repurposing in AI training.

Assessing Compatibility for Secondary Use of Patient Data

The GDPR enshrines a purpose limitation principle, mandating that personal data must be collected for a specific, explicit, and legitimate purpose. If the data is to be reused for a different objective, a compatibility assessment is required. Several factors influence this assessment:

  • Link between the initial and secondary purposes: The closer the connection, the more likely it is to be deemed compatible.
  • The context and the reasonable expectations of data subjects: If data subjects were informed at the time of collection about potential secondary uses, reuse is more likely to be justified.
  • Nature of the data: The more sensitive the personal data (e.g., health data), the narrower the scope for compatibility.
  • Consequences for data subjects: Both positive and negative consequences must be evaluated.
  • Existence of appropriate safeguards: Measures like encryption, pseudonymization, transparency, and opt-out options should be considered.

The purpose limitation principle aims to maintain individuals’ control over their data and prevent unauthorized repurposing. Scientific research is generally considered a compatible secondary use, provided that appropriate safeguards are in place.

Scientific Research and GDPR Compliance

While the GDPR does not explicitly define ‘scientific research’, Recital 159 suggests a broad interpretation, encompassing technological development, fundamental and applied research, and both privately and publicly funded studies. The European Data Protection Board (EDPB) advises that scientific research must adhere to established ethical and methodological standards. Both the discovery phase and clinical research typically follow strict methods or protocols and thus should qualify as scientific research.

Despite plans for the EDPB to issue guidance in 2021 on defining scientific research and appropriate safeguards, such clarity has not yet materialized. Therefore, organizations should not assume automatic compatibility but instead conduct a thorough compatibility assessment.

Compatibility Assessment Outcomes

If the secondary use is found to be incompatible with the initial collection, the data cannot be reused for the secondary purpose unless:

  • Such processing is based on the explicit consent of the data subject.
  • A Union or Member State law safeguards important objectives of general public interest (e.g., public health).

If the secondary use is compatible with the initial collection, organizations may rely on the legal basis used for the original data collection. Nonetheless, all other data protection principles must still be respected, including informing data subjects about further processing and their rights, as well as conducting a data processing impact assessment if necessary. The compatibility assessment and adopted measures must be documented to fulfill the accountability principle.

Exceptions Under Article 9 of the GDPR for Processing Health Data

Even when a secondary use is considered compatible, an additional exception is required under Article 9 of the GDPR for processing health data. Potential exceptions include:

  • Explicit consent (art. 9(2)(a)).
  • Reasons of public interest in the area of public health based on Union or Member State law (art. 9(2)(i)).
  • Scientific research based on Union or Member State law with the adoption of appropriate safeguards (art. 9(2)(j)).

Conclusion

The use of patient data for developing or training AI systems in scientific research necessitates careful regulatory consideration. When patient data is involved, compliance with the GDPR becomes paramount. Organizations must assess the compatibility of secondary data use while adhering to all GDPR principles and obligations to ensure ethical and legal integrity in their research practices.

More Insights

A shield with a digital pattern

CII Advocates for Strong AI Accountability in Financial Services

April 24, 2025 AI,AI Governance,AI Regulation,Artificial Intelligence Regulation
The Chartered Insurance Institute (CII) has urged for clear accountability frameworks and a skills strategy for the use of artificial intelligence (AI) in financial services. They emphasize the...
Read More
A regulatory checklist

Regulating AI in APAC MedTech: Current Trends and Future Directions

April 24, 2025 AI,AI Regulation,Medtech Innovation,Regulatory Compliance
The regulatory landscape for AI-enabled MedTech in the Asia Pacific region is still developing, with existing frameworks primarily governing other technologies. While countries like China, Japan, and...
Read More
Light bulb

New York’s AI Legislation: Key Changes Employers Must Know

April 24, 2025 AI,AI Regulation,Artificial Intelligence Regulation,Regulatory Compliance
In early 2025, New York proposed the NY AI Act and the AI Consumer Protection Act to regulate the use of artificial intelligence, particularly addressing algorithmic discrimination in employment...
Read More
A circuit board with a warning sign

Managing AI Risks: Effective Frameworks for Safe Implementation

April 24, 2025 AI,AI Governance,AI Regulation
This article discusses the importance of AI risk management frameworks to mitigate potential risks associated with artificial intelligence systems. It highlights various types of risks, including...
Read More
A compass to signify guidance and direction in navigating the AI landscape.

Essential Insights on the EU Artificial Intelligence Act for Tech Companies

April 24, 2025 AI,AI Ethics,AI Regulation,European Union AI Governance
The European Union has introduced the Artificial Intelligence Act (AI Act), which aims to manage the risks and opportunities associated with AI technologies across Europe. This landmark regulation...
Read More
1. A robot figurine 2. A circuit board 3. A book titled "AI Ethics"Selected: A book titled "AI Ethics"

South Korea’s Landmark AI Basic Act: A New Era of Regulation

April 24, 2025 AI,AI Governance,AI Regulation
South Korea has established itself as a leader in AI regulation in Asia with the introduction of the AI Basic Act, which creates a comprehensive legal framework for artificial intelligence. This...
Read More
A blueprint

EU AI Act and DORA: Mastering Compliance in Financial Services

April 24, 2025 AI,EU AI Compliance
The EU AI Act and DORA are reshaping how financial entities manage AI risk by introducing new layers of compliance that demand transparency, accountability, and quantifiable risk assessments...
Read More
A lock and key set representing security and access

AI Governance: Bridging the Transatlantic Divide

April 24, 2025 AI,AI Governance,AI Regulation,International Policy
Artificial intelligence (AI) is rapidly reshaping economies, societies, and global governance, presenting both significant opportunities and risks. This chapter examines the divergent approaches of...
Read More
A toolbox

EU’s Ambitious Plan to Boost AI Development

April 24, 2025 AI,AI Regulation,Global AI Policy,Regulatory Frameworks
The EU Commission is launching a new strategy to reduce barriers for the deployment of artificial intelligence (AI) across Europe, aiming to enhance the region's competitiveness on a global scale. The...
Read More

Ready to become AI compliant?

Take the first steps in your transformation towards international AI compliance.

Book a Discovery Call See Frameworks

Explore

Need More Assistance?

Our expert sales team is here to answer your questions, just leave your email and we’ll get in touch.

Research & Market Studies
A digital energy meter
AI Safeguards: A Step-by-Step Guide to Building Robust Defenses
As AI becomes more powerful, protecting against its misuse is critical. This requires well-designed "safeguards"...
A light bulb
Algorithmic Audits: A Practical Guide to Fairness, Transparency, and Accountability in AI
Algorithmic auditing is crucial for ensuring AI systems are fair, transparent, and accountable. A comprehensive...
A compass
AI Explainability: A Practical Guide to Building Trust and Understanding
As AI systems exert increasing influence over our lives, understanding how they arrive at conclusions...
A shield symbolizing protection against unregulated AI practices.
AI Governance: Transparency, Ethics, and Risk Management in the Age of AI
AI is rapidly transforming society, creating both opportunities and risks. A proposed AI governance framework...
Latest News on AI Compliance
A broken shield
Assessing the High-Risk Landscape of AI in Insurtech
The Insurtech sector is increasingly intersecting with AI regulations, particularly regarding the classification of AI...
A compliance checklist
Essential Insights on the EU AI Act for Machine Builders
The EU AI Act, which defines four levels of risk for AI systems, aims to...
A robot arm
Revamped Federal AI Policies: A New Era of Innovation and Efficiency
On April 3, 2025, the OMB released two revised policies aimed at guiding federal agencies...
A magnifying glass highlighting the importance of scrutiny and clarity in regulations.
EU Seeks Stakeholder Input on Upcoming AI Guidelines
The European Commission is inviting stakeholders to provide input on upcoming guidelines for general-purpose AI...

© 2023 AI Sigil

Medium Envelope