Persónuvernd (Iceland) - 2020061951
Persónuvernd (Iceland) - 2020061951 | |
---|---|
Authority: | Persónuvernd (Iceland) |
Jurisdiction: | Iceland |
Relevant Law: | Article 5(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 29.11.2021 |
Published: | |
Fine: | None |
Parties: | Íslenskrar erfðagreiningar National University Hospital of Iceland |
National Case Number/Name: | 2020061951 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Icelandic |
Original Source: | Personuvernd (in IS) |
Initial Contributor: | n/a |
The Icelandic DPA ruled that processing of blood samples in connection with Covid-19 research by a genetic company was unlawful because the data subjects were not informed beforehand about the further processing of their personal data for that purpose.
English Summary
Facts
The National University Hospital of Iceland (NUH) decided to engage a genetic company (the Company) to perform blood sample analysis in connection with scientific research on the SARS-2 Covid-19 virus. All patients admitted to the NHU between the 3rd and the 7th of April 2021 and who were diagnosed with the virus had submitted blood samples that were initially processed for clinical purposes. The blood samples were then sent to the Company for scientific research purposes. The competent authorities had authorised the scientific study on the 7th of April, after which the patients were asked to consent to the further processing of the already submitted samples for scientific purposes.
The Icelandic DPA launched an investigation regarding the lawfulness of the processing.
Holding
The Icelandic DPA first highlighted that the use of the blood samples for scientific research had been planned before the study was finally approved. The data subjects were however not informed of this possible use of the blood samples until after the approval of the study, when they were asked to consent to further processing.
The Icelandic DPA therefore concluded that the processing did not take place in a legitimate, fair and transparent manner in accordance with Article 5(1)(a) GDPR. Due to the specific circumstances surrounding the outbreak of the Covid-19 pandemic, no administrative fines were imposed on the NHU or on the Company.
Comment
This case is part of a bigger case complex - see cases 202112772 and 2020061954.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Individuals FAQ complete FAQ electronic monitoring general privacy right to be forgotten right to information about their genotype What is processing? A new privacy legislation 2018Almennt the new legislation other interesting stuff educational booklet: Privacy children's booklet: Private youth booklet: public companies and administration asked and answered all the questions and answers electronic monitoring general privacy access right controllers, processors and vinnslusamningarÁbyrgðarskyldaVinnsluskrárNý Privacy legislation 2018FræðsluefniLög and reglurLög privacy rules and regulations other sacrificed rules and guidelines operating international and European law Solutions Solutions Reviews Licensing Various letters Privacy function Privacy News Mega political process personal data my campaign? How to process personal data in election campaigns? Staff and management for media requests for promotional events policy and gi ldiAnnual Reports201620152014201320122011201020092008200720062005200420032002200120001999Other ContentPrivacy PolicyLegal DisclaimerAccessibilityService DeskTwitterEnglishDecisions in EnglishContactLearningTo reportTopic Enter keywords SolutionsReviewsLicensingMiscellaneous letters Search for solutions Year from: Year to: Search Obtaining the consent of COVID-19 patients for the use of blood samples for research by Icelandic Genetics Case no. 2020061951 11/29/2021 The Data Protection Authority has completed its own initiative study on obtaining the consent of COVID-19 patients at Landspítali for the use of their blood samples for the benefit of the scientific study Epidemiology of the SARS-CoV-2 virus and the effect of genetics and underlying diseases on the COVID-19 disease it causes. It is the conclusion of the Data Protection Authority that the processing of personal information by Landspítali and Íslensk erfðagreining in the run-up to the scientific study in question was not in accordance with the Data Protection Act. The Data Protection Authority's investigation was initiated in connection with recommendations for taking blood samples at Landspítali according to instructions given on 3 April 2020. According to the recommendations, these were samples taken from all COVID-19 patients who were admitted or came to Landspítali's outpatient department for COVID-19. during a certain period and which were subsequently sent to the genetic research company Íslenskir erfðagreining. It was also stated in the suggestions that the blood samples were sent to Icelandic Genetics before an addition to a scientific study by the company, i.e. The study "Epidemiology of the SARS-CoV-2 virus and the effects of genetics and underlying diseases on the COVID-19 disease it causes" was approved, but the Scientific Ethics Committee granted permission for the addition on April 7, 2020. In a letter from the Scientific Ethics Committee to Icelandic Genetics, dated . sd, states that the committee has reviewed the report and makes it a condition that a limited informed consent be obtained from the individuals who are qualified to give such consent before a sample is obtained from them for scientific purposes. from 3.-7. April 2020 from individuals with COVID-19 disease who had been admitted to Landspítali or visited the hospital's outpatient department due to the disease, and this had been before informed consent for additional research had been signed. This was done in accordance with the instructions of the medical director and involved clinical work. The staff of Landspítali took the samples, but the staff of Íslensk erfðagreiningar took care of their processing and dosing. Antibody tests were performed by Icelandic Genetics and their results were sent to Landspítali. It states that after the Scientific Ethics Committee's permission for the supplement was granted on April 7, 2020, only samples from those COVID-19 patients who had signed informed consent for participation were prepared separately, dosed and transferred to the company. Landspítali's responses state that the chief physician of the Infectious Diseases Department has decided, e.g. due to the planned addition to the scientific study The epidemiology of the SARS-CoV-2 virus and the effects of genetics and underlying diseases on the COVID-19 disease it causes, to start the blood collection in collaboration with Icelandic Genetics as the study's responsible doctor and send the company a sample. Sampling and transmission were also used for clinical purposes, but were ultimately used exclusively for scientific research. In the conclusion of the Data Protection Authority, e.g. traced that according to the Act on Scientific Research in the Health Sector, the Data Protection Authority monitors the processing of personal data in such research. It is clear from the Act that the processing of personal data for the purpose of scientific research in the field of health may not begin unless the Ethics Committee's permission is available, in addition to the data subject's consent as required by law and the Ethics Committee's permission. It is also stated that in the case it is clear that the research supplement in question was approved by the Scientific Ethics Committee on 7 April 2020 or after blood samples were taken for the benefit of the supplement. In view of this, as well as how explanations in connection with the blood sampling conflict with each other, it was the conclusion of the Data Protection Authority that the processing of personal data by Landspítali and Íslensk erfðagreining in the run-up to the scientific study was not in accordance with data protection law. Decision On 23 November 2021, the Data Protection Authority made the following decision in case no. 2020061951: I. Proceedings 1. Outline of the case - Request for clarification and data due to COVID-19 and they were sent to the genetic research company Íslensk erfðagreiningar. s.d., applying for the Committee's authorization in addition to the study Epidemiology of the SARS-CoV-2 virus and the effects of genetics and underlying diseases on the COVID-19 disease it causes. The application stated that […], the director of Icelandic Genetics, would be responsible for the study. Co-researchers would include […] the Chief Epidemiologist, […] the Medical Director of Health, […] the Chief Physician of Landspítali's Department of Pathology and Virology, […] the project manager of the study and other researchers at the company. In addition, […], the chief physician of Landspítali's infectious disease department, would be a co-investigator as well as being the doctor responsible for the study. due to the disease to measure antibodies, with the informed consent of these individuals when they had recovered. Only then would they be invited to participate. The Data Protection Authority issued its opinion by e-mail on 3 April 2020, stating that the institute did not comment on the fact that the Science Ethics Committee dealt with the matter substantively. He also said that the Data Protection Authority would not take a position on whether the conditions of Article 24 Act no. 44/2014, on scientific research in the field of health, should apply, regarding the acquisition of consent in emergency cases, but the institute relied on the fact that the Science Ethics Committee accepted that assessment. s.d., states that the committee has reviewed the application and sets the condition that a limited informed consent be obtained from those individuals who are qualified to grant such consent, cf. Paragraph 1 Article 22 Act no. 44/2014, before samples are obtained from them for scientific purposes. Samples may be obtained from those who are not qualified to make an informed decision due to illness, provided that the conditions of the first paragraph are met. Article 23 Act no. 44 / 2014.According to [the suggestions received] Privacy, the blood samples taken were sent to Icelandic Genetics before the above supplement was approved by the Science Ethics Committee on 7 April 2020 and approval was obtained from the relevant individuals afterwards. In view of the above, the Data Protection Authority decided to initiate on whether the processing of personal information in question had been lawful, fair and transparent to the data subject, cf. 1. tölul. Paragraph 1 Article 8 Act no. 90/2018, on personal protection and the processing of personal information, cf. point a of the first paragraph. Article 5 Regulation (EU) 2016/679. Icelandic Genetics and Landspítali were notified of this by letter dated. October 7, 2020. The letter also requested specific explanations as outlined in Sections I.2.1 and I.2.2 below. The Data Protection Authority did not receive a response from Icelandic Genetics within the prescribed deadline and the agency's message was therefore repeated by letter dated. 26 November 2020. Among the documents available in the case is a processing agreement that the epidemiologist made with Landspítali on 21 December 2015, as well as a processing agreement that the hospital made with Íslenska erfðagreining as a sub-processor, dated. March 12, 2020.2.Replies to the Data Protection Authority's message2.1.Replies on behalf of LandspítaliIn Landspítali's reply letter to the Data Protection Authority, dated November 10, 2020, an answer was given to the following question that had been directed to the hospital and Icelandic Genetics in a letter from the Data Protection Authority, dated. October 7, 2020: "Blood samples were taken from patients who had been diagnosed with COVID-19 disease and were admitted to Landspítali or were admitted to the outpatient department due to the disease due to the above supplement to the scientific study of Icelandic Genetics before the Scientific Ethics Committee approved the supplement 7. April 2020? ”Landspítali's reply states that the director of the hospital had inquired about the above from parties within the hospital who might be competent to give instructions such as those received by the Data Protection Authority [suggestions] that they had been given on 3 April 2020. Landspítali could not find out whether the instructions in question were given. However, […], the medical director, sent an order that day by e-mail to […] the chief physician at the hospital's research department. Copies have been sent to the study's responsible doctor and […] doctor, as well as the director of Landspítali. In the e-mail, the medical director requests that it be ensured that samples of COVID-19-infected individuals' blood (and those suspected of being infected if possible) are stored on behalf of Landspítali. This will be done in such a way that a certain employee (possibly on behalf of Icelandic Genetics or in collaboration with the company) will take care of performing the blood sampling and he will not comment on it. It is also stated that they discussed the goal that each patient could receive important proteins measured from their sample, if the situation arose in the future that the results of such a measurement could have a decisive effect on the treatment and vaccination of patients. Finally, the e-mail states that the other utilization of the COVID-19 samples that will be obtained in this way on behalf of Landspítali, such as for scientific research, is subject to rules on scientific research. For technical reasons, it has not been possible to collect the samples in question and as a result it has not been possible. In the aforementioned letter from the Data Protection Authority, dated October 7, 2020, there were four questions in addition to the one outlined above. They were not answered by Landspítali as they were based on the fact that question no. 1 would be answered in the affirmative. The same questions were sent to Icelandic Genetics and are published before the company's answers to them in section I.2.2. 2.2. Answers on behalf of Icelandic Genetics In a reply letter from Icelandic Genetics to the Data Protection Authority, dated 11 December 2020, there were responses to the letter from the Data Protection Authority, dated October 7, s.á. The questions from the letter are listed below, as well as answers to each and every one of them: Genetics before the Science Ethics Committee approved the supplement on April 7, 2020? April 2020 from individuals with COVID-19 disease, who had been admitted to Landspítali or visited the hospital's outpatient department because of it, and this was before informed consent for additional research had been signed. This was done in accordance with the instructions of the medical director and involved clinical work. The staff of Landspítali took the samples, but the staff of Íslensk erfðagreiningar took care of their processing and dosing. Certain doses of the samples have been stored for further service measurements and for possible measurements for scientific research after obtaining permission from the Science Ethics Committee. Antibody tests were performed by Icelandic Genetics and their results were sent to Landspítali, as such results could have been useful in assessing the patient's condition and deciding on treatment. In addition, the results of antibody tests were sent to the epidemiologist, as were the results of antibody tests from all individuals who had been screened by Icelandic Genetics for antibodies against the SARS-CoV-2 virus. It is also stated that the line between clinical work and scientific research is always somewhat blurred when dealing with an unknown disease. Finally, it states that after the Scientific Ethics Committee's approval for the supplement was granted on April 7, 2020, only samples from those COVID-19 patients who had signed informed consent for participation were specially prepared, dosed and transferred to the company. 2. "If so, [as in point 1. article], what education was provided and how? April 2020, had been obtained for services, no education had been provided, apart from the education provided by doctors to patients they care for. 3. "If so, as in point 1. Did any of those blood samples be used for the scientific study and on what basis? -disease and were admitted to Landspítali or had been admitted to the COVID-19 outpatient department. Those who have decided to take part in the study and have signed informed consent have been informed by the study doctor responsible to show that they may have been obtained in the previous days for services in accordance with the instructions of the Medical Director at Landspítali on 3 April 2020. confirmed to him that they wanted their samples to be used for scientific research as well. It states that on 12 April 2020, after receiving an oral inquiry from the director of the Science Ethics Committee about the sampling at Landspítali, the representative of Icelandic Genetics' communication with the Science Ethics Committee and the Data Protection Authority sent him answers about the sampling by e-mail. In the e-mail, Íslensk erfðagreining also asked about the committee's position on the preservation and use of samples that had been taken before the committee granted permission on 7 April 2020 for a supplement to the study in question. It was also stated that if the Science Ethics Committee considered that samples obtained without consent for services at Landspítali and the Epidemiologist (with the possibility of research use later) should be deleted, they would be deleted. In connection with this, the Icelandic Genetics' response to the Data Protection Authority states that the director of the Science Ethics Committee had confirmed by e-mail on 15 April 2020 that the company's answers to his oral question had been forwarded to the committee and saved with case documents. On the other hand, no answer had been received from the committee on the issues that Íslensk erfðagreining had asked about in parallel with the provision of the answers. 4. "How was the approval obtained for the blood sampling after the Scientific Ethics Committee gave its approval on 7 April 2020? What education was provided and how? ”The Icelandic Genetics response states that the study's doctor in charge of the study introduced it to patients with COVID-19 disease who had been admitted to Landspítali with an introductory letter and answered their questions. He received the declaration of consent of those who chose to sign it. The supervising physician of the COVID-19 outpatient department obtained participants in the same way. 5. "If the participation of any of the patients is based on Article 23. Act no. 44/2014, how were the conditions of that article of law observed? ”The response from Íslensk erfðagreining states that no consent was obtained on the basis of the aforementioned provision. The conclusion of the letter states that all involvement of Icelandic Genetics in sampling, diagnosis and other assistance to Landspítali and the health authorities was primarily for clinical purposes to assist the authorities in disease control measures. The fact that these measures would also be useful in possible scientific research that would later be implemented was a pure secondary issue in this context. 3. Further correspondence With regard to the above-mentioned answer from Icelandic Genetics, where it is stated that a sample was taken at Landspítali on days 3-7. April 2020, despite the hospital's assertion to the contrary, the Data Protection Authority sent a new letter to Landspítali, dated 11 March 2021, and requested further explanations as set out in Section I.3.2. Then the agency sent s.d. letter to the Science Ethics Committee and requested the explanations listed in section I.3.1.3.1.Replies of the Science Ethics CommitteeIn the Science Ethics Committee's reply to the Data Protection Authority, dated March 16, 2021, the committee's answers to the following questions were stated: 1. "Is there a position of the Scientific Ethics Committee that Icelandic Genetics called for in an e-mail on April 12, 2020?" -7. April 2020 had been taken for therapeutic purposes and they were then used in a scientific study as available data. Therefore, there was no reason to have further contact with Icelandic Genetics out of the case. The committee is not in a position to issue instructions on the deletion of clinical samples. 2. "Why was the Data Protection Authority not given the opportunity to comment on the storage of samples taken before 7 April 2020?" Act no. 44/2014 on scientific research in the field of health and if the institution has not commented on the committee accepting the matter for substantive discussion.3.2. Landspítali's replies In Landspítali's reply to the Data Protection Authority, dated On 24 March 2021, the hospital's answers to the following questions were stated: 11 December 2020, that a blood sample was taken at Landspítali on days 3-7. April 2020, and sent to Icelandic Genetics? ”Landspítali's response states that it was planned to take samples from the blood of COVID-19 infected individuals and those suspected of being infected if possible and to store them on behalf of Landspítali. This was not due to technical reasons, as previously stated by the hospital. The investigation also revealed that the chief physician of the Infectious Diseases Department and the investigating physician in charge of the study, had decided, on the one hand based on the e-mail of the Chief Medical Officer to the chief physician in the research ward, and on the other due to a planned scientific study with Icelandic Genetics. send it the samples. It is stated that the final position of the chief physician in the research department on the department's ability to comply with the medical director's instructions was not available until 6 April 2020. This sample was therefore ultimately used only for scientific research. "If a blood sample was taken on the days in question, what is Landspítali's assessment of whether the hospital or ÍE is considered to be [responsible for] the processing of personal data?" Landspítalinn's answer states that in light of answer to question no. 1, the hospital does not consider itself responsible for the processing of personal data carried out on the samples in question, but rather that they are preserved and processed for the benefit of the scientific study Epidemiology of the SARS-CoV-2 virus and the effects of genetics and underlying diseases on the COVID-19 disease it causes. . "If a blood sample was taken on the days in question, whether Landspítali's privacy officer was involved?" Landspítalinn's reply states that the hospital's privacy officer was not involved. With regard to Landspítali's answer to question no. 1 above, the Data Protection Authority sent another letter to the hospital, dated June 22, 2021, where the question is repeated. In Landspítali's reply letter to the Data Protection Authority, dated 1 September this year, it is stated that the hospital can not provide information on the differences between the hospital's responses and Icelandic Genetics. Landspítalinn does not know that answers have been received by the hospital related to patients' ID numbers and does not know that such answers have been entered in the medical records of individual patients. blood samples were taken on days 3-7. April 2020 at Landspítali and used for the benefit of the scientific study Epidemiology of the SARS-CoV-2 virus and the effects of genetics and underlying diseases on the COVID-19 disease it causes, before the Science Ethics Committee granted Icelandic Genetics permission to supplement the study on 7 April 2020. therefore, this case is a matter of obtaining the consent of COVID-19 patients at Landspítali for the use of their blood samples for the benefit of the aforementioned scientific study, and it therefore falls within the scope of Act no. 90/2018, on the protection of personal data and the processing of personal data, and Regulation (EU) 2016/679, as defined in the first paragraph. Article 4 of the Act, cf. Points 2 and 4 Article 3 of the Act and points 1 and 2. Article 4 of the Regulation. According to the first paragraph. Article 39 of the Act, the matter also falls within the competence of the Data Protection Authority. Act no. 44/2014 on scientific research in the field of health, the Data Protection Authority monitors the processing of personal data in such research. 2. Responsible party - Processing party - Processing agreements A person who is responsible for the processing of personal information in accordance with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 Act no. 90/2018 refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with another purpose and methods of processing personal information, cf. 7. tölul. Article 4 Regulation (EU) 2016 / 679. The processor is an individual or legal entity, government authority or other party that processes personal information on behalf of the responsible party, cf. 7. tölul. Article 3 of the Act, cf. 8. tölul. Article 4 of the Regulation. The guarantor has an obligation to ensure that processing takes place in accordance with Act no. 90/2018 and Regulation (EU) 2016/679. Part of ensuring this is that the processor conducts processing in accordance with the guarantor's instructions. Those instructions are required, according to para. Article 28 of the Regulation, to be registered in a contract specifying the subject and duration of the processing, the nature and purpose of the process, the type of personal information, categories of registered individuals and the obligations and rights of the responsible party. March 2020, Landspítali entered into a processing agreement with Íslenska erfðagreining as a sub-processor. The latter agreement stipulates that Icelandic Genetics' processing of personal information for Landspítali involves the collection and screening for the COVID-19 virus in biological samples that the company collects itself or receives from the hospital. On behalf of Landspítali and Íslensk erfðagreiningar, it is claimed that the blood samples taken on 3-7. April 2020 at Landspítali was initially taken for clinical purposes, although the hospital's response states that the study's doctor in charge also determined the blood sampling, taking into account the planned addition to the scientific study. -the disease it causes. Íslensk erfðagreiningar's response states that the company carried out antibody tests and sent their results to Landspítali, as they could be useful in assessing the patient's condition and in deciding on treatment. It must be considered that such antibody measurements by Icelandic Genetics for Landspítali fall within the parties' processing agreement, dated. 12 March 2020. Based on Landspítali's explanations that the sampling was carried out for the benefit of treatment, it is clear that the necessary information about the sampling was recorded in the medical records of the data subjects, cf. 7. tölul. l. mgr. Article 6 Act no. 55/2009 on medical records. It is also clear that when sending samples that are sent for research, the necessary information for identifying the samples must be provided. Landspítali is considered to be responsible for the processing of personal information contained in the above-mentioned registration, as well as the processing of the identification information in question. On the other hand, Íslensk erfðagreining is considered to be responsible for the processing of personal information that took place for the benefit of the above-mentioned supplement. The parties' processing agreements will not be examined further in this context, but it should be noted that they are discussed in the decision of the Data Protection Authority, dated. 23 November 2021, on screening in Iceland for the SARS-Cov-2 virus causing the COVID-19 disease (2020061954), as well as in the Agency's decision, dated s.d., on the security of personal information at the part of the Department of Pathology and Virology at Landspítali that was located at the office of Icelandic Genetics (2020112772). The responses from Landspítali and Íslensk erfðagreiningar state that the blood samples were also used for the benefit of the aforementioned scientific study. It will therefore be examined in Chapters 4 and 5 below how the arrangement that was used complies with Act no. 90/2018 and Act no. 44/2014 on scientific research in the field of health, cf. Regulation no. 230/2018. 3. Legality of processing All processing of personal information must be covered by one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. In general, the processing of personal information for the benefit of scientific research has been considered to be based on the consent of the data subject, cf. 1. tölul. Article 9 of the Act, cf. point a of the first paragraph. Article 6 of the Regulation, or the public interest, cf. 5. tölul. the same articles of the Act, cf. point e of the same article of the regulation. In addition, the processing of sensitive personal information, as it is defined according to Art. point b of point 3. Article 3 of the Act, cf. Paragraph 1 Article 9 of the Regulation, to comply with any of the additional conditions of para. Article 11 of the Act, cf. Paragraph 2 Article 9 of the Regulation. It may be mentioned that the processing of sensitive personal information is permitted if it takes place on the basis of the data subject's unequivocal consent for the processing for the benefit of one or more specific projects, cf. 1. tölul. Paragraph 1 Article 11 of the Act and point a of the second paragraph. Article 9 of the Regulation. The processing of sensitive personal information is permitted if it is necessary for scientific research, provided that it is carried out on the basis of legislation which provides for appropriate and specific measures to protect the fundamental rights and interests of the data subjects, cf. Number 10 Paragraph 1 Article 11 of the Act, cf. paragraph 2 (j) Article 9 of the Regulation. In this connection, reference is made to Act no. 55/2009 on medical records and Act no. 44/2014 on scientific research in the field of health. In addition to the authorization according to the above, the processing of personal information must comply with all the principles of the first paragraph. Article 8 Act no. 90/2018, Coll. Paragraph 1 Article 5 Regulation (EU) 2016/679. In this case, the principle is challenged that personal information shall be processed in a lawful, fair and transparent manner towards the data subject, cf. 1. tölul. Paragraph 1 Article 8 of the Act, cf. point a of the first paragraph. Article 5 of the Regulation, which is discussed in more detail in Chapter 4 below. The principle of a clear demarcation of purpose through processing is also tested, cf. 2. tölul. Paragraph 1 Article 8 of the Act and point b of the first paragraph. Article 5 of the Regulation, to the effect, among other things, that personal information shall be obtained for clearly stated, legitimate and objective purposes. Among them is the rule that when processing personal information, care shall be taken to ensure that it is processed in a lawful, fair and transparent manner towards the data subject, cf. 1. tölul. Paragraph 1 Article 8 Act no. 90/2018, on personal data protection and the processing of personal data, and item a of the first paragraph. Article 5 of Regulation (EU) 2016 / 679. The requirement for transparency entails the educational obligation of the responsible party towards the data subject, cf. Article 17 of the Act and Articles 13-14. of the Regulation, which must be observed in all respects, with certain exceptions, however. The requirement of legality and fairness includes e.g. that when processing is based on the consent of the data subject, the consent shall be informed and unforced. Education according to the above must therefore be acceptable. Furthermore, consent must be given voluntarily and voluntarily, which means e.g. that there must be no clear difference of position between the data subject and the responsible party. of Regulation (EU) 2016/679, cf. Article 17 Act no. 90/2018, there are heavy obligations on the responsible party in the collection of personal information from a registered individual. It is stated on the one hand in the first paragraph. of the provision that the data subject shall be informed of e.g. the name and contact details of the responsible party; on the contact information of the Privacy Officer, if applicable; and on the purpose of the proposed processing of personal data and on its legal basis. The guarantor shall also, according to 2. mgr. Article 13 of the Regulation, provide the data subject with further information to ensure fair and transparent processing, e.g. á m. how long personal information will be stored or, if that is not possible, the criteria used to determine it; that there is a right to request from the responsible party access to personal data, to have them corrected, deleted or restricted for processing by the data subject or to object to processing, in addition to the right to transfer own data; that there is a right to withdraw its consent at any time, without prejudice to the lawfulness of processing on the basis of the consent until the revocation; and on the right to lodge a complaint with a supervisory body in the field of personal data protection. In addition to the provisions of Act no. 90/2018 and Regulation (EU) 2016/679 on the educational obligation of the responsible party shall comply with Chapter V of Act no. 44/2014 on scientific research in the field of health when obtaining consent for the processing of personal data in such research. Rules no. 230/2018, which are set on the basis of the law on how people can be selected and approached to participate in scientific research in the field of health and what education must be provided to them before their approval is sought. In Article 2 of the Rules states that their aim is to ensure that a thorough procedure is followed that promotes the protection of privacy and respects the right of human self-determination when obtaining informed consent in scientific research in the field of health. Act no. 44/2014, consent shall be in writing and granted voluntarily after the participant has received adequate information about the study, the risks that may accompany it, the potential benefits and what the participation entails. The participant shall be informed that he or she can refuse participation in a scientific study and stop participating at any time, without explanation, after it has begun. In Article 7 rules no. 230/2018 states that the healthcare professional or institution that has provided the treatment in question or made a diagnosis examines the patient's willingness to participate in a scientific study in the field of healthcare. Then it says i.a. in Article 8. of the Regulation that patients' willingness to participate in scientific research may be examined orally. Prospective participants may not be directly or indirectly pressured to participate. This should be especially taken care of when a healthcare professional to whom a patient may consider himself obligated presents the study to his patient. According to Art. rules no. 230/2018, before requesting an individual to agree to participate in a scientific study in the field of health, he or she shall be provided with further specified information in writing which shall be based on the needs and abilities of the prospective participant and shall be explained in more detail orally if necessary. This information includes the name, job title and workplace of the person responsible for the study and the names of the co-investigators (item a); what the purpose of the study is, how it will be carried out in broad outline and what its potential usefulness is (point b); who is collaborating with the person responsible for the study and to whom information will be provided (point c); what information will be used in the study, incl. whether biological samples will be used or whether information will be collected from medical records or other official records (point (e)); and the licenses on which the scientific research and collection of information is based (point (i)). 5. The conclusion of the Data Protection Authority As described above is stated in Landspítali's reply, dated March 24, 2021, that the chief physician of the Infectious Diseases Department has decided, i.a. due to the planned addition to the scientific study The epidemiology of the SARS-CoV-2 virus and the effects of genetics and underlying diseases on the COVID-19 disease it causes, to start the blood collection in collaboration with Icelandic Genetics as the study's responsible doctor and send the company a sample. Sampling and transmission were also used for clinical purposes, but were ultimately used exclusively for scientific research. The answers from Icelandic Genetics state that the blood sample in question was used for the benefit of the aforementioned scientific study. It is stated that the supplement was introduced to COVID-19 infected individuals after the Science Ethics Committee's permit was granted on April 7, 2020. Everyone confirmed to the study's doctor in charge that they wanted the samples to be used for the study and signed informed consent. . Of the first paragraph Article 12 Act no. 44/2014, it is clear that the processing of personal data for the purpose of scientific research in the field of health is not permitted unless the ethics committee's permission under the Act is available, in addition to the data subject's consent as required by the Act. Furthermore, it is clear that taking a biological sample initially served a clinical purpose and later it was decided to use it for the benefit of scientific research, such use is permitted under the same conditions. When consent is required, it must be in writing and given voluntarily after the participant has received adequate information about the study. In this case, it is clear that the research supplement in question was approved by the Scientific Ethics Committee on 7 April 2020 or after blood samples were taken for the benefit of the supplement. In view of the above, as well as how the explanations in connection with the blood sampling conflict with each other, it is the opinion of the Data Protection Authority that the processing of personal data in question did not meet the requirement that personal data be processed in a lawful, fair and transparent manner. , sbr. 1. tölul 1. mgr. Article 8 Act no. 90/2018, Coll. point a of the first paragraph. Article 5 of Regulation (EU) 2016/679, as well as the requirement for a clearly stated purpose of processing, cf. 2. tölul. Paragraph 1 Article 8 of the Act and point b of the first paragraph. Article 5 of the Regulation. As outlined above in this decision, the director of Landspítali responded to this in his letter to the Data Protection Authority, dated. November 10, 2020, that he could not have found out that instructions had been given at the hospital that blood samples should be taken from all COVID-19 patients who were admitted or came to the outpatient department of Landspítali for COVID-19 and sent to Icelandic Genetics . It was not until after his further investigation within the hospital and after the Data Protection Authority had sent a letter for the second time on 11 March 2021 and requested certain explanations that it became clear that the instructions in question had been given and the institution was notified by letter from the hospital, dated . 24. s.m. It was also stated in the same letter from Landspítali to the Data Protection Authority that the hospital's data protection officer had not been involved in the case. According to this, it is clear that Landspítali lacks an overview of what took place in connection with the blood samples taken on days 3-7. April 2020 in the hospital and used for the benefit of the scientific study Epidemiology of the SARS-CoV-2 virus and the effects of genetics and underlying diseases on the COVID-19 disease it causes. when obtaining consent. Article 8 shall be considered here. rules no. 230/2018, which states that prospective participants in a scientific study in the field of health shall not apply direct or indirect pressure to get them to participate in a study, and special care shall be taken when a health professional to whom a patient may consider himself obligated presents the study to his patient. It is known that the chief physician of the Infectious Diseases Department and the person responsible for the study presented it to COVID-19 patients and obtained the consent of those who were admitted to Landspítali. In the first paragraph. Article 10 Act no. 44/2014 stipulates the role of the Science Ethics Committee to evaluate scientific research in the field of health in order to ensure that it is consistent with scientific and ethical considerations. According to this, this is a matter for the committee. It is further stated in this decision that the representative of the communication between the Science Ethics Committee and the Data Protection Authority sent an e-mail to the Secretary General of the Science Ethics Committee and asked about the committee's position on the preservation and use of samples taken before the committee granted permission on 7 April 2020. The Data Protection Authority points out that it would have been in accordance with good administrative practice for the Scientific Ethics Committee to have specifically warned the institute about the question of Icelandic Genetics in light of the role that the institute plays in this area. In the answers of Icelandic Genetics, it has been stated that the line between clinical work and scientific research is always somewhat blurred when dealing with an unknown disease. In this regard, the Data Protection Authority points out that the implementation of scientific research in the field of health applies to Act no. 44/2014 and that such legislation must be complied with despite the fact that a pandemic is raging as stated in the guidelines of the European Privacy Council (EDPB) no. 3/2020, on the processing of personal data for the benefit of scientific research in connection with the spread of COVID-19, which were published on 21 April 2020. However, the Data Protection Authority also states that the agency is aware of the threat posed by COVID-19 disease in Icelandic society since the beginning of the epidemic and the pressure that the Icelandic health authorities have been under. In view of these special circumstances, this case has not been put on trial, cf. Paragraph 1 Article 47 Act no. 90 / 2018. Key words: Processing of personal information by Landspítali and Íslensk erfðagreining in the run-up to the study Epidemiology of the SARS-CoV-2 virus and the effects of genetics and underlying diseases on the COVID-19 disease it causes, which was approved by the Science Ethics Committee on 7 April 2020, did not comply with Act no. 90/2018, on personal protection and the processing of personal information, cf. Regulation (EU) 2016/679. Privacy, 29 November 2021Olafur Garðarsson ChairmanBjörn Geirsson Sindri M. StephensenVilhelmína Haraldsdóttir Þorvarður Kári Ólafsson Privacy PolicyLegal DisclaimerAccessibilityService DeskTwitter