Persónuvernd (Iceland) - 2020123091

From GDPRhub
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 4 GDPR
Article 28 GDPR
Type: Investigation
Outcome: No Violation Found
Started: 12.12.2020
Decided: 08.09.2022
Published: 22.09.2022
Fine: n/a
Parties: deCode Genetics
National Case Number/Name: 2020123091
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Persónuvernd (Iceland) (in IS)
Initial Contributor: gauravpathak

The Icelandic DPA rejected the claim that deCode Genetics, while working for a Danish research project, had gone beyond its role as a processor, and held that the processing complied with the GDPR.

English Summary

Facts

On 12 December 2020, the Icelandic DPA received a complaint from a Danish organization named Patientdataforeningen, representing a data subject. The complaint stated that the data subject had received a letter from the Danish Biobank saying that the body tissues collected from the data subject had been sent to deCode Genetics in Iceland, where genetic information from the tissues would be processed and stored by deCode Genetics. The complaint stated that, according to the website of the research project under which the tissues were collected, the Capital Region of Denmark is the controller and deCode Genetics is the processor.

The complaint contended the following:

1. That the processing of personal data in Iceland is without authorization.

2. That the personal data in question is outside the scope of the data protection impact assessment (DPIA) carried out in Denmark. Moreover, it is unclear whether deCode Genetics carried out any DPIA.

3. That the genetic information is processed without the permission of the Central Scientific Ethics Committee in Iceland.

4. That the processing of genetic data is done without permission from the Icelandic DPA.

The complaint claimed that although the agreement between the Danish Biobank and deCode Genetics identified deCode Genetics as the processor, it was in fact acting as a controller and thus had to bear the obligations of a controller. This claim was based on the fact that the articles published on the research identified individuals from deCode Genetics as first and last authors, and that in the scientific community the first author is usually the real contributor and hence the one taking the decisions.

In reply, deCode Genetics claimed that it is the Danish DPA that has jurisdiction, as the data is for the most part registered and stored in Denmark and the data subject is Danish. deCode Genetics submitted that the Danish DPA was already looking into similar cases and was hence the most appropriate authority. deCode Genetics cited its other collaborative research projects and claimed that it was recognized as a processor in them. It claimed that this project, for which it is the processor, was approved by the Danish Scientific Ethics Committee. It also stated that it had carried out its obligations as a processor under Article 28 GDPR, and had submitted the requisite information to the appropriate blood bank in the Capital Region of Denmark. With respect to the lack of approval from Icelandic authorities, deCode Genetics claimed that in multinational research, permission is sought from the authorities of the country where the research population and the person responsible for the research are located. It submitted that this principle applies even when part of the processing is carried out in another country.

Holding

The Icelandic DPA held the following:

Although the data in question is associated with artificial identifiers, it is known that the blood bank of the Capital Region of Denmark is able to connect those artificial identifiers with real individuals, and hence the data is personal data under Article 4(1) GDPR. Personal data of the data subject was processed by deCode Genetics for two studies, for which the Capital Region of Denmark had entered into processing agreements with deCode Genetics. The research had received permission from the Danish Scientific Ethics Committee, and Danish law allows scientific research in collaboration with others. Accordingly, personnel of deCode Genetics working on a research project authorized by the Danish authorities are governed by Danish law for that particular project. Persons who study data and draw conclusions from it cannot, by implication alone, be held responsible for its processing. Also, the person responsible for medical research is not necessarily the responsible person under data protection law. The agreement between the Capital Region of Denmark and deCode Genetics identified deCode Genetics as the processor. The fact that personnel of deCode Genetics are authors of scientific articles pertaining to the research does not make deCode Genetics a controller. deCode Genetics carried out its duties as a processor, and the DPIA under Article 35 GDPR has to be carried out by the controller, not the processor. Thus, the processing of personal data in this case is compatible with the GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Rulings

Ruling on the processing of personal data for Danish research projects

Case no. 2020123091

22.9.2022

Persónuvernd has ruled in a case concerning a complaint about the processing of personal data by Íslensk erfðagreining ehf. for the benefit of Danish research projects. The processing has taken place under processing agreements that the Capital Region of Denmark has made with the company, and the complainant believed that the company had gone beyond its role as a processor and had therefore itself become the controller of unlawful processing. Persónuvernd considered that the documents of the case did not show this, and the conclusion was therefore that the processing was in accordance with the law.

Ruling

On 8 September 2022, Persónuvernd issued the following ruling in case no. 2020123091:

I. Procedure

1. Outline of the case

On 12 December 2020, Persónuvernd received a complaint from the Danish organisation Patientdataforeningen on behalf of […] (hereinafter the "complainant") regarding the processing of personal data by Íslensk erfðagreining ehf. (ÍE). The complaint states that on 3 November 2020 the complainant received an information letter from the Danish biobank, Region Hovedstadens Biobank, to the effect that tissue samples from the complainant had been sent to the private company deCODE Genetics in Iceland, i.e. ÍE, where extensive genetic information would be derived from them and then stored by the company. In this regard it is pointed out that, according to the information on the project on the website of the Capital Region of Denmark, the Capital Region is the controller while ÍE is the processor, that the project falls under the Capital Region's general data protection impact assessment, and that the Capital Region has also decided to carry out a specific assessment of that kind because of the cooperation with ÍE. In this regard, the following four grievances are identified:

1. That information is processed in Iceland without authorisation, since the division of roles between ÍE and the biobank of the Capital Region of Denmark is in fact such that ÍE is the controller of the genetic information in Iceland, and a processing agreement cannot therefore be considered to constitute authorisation.

2. That the information in the project does not fall under the general data protection impact assessment of the Capital Region of Denmark; such an assessment should instead have been drawn up separately for the project before the processing was implemented. In addition, it is unclear whether ÍE has prepared such an assessment for the project.

3. That genetic information is processed without the permission of the central scientific ethics committee in Iceland.

4. That genetic information is processed without the authorisation of Persónuvernd, which therefore did not have the opportunity to provide its feedback on such processing to the relevant scientific ethics committee.

2. More about the complaint

In relation to the above, the complaint discusses the division of responsibility under the General Data Protection Regulation, (EU) 2016/679, in the various areas of personal data processing that involve more than one party. It states that who is considered the controller depends on the parties' roles. A position must be taken on who has control over the information, since the party that decides the purposes and means of the processing of personal data is the controller. Depending on their role, the individual parties to a research collaboration have different obligations under data protection law. In other words, the controller is the party that is directly responsible for the processing of personal data and that, in its day-to-day activities, has the right to dispose of the information that will be part of the processing.

It is also stated, among other things, that given the nature of research work, collaborative projects are a creative process that develops over time. This is particularly tested in long-term collaborative research projects, and it is naturally challenging to work out how to comply with data protection laws and regulations within the partnership. Failure to take the necessary steps to build the cooperation on as sound a basis as possible should not be excused. The fact that legal and ethical obstacles stand in the way of cooperation should never lead to projects being arranged so that they can receive approval without reflecting the actual arrangement of the cooperation and the division of roles.

It is further stated that in many research collaborations, in full accordance with the so-called Vancouver rules on good research practice, the person who was responsible for the project and carried out the analyses has the right to be named as the first author of the published academic article, and in many cases also the right to be named as the last author. For clarification, it is explained that responsibility for a project refers to determining its purpose, and that carrying out the analyses refers to determining the methods. It is also stated that the above should be taken into account when roles are assigned.

The complaint also reviews the rules on the controller's obligation under Regulation (EU) 2016/679 to assess the risk of processing personal data and to carry out a data protection impact assessment. Reference is also made to the fact that violations of the regulation may result in administrative fines.

3. Comments of ÍE

By letter dated 18 March 2021, ÍE was given the opportunity to comment on the complaint. It responded by letter dated 7 May of the same year. As regards what the complaint says about a long-term collaborative research project in which the arrangement of the cooperation and the division of roles are not properly reflected, reference is made to a case arising from a tip to Persónuvernd from Patientdataforeningen on 6 July 2020 (the institution's case no. 2020072030). The tip referred to a legal opinion dated 19 June 2020 prepared by the law firm Kammeradvokaten for the Danish Ministry of Health and Elderly Affairs (Sundheds- og Ældreministeriet), according to which there was a possibility that ÍE was the controller for a specific study of Danish biological samples even though the company was registered as a processor. Persónuvernd sent ÍE a letter on the occasion of the tip, dated 3 December 2020, requesting an explanation of the above. A letter was received from ÍE in response, dated the 17th of the same month, and in its letter dated 7 May 2021 the company reiterates the explanations given there.

More specifically, ÍE refers to the company's previous explanations to the effect that the opinion contained the results of an audit of the processing of personal data and biological samples at its partner in Denmark, Statens Serum Institut (SSI), in particular of whether it was permissible to transfer such information to Stanford University in the United States, which appears to have been the reason for the audit. Collaborative projects between SSI and several entities within the EEA, including ÍE, were also discussed, and it was considered whether ÍE might possibly be regarded as a joint controller in the research project "Genetic study of diverticular disease", although nothing was confirmed and all safety precautions had been taken. It was also stated in the opinion that the controller, SSI, considered ÍE to have only the status of a processor, as stipulated in the processing agreement between ÍE and SSI. The complainant therefore draws too broad a conclusion from the opinion and, in addition, makes unsupported claims about ÍE's cooperation with controllers.

In addition, the complaint refers to the right of the person responsible for a study to be named as first or last author. ÍE states that the complainant's claim to that effect is nowhere substantiated by reference to case law or to guidelines of data protection authorities within the EEA. It is therefore only the opinion of the complainant and not a valid argument.

Following this, it is requested that the complaint be dismissed, as the subject matter of the complaint falls under the Danish data protection authority, Datatilsynet. In support of this, it is stated that all, or at least most, of the data subjects are in Denmark and that the controller for the processing in question is Danish. The competent authorities should therefore be the Danish data protection authority, as well as the Danish Scientific Ethics Committee, National Videnskabsetisk Komité, in respect of the research projects concerned.

Furthermore, in connection with the request for dismissal, it is stated that a case with the same root and complaint is already being processed by the Danish data protection authority and was previously processed by the Danish Scientific Ethics Committee. The committee sent the controller for the project specified in the complaint, i.e. the biobank of the Capital Region of Denmark, a request for an account of the collaboration with ÍE and the resulting processing of personal data. Following the biobank's answers, the committee expressed the position that data protection legislation had been respected and that the necessary agreements were in place, but that it was for the Danish data protection authority to take a position on whether certain provisions of the legislation were being complied with. On 12 March 2021 the biobank received a letter from that authority regarding the information letter sent in November 2020 to those who had had blood samples taken for treatment at one of the hospitals in the Capital Region. This is the same information letter that accompanied the complaint, and the biobank answered that letter on 8 April 2021. SSI has also recently informed ÍE that the Danish data protection authority is examining a research project of SSI's own, and no objection was raised there to ÍE being SSI's processor.

In support of the request for dismissal, it is also stated that the Danish data protection authority should be the lead supervisory authority within the meaning of point (b) of Article 4(23) of Regulation (EU) 2016/679, taking into account pan-European guidance issued ahead of the regulation's entry into force, i.e. section 2.3 of the guidelines of 13 December 2016 (revised 5 April 2017) of the Article 29 Working Party under Directive 95/46/EC on identifying the lead supervisory authority. In addition, it is claimed that the regulation prohibits bringing a case before more than one data protection authority (forum shopping), with reference to section 2.2 of those guidelines. In light of the fact that Patientdataforeningen's representative has, in the Danish media, been critical of the studies conducted by the controller, it is appropriate to investigate whether the case processed by the Danish Scientific Ethics Committee in 2020 arose from a complaint by him or by another client of the association. It is also stated that there is a high probability that the association's complaint to Persónuvernd was submitted to it as the supervisory authority in the country where the alleged infringement took place, cf. Article 77(1) of Regulation (EU) 2016/679, at the same time as a complaint on the association's behalf was submitted in Denmark on the basis that the complainant has a permanent residence there. In this regard, it is noted that the regulation's provision that it is sufficient to submit a complaint in one place (the one-stop shop) was not designed so that the same case could be started with more than one authority and then brought together, but to simplify the procedure, particularly as regards the controller's communication with the data protection authority, and to promote harmonised application of the regulation within the EEA. Proceedings such as this must therefore be stopped immediately, as they are incompatible with the nature of the regulation.

Next, ÍE comments on the four grievances specified in the complaint, cf. chapter 1 above. As regards ÍE processing information as a controller without authorisation, it is noted that the company is a processor as defined in the processing agreement between the company and the blood bank of the Capital Region of Denmark. The research project in which the company participates under that agreement has received the approval of the Danish Scientific Ethics Committee, and ÍE has no knowledge of who the others are.

As regards the processing at ÍE falling outside the general data protection impact assessment of the Capital Region of Denmark, it is stated that it is for the controller to assess whether such an assessment needs to be made and to answer questions in that regard. The controller has informed ÍE that it has answered such a question from Patientdataforeningen's representative, and according to that answer it has been decided to carry out such an assessment on the basis of the processing agreements for the individual research projects. ÍE has then, in accordance with point (h) of Article 28(3) of Regulation (EU) 2016/679 and at the controller's request, carried out an assessment of the data protection impact of the processing of foreign biological samples and sent that information to the blood bank in Copenhagen, which is part of the blood bank of the Capital Region of Denmark.

As regards information being processed without the permission of the central scientific ethics committee in Iceland, it is noted that this is a research project under Danish law, that it has received the approval of the Danish scientific ethics committee, and that the Icelandic committee does not have jurisdiction here, cf. Article 2(1) of Act no. 44/2014 on scientific research in the field of health, given that the controller is Danish and the research population is entirely Danish.

As regards genetic information being processed without the authorisation of Persónuvernd, so that it has not had the opportunity to provide feedback on such processing to the relevant scientific ethics committee, reference is made to the principle in multinational research that permission is obtained in the country where the research population and the person responsible for the study are located. This applies even if a limited part of the processing takes place in another country. This principle also applies to EU grants for research and innovation, cf. Article 34(2) of Directive (EU) 1290/2013, and that instrument does not require that ethics committees of several countries deal with scientific research carried out in one country with a research population from that same country. Furthermore, it is stated that Persónuvernd and the Icelandic Scientific Ethics Committee do not have jurisdiction over the research projects in question and that jurisdiction lies instead with the National Videnskabsetisk Komité and Datatilsynet in Denmark.

Following this, ÍE answers questions on certain issues raised in Persónuvernd's letter to the company dated 18 March 2021. The answers are mostly of the same content as the comments on the complaint described above, and it is therefore not necessary to go through each of Persónuvernd's questions and ÍE's answers here. In addition to what has already been explained, however, it may be mentioned that according to the answers, biological samples from the complainant have been used for three research projects (although, according to later explanations, they were one fewer, as it had become clear that the complainant was not among the participants in one of these projects, cf. chapter 5 below). It is noted that there is a processing agreement for each of them, made between the blood bank of the Capital Region of Denmark and ÍE, and copies of those processing agreements accompanied ÍE's explanations. Furthermore, reference is made, among other things, to a cooperation agreement dated 1 August 2017 and to a provision in its annex to the effect that the Danish partners have obtained the necessary permission from Datatilsynet in Denmark and are awaiting permission from the Danish Scientific Ethics Committee, and that they are responsible for obtaining any further permissions that may later prove necessary. It is also stated that ÍE has received information that such permits have been obtained, but that it lacks the authority to disclose them. Persónuvernd is encouraged to contact the authorities in question to obtain access to them, or to advise the data subject to do so.

4. Comments of Patientdataforeningen

By letter dated 18 June 2021, Persónuvernd gave Patientdataforeningen the opportunity to comment on ÍE's explanations above. It responded by letter dated 6 July 2021. It states that ÍE's comments cause the association concern. The company works with some of the most sensitive information imaginable and is apparently not very interested in protecting the interests of the data subject. When a processor works with the genetic information of more than 400,000 patients, and the processing is based on new information technology, including artificial intelligence, the processing by definition involves a high risk to the rights of the data subjects.

In ÍE's comments, however, the emphasis is not at all on the rights of the data subject. Instead, the emphasis is on defending the company against criticism. In Patientdataforeningen's opinion, that is offensive and wrong. Patientdataforeningen's concerns also seem to offend ÍE. Instead, the company should be grateful that the spotlight is directed at flaws and unclear points so that the data subject's rights can be guaranteed; that should benefit everyone. ÍE's explanations, however, do not seem to reflect the slightest appreciation of being able to use the highly sensitive genetic information of the individuals in question for the benefit of its own research goals and with its own research resources.

A data protection impact assessment must be available when a certain type of processing is likely to entail a high risk to the rights and freedoms of data subjects, including the protection of personal data. The risk assessment must therefore relate to the risk to the data subject and not the risk to the party working with the information. To ensure the rights of the data subject, it is crucial that in projects such as the one in question a data protection impact assessment is carried out before processing begins. This is done, among other things, to define exactly who is the processor and who is the controller.

If it is brought to anyone's attention, as controller or processor, that they have acted without a data protection impact assessment having been prepared, all access to the information should be stopped immediately, as should all research projects. ÍE cannot turn a blind eye to the lack of a data protection impact assessment, regardless of whether the company is a controller, as Patientdataforeningen maintains, or a processor acting on a controller's instructions. If such an assessment has been carried out, contrary to what the association assumes, ÍE should also be able to present it easily to the Icelandic authorities.

It is correct that, in addition to Persónuvernd, Patientdataforeningen has contacted the Danish authorities. However, Datatilsynet has decided not to open a case on the basis of the association's report. Considering, among other things, that ÍE is in fact the controller for the genetic information in Iceland, the association's position is also that only the Icelandic data protection authority should be addressed here. Patientdataforeningen has therefore informed Datatilsynet in Denmark that it no longer requests that authority to deal with the association's submission. Its position is that the Icelandic data protection authority should naturally concern itself with cases in which the extensive genetic information of the complainant, as well as information on, among others, 400,000 other Danes, is processed in Iceland without the legally required data protection impact assessment and apparently with authorisation in a processing agreement that does not reflect the actual situation. This could be one of the most far-reaching international health data scandals ever, especially as it could potentially also overshadow ÍE's processing of English genetic data.

Regardless of what Datatilsynet in Denmark does, the Icelandic data protection authority and ÍE should take action because of the lack of a data protection impact assessment and doubts about the authorisation for the processing. ÍE is fully aware that the company uses Danish genetic information in the interest of its own research goals and without instructions on the procedure for the processing. In addition, Patientdataforeningen believes that ÍE's responsibility for the genetic information in Iceland is shaped by the fact that copies of the same information are found in Denmark.

Patientdataforeningen's understanding is that a copy of the genetic information in Denmark is held on the supercomputer Computerome at Danmarks Tekniske Universitet (DTU) in Risø under artificial identifiers. There, two database administrators hold an authentication key. All operations on Computerome are logged, and the Danish researchers are the controller. The genetic information stored on Computerome is separate from the samples from Danish patients held in Iceland. It is ÍE that paid for the analysis of the genetic material in those samples, as stated in a letter from Rigshospitalet in the Capital Region of Denmark to Patientdataforeningen's representative dated 14 July 2020, a copy of which accompanied Patientdataforeningen's response. Samples sent for analysis at ÍE receive new identification numbers and are thus doubly pseudonymised. Only the aforementioned database administrators hold the encryption key. When genetic information is derived from Danish samples at ÍE, a copy of the information is sent to Computerome in Denmark, but as before a copy is also retained at ÍE. In this way, genetic tests can be carried out at will at ÍE on an individual basis, even though artificial identifiers are used. In Iceland, there is no access to Danish civil registration (CPR) numbers or to the code used to analyse samples in Denmark on Computerome. All of this would need to be addressed in a data protection impact assessment.

Following this, the matters are listed which Patientdataforeningen believes lead to ÍE having the status of controller in respect of the analysis of the samples in question. The following is noted:

1. That ÍE has paid 80 million Danish kroner for the Danish information, as stated in the aforementioned letter from Rigshospitalet dated 14 July 2020. ÍE ignores this in its explanations.

2. That according to the parties' Memorandum of Understanding, which accompanied Patientdataforeningen's response, the research group responsible for a research project is also to be given the first and last authorships. This means that the responsible research group may either be in Denmark, using genetic information there, or in Iceland, likewise using genetic information there. ÍE ignores this in its explanations.

3. That ÍE publishes scientific articles derived from research and computations carried out in Iceland on the Danish information. At the same time, the company receives the first and last authorships in scientific articles for that work, as can be seen from the article "Genetic variability in the absorption of dietary sterols affects the risk of coronary artery disease", a copy of which accompanied Patientdataforeningen's response. ÍE ignores this in its explanations.

4. That, accordingly, ÍE uses the information for the benefit of its own research goals and makes independent decisions about procedures, and when the company uses the Danish information for such goals it is therefore not acting on instructions from Danish researchers. Patientdataforeningen considers that when researchers in Denmark start research projects in that country for which they are responsible, the analyses are carried out on the Computerome supercomputer, and that when researchers in Iceland start research projects in that country for which they are responsible, the analyses are instead carried out by ÍE. ÍE ignores this in its explanations.

5. That when data subjects in Denmark inform Danish researchers that they no longer wish to participate in a research project, the information is not deleted in Iceland. If ÍE were only a processor, the information should be deleted by the company at the same time, but this is impossible in practice as it has no access to Danish CPR numbers. Patientdataforeningen's position is therefore that, even though the complainant withdrew from the study in Denmark, her genetic information has not been deleted in Iceland and can therefore still be accessed in that country. ÍE ignores this in its explanations.

6. That in Denmark data subjects enjoy the protection that they can block access to the copy of their genetic information kept in that country by registering in the so-called Tissue Use Register (d. Vævsanvendelsesregister). When a researcher in Denmark accesses genetic information stored there, he must first look up the identification number of the person concerned in this register to find out whether that person wishes to block access. This does not happen when ÍE uses information that is stored in Iceland but is the same as that in Denmark, and such a lookup is impracticable since ÍE has no access to Danish CPR numbers. ÍE ignores this in its explanations.

According to this, ÍE is actually the responsible party for genetic information stored in Iceland. A copy of the same information is kept in Denmark and there is no doubt that Danish researchers are the responsible parties there. Without this division of responsibility, the dual storage of extensive genetic information in two countries, regardless of the basic principle of minimizing data and circumstances in the case, is meaningless.

5.
Referral of the case to the European cooperation procedure - further explanations from ÍE

On 21 December 2021, the case was referred to the European cooperation procedure on the grounds that it concerned the processing of data about data subjects in more than one country within the EEA. This was done by entering information about the case into the IMI system, the joint information system of the EU and EEA data protection authorities. Individual authorities were given the opportunity to state their position on whether and how they considered the case relevant to their remit, i.e. whether they should be regarded as the lead supervisory authority or a supervisory authority concerned, cf. Article 60 of Regulation (EU) 2016/679. Given that the case concerns the processing of data from Denmark, the Danish data protection authority, Datatilsynet, was also informed separately about the case by letter dated 21 December 2021, and its reply was received in the IMI system on 18 January 2022, to the effect that it considered itself to have the status of a supervisory authority concerned.

In addition to the referral of the case to the aforementioned procedure, Íslensk erfðagreining ehf. was sent a letter dated 21 December 2021 in which the company was given the opportunity to comment on Patientdataforeningen's letter dated 6 July 2021. The company replied by letter dated 15 February 2022. It states that ÍE's contracting partner, the blood bank of the Capital Region of Denmark, informed the company in January of that year that the chairman of Patientdataforeningen had several times requested data from the blood bank about the projects "The Danish Blood Donor Study" and "Copenhagen Hospital Biobank", focusing among other things on the relationship between controller and processor. As far as ÍE has been able to ascertain, his claims on that subject before the Danish scientific ethics committees and the Danish biosample and genome bank (now Regionernes Bio- og GenomBank) have subsequently been rejected. Claims similar to those raised in this case have therefore been resolved several times in Denmark.

It is also noted that in 2021 Datatilsynet conducted an audit of Statens Serum Institut (SSI), a health sciences research institute run by the Danish state. In the summer of 2021, SSI requested an update of the processing agreement between the parties, which was granted. The audit thus confirmed ÍE's role as processor, and ÍE carries out the same type of work for SSI as for the blood bank of the Capital Region of Denmark.

Regarding the complainant's comments about the lack of a data protection impact assessment, reference is made to ÍE's letter dated 7 May 2021, which states that ÍE has carried out a data protection impact assessment for the processing of foreign biological samples and sent it to the blood bank in Copenhagen, which is part of the blood bank of the Capital Region of Denmark. The claim that ÍE paid 80 million Danish kroner for the data from Denmark is also rejected as absurd and completely wrong; no payments were made between the parties, as stated in Rigshospitalet's letter dated 14 July 2020 to the chairman of Patientdataforeningen, a copy of which was enclosed with the association's letter dated 6 July 2021.

ÍE's letter further states that the memorandum referred to in Patientdataforeningen's letter in connection with the naming of first and last authors of scientific articles concerned the project "Danish Blood Donor Study" (DBDS). According to the information ÍE has received from the controller, data about the complainant are not processed for that project, and the processing of her personal data relates only to the blood bank of the Capital Region of Denmark. As regards authorship, it is noted that researchers performing genome-wide association studies (GWAS) often meta-analyse non-personally identifiable results for the whole study population (e. summary statistics) from their own research and compare them with other published research or with data from scientific collaborations focusing on the same phenotype. Aggregate results for the whole study population that have been published in peer-reviewed scientific journals are almost always made available to other researchers. The same applies to the overall results of a meta-analysis. With this approach, and thus larger datasets with more statistical power than individual collections alone, considerable progress has been made in detecting common genetic variation. Both ÍE and the DBDS researchers have participated in such meta-analyses, and in some of the resulting scientific articles neither has the first nor the last author. In other articles, ÍE had the first and/or last author, and in yet others it was the DBDS researchers who received such an author designation, cf. e.g. "Joseph Dowsett et al. Eleven genomic loci affect plasma levels of chronic inflammation marker soluble urokinase-type plasminogen activator receptor". No conclusions can therefore be drawn from the order of authors of a scientific article about who is the controller for the processing of personal data.
Authorship depends on the scientific contribution of each individual researcher and is based on international standards, e.g. the Vancouver criteria ("Recommendations for the Conduct, Reporting, Editing, and Publication of Scholarly Work in Medical Journals"). In other respects, regarding authorship, reference is made to the comments in ÍE's previous letter dated 7 May 2021.

ÍE's letter also states that false and unsubstantiated insinuations are being made, as Patientdataforeningen's letter asserts that the company processes data contrary to, and without, instructions from the controller. To confirm compliance with its contractual obligations, reference may be made to an audit by an independent external party which the controller obtained for the project. More specifically, BDO, an accounting firm in Copenhagen, has twice, in 2020 and 2021, conducted an audit under the ISAE 3000 standard of the security of personal data processing at ÍE. The audits confirmed that ÍE's processing on behalf of the controller was in accordance with the law and that all the procedures ÍE had undertaken to implement in the processing agreement with the controller were followed. The collaboration is still ongoing, and ÍE works in accordance with the processing agreement and the research plan under the approvals issued by the competent Danish scientific ethics committees.

As regards the claim that data are not deleted in Iceland, it is noted that this is a misrepresentation on the part of Patientdataforeningen and pure insinuation. ÍE regularly receives from the controller a list of the sample numbers (aliases) of participants who have withdrawn from the study, including those who have registered in the "vævsanvendelsesregisteret". The "Process for withdrawn consent" is then started at ÍE, whereby the person's biological samples are deleted and the PN numbers for the relevant sample numbers at ÍE are disconnected (the alias-PN link is broken), thereby preventing the numbers from being used in further research. ÍE then sends confirmation of this to the controller. This practice was reviewed without comment in the aforementioned BDO audits.
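The arrangement ÍE describes above amounts to a two-stage pseudonymisation split across two parties: the controller in Denmark holds the CPR-to-alias mapping and the opt-out register, the processor in Iceland holds only alias-to-PN and the data keyed by PN, and withdrawal is propagated as a list of aliases that the processor unlinks and confirms. The following is an added example, written for this page and not code from ÍE or the Capital Region of Denmark, that models that exchange so the separation of knowledge and the effect of breaking the alias-PN link can be checked; the class names, identifier formats, the in-memory stores and the sample participants are all hypothetical.

```python
"""Added illustration (not ÍE's or the Capital Region's code) of the
pseudonymised data flow and the consent-withdrawal exchange described above.
All class names, identifier formats and the in-memory stores are hypothetical."""
from dataclasses import dataclass, field
import secrets


@dataclass
class ControllerRegistry:
    """Controller side (Denmark). Holds the CPR <-> alias mapping and the
    opt-out register. CPR numbers never leave this object."""
    cpr_to_alias: dict = field(default_factory=dict)
    tissue_use_register: set = field(default_factory=set)

    def register_sample(self, cpr: str) -> str:
        """Issue a random alias (sample number) for a participant."""
        alias = "ALIAS-" + secrets.token_hex(4)
        self.cpr_to_alias[cpr] = alias
        return alias

    def withdraw(self, cpr: str) -> None:
        """Participant opts out; recorded by CPR, as the Danish register is."""
        self.tissue_use_register.add(cpr)

    def withdrawal_batch(self) -> list:
        """The list sent to the processor: aliases only, no CPR numbers."""
        return sorted(self.cpr_to_alias[c] for c in self.tissue_use_register
                      if c in self.cpr_to_alias)


@dataclass
class ProcessorStore:
    """Processor side (Iceland). Sees aliases and its own PN numbers only."""
    alias_to_pn: dict = field(default_factory=dict)
    pn_to_sample: dict = field(default_factory=dict)
    pn_to_genotype: dict = field(default_factory=dict)
    next_pn: int = 1

    def ingest(self, alias: str, sample_id: str, genotype: str) -> str:
        """Assign an internal PN to an incoming sample and its genotype data."""
        pn = f"PN{self.next_pn:06d}"
        self.next_pn += 1
        self.alias_to_pn[alias] = pn
        self.pn_to_sample[pn] = sample_id
        self.pn_to_genotype[pn] = genotype
        return pn

    def research_cohort(self) -> list:
        """Only PNs that still carry an alias link may enter further analyses."""
        linked = set(self.alias_to_pn.values())
        return sorted(pn for pn in self.pn_to_genotype if pn in linked)

    def process_withdrawn_consent(self, aliases: list) -> dict:
        """The 'Process for withdrawn consent': delete the biological sample,
        break the alias-PN link, and report the outcome per alias."""
        confirmation = {}
        for alias in aliases:
            pn = self.alias_to_pn.pop(alias, None)
            if pn is None:
                # Unknown or already unlinked alias: report it rather than
                # ignore it, so a re-sent or mistyped alias is visible.
                confirmation[alias] = "unknown alias"
                continue
            self.pn_to_sample.pop(pn, None)
            confirmation[alias] = "sample deleted, link broken"
        return confirmation


def withdrawal_round(controller: ControllerRegistry, processor: ProcessorStore) -> dict:
    """One exchange: the controller sends its alias list, the processor acts
    on it and returns a confirmation the controller can file."""
    return processor.process_withdrawn_consent(controller.withdrawal_batch())


def demo():
    """Constructed scenario: three participants, one of whom withdraws."""
    ctrl, proc = ControllerRegistry(), ProcessorStore()
    # Fake CPR-like strings and toy genotypes; constructed sample input.
    participants = {"010170-0001": "AC", "020280-0002": "AG", "030390-0003": "GG"}
    for cpr, genotype in participants.items():
        alias = ctrl.register_sample(cpr)
        proc.ingest(alias, sample_id="tube-" + alias, genotype=genotype)
    ctrl.withdraw("020280-0002")
    confirmation = withdrawal_round(ctrl, proc)
    return ctrl, proc, confirmation


if __name__ == "__main__":
    ctrl, proc, confirmation = demo()
    print("confirmation:", confirmation)
    print("cohort still analysable:", proc.research_cohort())
```

The model follows the page's description literally: the withdrawal step deletes the sample record and breaks the alias-PN link, so the genotype record becomes orphaned and drops out of `research_cohort()`; whether the orphaned genotype data are also erased is not stated on the page, and the example does not assume it. The confirmation dictionary is what the processor returns to the controller, and a second round with the same alias reports "unknown alias" rather than silently succeeding, which is the check an auditor would want when reconciling the two sides.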

6.
ÍE's comments on communications with the company as processor

By letter to ÍE dated 8 April 2022, Persónuvernd referred to the ground for the complaint stated by the complainant in an email to the authority on 16 September 2021, namely that if ÍE were a processor, there should be examples of researchers in Copenhagen sending the company instructions on the purpose and means of the processing by email, letter or telephone. Persónuvernd gave the company the opportunity to comment on this ground and also requested any such communications that the company might hold.

ÍE replied by letter dated 28 April 2022. It refers to the processing agreements between the Capital Region of Denmark and ÍE, which were enclosed with the company's letter dated 7 May 2021, and notes that the annexes to the agreements contain instructions on how personal data are to be handled. One of these agreements concerns the "Danish Blood Donor Study" project, but as explained in chapter 5 above, according to information from the controller for that study, the complainant is not among its participants. The other agreements concern, on the one hand, the project "Genetics of pain and degenerative musculoskeletal diseases - a Genome Wide Association study on repository samples from Copenhagen Hospital Biobank" (agreement dated 24 April 2019) and, on the other hand, the project "Genetics of osteoporosis and fractures – the disease trajectories" (agreement dated 23 September 2019). In both cases the annexes are titled "Data processing instructions" and "Joint Regional Information Security Policy". The latter document contains a general policy on information security and the delimitation of responsibility for implementing appropriate security and related matters. The former contains a description of the various measures to be used to ensure the security of the data.

In addition to the above agreements, ÍE refers to three letters from Rigshospitalet in Denmark, dated 11 March 2020, instructing ÍE to carry out genetic analysis, quality control and statistical analysis of phenotypes in the individual projects. ÍE also refers to an email chain covering the period 30 July to 8 August 2019 containing instructions from Rigshospitalet to delete data about certain individuals in the research sample, email communication from 16 December 2020 with such instructions from Rigshospitalet to ÍE, an email from Rigshospitalet to ÍE dated 7 September 2021, also with such instructions, and an email from ÍE to Rigshospitalet dated 19 January of the same year confirming that such instructions had been followed.

ÍE's letter states that the data enclosed with the letter further demonstrate that ÍE is a processor for the blood bank of the Capital Region of Denmark and follows the controller's instructions. It also states that ÍE does not consider it necessary to dwell further on the complaint and encourages Persónuvernd to issue a ruling consistent with the actual and documented practice established between the controller and ÍE as processor. As ÍE has explained earlier in the case, the company always relies on its foreign partners having obtained the necessary permits from the public bodies of the country in question for those aspects of the research collaboration that concern ÍE, in accordance with the law of that country, and on that law having been fully complied with in the preparatory process. The partners warrant this to ÍE, and the processing agreements stipulate that the venue is in the country from which the research data originate.

7.
Data protection impact assessment

By letter to ÍE dated 30 May 2022, Persónuvernd referred to the discussion in the company's letter dated 7 May 2021 of the data protection impact assessment for the processing of foreign biological samples and requested a copy of it. ÍE replied by letter dated 7 June 2022, enclosing four data protection impact assessment documents. They comprise an impact assessment for genome-wide association studies covering both domestic and foreign data, an impact assessment for the transmission of results of genetic analysis of foreign samples, an impact assessment for the collection of phenotypes and the processing of foreign samples, and an impact assessment for the collection of samples and genetic analysis covering both domestic and foreign data and samples. Among other things, the documents state that work is carried out on the basis of ethics committee approvals, domestic or foreign, and that no processing takes place unless it is compatible with such an approval; that foreign controllers warrant that approval has been obtained for the foreign research; that ÍE is the processor in those cases; that data are identified by artificial identifiers; and that there is a special process for withdrawal of consent by participants in foreign research. It is also recorded that the documents were created on 24 February 2021 and last modified on 25 March 2021. ÍE's letter dated 7 June 2022 states that they were sent to the blood bank of the Capital Region of Denmark by letter dated 12 April 2021.

8.
Data request and further comments from Patientdataforeningen

In an email to Persónuvernd on 31 May 2022, Patientdataforeningen requested access to the aforementioned letter from ÍE dated 28 April of the same year. In light of the reservation in that letter that the supporting documents might contain information exempt from the parties' right of access, cf. Article 17 of the Administrative Procedures Act no. 37/1993, Persónuvernd gave the company the opportunity to comment on the request, by email on 3 June 2022. The reply was given by email on 5 June, stating that the company had no objection to access being granted provided that email addresses in the accompanying documents were redacted; the documents were sent to Persónuvernd again in redacted form. One document was missing, however, and Persónuvernd drew ÍE's attention to this by email on 9 June 2022. A reminder was sent on 15 June, and a reply was received from the company by email on 20 June with the document in question attached, with email addresses redacted. Patientdataforeningen was subsequently granted access to the requested data by email on 24 June 2022.

Following this, Patientdataforeningen commented on ÍE's letter by email on 3 July 2022. It states that the communication between the controller in Denmark and ÍE evidenced by the documents accompanying the letter is limited, and asks whether, before and after certain dates, Danish data were processed without the researchers in Denmark having determined the purpose and means of the processing. Reference is also made to the scientific article referred to in item 3 of chapter 4 above, and it is asked whether there is documentation that the Danish partners made the decisions relating to it, or whether it is possible that employees of ÍE, including the first, second and last authors of the article, made those decisions. It also states, among other things, that if processing has taken place at ÍE in violation of Icelandic data protection legislation, it is for Persónuvernd to investigate that processing and determine sanctions.

In addition, Patientdataforeningen sent Persónuvernd a note by email on 12 August 2022 about a decision of Datatilsynet, cf. a news item on its website of 25 March of the same year. That decision imposed a fine for processing genetic data without prior consultation of the authority, and the complainant believes that it may be of significance for this case.

9.
Response in the European cooperation procedure

As mentioned in chapter 5 above, this case was referred to the European cooperation procedure on 21 December 2021, more specifically by entering information about the case into the IMI system, the joint information system of the EU and EEA data protection authorities. As part of this procedure, Persónuvernd entered its draft decision in the case into the system on 28 June 2022, and those data protection authorities within the EU and EEA that considered it necessary were given the opportunity to comment on the draft, with comments to be received no later than 26 July of the same year, cf. Article 60(4) of Regulation (EU) 2016/679. A notification from Datatilsynet was then received in the system on 22 July, to the effect that it had no comments on the draft. No other data protection authorities commented on it.

II.
Premises and conclusion

1.

Scope of law no. 90/2018 and Regulation (EU) 2016/679

The scope of Act no. 90/2018 on data protection and the processing of personal data and of Regulation (EU) 2016/679, and thereby the competence of Persónuvernd, cf. Article 39(1) of the Act, covers the processing of personal data wholly or partly by automated means and the processing other than by automated means of personal data which form part of a filing system or are intended to form part of one, cf. Article 4(1) of the Act and Article 2(1) of the Regulation.

Personal data means information relating to an identified or identifiable natural person, and a person is considered identifiable if he can be identified, directly or indirectly, by reference to an identifier or to one or more factors specific to him, cf. point 2 of Article 3 of the Act and point 1 of Article 4 of the Regulation.

Processing means an operation or set of operations performed on personal data, whether or not by automated means, cf. point 4 of Article 3 of the Act and point 2 of Article 4 of the Regulation.

This case concerns the processing of data about the complainant in the course of scientific research carried out at Íslensk erfðagreining ehf. It is established that data in these studies are identified by artificial identifiers (pseudonyms). It is also established that at the blood bank of the Capital Region of Denmark the artificial identifiers can be linked to the person's real identifiers. For that reason, the processing will be regarded as processing of personal data covered by the data protection legislation.

2.
Controller and processor – conclusion

The party responsible for the processing of personal data is termed the controller, which means a natural or legal person, public authority or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, cf. point 6 of Article 3 of Act no. 90/2018 and point 7 of Article 4 of Regulation (EU) 2016/679. This means that the party in question has decision-making power over the processing of personal data, the means of processing, the purpose of the processing, what the software used is to do, and the disposal of the data in other respects, as described in connection with the aforementioned provision of Article 3 of the Act.

The controller may agree with another party that it will carry out processing of personal data on its behalf, and that party is then termed the processor. More specifically, this means a natural or legal person, public authority or other body which processes personal data on behalf of the controller, cf. point 7 of Article 3 of Act no. 90/2018 and point 8 of Article 4 of Regulation (EU) 2016/679.

As stated in Article 25(1) of the Act, cf. Article 28(1) of the Regulation, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing meets the requirements of the Regulation and ensures the protection of the rights of the data subject. Furthermore, Article 29 of the Regulation provides that the processor and any person acting under the authority of the controller or of the processor who has access to personal data shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

In addition, Article 25(3) of the Act, cf. the opening of Article 28(3) of the Regulation, provides that processing by a processor shall be governed by a contract or other legal act under law that is binding on the processor with regard to the controller and sets out the subject matter and duration of the processing, its nature and purpose, the type of personal data, the categories of data subjects and the obligations and rights of the controller. Article 28(3) of the Regulation then lists the matters that must be stipulated in the contract with the processor, i.e. the so-called processing agreement, or in whatever other legal act is used. Among these are that the processor processes personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject, in which case it shall inform the controller of that requirement (point (a)); that it takes all measures required pursuant to Article 32 of the Regulation (point (c)); that it assists the controller, insofar as possible, in responding to requests from data subjects exercising their rights (point (e)); and that it deletes or returns all personal data to the controller, at the controller's choice, after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires otherwise (point (g)).

According to the case documents, personal data about the complainant have been processed at ÍE for two scientific studies, namely the study "Genetics of pain and degenerative musculoskeletal diseases - a Genome Wide Association study on repository samples from Copenhagen Hospital Biobank" and the study "Genetics of osteoporosis and fractures - the disease trajectories". It is established that the Capital Region of Denmark has entered into processing agreements with ÍE for these studies, i.e. an agreement dated 24 April 2019 for the former study and an agreement dated 23 September 2019 for the latter, cf. also the written instructions dated 11 March 2020 based on both agreements.

The complainant claims that ÍE has gone beyond its authority as processor, referring in this connection to the fact that in articles on the results of research the company has carried out for the Capital Region of Denmark, researchers from the company have been named as first and last authors.

Persónuvernd considers that Danish legislation on scientific research in the health field must be taken into account here. It is established that the aforementioned studies have received approval from the Danish national scientific ethics committee (Dansk Videnskabsetisk Komité), cf. the overview on the committee's website of studies approved in the first quarter of 2019, p. 57 of the 2019 annual report of the Danish scientific ethics committees (d. De Videnskabsetiske Komiteers fælles årsberetning 2019), as well as the overview (d. sagsoversigt) from the Danish Health Data Authority, Sundhedsdatastyrelsen, of research in 2020 in which data from it were used. The approvals in question are based on the Danish act on the research-ethical review of health research projects (d. lov om videnskabsetisk behandling af sundhedsvidenskabelige forskningsprojekter). That act provides that research is carried out in accordance with a specific research plan, i.e. a document describing the objectives and implementation of the research as defined in more detail in point 10 of Article 2 of the act, and that the plan shall be attached to the notification to the ethics committee concerning the research, cf. Article 16(1) of the act. Significant changes to the research plan must also be approved by the ethics committee, cf. Article 27(1) of the act.

Under that act, responsibility for carrying out a study rests with a person termed the person responsible for the study (d. den forsøgsansvarlige), cf. point 7 of Article 2 of the act. This is a similar arrangement to that under Icelandic Act no. 44/2014 on scientific research in the health field, which provides for a specific person responsible for each scientific study, i.e. a person responsible for carrying out the research according to a research plan approved by the Scientific Ethics Committee or a health research ethics committee, cf. point 10 of Article 3 of that Act.

Within this arrangement it is established that, depending on circumstances, the person responsible works on the scientific research in collaboration with others; it may be mentioned that researchers other than the person responsible, as well as research staff, are provided for in Article 17(2) of Act no. 44/2014. It must be assumed that the same applies in Denmark as in this country, so that the person responsible for a study under the law there usually works on the study together with other researchers.

This arrangement has not been considered to result in each and every researcher having the status of controller for the processing of personal data within the meaning of the data protection legislation. This means that the application of scientific methodology alone, whereby data are examined and conclusions drawn from them, does not inevitably entail responsibility for such processing. Nor is it always the case that the person responsible for research within the meaning of the legislation on scientific research in the health field is at the same time considered the controller under the data protection legislation. More specifically, under both Danish and Icelandic law the person responsible for a study must always be an individual, but depending on circumstances he may hold that role by virtue of his position as an employee of a particular legal entity. It may then be more appropriate to regard that legal entity, rather than the individual, as the controller for the processing of personal data.

It can be assumed that this is why the Capital Region of Denmark, and not a person holding the position of person responsible for the scientific research, is named as controller in the processing agreements with ÍE for the aforementioned research. The question then is whether ÍE has also acquired the status of controller for the processing of personal data in connection with the research. In a case such as this, that could happen if the company itself made decisions about the objectives and execution of the research that would call for changes to the research plan requiring the approval of the ethics committee. The complaint is based on the understanding that ÍE went beyond its role as processor and at the same time became controller for processing that goes beyond the ethics committee's approval of the research, as evidenced by the company's employees being named as first and last authors when reporting their results. In this regard, Persónuvernd considers that the involvement of individual ÍE employees in the scientific execution of the research, such that they are named among the authors of scientific articles, does not in itself lead to ÍE acquiring the status of controller under the current legislation, regardless of where in the order of authors they are named.

If, on the other hand, ÍE had gone beyond the approved research plan, so that the company's processing activities did not fit within the Danish ethics committee's approvals, the company would itself have become controller for that processing, in accordance with the provisions described above.

It is clear that it is primarily for the Danish national scientific ethics committee (National Videnskabsetisk Komité), which granted the approvals in question, to assess whether the approved research plan has been exceeded. No decisions of the committee on that matter are available. Nor are there other indications of this, such as that ÍE has obtained data for the research in question without consulting the holder of the research approval or is using data from the research to examine phenotypes other than those covered by the approvals. Accordingly, it will be assumed that ÍE has not acquired the status of controller for the research in question and that the company's processing is within the framework of the agreements the Capital Region of Denmark has made with it as processor.

Furthermore, regarding the complainant's comments about the lack of a data protection impact assessment, it should be noted that, according to the available data, ÍE has carried out such an assessment for the processing of data for foreign research in which the company has the status of processor. The dates of the assessment documents imply that they were created some time after the complaint in this case was received. In this regard it should be noted that the obligation to carry out a data protection impact assessment, cf. Article 29 of Act no. 90/2018 and Article 35 of Regulation (EU) 2016/679, rests on the controller and not on the processor.

In addition, regarding the complainant's comments that ÍE cannot comply with requests for the deletion of Danish data, it should be noted that, according to the case documents, such requests are handled satisfactorily, cf. Article 20(1) of the Act and Article 17 of the Regulation; reference is made, among other things, to chapter 6 of Part I above. In other respects, it has not been shown in the handling of this case that ÍE's handling of data and samples from Denmark has violated the law.

As regards Patientdataforeningen's comments at the final stages of this case, indicating that further data may be needed on the relationship between the Capital Region of Denmark and ÍE in connection with the aforementioned research, reference is also made to what has been reported above on the data relating thereto, in particular the available processing agreements and the written instructions based on them. These are the data required by law, and there is no apparent special reason to collect data beyond what has already been done in the case.

In light of the above, Persónuvernd concludes that the processing of personal data about the complainant at ÍE was compatible with the data protection legislation.

Ruling:

The processing by Íslensk erfðagreining ehf., as processor, of personal data about […] when carrying out research on behalf of the Capital Region of Denmark complied with Act no. 90/2018 on data protection and the processing of personal data, as well as Regulation (EU) 2016/679.

Persónuvernd, 8 September 2022

Ólafur Garðarsson

chairman

Björn Geirsson                   Sindri M. Stephensen

Vilhelmína Haraldsdóttir         Þorvarður Kári Ólafsson