The new legal framework that will regulate the use of big databases for biomedical research in Spain

Guest post by Roberto Bilbao from BIOEF

The BIGDATIUS group ( organized at Bilbao a workshop about the opportunities and legal implication of health big data. BIOEF is member of BIGDATIUS group.

Multidisciplinary professionals (lawyers, researchers, data protection officers and ethics committee members) exposed their vision related to the implementation of the new General Data Protection Regulation (GDPR) ( and the new coming National Data Protection Law that will be passed, hopefully, by the end of 2018.

In general, the impression was positive among the participants representing the Spanish scientific and legal community. In summary, the requirement of informed consent to use clinical data for biomedical studies will be more flexible if privacy is taken in consideration from the design of the study.

The quality of the research that will request data for big data analysis will have to be reviewed by international standards agreed across Europe. In this regard, the role of ethics committees will be relevant to evaluate the requested databases and the objectives of the study. Furthermore, the honest broker figure will be of relevance to assure transparency as it provides data from clinical and research sources for research use only and in accordance with policies that prohibit re-identification. They will bridge the gap between protecting personal health data and clinical research efficiency.

The pseudoanonimization will be a key element to provide data without informed consent for scientific research. The process of a correct pseudoanonimization will be done by the honest broker however, it will be needed to clarify the methodology to achieve this goal. In order to guarantee the correct use of the data, agreements between data providers and data receivers will have to cover all the privacy issues. Another key element to be observed is the amount of personal data that can be requested. The researchers will have to design from the beginning of the study the minimum information to be analyzed that will generate significant results.

Moreover, in the performance of his or her tasks, the data protection officer will be pivotal regarding the analysis of the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

In conclusion, the paradigm of how research will be managed in Spain will changed in few months.  It will not be the case for the use of biological samples which will remain at it is nowadays. However, it can be settled that it will be a feasible and flexible law that requires a more proactive attitude for all involved sides.