New patient consent forms in Germany cover the use of patient care data and clinical and biomedical research.
German Data Protection Commission DSK has approved a revised version of forms that the so-called Medical Informatics Initiative of the Federal Ministry of Education and Research had produced in order to comply with data protection laws. The forms, released on April 29, 2020, specifically cover the use of data for patient care and for clinical and biomedical research. The forms focus on a clinician’s duty to inform patients and on the consent of patients to the use or processing of their data. The DSK had advised the initiative on the adaptation of the forms (such as new patient consent forms in German), and now considers the forms to be in conformity with data protection laws.
Under the Article 9 of the EU General Data Protection Regulation (GDPR), the processing of health data requires special legal safeguards as “special categories” of data. In addition, Sections 22 and 27 of the German Federal Data Protection Act regulate the processing of health data on the basis of Article 89 of the GDPR. These provisions, together with additional rules in the German Medicines Act, also cover the use of patient data for clinical trials, as well as technical and organizational measures to protect patients’ data.
The DSK is a body on the national level that consists of data protection experts from the various independent state data protection agencies. The opinions and recommendations of the DSK are not legally binding in a strict sense, but are widely accepted. The DSK’s working groups, Science and Research and Health and Social Affairs, have accompanied the initiative and given their advice on how to create and improve the new forms and an information memo explaining the issues to patients.
The Medical Informatics Initiative is a national consortium that the German Federal Ministry of Education and Research funds and supports. It brings together medical doctors, computer scientists, and scientists from other disciplines at German university hospitals who work together through the exchange and use of data from patient care as well as clinical and biomedical research beyond the boundaries of institutions and locations. The initiative’s goal is to make the best possible use of the opportunities offered by digitization in medicine for care and research, while networking with university hospitals and partner institutions. It also aims at improving IT solutions for specific medical applications, which demonstrates the possibilities of modern digital services and infrastructures in the German health sector.
The new forms cater to the urgent needs of the industry to have reliable and still flexible forms of patient consents for clinical research and other medical purposes. Within the European Union, obtaining valid patient consents remains cumbersome because many national regulators and local ethics committees have their own ideas of what wording should be in a patient consent. The current forms available in the European Union vary and often do not provide for sufficient flexibility to make changes. Having forms on at least a national level is thus helpful.
The Medical Informatics Initiative’s new forms reflect various changes to the earlier drafts that the DSK had recommended. Their privacy-related recommendations are now incorporated into the forms (version 1.6d of the consent forms, consisting of patient information and a template declaration of consent, and 0.9d, the info memo for the patients). The forms also cover the use of coded biomaterials and the data flows to and from the German health insurance (if necessary), which is positive. The patient’s consent is valid for five years and is revocable at any time.
The new patient consent form and info memo to the patient (in German) are very detailed, but they do not address the processing of patient data for research that is shared with sponsors or research organizations outside of Germany. The documents only state that “[y]our patient data [if applicable: and data from the analysis of your biomaterials] can also be merged with your data from the databases of other research partners (e.g. other hospitals, institutes or registers) – under the condition that you have consented in this use with the relevant research partners.”
The patient would further confirm in the consent form that “the scientific analysis and use of my encoded patient data by third parties such as other universities/institutes/researching companies . . . may also include a transfer abroad for research projects provided that European data protection law applies in these countries or the European Commission has confirmed an adequate level of data protection.”
This wording in the consent form alone is likely insufficient for sponsors to rely on as an informed consent to transfer patient data to the United States under Article 49 of the GDPR, as this provision poses high hurdles for informed consent to serve as a legal basis for data transfers out of the European Economic Area. These hurdles can be overcome, for instance, by adhering to the EU/US or Swiss/EU Privacy Shield, standard contractual clauses, and potentially joint controller agreements.
Therefore, sponsors and contract research organizations outside the EU that will receive relevant data from the EU will likely need to amend these forms so that they properly disclose the actual data flows and the role of the various parties involved, and fully inform the patient before his/her consent or rely on other provisions under the GDPR and the BDSG (German Data Protection Act) to transfer data.
It would be helpful if the European institutions adopted similar forms on an EU-wide level in various languages. Until then, seeking valid patient consents remains an arduous endeavor for non-EU sponsors and international research organizations.