A Code of Conduct for Health Research

The development of new medical treatments, new drugs, new vaccines, new cures, new ways to treat and prevent old and new diseases is only possible through health research.

While health care is the way in which doctors treat illnesses or injuries and try to make people feel better, health research goes beyond the immediate and direct benefits: it aims to learn more about current treatments and improve them.

For doing so, health research needs informed and trustful research participants, citizens or volunteers, biological/genetic samples, health and personal data, secure infrastructures and databases, etc. And it also needs clear rules that could be easily understood by researchers. 

For any research study or project, researchers have plans and procedures to follow, and these are usually known with the term ‘protocols’. Such protocols entail the compliance with general rules, and these rules should take into account, on the one hand, researchers’ needs to professional secrecy and integrity of research results (having the aim of ensuring that research results are traceable, plausible, reproducible, robust and comprehensible), and on the other hand participants’ privacy and autonomy, including the needs of data minimization, i.e. the need of ensuring that data collected and processed are not held or further used, unless it is essential for supporting data privacy.

Among the rules that European researchers have to follow there is the EU General Data Protection Regulation (GDPR). This regulation has direct effect in Member States. It aims to strike a good balance between both the protection of personal data of individuals and the free movement of personal data. However, it is complex to interpret for researchers, and in particular provisions related to research are fuzzy and vague, leaving space for National States’ different interpretation and thus making harmonization difficult to achieve.

Considering the complexity of the GDPR, a code of conduct (meant as a set of rules, produced from the bottom up and sector-specific to health research) could be a proper instrument to ‘translate’ into practice the GDPR provisions.  

As a regulatory instrument, established bottom-up and scrutinised by the stakeholders concerned, the code of conduct for health research (as described in articles 40 and 41 of the GDPR) can simplify the implementation of the GDPR and interlinked ethical standards in a transnational environment whilst striking the balance between data flow and protection.

Our Initiative

The initiative for drafting a code of conduct for health research starts in 2015 when scientific and legal experts of BBMRI-ERIC, the research infrastructure for biobanks and biomolecular resources, began assessing the draft text of the GDPR, while it was still discussed in the Council and European Parliament.

With the belief that the aims of the code have to go beyond the context of biobanks and extend to clinical trials, studies, cohorts, registries, genome databases’ data for harmonized data sets and electronic health records, BBMRI-ERIC looked for partners who shared the ambition to develop a code for the highly intertwined health research sector, comprising representatives from academia, industry, patient organisations, as well as other biomedical sciences and life sciences research infrastructures.

By 2017, BBMRI-ERIC began to exchange with policy makers, fellow research infrastructures as well as other stakeholders from academia and industry concerned with human research data and patient advocacy groups, such as EFPIA, ESR, ECRIN, EURORDIS, or CESSDA about the orientation and feasibility of such a code.

Representatives started gathering for defining key topics and focus areas and around 2018 the drafting action effectively started.

At the beginning of 2020, many points were already discussed and drafted, but Covid-19 emergency needs arrived and took precedence. Indeed, due to Covid-19, the initiative had been on hold, and many experts were asked to focus on pandemic national legislations or projects enabling data exchange. However, it is clear that the pandemic experience has provided for some interesting case studies for the code and has pushed the willingness of stakeholders to contribute on the top of the list.

So far, more than 160 individuals representing roughly 90 organisations in the field of health research indicated their interest and general support for the code.

The initiative is a non-exclusive one and it is still open to any possible interested organisation (while being interested does not mean to be obliged to endorse the code).

The Development Process

Trying to gather as many stakeholders as possible at possible but at the same time to deliver a comprehensive draft, the development process has been planned in waves:

  1. Define the Code’s scope, aims, focus areas and key topics via a forum of key stakeholders
  2. Assess the interest and needs of stakeholders and start penning ideas on paper in a drafting action
  3. Engage data protection experts and stakeholders from research, asking them to review the draft version on an individual level (especially use cases on a case-by-case basis)
  4. Consult experts from specific fields on specific sections of the code via reference groups (several rounds)
  5. Present the code to a wider audience in form of a public consultation process
  6. Submit the code to a competent supervisory authority that confirms European scope (transnationality) according to Art. 40.9 GDPR
  7. Submit the code to the European Data Protection Board (EBPB), so that it can evaluate if the code has a European wide relevance
  8. Once the EDPB has recognized the transnationality of the code, submit it to the European Commission, which decides that the code has general validity in the European Union