Table 1 Variations in Data Protection for Medical Research between the seven EU Countries
From: A critique of the regulation of data science in healthcare research in the European Union
France | Germany | Greece | Italy | Nether-lands | Sweden | UK | |
|---|---|---|---|---|---|---|---|
Is informed valid consent sufficient? | YES | YES | YES | NO - also requires approval by the Garante | NO – professional duties of confidentiality may override consent | YES | YES |
Is broad consent permissible? | YES | YES | YES | NO | NO | NO | YES |
Definition of anonymization | All means available to controller or other person must be considered (CNIL approve means of anonymisation) | Identification not possible without disproportionate time and effort | No definition in statute, but supervisory authority applies Recital 26 definition | Identification not reasonably likely, no identification numbers | Identification reasonably excluded | Cannot be identified by someone even with considerable time, effort or other resources | Defined by ICO – currently the ‘motivated intruder’ test |
Is pseudonymised dataa treated as anonymised? | CNIL guidance suggests if key code kept secret, YES | Only for third parties without the key code | Probably YES | Probably for third parties without the key code | YES | NO | Only for third parties without the key code |