Data protection laws and policies

There are a number of resources available that can help you understand which laws and regulations are applicable in which geographies (your jurisdiction), for example:

• The Assessment of the EU Member States’ rules on health data in the light of GDPR report explains how data protection regulations are applied for European citizens. The EU's General Data Protection Regulation (GDPR) is an extraterritorial legislation, meaning it is applied to any entity in any country that is managing the data of European citizens, even if that entity does not have an office or base in Europe.

• The International Association of Privacy Professionals’ (IAPP) privacy law mapping chart maps describes data protection laws globally.

• The United Nations Conference on Trade and Development's data privacy regulation trackers are also useful for understanding the key provisions of data protection legislation in each country.

Key questions to ask:

• In which countries will the project collect, access, use or share data? How many jurisdictions will the project cover? Will data be stored or processed in a different jurisdiction from where the organisation is located?

• What are the main privacy or data protection laws, policies and regulations that may impact the collection, access, use or sharing of personal data and/or anonymised data between different organisations in your jurisdiction or across jurisdictions?

• Which organisations are responsible for enforcing data protection laws and other laws that might affect the use of health data? For example, the Information Commissioner's Office (ICO) in the UK.

• What consent or legal basis is needed to collect, access,use or share existing health data? Are there conditions under which data may be shared without explicit consent, for example for public health emergencies or for non-profit research?

Useful resources:

• The DLA Piper database of data protection laws of the world.

• OneTrust DataGuidance resources for privacy and regulatory context research.

• A video describing the ‘personal health train’, and defining data protocols and considerations based on FAIR principles and securing privacy.