Committed to the drafting of a Code of Conduct for the sector of health research according to Art. 40 GDPR, our initiative is advancing slowly but steadily. Throughout Europe, national jurisdictions differ to a great deal in their interpretations of the GDPR, especially in regard to its application in health research. This is due to some quite vague provisions (public interest, not incompatible clause) as wells as to numerous exemption/derogation clauses concerning the use of health data for research purposes, which encourage States to set up national rules – enhancing fragmentation. Notably, a Code of Conduct can help to bridge the harmonization gaps that may exist between Member States in their application of data protection law. On a practical level, a code is potentially a cost-effective method to achieve greater levels of consistency of protection as well as a mechanism to demonstrate compliance with the GDPR. By spring 2020, several hundred individuals representing around 90 organizations in the field of health research have indicated their interest and support for the Code of Conduct for Health Research. At this stage, this does not yet indicate an endorsement but means that they see a benefit in the development of such a code and are interested in partaking in the process. Additionally, several exchanges take place with national and sectoral codes in order to use synergies and finds ways for collaboration. This webinar is intended to inform you about the latest results. The CINECA webinar series aims to discuss ways to address common challenges and share best practices in the field of cohort data analysis, as well as distribute CINECA project results. All CINECA webinars include an audience Q&A session during which attendees can ask questions and make suggestions. Please note that all webinars are recorded and available for posterior viewing. CINECA webinars include an audience Q&A session during which attendees can ask questions and make suggestions. This webinar took place on 1st October 2020 and is part of the CINECA webinar series. It is best viewed in full screen mode using Google Chrome. For previous and upcoming CINECA webinars see: https://www.cineca-project.eu/webinars

1. This project has received funding from the European Union’s Horizon 2020 research and
Innovation programme under grant agreement No. 825775
Status Update Code of Conduct:
Teaming up & Talking about it
Presenter: Michaela Th. Mayrhofer (BBMRI-ERIC)
Host: Marta Lloret Llinares (EMBL-EBI)

2. This webinar is being recorded

3. Audience Q&A Session
Please write your
questions in the
questions
window of the
GoToWebinar
application

4. The challenges:
Stay
informed
@CinecaProject
www.cineca-project.eu
Common Infrastructure for National Cohorts
in Europe, Canada and Africa
This project has received funding from the European Union’s Horizon 2020 research and
Innovation programme under grant agreement No. 825775
Accelerating disease research and
improving health by facilitating
transcontinental human data exchange
The vision:
This project has received funding from the Canadian Institute of Health
Research under grant agreement #404896

5. Today’s presenter
Michaela Th. Mayrhofer is a political scientist and historian by training. She
was educated in Vienna, Louvain-la-Neuve, Essex and Paris. In 2010, she
earned her PhD from both the Ecole des Hautes Etudes en Sciences Sociales
and the University of Vienna, which was shortlisted by the Austrian Society for
Political Science for 'best thesis 2010'. Prior to her involvement in BBMRI-ERIC,
she was investigator in several national and international research projects
focusing on the politics of biotechnology and the life sciences, especially the
governance of biobanks.
Her academic career led to various positions in Austria, the UK and Switzerland. Since 2019, she serves as the
Head of ELSI Services & Research of BBMRI-ERIC, was co-Interim Director (Feb-Aug 2020) and coordinates the
Code of Conduct for Health Research initiative.

6. STATUS UPDATE CODE OF CONDUCT:
TEAMING UP & TALKING ABOUT IT
MICHAELA TH. MAYRHOFER
1. OCTOBER 2020 - VIRTUAL

7. § 40 GDPR
Mayrhofer
1) The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of
codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific
features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.
2) Associations and other bodies representing categories of controllers or processors may prepare codes of
conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation,…
1.10.2020 7

8. § 40 GDPR
Mayrhofer
2) …such as with regard to:
a) fair and transparent processing;
b) the legitimate interests pursued by controllers in specific contexts;
c) the collection of personal data;
d) the pseudonymisation of personal data;
e) the information provided to the public and to data subjects;
f) the exercise of the rights of data subjects;
g) the information provided to, and the protection of, children, and the manner in which the consent of the
holders of parental responsibility over children is to be obtained;
h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of
processing referred to in Article 32;
i) the notification of personal data breaches to supervisory authorities and the communication of such personal
data breaches to data subjects;
j) the transfer of personal data to third countries or international organisations; or
k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers
and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to
Articles 77 and 79.
1.10.2020 8

9. 9
A CODE OF CONDUCT FOR HEALTH RESEARCH
Mayrhofer
BBMRI-ERIC represents such a category of controller or processor as described under Article 40(2) in the
sector of health research and opted from the start for a broad inclusion of and collaboration with others (in line
with recital 99).
For the development of our code, we thus collaborate with:
• Industry (EFPIA)
• International and research societies (EORTC)
• Patient representatives (EURORDIS)
• medical associations (ESR)
• International organizations (EMBL)
• International societies (GA4GH)
• Other code initiatives (EUCROF)
• BMS RIs (esp. ECRIN, EATRIS, ELIXIR), connection via:
ü Our code builds largely on previous Best Practice
Codes, namely:
• RD Connect Code of Practice
• IMI Code of Practice for Secondary Use of
Medical Data in Scientific Research Projects
ü Authors of these Best Practice Codes are members of
the current drafting group
9

10. LEVELS OF INVOLVEMENT
2017-2020
SECTOR: HEALTH RESEARCH
*
1.10.2020
Dialogue with
other groups
drafting a code
(European &
nationally)
Forum: comprised of 350+ individuals & 90+
organizations interested in the Code’s aims.
Drafting Group: Members provide legal
and research expertise and experience in the
field. Representatives from:
• All European biomedical science research
infrastructures RIs
• Pharma industry
• European patient advocacy groups,
• European Medical associations,
• International Organizations
Reference Groups: include experts
consulted on an ad-hoc basis to inform the
drafting of specific sections.
Mayrhofer 10

11. 11
SCOPE
• Health research today takes place at the intersection of machine learning and
health care; especially in relation to the secondary use of data.
• Our code initiative started with biobanks and extended to clinical trials, studies,
cohorts, registries, genome databases’ data for harmonized data sets. It also
needs to consider links to patient(owned) data and electronic health records.
• This contributes to the improvement of prevention, diagnosis, drug
development and therapies to foster personalized medicine.
• Consequently, the secondary use of health care data is included.
• An enlargement to primary use currently out of scope but conceivable.
26.02.2020
Mayrhofer / Schlünder

12. KEY TOPICS
1.10.2020 Mayrhofer
• Legal basis/consent
• Personal data/anonymisation
• Controller/joint controller/processor
Ø Our code does not promote one legal
basis over another, as the decision is
context dependent and might have a
specification in national law (country
derogation).
Ø Anonymisation: context dependent
12

13. STRUCTURE
§ Am I handling personal and sensitive data?
§ What am I doing with the data exactly?
§ What is then my role?
§ What are my duties?
§ What is my legal basis?
§ How do I anonymise, pseudonymise data?
§ What are the information obligations?
§ What do I have to do to enable research participants to exercise their rights?
§ What do I have to do in order to protect the privacy of the research participants?
§ How long can I retain the data?
§ Can I reuse the data?
§ Who owns thedata?
§ With whom can I share my data?
§ What about data security?
Ø Uses non-legalistic language
Ø Builds on the questions that
arise in the workflow for a
researcher/data controller
(FAQ style)
1.Question
1.1.Rule/Recommendation
1.2 Explanation
1.3 Example
1.10.2020 Mayrhofer 13

14. EXAMPLE: PERSONAL DATA
1.10.2020 Mayrhofer
Rule: Data may (only) qualify as personal data due to additional information,
that is available for identification.
Explanation: The status of data as personal data depends on who gets to know the data
and what other information is available to him.
Example: The name “Peter Smith” is not enough information to identify somebody
globally, but it would be sufficient in a classroom.
The same research data set might be considered anonymous, if access is controlled and
the data only available for research projects, which have undergone an ethical scrutiny,
whereas it might be considered personal data, if it is published in an open access
database on the web. This is due to the fact, that the more people have access to data,
the more likely it is, that some people with additional information or other means for
identification at hand will access them.
14

15. GOVERNANCE/MONITORING
1.10.2020
Options under consideration:
• In-house (with guaranteed operational
independence)
• Society (set up for the purpose)
• Outsourced (e.g., Scope Europe – provides
monitoring for e-health code)
• Joint oversight committee
Mayrhofer
Key Focus:
Øindependence of governing
body & acceptance of
governance body by community
ØGuiding principles: ensuring
acceptance of and adherence t o
the code
15

16. 16
JOINING FORCES WITH OTHER COMPLEMENTARY CODES
• BBMRI’s for health research
• ESOMAR’s Code of Conduct for the market, opinion and
social research and data analytics sector aims to
harmonise ethical & operational requirements in Europe
covering all kinds of market, social and opinion research.
• EUCROF is a non-profit entity representing the interests
of CROs in Europe and prepares a code of conduct for
‘service providers’ (e.g. classical CRO’s and IT solution
vendors).
• GEANT Code of Conduct describes an approach to meet
the requirements of the EU Data Protection Directive in
federated identity management.
• National code initiatives from NL, NO, BE, PL, IT.
1./2. OCTOBER 2019, BRUSSELS
Schlünder/Bahr

17. TIMELINE
1.10.2020
→ consolidating first draft sections, discuss with experts (ongoing)
→ formalizing involvement, focus on European Scope (started)
→ decision on governance (2021)
→ consultation with experts/reference groups (2020/2021)
→ revision and public consultation rounds (2021)
→ submission (2021/2)
Mayrhofer 17
subject to change

18. QUESTIONS? GET IN TOUCH!
contact@bbmri-eric.eu
www.bbmri-eric.eu
@BBMRIERIC
BBMRI-ERIC
Michaela Th. Mayrhofer, PhD | Head of ELSI Services & Research
@mtmayrhofer | michaela.th.mayrhofer@bbmri-eric.eu
1.10.2020 Mayrhofer 18

19. Questions?
Title: Status Update Code of Conduct: Teaming up & Talking about it
Presenter: Michaela Th. Mayrhofer
Please write your questions in the
questions window of the GoToWebinar
application

20. Next CINECA webinar
Title: Data Gravity in the Life Sciences: Lessons learned from the Human Cell Atlas and
other federated data projects
Presenter: Tony Burdett (EMBL-EBI)
Date: Thursday 12 November 2020
Time: 16:00 CET
Registration and details: https://www.cineca-project.eu/webinars