Frequently asked questions
Frequently asked questions - privacy
1. Why does the Biobank Ethics Review Committee (in Dutch: TCBio) assess how researchers handle data?
In the UMC Utrecht a lot of personal data, including patient data, are being handled. To protect patient privacy, the UMC Utrecht needs to adhere to the applicable laws and regulations. The UMC Utrecht Biobank Regulations require that the TCBio reviews whether the collection of human biological material and associated data for scientific research, and subsequent use of the data in research, meets all legal requirements.
More information regarding the biobank governance system in the UMC Utrecht can be found on the TCBio website: Biobanks UMC Utrecht - Toetsingscommissie Biobanken. You can also download the UMC Utrecht Biobank Regulations there. Articles 7, 8 and 10 describe the review criteria, including those for the protection of patient privacy.
2. Which rules and regulations should I take into account?
The GDPR (General Data Protection Regulation) came into effect in the European Union in May 2018, and therefore also in The Netherlands. As a result, the Dutch Personal Data Protection Act (in Dutch: Wet bescherming persoonsgegevens - Wbp) no longer applies.
Because the data that are being handled in the UMC Utrecht mostly concerns patient data, the Medical Treatment Contracts Act (in Dutch: Wgbo) also applies in most cases.
The Code of Conduct for Health-related Research 2022 provides further explanation of these laws in practice.
More information on the Code of Conduct is available on the Coreon website: Gedragscode Gezondheidsonderzoek - Coreon.
3. Where can I find definitions of frequently used terms, such as personal data, and further clarification about privacy rules?
A list of Definitions of Terms is now part of the Release protocol including terms related to privacy rules. Also check the AVG-FAQ on the UMC Utrecht intranet (Connect).
In addition, in section D of the Release protocol, containing questions regarding handling of data, instructions are available for most of the questions. Careful reading of these instructions is advised before completing section D.
4. The biobank information letter and consent form that we still use to enroll new donors was approved before the EU General Data Protection Regulation (GDPR) came into effect. Do we need to update these documents?
The GDPR contains several new requirements about what information needs to be provided regarding the handling of personal data. When still including new donors, existing sub-biobanks also need to adhere to these requirements. Therefore, the biobank information letter and consent form need to be updated and the new versions need to be reviewed and approved by the reviewing committee. Please refer to the information on the TCBio website on how to update the biobank information letter and consent form to the applicable legal requirements.
5. Can I use data without a patient’s consent?
The GDPR requires that, in principle, consent is obtained from the patient for the use of his or her data. In exceptional circumstances only, deviation from the legal requirements is possible and only when certain criteria are met.
In these cases, based on the answers in section D of the Release protocol, the committee will evaluate if the request fulfills the legal exceptions. The considerations that play a role in this evaluation are summarized in a decision tree, which you can find here.
6. I would like to use residual material from routine care that was obtained under the no-objection rule of the UMC Utrecht, anonymously. Is TCBio review required in this case?
In most cases, no consent has been obtained for the use of residual material from routine care in scientific research. In these cases, the researcher appeals to the so-called no-objection arrangement.
An independent review by the TCBio is part of this arrangement. The review applies, regardless of whether or not the residual material is used coded or anonymously. Yet, it is important to note that nowadays human biological material can almost never be qualified as anonymous.
Of note: Coding is not the same as anonymizing. A code can be reversed by using a code list (or key to the code). Even if the researcher has no access to the key to the code, but for instance the treating physician who coded the material does, the researcher still handles coded human biological material. Only when there no longer is a code list with which the identity of the patient can be traced, can human biological material be qualified as anonymous. However, even when using anonymized material, a patient can sometimes be identified on the basis of the research results. This might, for example, be the case for certain DNA/RNA analyses.
For all use of residual material from routine care, an independent review by TCBio is required.
7. Why does it seem as if certain questions in the Release protocol are asked twice?
Sections C and D deal with different issues. Section C concerns questions related to the human biological material that will be used in the study. Section D deals with questions related to the handling of data that will be linked to the material. The review criteria for human biological material are laid down in the UMC Utrecht Biobank Policy. The handling of data will be reviewed according to the rules laid down in the GDPR (General Data Protection Act, in Dutch: AVG), the Medical Treatment Contracts Act (in Dutch: Wgbo) and the Code of Conduct for Health-related Research 2022. This explains why these questions are part of separate sections and concern human biological material on the one hand and data on the other.
8. Are all the questions in the Release protocol necessary?
To allow careful consideration of the different aspects of the study, it is necessary to answer all the questions as complete as possible. The committee will review all information in the Release protocol according to the applicable rules and regulations, such as the GDPR (in Dutch: AVG), the Medical Treatment Contracts Act (in Dutch: Wgbo), the UMC Utrecht policy, and other relevant scientific and ethical standards. Therefore, the Release protocol is not a checklist. All the information is taken into consideration. The result of these considerations, also referred to as review, depends on the context of the research study. See also question 9 below.
9. The answer to a question in section D (Data) that was previously accepted in an approved Release protocol did not suffice in a subsequent Release protocol. What can be the reason for this?
For every Release protocol, the privacy aspects are assessed on a case-by-case basis in the context of the study under review (see also question 8 above). Therefore, the researcher is advised to evaluate the privacy issues for every new study before submitting the Release protocol for review. For most questions, an explanation has been added in the template Release protocol. In order to avoid unnecessary questions from the committee, please read the explanations carefully.
10. I only use coded data in my study. How can a person still can be identified based on these data?
Even when data have been coded, it may be possible that by the nature of the data someone can be recognized by the person handling the data. This may happen if e.g. data from several sources are combined. In addition, a person can be identified in the case of a rare disease or a specific inherited mutation. When there is a chance that combinations of coded data can lead to the identification of a person, you are handling personal data. And when you are handling personal data, the person’s consent is in principle required.
11. Why are there no drop-down menus and standard texts in the template Release protocol, in particular in section D (Data)?
The template Release protocol is aimed at the review of a wide variety of research types and associated information. Standard texts cannot cover all possible scenario’s. In addition, it is important that the researcher formulates the information for each individual study in a way that fully matches with that specific research. Therefore, it is important that for each question a researcher carefully considers which information fits with the respective study.
12. The questions in Release protocol section D (Data) appear to overlap with questions in the UMC Utrecht template Data Management Plan (DMP). Can I just refer to the DMP and provide it as an attachment?
No. The Data Management Plan is a separate requirement of the UMC Utrecht. It is not reviewed by the TCBio and therefore not part of the TCBio file. The Release protocol should allow reading and reviewing by the TCBio as a standalone document. However, information from the DMP can be used to answer questions, for instance in the case of question D7.