BBMRI.at Legal Knowledge Base
Legal Q&A: What is a researcher allowed to do with biobanked human samples?
In this section, BBMRI.at partner UNIVIE provides insights into the permitted use of biospecimens stored in biobanks, considering the perspective of researchers. The content addresses key legal topics such as terms of access, data protection, incidental findings, and the regulatory requirements for research involving human cells and tissues.
BBMRI.at Legal Helpdesk answers
The BBMRI.at Legal Helpdesk Service – operated by legal experts from BBMRI.at partner UNIVIE – answers questions on legal and regulatory matters around biobanking and/or using biological samples and data. This service is offered to BBMRI.at partners to support them, as biobanking and research using biological samples and data (e.g. human, animal/veterinary, microbial, etc.) may raise legal questions. All answers are published in the BBMRI.at Knowledge Base.
QUESTION:
Legal Q&A: What is a researcher allowed to do with biobanked human samples?
ANSWER:
1. Introduction
Biobanks must adhere to strict legal and regulatory requirements concerning compliance with data protection rules, ethics guidelines and quality as well as safety measures. The legal framework for biobanking in the EU was covered by Question no. 5 answered by the Legal Helpdesk and is published on the Legal Knowledge Base of BBMRI.at. From the moment a researcher discovers a dataset through one of the biobank collections, for example, the BBMRI-ERIC Directory, and decides to request access to the data, the researcher needs to comply with several legal and ethical requirements pertaining to terms of access to the samples, data protection, incidental findings and related matters.
2. Terms of Access
Biobanks require legal documentation to be submitted with each project request for access to samples. The OECD (Organisation for Economic Co-operation and Development) Recommendations on Human Biobanks and Genetic Research Databases clarify that each access request should include a ‘scientifically and ethically appropriate’ research plan.[1] The terms of access to samples and specimens collected in a biobank should be set out in an appropriate contractual agreement between the biobank and the researcher, for example in the form of a Material Transfer Agreement.[2] Terms of access should include information on how the samples are to be handled and stored,[3] including requirements pertaining to data protection. Additionally, an approval from an ethics committee is usually a requirement.
For instance, the biobank of Med Uni Graz requires the following documents to distribute specimens to other researchers:[4]
- An informed consent form signed by the patient,
- A positive decision on the submitted project from the Ethics Committee,
- The approval of the biobank representative,
- For researchers not from Med Uni Graz: a signed cooperation agreement.
Researchers should inform themselves what the specific requirements are for their relevant biobank and for accessing the samples they are interested in. Once a researcher gains access to the samples or datasets from a biobank, they can only process and use them for the specific purposes which are prescribed by the access terms.
3. Data Protection
In addition to general terms of access, researchers must comply with the applicable data protection laws. In the EU, the applicable law is the General Data Protection Regulation (GDPR)[5] as well as respective national data protection laws.
In the context of biobanking, when researchers submit their own research plans for research projects, they typically become joint controllers as they, jointly with the biobanks, determine the means and purposes of processing personal data included in the samples they wish to access.[6] This means that they need to conclude a joint controllership agreement which outlines the obligations and responsibilities of each controller with regards to the protection of personal data and data subject rights.[7] Additionally, researchers might be required to submit a Data Protection Impact Assessment (DPIA) in accordance with Article 35 GDPR.
As (joint) controllers, researchers must comply with the following general data processing principles:[8]
- Principle of lawfulness, fairness and transparency,
- Principle of purpose limitation,
- Principle of data minimisation,
- Principle of accuracy,
- Principle of storage limitation,
- Principle of integrity and confidentiality,
- Principle of accountability.
Some of the principles have specific provisions for processing personal data for scientific research purposes. For instance, personal data may be stored for longer periods insofar as they will be processed solely for scientific research purposes.[9] To maintain the security and integrity of the biobanked samples, researchers are obliged, as per the agreement reached with the biobank, to maintain data confidentiality through state-of-the-art pseudonymisation methods or through anonymisation of samples.[10] In case of a data breach, researchers should follow the rules provided by the GDPR and, where appropriate, inform the data subjects, other controllers and the national supervisory authority.[11]
In addition to this, controllers must comply with data subjects’ rights (as detailed in the answer to Question no. 19). Here too, special provisions exist when processing personal data for research purposes. For example, the obligation to provide information on processing to data subjects is limited in some cases where the controller did not collect the data directly from the data subject and recontacting them would be impossible or involve disproportionate effort.[12] The controller must also ensure compliance with the GDPR before sharing the biobanked samples with any processors or third parties, subject to specific contractual arrangements.[13]
In short, when dealing with biobanked samples that involve personal data, a researcher must observe the applicable rules and principles of data protection laws.
4. Incidental Findings
The handling of biobanked samples during a research project may also involve the management of possible incidental findings. The BBMRI-ERIC ELSI Knowledge Base reports on some of the key issues when dealing with incidental findings.[14] Scholars define incidental findings as “‘findings’ (findings) that concern a specific research participant, but which are not directly related to the primary or secondary objectives of the project in question (incidental). This includes information which there was no plan to find during research or diagnostic practices, such as information on on-going diseases or predispositions to diseases, or information concerning biological parentage and so on.”[15]
When faced with incidental findings while handling biobanked samples, researchers should take into account the following issues, as reported by BBMRI-ERIC:
- ‘the duty to disclose or not disclose,
- informed consent and participant preferences,
- privacy and confidentiality,
- resource allocation and costs,
- legal and regulatory implications.’[16]
Informed consent forms in biobanking might contain the preferences as to whether data subjects/patients wish to be informed about any incidental findings relating to their health. Additionally, legal and regulatory landscapes concerning how to handle incidental findings may vary per country. The European Health Data Space (EHDS) Regulation also foresees that data subjects must be informed about significant findings relating to their health unless they expressly asked not to be informed.[17]
5. Human Cells and Tissues
Next to requirements concerning the protection of personal data, biobanks as well as other research institutions which are involved in the processing, storage and distribution of human cells and tissues must observe the EU Human Tissue Directive as well as the Austrian Tissue Safety Act, including the accompanying ordinances.[18] These laws prescribe rules on standards of quality and safety for human tissues and cells intended for human application. National competent authorities are responsible for overseeing these activities. Each tissue establishment must comply, among others, with rules on confidentiality as well as put in place a quality system based on the principles of good practice.[19]
Researchers handling human cells and tissues which they obtained from a tissue establishment, e.g. a biobank, must adhere to the arrangements and requirements conferred in the Material Transfer Agreement and terms of access with regards to all aspects concerning processing and handling of such cells and tissues.[20]
6. Additional Requirements
The provided overview of some of the legal requirements concerning what is allowed when handling biobanked samples is not complete as specific measures might differ per country, per biobank as well as depend on the samples in question, for example, whether they include personal data or not.
Therefore, it is generally advised that researchers ask for and receive advice from their institutional legal departments and carefully read and follow any agreed upon terms of access.
Additional resources that may be helpful:
Legal:
- Organisation for Economic Co-operation and Development (OECD), ‘Recommendation of the Council on Human Biobanks and Genetic Research Databases’ OECD/LEGAL/0375 (adopted on 22 October 2009),
Other:
- Valentina Colcelli, Roberto Cippitani, Christoph Brochhausen-Delius, Rainer Arnold (eds), GDPR Requirements for Biobanking Activities Across Europe (Springer 2023),
- BBMRI-ERIC, ELSI Knowledge Base <https://www.bbmri-eric.eu/elsi-knowledge-base/>.
Sources:
[1] Organisation for Economic Co-operation and Development (OECD), ‘Recommendation of the Council on Human Biobanks and Genetic Research Databases’ OECD/LEGAL/0375 (adopted on 22 October 2009), point 7.B.
[2] Ibid, point 7.5.
[3] See, for example, Olga Tzortzatou‐Nanopoulou and others, ‘Ethical, Legal, and Social Implications in Research Biobanking: A checklist for Navigating Complexity’ (2024) 24 Developing World Bioethics 139, 146-147.
[4] MedUni Graz, ‘FAQ: What Is Required For Specimen Distribution?’, https://biobank.medunigraz.at/en/for-researchers/faq.
[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) OJ L 119/1.
[6] GDPR, arts 4(7) and 26.
[7] GDPR art 26.
[8] GDPR, art 5.
[9] GDPR art 5(1)(e).
[10] Olga Tzortzatou‐Nanopoulou and others (n 3) 146.
[11] GDPR arts 33-34.
[12] GDPR art 14(5)(b).
[13] For example, GDPR art 28.
[14] Kaya Akyüz, ‘Topic: Incidental Findings: Explore Resources Relating to the Informed Management of Incidental Findings’ (BBMRI-ERIC ELSI Knowledge Base) <https://www.bbmri-eric.eu/elsi-topic/incidental-findings/>.
[15] Roberto Cippitani, ‘Genetic Data What Are the Ethical–Legal Consequences Entailed in the Exceptional Nature of Genetic Information?’ in Valentina Colcelli et al (eds), GDPR Requirements for Biobanking Activities Across Europe (Springer 2023) 229.
[16] Ibid Akyüz (n 14).
[17] Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space and amending Directive 2011/24/EU and Regulation (EU) 2024/2847 (Text with EEA relevance), Recital 67, arts 58(3) and 61(5).
[18] Directive 2004/23/EC of the European Parliament and of the Council of 31 March 2004 on setting standards of quality and safety for the donation, procurement, testing, processing, preservation, storage and distribution of human tissues and cells (Human Tissues and Cells Directive) OJ L 102/48; Bundesgesetz über die Festlegung von Qualitäts- und Sicherheitsstandards für die Gewinnung, Verarbeitung, Lagerung und Verteilung von menschlichen Zellen und Geweben zur Verwendung beim Menschen (Gewebesicherheitsgesetz-GSG), StF: BGBl. I Nr. 49/2008, §1.
[19] Human Tissues and Cells Directive, arts 14 and 16.
[20] For example, Human Tissues and Cells Directive, art 24.
Disclaimer: this commentary aims to provide a summary of the main ethical and legal issues related to the questions put by interested stakeholders and to direct them to the relevant legal provisions that are applicable. It does not, however, preclude from reading the official sources of legislation relating to the subject matters of this document as well as those quoted by the authors and does not constitute legal advice.