Optimising cohort data in Europe

context, safeguards are often centred on preventing unauthorised data use and promote data stewardship that would comply with the necessity and proportionality principles (Slokenberga et al., 2021). A way to implement safeguards compliant with the GDPR principles of proportionality and necessity principles is to ensure that informed consent or/and ethical approval covers all potential data uses (Ducato, 2020). GDPR offers detailed specifications on the subject in Article 6.1, Recital 62 and Recital 33 on the obligation to inform study participants. Personal data use can be justified on two legal grounds namely (i) informed consent (with subsequent approval from ethical review boards) and (ii) approval from an ethical review board based on the designation of the research project as being in the area of public interest. Recital 62 is of particular interest for retrospective (cohort) research where data subjects can no longer be contacted for renewed consent: there is no obligation to inform data subjects if these subjects already possess study-related information and if the provision of information to study participants requires a disproportionate effort (Ducato, 2020). The GDPR is thus more favourable to cohort research than previous directives on data protection (Duguet et al., 2021). For instance, Recital 33 opens the possibility of broad consent arguing, “It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection”. Data subjects can thus, give their consent according to the intended purpose of the research. This does not relieve researchers of the obligation to inform subjects and to provide a detailed description of the research purpose (cf. Recital 33). This description can be more general if the purpose for personal data processing cannot be fully outlined from the onset (Peloquin et al., 2021). For cohort research, the assumptions of the GDPR regarding the right of information and broad consent focus around a core distinction between research projects whose purposes are general (e.g. rare disease research) and research projects where the designs and the level of processing may involve possible risks and privacy breaches for the data subjects (Hansson, 2021). For the former, a general description of the research purpose is sufficient while for the latter, descriptions of the research purposes have to include information about the data controller, the nature of research, the parameters of data sharing (e.g. whether data will be shared across borders), partnerships frameworks (e.g. with commercial partners, the implementation of results feedback (including incidental findings), measures for data protection concerning unauthorised use and potential linkages to registry data (Stommel and Rijk, 2021). (b) Practical implementation of the necessity and proportionality principles of data processing Information governance in biobanks and repositories in datasets are generally first contextualised locally in terms of geographic region or/and legal systems (e.g. UK