Blockchain technology is increasingly discussed as a solution for storing medical data, whether in the context of electronic patient records or facilitating scientific research. However, while this technology may offer exciting prospects for the healthcare and life sciences sector, businesses must ensure that the operation and architecture of any system complies with data protection laws, which may be increasingly difficult with the advent of the EU General Data Protection Regulation 2016/679 (GDPR).

Blockchain uses blocks of data and encrypted operations to create an immutable, transparent, real-time digital register of transactions between participants in a network. The distribution of the ledger means there is no central “controlling” entity and, in public blockchain, anyone can participate. The identity of the participant is pseudonymised and the data may or may not be concealed. To facilitate privacy, “private” “permissioned” blockchain solutions have developed where only certain entities can be granted (revocable) permission to participate in, view and amend the blockchain. Many of these attributes are particularly attractive in the context of electronic patient records and clinical data where data needs to be up to date, capable of access by multiple parties, trusted and tamper-proof. It certainly presents a possible solution to the current fragmented and siloed approach to electronic patient records.

With a blockchain-based solution, a complete medical record could be accessed, viewed and added to, via the internet by all stakeholders. Health data from other sources, such as consumer health wearables and diet and exercise apps, could also be added directly to the record, providing a holistic view. The potential effects of being able to access such information for scientific research could be significant. Mining these data sets on a large scale may facilitate (i) the identification of causes of disease; (ii) the identification of early symptoms of a disease to allow earlier intervention and treatment; (iii) the tracking of disease outbreak to apply resources appropriately; (iv) remote post-marketing vigilance and non-interventional studies without the need to engage with a specific healthcare institution; or (v) analysing treatment options based on outcomes.

Access to this blockchain-based medical data could be provided in different ways, such as: (i) via an application programming interface (API) to mine data; (ii) acting as a node in a blockchain system where mining is rewarded with aggregated anonymous patient data; or (iii) having a separate blockchain solution for the storage of aggregated patient data purely for research purposes.

However, unless such data is truly anonymised1 (which in practice is very difficult to achieve), the storage and processing of this sensitive personal data will need to comply with GDPR. Where that sensitive data is stored and processed on a blockchain achieving compliance may be difficult and will require careful thought when designing the architecture of any such system.

Issues which will need to be navigated include: (i) ensuring that the participating nodes in the blockchain can be categorised as data controllers or data processors and their relationship papered accordingly; (ii) identifying where, when, and to whom, data is transferred; (iii) ensuring that the nodes can remove data from the blockchain (in response to an erasure request or otherwise); (iv) ensuring compliance with the data minimisation and storage limitation principles; (v) ensuring there is a relevant legal justification for the processing of the data; and (vi) ensuring that fair processing notices shared with individuals correctly and clearly explain the data processing being carried out.

First, it will be necessary to understand who is the data controller and data processor of the relevant data in order to identify the applicable obligations and ensure that these are complied with. For example, ensuring obligations on data controllers to inform data subjects of their rights in respect of that data are complied with.

However, in the context of a public blockchain, it may be difficult to confirm the identify of all nodes who receive the data, the activities each node perform, and under whose direction a node is processing the data, which make it challenging to determine who is a data controller. It is likely some nodes will be controllers of some data, while all nodes will process data. Even if the nodes can be identified and categorised, obliging a node to follow the instructions of another participant arguably offends the fundamental concept of blockchain: that there is no one central controlling entity.

Further, in the context of a public blockchain, nodes might be located anywhere in the world. As such, personal data may be being sent outside the EEA; however, the data controller may not know to where or when such transfer takes place. This model makes it difficult for a data controller to comply with its obligations to ensure that there are appropriate legal requirements in place governing that transfer to ensure that the data continues to attract an equivalent level of protection to that offered in the EEA.

Under the GDPR a data subject may (in certain circumstances) request to have all data held about him/her erased. This clearly presents an issue in the context of an immutable distributed ledger – one of its main strengths is that the record cannot be altered after the event or data removed. Unless each node can rely on an exception under the GDPR, such that it is not required to erase data on request, it is difficult to see how a public blockchain solution might work unless a technical solution is provided.2 Whether an exception might apply will depend on the legal basis relied on to process the data. Ordinarily, a business might seek to rely on the data subject’s consent to process its sensitive personal data; however, if the data subject withdrew their consent and requested that their sensitive personal data is erased, the business would need to comply. In order to be able to legally refuse to comply with an erasure request, the business would need to be able to rely on an exception under Article 17(3), such as: (i) the retention of the data is for reasons of public interest in the area of public health (e.g. for medical diagnosis or treatment or ensuring high standards of quality and safety in healthcare or of medicines/medical devices); or (ii) the data is for scientific research purposes and erasure is likely to render impossible or seriously impair the achievement of the objectives of the processing (i.e. the research).

Even if the business is able to rely on an exception, the data minimisation and storage limitation principles will apply. Therefore, unless the legal grounds for processing the relevant medical data continue indefinitely (which may be difficult to demonstrate3), the immutable nature of blockchain technology is likely to present an issue.

Many data protection issues may be alleviated by a private permissioned blockchain. The controlling entity can identify the participants, their location, whether they are a controller or processor, and paper their obligations appropriately. The issues around erasure, data minimisation and storage limitation would continue to apply, but there may be practical “work arounds” available to private blockchains which, while not ensuring GDPR compliance, might alleviate the issue. Equally, the controlling entity might adopt an “off-chain” approach (where the bulk of data is stored “off chain” with only a hash of data on the chain which points to the “off chain” record) to limit the amount and quality of the data which could not be erased.

Interestingly, the EU Commission has launched an EU Blockchain Observatory and Forum to (amongst other things) monitor developments, analyse trends, address emerging issues and become a knowledge hub on blockchain. The EU has also funded the MyHealthMyData consortium which aims to develop a blockchain based solution for the sharing of health data, as well as calling for tender4 on a feasibility study to assess the opportunity to pilot a “EU Blockchain Infrastructure (EuroChain) for the advent of an open, innovative, trustworthy, transparent, and EU law compliant data and transactional environment.” It may be that, as the EU looks into the opportunities offered by blockchain for medical data and identifies the difficulties presented by the GDPR, it will issue guidance endorsing certain “work arounds” (such as removing all permissions to a blockchain) as GDPR compliant or change its position on hashing.

Lydia Torne and Sophie Sheldon from Simmons & Simmons LLP

1 For example, hashed data may still be considered “personal data” or “sensitive personal data” on the basis that hashing constitutes pseudonymisation only according to the Article 29 Working Party’s Opinion 05/2014.

2 E.g. an ability to erase data

3 It might be possible in the context of an NHS “cradle to grave” record to claim that data must be maintained for the life of the data subject, however this may be more difficult in a private healthcare scenario where a data subject may choose to cease to use the private provider’s services.