Tutorial: Data protection in medical research

IDDay | TimeLanguageSpeakersInstitution
ID134Sun 08.09.24 | 1.30-6 pmDJ. Drepper,
M. Steiner
TMF – Technology and Methods Platform for Networked Medical Research e. V., Berlin


First, different types of research projects with their different use cases are presented. The focus is on projects in the field of clinical research in which the right to informational self-determination of the participants (patients or healthy test subjects) must be protected. This does not apply to basic research projects that do not involve patients or healthy comparison subjects.

The current legal foundations of data protection in research in Germany will then be discussed on the basis of the EU General Data Protection Regulation (GDPR) and German federal and state laws, including the new Health Data Utilization Act (GDNG). Among other things, the following questions are answered: Why are there data protection laws at state, federal and European level? Which data protection law must be taken into account in a specific project? When do I need the test subjects’ consent? How long can I keep the data? What am I allowed to do with the data collected in a project? Which data protection officer is responsible for me? Do I have to coordinate with a data protection officer in advance of a project? When may I use data from routine care for research? What do I have to consider with regard to data protection in clinical trials according to AMG or MPG?
The terms anonymization and pseudonymization are often misinterpreted and not correctly distinguished from one another. Even experts do not agree on the classification of data as anonymous or pseudonymous in all cases. The workshop provides an overview of common definitions, addresses borderline cases and presents technical measures for implementation. The term k-anonymity, which is appearing more and more frequently in the literature, is also explained.

A central component of most data protection concepts in research projects is the informed consent form. The tutorial discusses when “informed” consent can be assumed and which framework conditions must be taken into account when formulating such a declaration. Particularly in the case of long-term data and sample collections (biobanks), the question of how specifically the purpose of the collection and processing of personal data must be formulated in the declaration of consent is being discussed more and more frequently. From the researcher’s perspective, broad consent is required. Accordingly, the background, the proposed concepts and their limitations are discussed.
The TMF has been supporting researchers for many years in the data protection-compliant implementation of research projects in medicine. In order to be able to implement collaborative research projects in several federal states, each with their own data protection laws and supervisory authorities, the TMF has coordinated generic data protection concepts with the data protection officers of all 16 federal states and the federal government. These concepts, which can be used as blueprints or templates, focus on data collections and biobanks that can be used in the long term and with comparatively few restrictions. At its meeting in March 2014, the Conference of Federal and State Data Protection Commissioners recommended that all medical research institutions and networks use the TMF guidelines as a basis for the concrete design of their own data protection concepts. The tutorial also provides an insight into the current revision of the TMF guidelines. The new data protection impact assessment instrument introduced by the GDPR will also be discussed.

Finally, the currently available offers to support researchers in the data protection-compliant implementation of their research projects are presented.

  1. Pommerening K, Drepper J, Helbing K, Ganslandt T. Guidelines for data protection in medical research projects – Generic solutions of TMF 2.0. e.V. T-uMfdvmF, editor. Berlin: Medizinisch Wissenschaftliche Verlagsgesellschaft; 2014.
  2. Weichert T. Data protection framework for medical research. requirements of the EU General Data Protection Regulation and national laws. e.V. T-uMfdvmF, editor. Berlin: Medizinisch Wissenschaftliche Verlagsgesellschaft; 2022.
  3. Dierks C, Roßnagel A. Secondary use of social and health data – legal framework. Berlin: Medizinisch Wissenschaftliche Verlagsgesellschaft; 2019.
  4. Zenker S, Strech D, Ihrig K, Jahns R, Müller G, Schickhardt C, et al. Data protection-compliant broad consent for secondary use of health care data and human biosamples for (bio)medical research: Towards a new German national standard. J Biomed Inform. 2022;131:104096.

Contact us

johannes.drepper [at] tmf-ev.de