1
Staunton C, Shabani M, Mascalzoni D, Mežinska S, Slokenberga S. Ethical and social reflections on the proposed European Health Data Space. Eur J Hum Genet 2024; 32:498-505. [PMID: 38355959 PMCID: PMC11061131 DOI: 10.1038/s41431-024-01543-9] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Received: 03/28/2023] [Revised: 11/08/2023] [Accepted: 01/15/2024] [Indexed: 02/16/2024]
Abstract
The COVID-19 pandemic demonstrated the benefits of international data sharing. Data sharing enabled the health care policy makers to make decisions based on real-time data, it enabled the tracking of the virus, and importantly it enabled the development of vaccines that were crucial to mitigating the impact of the virus. This data sharing is not the norm as data sharing needs to navigate complex ethical and legal rules, and in particular, the fragmented application of the General Data Protection Regulation (GDPR). The introduction of the draft regulation for a European Health Data Space (EHDS) in May 2022 seeks to address some of these legal issues. If passed, it will create an obligation to share electronic health data for certain secondary purposes. While there is a clear need to address the legal complexities involved with data sharing, it is critical that any proposed reforms are in line with ethical principles and the expectations of the data subjects. In this paper we offer a critique of the EHDS and offer some recommendations for this evolving regulatory space.
Affiliation(s)
- Ciara Staunton
  - Institute for Biomedicine, Eurac Research, Bolzano, Italy.
  - School of Law, University of KwaZulu-Natal, Durban, South Africa.
- Mahsa Shabani
  - Faculty of Law and Criminology, Ghent University, Gent, Belgium
- Deborah Mascalzoni
  - Institute for Biomedicine, Eurac Research, Bolzano, Italy
  - Department of Public Health and Caring Science, Uppsala University, CRB, P.O. Box 256, 751 05, Uppsala, Sweden
- Signe Mežinska
  - Institute of Clinical and Preventive Medicine, University of Latvia, Riga, Latvia
2
Bernier A, Molnár-Gábor F, Knoppers BM, Borry P, Cesar PMDG, Devriendt T, Goisauf M, Murtagh M, Jiménez PN, Recuero M, Rial-Sebbag E, Shabani M, Wilson RC, Zaccagnini D, Maxwell L. Reconciling the biomedical data commons and the GDPR: three lessons from the EUCAN ELSI collaboratory. Eur J Hum Genet 2024; 32:69-76. [PMID: 37322132 PMCID: PMC10267538 DOI: 10.1038/s41431-023-01403-y] [Citation(s) in RCA: 1] [Impact Index Per Article: 1.0] [Received: 11/24/2022] [Revised: 01/26/2023] [Accepted: 05/24/2023] [Indexed: 06/17/2023]
Abstract
The coming-into-force of the EU General Data Protection Regulation (GDPR) is a watershed moment in the legal recognition of enforceable rights to informational self-determination. The rapid evolution of legal requirements applicable to data use, however, has the potential to outstrip the capabilities of networks of biomedical data users to respond to the shifting norms. It can also delegitimate established institutional bodies that are responsible for assessing and authorising the downstream use of data, including research ethics committees and institutional data custodians. These burdens are especially pronounced for clinical and research networks that are of transnational scale, because the legal compliance burden for outbound international data transfers from the EEA is especially high. Legislatures, courts, and regulators in the EU should therefore implement the following three legal changes. First, the responsibilities of particular actors in a data sharing network should be delimited through the contractual allocation of responsibilities between collaborators. Second, the use of data through secure data processing environments should not trigger the international transfer provisions of the GDPR. Third, the use of federated data analysis methodologies that do not provide analysis nodes or downstream users access to identifiable personal data as part of the outputs of those analyses should not be considered circumstances of joint controllership, nor lead to the users of non-identifiable data to be considered controllers or processors. These small clarifications of, or modifications to, the GDPR would facilitate the exchange of biomedical data amongst clinicians and researchers.
Affiliation(s)
- Alexander Bernier
  - EUCANCan: European-Canadian Cancer Network, Barcelona, Spain.
  - euCanSHare: An EU-Canada Joint Infrastructure for Next-Generation Multi-Heart Research, Barcelona, Spain.
  - Centre of Genomics and Policy, McGill University Faculty of Medicine and Health Sciences, Montréal, QC, Canada.
- Fruzsina Molnár-Gábor
  - EUCANCan: European-Canadian Cancer Network, Barcelona, Spain
  - Heidelberg Academy of Sciences and Humanities, Heidelberg University, Heidelberg, Germany
- Bartha M Knoppers
  - EUCANCan: European-Canadian Cancer Network, Barcelona, Spain
  - euCanSHare: An EU-Canada Joint Infrastructure for Next-Generation Multi-Heart Research, Barcelona, Spain
  - Centre of Genomics and Policy, McGill University Faculty of Medicine and Health Sciences, Montréal, QC, Canada
- Pascal Borry
  - euCanSHare: An EU-Canada Joint Infrastructure for Next-Generation Multi-Heart Research, Barcelona, Spain
  - Centre for Biomedical Ethics and Law, Department of Public Health and Primary Care, Faculty of Medicine, KU Leuven, Leuven, Belgium
- Priscilla M D G Cesar
  - Institute on Ethics & Policy for Innovation (IEPI), McMaster University, Hamilton, ON, Canada
  - RECODID: Reconciliation of Cohort Data in Infectious Diseases, Heidelberg, Germany
- Thijs Devriendt
  - euCanSHare: An EU-Canada Joint Infrastructure for Next-Generation Multi-Heart Research, Barcelona, Spain
  - Centre for Biomedical Ethics and Law, Department of Public Health and Primary Care, Faculty of Medicine, KU Leuven, Leuven, Belgium
- Melanie Goisauf
  - ELSI Services & Research, BBMRI-ERIC, Graz, Austria
  - CINECA: Common Infrastructure for International Cohorts in Europe, Canada, and Africa, Heidelberg, Germany
- Madeleine Murtagh
  - EUCAN-Connect: Federated, FAIR Platform Enabling Large-Scale Analysis of High-Value Cohort Data Connecting Europe and Canada in Personalized Health, Groningen, the Netherlands
  - School of Social and Political Studies, University of Glasgow, Glasgow, Scotland, UK
- Pilar Nicolás Jiménez
  - EUCANCan: European-Canadian Cancer Network, Barcelona, Spain
  - EuCanImage: A European Cancer Image Platform Linked to Biological and Health Data for Next Generation Artificial Intelligence and Precision Medicine in Oncology, Barcelona, Spain
  - Social and Legal Sciences Applied to the New Technosciences Research Group, Faculty of Law, University of the Basque Country, Bilbao, Spain
- Mikel Recuero
  - EUCANCan: European-Canadian Cancer Network, Barcelona, Spain
  - EuCanImage: A European Cancer Image Platform Linked to Biological and Health Data for Next Generation Artificial Intelligence and Precision Medicine in Oncology, Barcelona, Spain
  - Social and Legal Sciences Applied to the New Technosciences Research Group, Faculty of Law, University of the Basque Country, Bilbao, Spain
- Emmanuelle Rial-Sebbag
  - CINECA: Common Infrastructure for International Cohorts in Europe, Canada, and Africa, Heidelberg, Germany
  - CERPOP, Inserm, Toulouse Paul Sabatier University, Toulouse, France
- Mahsa Shabani
  - euCanSHare: An EU-Canada Joint Infrastructure for Next-Generation Multi-Heart Research, Barcelona, Spain
  - Metamedica, Faculty of Law and Criminology, Ghent University, Ghent, Belgium
- Rebecca C Wilson
  - EUCAN-Connect: Federated, FAIR Platform Enabling Large-Scale Analysis of High-Value Cohort Data Connecting Europe and Canada in Personalized Health, Groningen, the Netherlands
  - Institute of Population Health, University of Liverpool, Liverpool, UK
- Davide Zaccagnini
  - euCanSHare: An EU-Canada Joint Infrastructure for Next-Generation Multi-Heart Research, Barcelona, Spain
  - Lynkeus S.R.L, Roma, Italy
- Lauren Maxwell
  - RECODID: Reconciliation of Cohort Data in Infectious Diseases, Heidelberg, Germany
  - Heidelberg Institute for Global Health, Heidelberg University, Im Neuenheimer Feld 130/3, 69120, Heidelberg, Germany
3
Prictor M. Data Breach Notification Laws-Momentum Across the Asia-Pacific Region. J Bioeth Inq 2023; 20:567-570. [PMID: 38082137 DOI: 10.1007/s11673-023-10324-w] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Received: 10/10/2023] [Accepted: 11/17/2023] [Indexed: 03/16/2024]
Affiliation(s)
- Megan Prictor
  - Melbourne Law School, The University of Melbourne, Carlton, 3053, VIC, Australia.
  - Centre for Digital Transformation of Health, The University of Melbourne, Carlton, VIC, 3053, Australia.
4
Abd Majid M, Zainol Ariffin KA. Model for successful development and implementation of Cyber Security Operations Centre (SOC). PLoS One 2021; 16:e0260157. [PMID: 34797896 PMCID: PMC8604312 DOI: 10.1371/journal.pone.0260157] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Received: 08/27/2021] [Accepted: 11/03/2021] [Indexed: 11/18/2022]
Abstract
Cyberattacks have changed dramatically and have become highly advanced. This latest phenomenon has a massive negative impact on organizations, such as financial losses and shutting-down of operations. Therefore, developing and implementing the Cyber Security Operations Centre (SOC) is imperative and timely. Based on previous research, there are no international guidelines and standards used by organizations that can contribute to the successful implementation and development of SOC. In this regard, this study focuses on highlighting the significant factors that will impact and contribute to the success of SOC. Simultaneously, it will further design a model for the successful development and implementation of SOC for the organization. The study was conducted quantitatively and involved 63 respondents from 25 ministries and agencies in Malaysia. The results of this study will enable the retrieval of ten success factors for SOC, and it specifically focuses on humans, processes, and technology. The descriptive analysis shows that the top management support factor is the most influential factor in the success of the development and implementation of SOC. The study also contributes to the empirical finding that technology and process factors are more significant in the success of SOCs. Based on the regression test, the technology factor has major impact on determining the success of SOC, followed by the process and human factors. Relevant organizations or agencies can use the proposed model to develop and implement SOCs, formulate policies and guidelines, strengthen human models, and enhance cyber security.
Affiliation(s)
- Maziana Abd Majid
  - Malaysian Administrative Modernisation and Management Planning Unit, Federal Government Administrative Centre, Putrajaya, Malaysia
5
Affiliation(s)
- Dean F Sittig
  - University of Texas/Memorial Hermann Center for Healthcare Quality and Safety and School of Biomedical Informatics, University of Texas Health Science Center, Houston
- Hardeep Singh
  - Center for Innovations in Quality, Effectiveness and Safety, Michael E. DeBakey Veterans Affairs Medical Center, and Baylor College of Medicine, Houston, Texas
6
Affiliation(s)
- Quinn Grundy
  - Lawrence S. Bloomberg Faculty of Nursing, University of Toronto, Toronto, ON, Canada
- Lindsay Jibb
  - Hospital for Sick Children (SickKids), Toronto, ON, Canada
- Geoffrey Fang
  - Hospital for Sick Children (SickKids), Toronto, ON, Canada
7
Gómez Arias PJ, Abad Arenas E, Arias Blanco MC, Redondo Sánchez J, Galán Gutiérrez M, Vélez García-Nieto AJ. Medical and Legal Aspects of the Practice of Teledermatology in Spain. Actas Dermosifiliogr (Engl Ed) 2021; 112:127-133. [PMID: 33035496 PMCID: PMC7537602 DOI: 10.1016/j.ad.2020.09.003] [Citation(s) in RCA: 7] [Impact Index Per Article: 2.3] [Received: 05/31/2020] [Revised: 09/18/2020] [Accepted: 09/22/2020] [Indexed: 11/28/2022]
Abstract
Teledermatology is now fully incorporated into our clinical practice. However, after reviewing current legislation on the ethical aspects of teledermatology (data confidentiality, quality of care, patient autonomy, and privacy) as well as insurance and professional responsibility, we observed that a specific regulatory framework is still lacking and related legal aspects are still at a preliminary stage of development. Safeguarding confidentiality and patient autonomy and ensuring secure storage and transfer of data are essential aspects of telemedicine. One of the main topics of debate has been the responsibilities of the physicians involved in the process, with the concept of designating a single responsible clinician emerging as a determining factor in the allocation of responsibility in this setting. A specific legal and regulatory framework must be put in place to ensure the safe practice of teledermatology for medical professionals and their patients.
Affiliation(s)
- P J Gómez Arias
  - UGC de Dermatología Médico-Quirúrgica y Venereología, Hospital Universitario Reina Sofía, Córdoba, España.
- E Abad Arenas
  - Departamento de Derecho Civil, Facultad de Derecho, Universidad Nacional de Educación a Distancia, Madrid, España
- M C Arias Blanco
  - Consultorio de Villaharta. UGC La Sierra. Distrito Córdoba-Guadalquivir, Córdoba, España
- J Redondo Sánchez
  - Centro de Salud Lucano. UGC Lucano. Distrito Córdoba-Guadalquivir, Córdoba, España
- M Galán Gutiérrez
  - UGC de Dermatología Médico-Quirúrgica y Venereología, Hospital Universitario Reina Sofía, Córdoba, España
- A J Vélez García-Nieto
  - UGC de Dermatología Médico-Quirúrgica y Venereología, Hospital Universitario Reina Sofía, Córdoba, España
8
Abstract
Smartphone apps to track SARS-CoV 2 infections need to fulfill certain minimal requirements to guarantee privacy and justify their use under data protection laws.
9
Abstract
Data sharing has long been a cornerstone of healthcare and research and is only due to become more important with the rise of Big Data analytics and advanced therapies. Cell therapies, for example, rely not only on donated cells but also essentially on donated information to make them traceable. Despite the associated importance of concepts such as 'donor anonymity', the concept of anonymisation remains contentious. The Article 29 Working Party's 2014 guidance on 'Anonymisation Techniques' has perhaps helped encourage a perception that anonymity is the result of data modification 'techniques', rather than a broader process involving management of information and context. In light of this enduring ambiguity, this article advocates a 'relative' understanding of anonymity and supports this interpretation with reference not only to the General Data Protection Regulation but also to European Union health-related legislation, which also alludes to the concept. Anonymity, I suggest, should be understood not as a 'technique' which removes the need for information governance but rather as a legal standard of reasonable risk-management, which can only be satisfied by effective data protection. As such, anonymity can be not so much an alternative to data protection as its mirror, requiring similar safeguards to maintain privacy and confidentiality.
Affiliation(s)
- Miranda Mourby
  - Centre for Health, Law and Emerging Technologies, Faculty of Law, University of Oxford, Ewert House, Ewert Place, Summertown, Oxford OX2 7DD, UK
10
Abstract
mHealth, the use of mobile and wireless technologies in healthcare, and mHealth apps, a subgroup of mHealth, are expected to result in more person-focussed healthcare. These technologies are predicted to make patients more motivated in their own healthcare, reducing the need for intensive medical intervention. Thus, mHealth app technology might lead to a redesign of existing healthcare architecture making the system more efficient, sustainable, and less expensive. As a disruptive innovation, it might destabilise the existing healthcare organisation through a changed role for healthcare professionals with patients accessing care remotely or online. This account coincides with the broader narrative of National Health Service policy-makers, which focusses on personalised healthcare and greater patient responsibility with the potential for significant cost reductions. The article proposes that while the concept of mHealth apps as a disruptive technology and the narrative of personalisation and responsibilisation might support a transformation of the healthcare system and a reduction of costs, both are dependent on patient trust in the safety and security of the new technology. Forcing trust in this field may only be achieved with the application of traditional and other regulatory mechanisms and with this comes the risk of reducing the effect of the technology's disruptive potential.
11
Lorè F. [Risk-based analysis in the handling of sensitive data in the health sector]. G Ital Nefrol 2020; 37:37-03-2020-13. [PMID: 32530158] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 06/11/2023]
Abstract
This contribution delves into the EU Regulation 2016/679 that defines the accountability of data controllers, with regard to the processing of personal data, and imposes the adoption of technological and organizational measures demonstrating a full commitment to European data protection laws. A risk-based analysis and an impact-based approach are recommended for all personal data, and especially those concerning health, in order to safeguard the rights and freedoms of the data subjects. The article also describes the processes that should be put in place to avoid errors and violations in the handling of personal data, which can result in physical, material or non-material damage to natural persons. The controller, in fact, needs to evaluate the situation carefully and follow a series of compulsory steps to assess any potential weaknesses in the system. A balancing act between public health concerns and privacy protection is necessary; this can be obtained through a detailed analysis of the norms and their careful implementation.
Affiliation(s)
- Filippo Lorè
  - Professore a contratto per l'insegnamento "Trattamento dei dati sensibili", Dipartimento di Informatica dell'Università degli studi di Bari "A. Moro", Bari, Italy
12
13
Prata Ribeiro H, Ponte A, Robalo Cordeiro F, Vieira F. [The New General Data Protection Regulation and Its Implications Regarding Clinical Information Requests to Healthcare Professionals]. ACTA MEDICA PORT 2020; 33:221-224. [PMID: 32238234 DOI: 10.20344/amp.13162] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Received: 11/19/2019] [Accepted: 01/20/2020] [Indexed: 11/20/2022]
Affiliation(s)
- Henrique Prata Ribeiro
  - Hospital Júlio de Matos. Centro Hospitalar Psiquiátrico de Lisboa. Lisboa. Clínica Universitária de Psiquiatria e Psicologia Médica. Faculdade de Medicina. Universidade de Lisboa. Lisboa. Deputado da iniciativa Health Parliament Portugal 2020. Lisboa. Portugal
- André Ponte
  - Hospital Júlio de Matos. Centro Hospitalar Psiquiátrico de Lisboa. Lisboa. Clínica Universitária de Psiquiatria e Psicologia Médica. Faculdade de Medicina. Universidade de Lisboa. Lisboa. Portugal
- Fernando Vieira
  - Hospital Júlio de Matos. Centro Hospitalar Psiquiátrico de Lisboa. Lisboa. Portugal
14
Verhenneman G, Claes K, Derèze JJ, Herijgers P, Mathieu C, Rademakers FE, Reyda R, Vanautgaerden M. How GDPR Enhances Transparency and Fosters Pseudonymisation in Academic Medical Research. Eur J Health Law 2020; 27:35-57. [PMID: 33652409 DOI: 10.1163/15718093-12251009] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.5] [Indexed: 06/12/2023]
Abstract
The European General Data Protection Regulation (GDPR) has dotted the i's and crossed the t's in the context of academic medical research. One year into GDPR, it is clear that a change of mind and the uptake of new procedures is required. Research organisations have been looking at the possibility to establish a code-of-conduct, good practices and/or guidelines for researchers that translate GDPR's abstract principles to concrete measures suitable for implementation. We introduce a proposal for the implementation of GDPR in the context of academic research which involves the processing of health related data, as developed by a multidisciplinary team at the University Hospitals Leuven. The proposal is based on three elements, three stages and six specific safeguards. Transparency and pseudonymisation are considered key to find a balance between the need for researchers to collect and analyse personal data and the increasing wish of data subjects for informational control.
Affiliation(s)
- G Verhenneman
  - University Hospitals Leuven, Leuven, Belgium
  - Centre for IP and IT Law, KU Leuven, Leuven, Belgium
- K Claes
  - University Hospitals Leuven, Leuven, Belgium
  - Department of Immunology, Microbiology and Transplantation, KU Leuven, Leuven, Belgium
- J J Derèze
  - University Hospitals Leuven, Leuven, Belgium
- C Mathieu
  - University Hospitals Leuven, Leuven, Belgium
- R Reyda
  - University Hospitals Leuven, Leuven, Belgium
15
Tovino SA. Mobile Research Applications and State Data Protection Statutes. J Law Med Ethics 2020; 48:87-93. [PMID: 32342742 DOI: 10.1177/1073110520917033] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 06/11/2023]
Abstract
This article focuses on state privacy, security, and data breach regulation of mobile-app mediated health research, concentrating in particular on research studies conducted or participated in by independent scientists, citizen scientists, and patient researchers. Prior scholarship addressing these issues tends to focus on the lack of application of the HIPAA Privacy and Security Rules and other sources of federal regulation. One article, however, mentions state law as a possible source of privacy and security protections for individuals in the particular context of mobile app-mediated health research. This Article builds on this prior scholarship by: (1) assessing state data protection statutes that are potentially applicable to mobile app-mediated health researchers; and (2) suggesting statutory amendments that could better protect the privacy and security of mobile health research data. As discussed in more detail below, all fifty states and the District of Columbia have potentially applicable data breach notification statutes that require the notification of data subjects of certain informational breaches in certain contexts. In addition, more than two-thirds of jurisdictions have potentially applicable data security statutes and almost one-third of jurisdictions have potentially applicable data privacy statutes. Because all jurisdictions have data breach notification statutes, these statutes will be assessed first.
Affiliation(s)
- Stacey A Tovino
  - Stacey A. Tovino, J.D., Ph.D., is the Judge Jack and Lulu Lehman Professor of Law at the William S. Boyd School of Law, University of Nevada-Las Vegas
16
Abstract
This article addresses the data protection and product safety regulatory models currently applied to consumer-facing health technologies. It explains how the design and structures of existing data protection and safety regulation in the U.S. have resulted in exceptionally thin protection for the users of consumer-facing devices and products that rely on or that facilitate consumer collection or aggregation of health and wellness data. It also examines some appealing legislative alternatives to the current thin model used in the U.S. and suggests a framework for prioritizing ameliorative regulation. To better understand existing regulatory models, their deficiencies, and how they should be reformed, the article employs an analytical model describing these regulatory systems across two axes. The vertical axis describes the quantity or depth of regulation, such as, for example, the strictness of the rules imposed by the regulatory model. The horizontal axis describes the reach of the regulation, the behaviors, products, or industries to which the regulation applies.
Affiliation(s)
- Nicolas P Terry
  - Nicolas P. Terry, LL.M., is the Hall Render Professor of Law and the Executive Director of the Hall Center for Law and Health at Indiana University Robert H. McKinney School of Law
17
Johnson SD, Blythe JM, Manning M, Wong GTW. The impact of IoT security labelling on consumer product choice and willingness to pay. PLoS One 2020; 15:e0227800. [PMID: 31978096 PMCID: PMC6980634 DOI: 10.1371/journal.pone.0227800] [Citation(s) in RCA: 17] [Impact Index Per Article: 4.3] [Received: 06/27/2019] [Accepted: 12/31/2019] [Indexed: 11/29/2022]
Abstract
The Internet of Things (IoT) brings internet connectivity to everyday electronic devices (e.g. security cameras and smart TVs) to improve their functionality and efficiency. However, serious security and privacy concerns have been raised about the IoT which impact upon consumer trust and purchasing. Moreover, devices vary considerably in terms of the security they provide, and it is difficult for consumers to differentiate between more and less secure devices. One proposal to address this is for devices to carry a security label to help consumers navigate the market and know which devices to trust, and to encourage manufacturers to improve security. Using a discrete choice experiment, we estimate the potential impact of such labels on participant’s purchase decision making, along with device functionality and price. With the exception of a label that implied weak security, participants were significantly more likely to select a device that carried a label than one that did not. While they were generally willing to pay the most for premium functionality, for two of the labels tested, they were prepared to pay the same for security and functionality. Qualitative responses suggested that participants would use a label to inform purchasing decisions, and that the labels did not generate a false sense of security. Our findings suggest that the use of a security label represents a policy option that could influence behaviour and that should be seriously considered.
Affiliation(s)
- Shane D. Johnson
  - Dawes Centre for Future Crime, University College London, London, England, United Kingdom
- John M. Blythe
  - Dawes Centre for Future Crime, University College London, London, England, United Kingdom
- Matthew Manning
  - ANU Centre for Social Research and Methods, The Australian National University, Canberra, Australia
- Gabriel T. W. Wong
  - ANU Centre for Social Research and Methods, The Australian National University, Canberra, Australia
18
van der Wel JA. [Rigid interpretation of the GDPR hampers privacy protection: a closer look at GDPR]. Ned Tijdschr Geneeskd 2019; 163:D4431. [PMID: 31769634] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 06/10/2023]
Abstract
With the introduction of the General Data Protection Regulation (GDPR), privacy legislation appears to be interpreted in an increasingly rigid manner in Dutch healthcare. This is unnecessary and may even be detrimental if it leads to caregivers taking the privacy regulations less seriously. Using a number of examples, I will show that in practice the GDPR has more to offer to healthcare professionals than they might think. The GDPR even provides healthcare institutions with the opportunity to request assistance from suppliers of information systems. In the light of recent checks and disciplinary measures implemented by the Dutch Data Protection Authority, additional focus on this opportunity could be the impulse required to bring privacy protection more closely in line with developments in information technology.
19
Abstract
With the advent of modern technology, the way society handles and performs monetary transactions has changed tremendously. The world is moving swiftly towards the digital arena. The use of Automated Teller Machine (ATM) cards (credit and debit) has led to a "cash-less society" and has fostered digital payments and purchases. In addition to this, the trust and reliance of the society upon these small pieces of plastic, having numbers engraved upon them, has increased immensely over the last two decades. In the past few years, the number of ATM fraud cases has increased exponentially. With the money of the people shifting towards the digital platform, ATM skimming has become a problem that has eventually led to a global outcry. The present review discusses the serious repercussions of ATM card cloning and the associated privacy, ethical and legal concerns. The preventive measures which need to be taken and adopted by the government authorities to mitigate the problem have also been discussed.
Affiliation(s)
- Paramjit Kaur
  - Centre for Systems Biology and Bioinformatics, Panjab University, Chandigarh, India
- Kewal Krishan
  - Department of Anthropology, Panjab University, Sector-14, Chandigarh, 160 014, India.
- Suresh K Sharma
  - Centre for Systems Biology and Bioinformatics, Panjab University, Chandigarh, India
- Tanuj Kanchan
  - Department of Forensic Medicine and Toxicology, All India Institute of Medical Sciences, Jodhpur, Jodhpur, India
20
Abstract
On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) came into force. EU citizens are granted more control over personal data while companies and organizations are charged with increased responsibility enshrined in broad principles like transparency and accountability. Given the scope of the regulation, which aims to harmonize data practices across 28 member states with different concerns about data collection, the GDPR has significant consequences for individuals in the EU and globally. While the GDPR is primarily intended to regulate tech companies, it also has important implications for data use in scientific research. Drawing on ethnographic fieldwork with researchers, lawyers and legal scholars in Sweden, I argue that the GDPR's flexible accountability principle effectively encourages researchers to reflect on their ethical responsibility but can also become a source of anxiety and produce unexpected results. Many researchers I spoke with expressed profound uncertainty about 'impossible' legal requirements for research data use. Despite the availability of legal texts and interpretations, I suggest we should take researchers' concerns about 'unknowable' data law seriously. Many researchers' sense of legal ambiguity led them to rethink their data practices and themselves as ethical subjects through an orientation to what they imagined as the 'real people behind the data', variously formulated as a Swedish population desiring data use for social benefit or a transnational public eager for research results. The intentions attributed to people, populations and publics - whom researchers only encountered in the abstract form of data - lent ethical weight to various and sometimes conflicting decisions about data security and sharing. Ultimately, researchers' anxieties about their inability to discern the desires of the 'real people' lent new appeal to solutions, however flawed, that promised to alleviate the ethical burden of personal data.
Affiliation(s)
- Alison Cool
- Department of Anthropology, University of Colorado Boulder, USA
21
Abstract
Existing data sources have tremendous potential to inform public health activities. However, a patchwork of data protection laws impedes data sharing efforts. Nevertheless, a data-sharing initiative in Peoria, IL was able to overcome challenges to set up a cross-sectoral data system to coordinate mental health, law enforcement, and healthcare services.
Affiliation(s)
- Cason Schmit
- Cason Schmit, J.D., is an assistant professor in the Texas A&M University School of Public Health Department of Health Policy and Management (College Station). Schmit received his J.D. from the Sandra Day O'Connor College of Law at Arizona State University (Tempe, AZ), and B.A. from Willamette University (Salem, OR). Kathleen Kelly, M.P.A., is a Management Assistant to the County Manager in Coconino County Arizona, and Co-founder of Lifting Up Peoria, LLC. Previously, Kelly worked as a Management Analyst with the Peoria Police Department. Kelly received her MPA focused in Community Development from Rutgers University - Camden (Camden, NJ) and BA from Saint Louis University (Saint Louis, MO). Jennifer Bernstein, J.D., M.P.H., is the Deputy Director at the Network for Public Health Law's Mid-States Region and helps lead the Data for Population Health initiative. Bernstein received a J.D./M.P.H. dual degree from the University of Iowa (Iowa City, IA), and B.S. in Women's Studies from the University of Wisconsin-Madison (Madison, WI)
- Kathleen Kelly
- Jennifer Bernstein
22
Abstract
This article analyses the balance which the GDPR strikes between two important social values: protecting personal health data and facilitating health research through the lens of the consent requirement and the research exemption. The article shows that the normative weight of the consent requirement differs depending on the context for the health research in question. This more substantive approach to consent is reflected in the research exemption which allows for a more nuanced balancing of interests. However, because the GDPR articulates the exemption at an abstract and principled level, in practice the balance is struck at Member State level. Thus, the GDPR increases difficulties for EU cross-border health projects and impedes the policy goal of creating a harmonised regulatory framework for health research. The article argues that in order to address this problem, the European Data Protection Board should provide specific guidance on the operation of consent in health research.
23
Høstmælingen N, Bentzen HB. The EU’s General Data Protection Regulation has two faces. Tidsskr Nor Laegeforen 2019; 139:19-0166. [PMID: 30969048 DOI: 10.4045/tidsskr.19.0166] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/02/2022] Open
24
Lorè F. [Il responsabile del trattamento]. G Ital Nefrol 2019; 36:36-2-2019-16. [PMID: 30983183] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 06/09/2023]
25
Affiliation(s)
- David S Watson
- Oxford Internet Institute, University of Oxford, 1 St Giles', Oxford OX1 3JS, UK
- Centre for Translational Bioinformatics, William Harvey Research Institute, Queen Mary University of London, London, UK
- The Alan Turing Institute, London, UK
- Jenny Krutzinna
- Oxford Internet Institute, University of Oxford, 1 St Giles', Oxford OX1 3JS, UK
- Ian N Bruce
- Arthritis Research UK Centre for Epidemiology, Centre for Musculoskeletal Research, Faculty of Biology Medicine and Health, The University of Manchester, Manchester, UK
- NIHR Manchester Biomedical Research Centre, Manchester University Hospitals NHS Foundation Trust, Manchester M13 9WL, UK
- Christopher Em Griffiths
- NIHR Manchester Biomedical Research Centre, Manchester University Hospitals NHS Foundation Trust, Manchester M13 9WL, UK
- The Dermatology Centre, Salford Royal NHS Foundation Trust, The University of Manchester, Salford, UK
- Iain B McInnes
- Institute of Infection, Immunity and Inflammation, University of Glasgow, Glasgow, UK
- Michael R Barnes
- Centre for Translational Bioinformatics, William Harvey Research Institute, Queen Mary University of London, London, UK
- The Alan Turing Institute, London, UK
- Luciano Floridi
- Oxford Internet Institute, University of Oxford, 1 St Giles', Oxford OX1 3JS, UK
- The Alan Turing Institute, London, UK
26
Abstract
Precision medicine research is rapidly taking a lead role in the pursuit of new ways to improve health and prevent disease, but also presents new challenges for protecting human subjects. The extent to which the current "web" of legal protections, including technical data security measures, as well as measures to restrict access or prevent misuse of research data, will protect participants in this context remains largely unknown. Understanding the strength, usefulness, and limitations of this constellation of laws, regulations, and procedures is critical to ensuring not only that participants are protected, but also that their participation decisions are accurately informed. To address these gaps, we conducted in-depth interviews with a diverse group of 60 thought-leaders to explore their perspectives on the protections associated with precision medicine research.
Affiliation(s)
- Catherine M Hammack
- Catherine M. Hammack, M.A., J.D., is an Associate in Health Policy in the Center for Biomedical Ethics & Society at Vanderbilt University Medical Center (Nashville, TN). Kathleen M. Brelsford, M.P.H., Ph.D., is a Research Assistant Professor in the Center for Biomedical Ethics & Society at Vanderbilt University Medical Center (Nashville, TN). Laura M. Beskow, M.P.H., Ph.D., is a Professor of Health Policy and Ann Geddes Stahlman Chair in Medical Ethics in the Center for Biomedical Ethics & Society at Vanderbilt University Medical Center (Nashville, TN)
- Kathleen M Brelsford
- Laura M Beskow
27
Abstract
Open science has recently gained traction as establishment institutions have come on-side and thrown their weight behind the movement and initiatives aimed at creation of information commons. At the same time, the movement's traditional insistence on unrestricted dissemination and reuse of all information of scientific value has been challenged by the movement to strengthen protection of personal data. This article assesses tensions between open science and data protection, with a focus on the GDPR.
Affiliation(s)
- Mark Phillips
- Mark Phillips is an Academic Associate at the Centre of Genomics and Policy at McGill University. He is also a practicing member of the Quebec Bar Association. Bartha M. Knoppers, Ph.D., is the Director of the Centre of Genomics and Policy at McGill University
- Bartha M Knoppers
28
Refsum E, Helsingen LM, Jodal HC, Løberg M, Høstmælingen N, Kalager M. Data protection – an obstacle course. Tidsskr Nor Laegeforen 2019; 139:19-0077. [PMID: 30808102 DOI: 10.4045/tidsskr.19.0077] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/02/2022] Open
29
Brean A. Data protection in a vacuum? Tidsskr Nor Laegeforen 2019; 139:19-0092. [PMID: 30754937 DOI: 10.4045/tidsskr.19.0092] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/02/2022] Open
30
Clarke N, Vale G, Reeves EP, Kirwan M, Smith D, Farrell M, Hurl G, McElvaney NG. GDPR: an impediment to research? Ir J Med Sci 2019; 188:1129-1135. [PMID: 30734900 DOI: 10.1007/s11845-019-01980-2] [Citation(s) in RCA: 25] [Impact Index Per Article: 5.0] [Received: 01/25/2019] [Accepted: 01/29/2019] [Indexed: 11/26/2022]
Abstract
BACKGROUND The recent introduction of the General Data Protection Regulation and Health Research Regulations has been an area of significant concern for those engaged in clinical research. These European regulations, following subsequent interpretation by Ireland's Department of Health, now place Ireland in a unique position which differs substantially from other European countries and may prove a significant impediment to Irish clinical research, depriving Irish patients of timely access to potentially life-saving treatments and making Ireland less attractive to pharmaceutical companies engaged in this area. At the very least, the regulations, as applied in Ireland, will place a significant extra burden of work on Ireland's clinical researchers and at their worst will force individuals and institutions out of the clinical research field, which will result in significant loss to the Irish knowledge economy and lead to the detriment of patient care. AIM In this article, we explore what exactly is proposed by Europe's GDPR and by Ireland's Health Research Regulations. We look at the challenges presented to clinical researchers, and we highlight those areas, which need clarification by the Department of Health and by the Data Protection Commissioner. CONCLUSIONS We propose five recommendations, which would ameliorate some of the more restrictive impositions of these regulations. This review was commissioned by the Irish Academy of Medical Science.
Affiliation(s)
- Niamh Clarke
- Beaumont Hospital Ethics (Medical Research) Committee, Beaumont Hospital, Dublin, Ireland
- Royal College of Surgeons in Ireland, Beaumont Hospital, Dublin 9, Ireland
- Gillian Vale
- Beaumont Hospital Ethics (Medical Research) Committee, Beaumont Hospital, Dublin, Ireland
- Emer P Reeves
- Beaumont Hospital Ethics (Medical Research) Committee, Beaumont Hospital, Dublin, Ireland.
- Royal College of Surgeons in Ireland, Beaumont Hospital, Dublin 9, Ireland.
- Mary Kirwan
- Beaumont Hospital Ethics (Medical Research) Committee, Beaumont Hospital, Dublin, Ireland
- Royal College of Surgeons in Ireland, Beaumont Hospital, Dublin 9, Ireland
- David Smith
- Beaumont Hospital Ethics (Medical Research) Committee, Beaumont Hospital, Dublin, Ireland
- Royal College of Surgeons in Ireland, Beaumont Hospital, Dublin 9, Ireland
- Michael Farrell
- Beaumont Hospital Ethics (Medical Research) Committee, Beaumont Hospital, Dublin, Ireland
- Gerard Hurl
- Irish Academy of Medical Sciences, Dublin, Ireland
- Noel G McElvaney
- Beaumont Hospital Ethics (Medical Research) Committee, Beaumont Hospital, Dublin, Ireland
- Royal College of Surgeons in Ireland, Beaumont Hospital, Dublin 9, Ireland
- Irish Academy of Medical Sciences, Dublin, Ireland
31
Spencer A, Patel S. Applying the Data Protection Act 2018 and General Data Protection Regulation principles in healthcare settings. Nurs Manag (Harrow) 2019; 26:34-40. [PMID: 31468753 DOI: 10.7748/nm.2019.e1806] [Citation(s) in RCA: 9] [Impact Index Per Article: 1.8] [Accepted: 11/22/2018] [Indexed: 10/27/2022]
Abstract
The Data Protection Act (DPA) of 1998 was radically updated in 2018 and since then there has been much media coverage about the General Data Protection Regulation (GDPR). Recent headlines have featured well known organisations that have been fined under the DPA 1998. This article describes the recent changes in data protection law, including the principles behind the DPA and GDPR, highlights patients' rights and how nurses can advocate for the protection of patients' personal data, and outlines nurses' role in ensuring that the principles of data protection are implemented fully as part of patient care delivery.
32
Grimm DJ. The Dark Data Quandary. Am Univ Law Rev 2019; 68:761-821. [PMID: 30919611] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 06/09/2023]
Abstract
The digital universe remains a black box. Despite attaining high-technology capabilities like artificial intelligence and cognitive computing, "Big Data" analytics have failed to keep pace with surging data production. At the same time, the falling costs of cloud storage and distributed systems have made mass data storage cheaper and more accessible. These effects have produced a chasm between data that is stored and data that can be readily analyzed and understood. Enticed by the promise of extracting future value from rising data stockpiles, organizations now retain massive quantities of data that they cannot presently know or effectively manage. This rising sea of "dark data" now represents the vast majority of the digital universe. Dark data presents a quandary for organizations and the judicial system. For organizations, the inability to know the contents of retained dark data produces invisible risk under a spreading patchwork of digital privacy and data governance laws, most notably in the medical and consumer protection areas. For courts increasingly confronted with Big Data-derived evidence, dark data may shield critical information from judicial view while embedding subjective influences within seemingly objective methods. To avoid obscuring organizational risk and producing erroneous outcomes in the courtroom, decision-makers must achieve a new awareness of dark data’s presence and its ability to undermine Big Data’s vaunted advantages.
33
Sadat MN, Aziz MMA, Mohammed N, Chen F, Jiang X, Wang S. SAFETY: Secure gwAs in Federated Environment through a hYbrid Solution. IEEE/ACM Trans Comput Biol Bioinform 2019; 16:93-102. [PMID: 29993695 PMCID: PMC6411680 DOI: 10.1109/tcbb.2018.2829760] [Citation(s) in RCA: 12] [Impact Index Per Article: 2.4] [Indexed: 05/04/2023]
Abstract
Recent studies demonstrate that effective healthcare can benefit from using the human genomic information. Consequently, many institutions are using statistical analysis of genomic data, which are mostly based on genome-wide association studies (GWAS). GWAS analyze genome sequence variations in order to identify genetic risk factors for diseases. These studies often require pooling data from different sources together in order to unravel statistical patterns, and relationships between genetic variants and diseases. Here, the primary challenge is to fulfill one major objective: accessing multiple genomic data repositories for collaborative research in a privacy-preserving manner. Due to the privacy concerns regarding the genomic data, multi-jurisdictional laws and policies of cross-border genomic data sharing are enforced among different countries. In this article, we present SAFETY, a hybrid framework, which can securely perform GWAS on federated genomic datasets using homomorphic encryption and recently introduced secure hardware component of Intel Software Guard Extensions to ensure high efficiency and privacy at the same time. Different experimental settings show the efficacy and applicability of such hybrid framework in secure conduction of GWAS. To the best of our knowledge, this hybrid use of homomorphic encryption along with Intel SGX is not proposed to this date. SAFETY is up to 4.82 times faster than the best existing secure computation technique.
Affiliation(s)
- Md Nazmus Sadat
- Department of Computer Science, University of Manitoba, Winnipeg, MB, R3T 2N2, Canada
- Md Momin Al Aziz
- Department of Computer Science, University of Manitoba, Winnipeg, MB, R3T 2N2, Canada
- Noman Mohammed
- Department of Computer Science, University of Manitoba, Winnipeg, MB, R3T 2N2, Canada
- Feng Chen
- Department of Biomedical Informatics, University of California San Diego, La Jolla, CA, 92093, USA
- Xiaoqian Jiang
- Department of Biomedical Informatics, University of California San Diego, La Jolla, CA, 92093, USA
- Shuang Wang
- Department of Biomedical Informatics, University of California San Diego, La Jolla, CA, 92093, USA
34
Na L, Yang C, Lo CC, Zhao F, Fukuoka Y, Aswani A. Feasibility of Reidentifying Individuals in Large National Physical Activity Data Sets From Which Protected Health Information Has Been Removed With Use of Machine Learning. JAMA Netw Open 2018; 1:e186040. [PMID: 30646312 PMCID: PMC6324329 DOI: 10.1001/jamanetworkopen.2018.6040] [Citation(s) in RCA: 62] [Impact Index Per Article: 10.3] [Indexed: 11/14/2022] Open
Abstract
IMPORTANCE Despite data aggregation and removal of protected health information, there is concern that deidentified physical activity (PA) data collected from wearable devices can be reidentified. Organizations collecting or distributing such data suggest that the aforementioned measures are sufficient to ensure privacy. However, no studies, to our knowledge, have been published that demonstrate the possibility or impossibility of reidentifying such activity data. OBJECTIVE To evaluate the feasibility of reidentifying accelerometer-measured PA data, which have had geographic and protected health information removed, using support vector machines (SVMs) and random forest methods from machine learning. DESIGN, SETTING, AND PARTICIPANTS In this cross-sectional study, the National Health and Nutrition Examination Survey (NHANES) 2003-2004 and 2005-2006 data sets were analyzed in 2018. The accelerometer-measured PA data were collected in a free-living setting for 7 continuous days. NHANES uses a multistage probability sampling design to select a sample that is representative of the civilian noninstitutionalized household (both adult and children) population of the United States. EXPOSURES The NHANES data sets contain objectively measured movement intensity as recorded by accelerometers worn during all walking for 1 week. MAIN OUTCOMES AND MEASURES The primary outcome was the ability of the random forest and linear SVM algorithms to match demographic and 20-minute aggregated PA data to individual-specific record numbers, and the percentage of correct matches by each machine learning algorithm was the measure. RESULTS A total of 4720 adults (mean [SD] age, 40.0 [20.6] years) and 2427 children (mean [SD] age, 12.3 [3.4] years) in NHANES 2003-2004 and 4765 adults (mean [SD] age, 45.2 [19.9] years) and 2539 children (mean [SD] age, 12.1 [3.4] years) in NHANES 2005-2006 were included in the study. 
The random forest algorithm successfully reidentified the demographic and 20-minute aggregated PA data of 4478 adults (94.9%) and 2120 children (87.4%) in NHANES 2003-2004 and 4470 adults (93.8%) and 2172 children (85.5%) in NHANES 2005-2006 (P < .001 for all). The linear SVM algorithm successfully reidentified the demographic and 20-minute aggregated PA data of 4043 adults (85.6%) and 1695 children (69.8%) in NHANES 2003-2004 and 4041 adults (84.8%) and 1705 children (67.2%) in NHANES 2005-2006 (P < .001 for all). CONCLUSIONS AND RELEVANCE This study suggests that current practices for deidentification of accelerometer-measured PA data might be insufficient to ensure privacy. This finding has important policy implications because it appears to show the need for deidentification that aggregates the PA data of multiple individuals to ensure privacy for single individuals.
Affiliation(s)
- Liangyuan Na
- Operations Research Center, Massachusetts Institute of Technology, Cambridge
- Cong Yang
- Department of Industrial Engineering and Operations Research, University of California, Berkeley
- Chi-Cheng Lo
- Department of Industrial Engineering and Operations Research, University of California, Berkeley
- Fangyuan Zhao
- Tsinghua-Berkeley Shenzhen Institute, Tsinghua University, Shenzhen, China
- Yoshimi Fukuoka
- Institute For Health & Aging, Department of Physiological Nursing, University of California, San Francisco
- Anil Aswani
- Department of Industrial Engineering and Operations Research, University of California, Berkeley
35
Lorè F. [Records of processing activities]. G Ital Nefrol 2018; 35:35-6-2018-15. [PMID: 30550045] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 06/09/2023]
36
van Veen EB. Observational health research in Europe: understanding the General Data Protection Regulation and underlying debate. Eur J Cancer 2018; 104:70-80. [PMID: 30336359 DOI: 10.1016/j.ejca.2018.09.032] [Citation(s) in RCA: 39] [Impact Index Per Article: 6.5] [Received: 09/27/2018] [Accepted: 09/27/2018] [Indexed: 01/26/2023]
Abstract
Insights into the incidence and survival of cancer, the influence of lifestyle and environmental factors and the interaction of treatment regimens with outcomes are hugely dependent on observational research, patient data derived from the healthcare system and from volunteers participating in cohort studies, often non-selective. Since 25th May 2018, the European General Data Protection Regulation (GDPR) applies to such data. The GDPR focusses on more individual control for data subjects of 'their' data. Yet, the GDPR was preceded by a long debate. The research community participated actively in that debate, and as a result, the GDPR has research exemptions as well. Some of those apply directly; other exemptions need to be implemented into national law. Those exemptions will be discussed together with a general outline of the GDPR. I propose a substantive definition of research-absent in the GDPR-which can warrant its special status in the GDPR. The debate is not over yet. Most legal texts exhibit ambiguity and are interpreted against a background of values. In this case, those could be subsumed under informational self-determination versus solidarity and the deeper meaning of autonomy. Values will also guide national implementation and their interpretation. The value of individual control or informational self-determination should be balanced by nuanced visions about our mutual dependency in healthcare, as an ever-learning system, especially in the European solidarity-based healthcare systems. Good research governance might be a way forward to escape the consent or anonymise dichotomy.
Affiliation(s)
- Evert-Ben van Veen
- MLC Foundation, Dagelijkse Groenmarkt 2, 2513 AL Den Haag, the Netherlands.
37
Negrouk A, Lacombe D. Does GDPR harm or benefit research participants? An EORTC point of view. Lancet Oncol 2018; 19:1278-1280. [PMID: 30303112 DOI: 10.1016/s1470-2045(18)30620-x] [Citation(s) in RCA: 10] [Impact Index Per Article: 1.7] [Received: 08/09/2018] [Revised: 08/10/2018] [Accepted: 08/13/2018] [Indexed: 11/15/2022]
Affiliation(s)
- Anastassia Negrouk
- European Organisation for Research and Treatment of Cancer, Brussels 1200, Belgium.
- Denis Lacombe
- European Organisation for Research and Treatment of Cancer, Brussels 1200, Belgium
38
Groenewegen WA, van de Putte EM. [General Data Protection Regulation and medical research: friend or foe?]. Ned Tijdschr Geneeskd 2018; 162:D3308. [PMID: 30379505] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 06/08/2023]
Abstract
As of May 2018, the use of personal data in medical research is regulated under the General Data Protection Regulation (GDPR). While, as before, in principle patients' consent for the use of their personal data is still required, exemptions for medical research still exist. When all of the criteria for the exemptions are met, and the other requirements of the GDPR are adhered to, personal data can be used in medical research without consent. In this paper we present a brief outline of a number of GDPR-related requirements for use of personal data in medical research. Furthermore, we discuss how GDPR interlinks with the Medical Research Involving Human Subjects Act (WMO) and in which areas GDPR remains subject to interpretation. Medical researchers using personal data need to be aware when consent is required and on which grounds personal data can be used without consent in the Netherlands.
39
Mendelson D. The European Union General Data Protection Regulation (EU 2016/679) and the Australian My Health Record Scheme - A Comparative Study of Consent to Data Processing Provisions. J Law Med 2018; 26:23-38. [PMID: 30302970] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 06/08/2023]
Abstract
As a general rule, lawfulness of data processing under the European Union General Data Protection Regulation (EU 2016/679) (GDPR) is based on affirmative, unambiguous, voluntary, informed, and specific or "granular" consent to processing of their data, including health data, by individuals referred to as data subjects. The GDPR grants data subjects the legal right to specifically agree to (or refuse) having their data processed in any of the ways statutorily defined as "processing". Individuals also have the legal right to be fully informed about each and every intended use of their data by data processors and controllers, and the right to refuse such use. In Australia, once registered on the My Health Record (MHR) system, "healthcare recipients" as patients-cum-data subjects are called under the MHR scheme, have the right to remove documents from their MHR files and block some health care providers from accessing their data. However, this study demonstrates that the notion of "standing" consent that the MHR scheme appears to have created does not conform to any of the principles and rules governing data subjects' consent rights under GDPR.
40
Plötz FB, Bekhof J. [The General Data Protection Regulation and clinical guidelines evaluation]. Ned Tijdschr Geneeskd 2018; 162:D2915. [PMID: 30358372] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 06/08/2023]
Abstract
The General Data Protection Regulation (GDPR), which has replaced previous privacy legislation, came into full effect in the European Union in May 2018. This paper discusses the implications of the GDPR for the handling of health care data when evaluating clinical guidelines. Guideline evaluation is mandatory in order to improve the quality of health care. Following the implementation of the GDPR, there has been increased awareness that it is now mandatory to obtain consent and to provide patient information letters if patient data are not given anonymously.
Affiliation(s)
- Frans B Plötz
- Tergooi, afd. Kindergeneeskunde, Blaricum
- Contact: F.B. Plötz
41
42
Abstract
There are various dento-legal considerations when adopting digital technologies, including record systems and issues surrounding communications in an increasingly social media driven world.
43
Abstract
The evolution of genomic research and its integration into clinical practice, as they become international, even global, endeavors, has brought us to a place where scientists and clinicians may now only ignore the rules governing international data sharing at their own peril. Open data policies, on the one hand, increasingly require custodians of others' genomic data to make it as widely available as feasible, including to researchers in other countries. Data protection law, on the other, has become a significant hurdle to the sharing of personal data across jurisdictional borders. The space between these two competing duties is narrowing. In contrast with the other texts in this volume, which explore the present and future of data sharing and data protection, this article's focus is on the past. It centres on the historical development of the data protection rules regarding the international transfer of personal data up to the present. The article's aim is to bring into focus the underlying objectives that have influenced and that will continue to influence the way that data protection rules are applied to the fields of genomics and health, as well as future developments in data protection generally. The first part of this article describes the development of international data-sharing data protection rules since 1970. The second considers difficulties in applying general data protection rules to the specific context of genomics and health. The third and final part compares the options available to comply with the international transfer restrictions set out in the standard-setting EU General Data Protection Regulation from a genomics perspective.
Affiliation(s)
- Mark Phillips
- Centre of Genomics and Policy, McGill University, Montreal, QC, H3A 0G1, Canada.
44
Abstract
This paper provides an overview of US laws and related guidance documents affecting transfer of genomic data to third countries, addressing the domains of consent, privacy, security, compatible processing/adequacy, and oversight. In general, US laws governing research and disclosure and use of data generated within the health care system do not impose different requirements on transfers to researchers and service providers based in third countries compared with US-based researchers or service providers. Of note, the US lacks a comprehensive data protection regime. Data protections are piecemeal, spread across bodies of law that target specific kinds of research or data generated or held by specific kinds of actors involved in the delivery of health care. Oversight is also distributed across a range of bodies, including institutional review boards and data access committees. The conclusion to this paper examines future directions in US law and policy, including proposals for more comprehensive protections for personal data.
Affiliation(s)
- Mary Anderlik Majumder
- Center for Medical Ethics and Health Policy, Baylor College of Medicine, One Baylor Plaza, Houston, TX, 77030, USA.
45
Taylor MJ, Dove ES, Laurie G, Townend D. When can the Child Speak for Herself? The Limits of Parental Consent in Data Protection Law for Health Research. Med Law Rev 2018; 26:369-391. [PMID: 29140477 PMCID: PMC6093478 DOI: 10.1093/medlaw/fwx052] [Citation(s) in RCA: 9] [Impact Index Per Article: 1.5] [Indexed: 06/07/2023]
Abstract
Draft regulatory guidance suggests that if the processing of a child's personal data begins with the consent of a parent, then there is a need to find and defend an enduring consent through the child's growing capacity and on to their maturity. We consider the implications for health research of the UK Information Commissioner's Office's (ICO) suggestion that the relevant test for maturity is the Gillick test, originally developed in the context of medical treatment. Noting the significance of the welfare principle to this test, we examine the implications for the responsibilities of a parent to act as proxy for their child. We argue, contrary to draft ICO guidance, that a data controller might legitimately continue to rely upon parental consent as a legal basis for processing after a child is old enough to provide her own consent. Nevertheless, we conclude that data controllers should develop strategies to seek fresh consent from children as soon as practicable after the data controller has reason to believe they are mature enough to consent independently. Techniques for effective communication, recommended to address challenges associated with Big Data analytics, might have a role here in addressing the dynamic relationship between data subject and processing. Ultimately, we suggest that fair and lawful processing of a child's data will be dependent upon data controllers taking seriously the truism that consent is ongoing, rather than a one-time event: the core associated responsibility is to continue to communicate with a data subject regarding the processing of personal data.
Affiliation(s)
- David Townend
- Department of Health, Ethics & Society and CAPHRI Care and Public Health Research School, Maastricht University, The Netherlands
46
47
Affiliation(s)
- Michelle M Mello
- Stanford Law School, Department of Health Research and Policy, Stanford University School of Medicine, Stanford, California
48
Lorè F. [Privacy by Design in GDPR]. G Ital Nefrol 2018; 35:35-2018-11. [PMID: 30035450] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 06/08/2023]
49
Lorè F. [Waiting for General Data Protection Regulation]. G Ital Nefrol 2018; 35:2018-vol3-13. [PMID: 29786191] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 06/08/2023]
50
Abstract
Using the metaphor and actuality of the 'everyday cyborg', this article makes the case that the law is ill-equipped to deal with challenges raised by the linking of the organic, biological person with synthetic, inorganic parts and devices. For instance, should internal medical devices that keep the person alive be viewed as part of the person or mere objects (or something else)? Is damage to neuro-prostheses (eg nervous system integrated limb prostheses) personal injury or damage to property? Who ought to control/own the software in implanted medical devices? And how should the law deal with risks around third-party device access (including that of unauthorised access and hacking)? We argue that satisfactorily answering such questions will likely require a re-analysis of the conceptual and philosophical underpinnings of the law, as well as the law itself. To demonstrate this, we examine the uncharted terrain which everyday cyborgs pose for the law, looking in particular at five areas: (i) medical device regulation, safety, and product liability; (ii) damage to devices and liability; (iii) data and privacy; (iv) security and biohacking; and (v) intellectual property rights. The article highlights how advancing biotechnology continues to reveal, and prompts us to confront, lacunae within the law. Our analysis calls particular attention to law's boundary-work (how the law utilises and incorporates supposed ontological and moral boundaries) and the challenges which everyday cyborgs pose to this.
Affiliation(s)
- Muireann Quigley
- Birmingham Law School, University of Birmingham, Edgbaston, B15 2TT, UK
- Semande Ayihongbe
- Newcastle Law School, Newcastle University, 21-24 Windsor Terrace, Newcastle, NE1 7RU, UK