1
[Nationally standardized broad consent in practice: initial experiences, current developments, and critical assessment]. Bundesgesundheitsblatt Gesundheitsforschung Gesundheitsschutz 2024:10.1007/s00103-024-03878-6. [PMID: 38639817 DOI: 10.1007/s00103-024-03878-6] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Received: 12/14/2023] [Accepted: 04/02/2024] [Indexed: 04/20/2024]
Abstract
BACKGROUND The digitalization in the healthcare sector promises a secondary use of patient data in the sense of a learning healthcare system. For this, the Medical Informatics Initiative's (MII) Consent Working Group has created an ethical and legal basis with standardized consent documents. This paper describes the systematically monitored introduction of these documents at the MII sites. METHODS The monitoring of the introduction included regular online surveys, an in-depth analysis of the introduction processes at selected sites, and an assessment of the documents in use. In addition, inquiries and feedback from a large number of stakeholders were evaluated. RESULTS The online surveys showed that 27 of the 32 sites have gradually introduced the consent documents productively, with a current total of 173,289 consents. The analysis of the implementation procedures revealed heterogeneous organizational conditions at the sites. The requirements of various stakeholders were met by developing and providing supplementary versions of the consent documents and additional information materials. DISCUSSION The introduction of the MII consent documents at the university hospitals creates a uniform legal basis for the secondary use of patient data. However, the comprehensive implementation within the sites remains challenging. Therefore, minimum requirements for patient information and supplementary recommendations for best practice must be developed. The further development of the national legal framework for research will not render the participation and transparency mechanisms developed here obsolete.

2
Reply to Condello. Eur J Cardiothorac Surg 2023; 64:ezad382. [PMID: 37951583 DOI: 10.1093/ejcts/ezad382] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Received: 10/28/2023] [Accepted: 11/08/2023] [Indexed: 11/14/2023] Open

3
[Legal integration of artificial intelligence into internal medicine : Data protection, regulatory, reimbursement and liability questions]. INNERE MEDIZIN (HEIDELBERG, GERMANY) 2023; 64:1044-1050. [PMID: 37861724 DOI: 10.1007/s00108-023-01598-8] [Citation(s) in RCA: 1] [Impact Index Per Article: 1.0] [Accepted: 09/14/2023] [Indexed: 10/21/2023]
Abstract
Artificial intelligence (AI) opens up new opportunities to improve medical care in internal medicine; however, legal uncertainties in the application of AI impede its integration into the daily practice of internal medicine. To clarify the situation this paper gives an overview of the legal aspects related to AI and shows which frameworks must be adhered to in order to exploit the benefits of AI without neglecting the rights and protection of patients. The paper first addresses data protection issues which arise when sensitive health data are processed by AI. This is followed by a discussion of the key regulatory requirements for the use of AI in internal medicine. As the establishment of AI in practice also depends on sufficient funding, legal issues of reimbursement are additionally examined. Finally, the specific features that need to be considered when using AI to avoid medical liability consequences are highlighted.

4
Digital Platform for Continuous Monitoring of Patients Using a Smartwatch: Longitudinal Prospective Cohort Study. JMIR Form Res 2023; 7:e47388. [PMID: 37698916 PMCID: PMC10523215 DOI: 10.2196/47388] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Received: 03/17/2023] [Revised: 08/01/2023] [Accepted: 08/02/2023] [Indexed: 09/13/2023] Open
Abstract
BACKGROUND Since the COVID-19 pandemic, there has been a boost in the digital transformation of the human society, where wearable devices such as a smartwatch can already measure vital signs in a continuous and naturalistic way; however, the security and privacy of personal data is a challenge to expanding the use of these data by health professionals in clinical follow-up for decision-making. Similar to the European General Data Protection Regulation, in Brazil, the Lei Geral de Proteção de Dados established rules and guidelines for the processing of personal data, including those used for patient care, such as those captured by smartwatches. Thus, in any telemonitoring scenario, there is a need to comply with rules and regulations, making this issue a challenge to overcome. OBJECTIVE This study aimed to build a digital solution model for capturing data from wearable devices and making them available in a safe and agile manner for clinical and research use, following current laws. METHODS A functional model was built following the Brazilian Lei Geral de Proteção de Dados (2018), where data captured by smartwatches can be transmitted anonymously over the Internet of Things and be identified later within the hospital. A total of 80 volunteers were selected for a 24-week follow-up clinical trial divided into 2 groups, one group with a previous diagnosis of COVID-19 and a control group without a previous diagnosis of COVID-19, to measure the synchronization rate of the platform with the devices and the accuracy and precision of the smartwatch in out-of-hospital conditions to simulate remote monitoring at home. RESULTS In a 35-week clinical trial, >11.2 million records were collected with no system downtime; 66% of continuous beats per minute were synchronized within 24 hours (79% within 2 days and 91% within a week). 
In the limit of agreement analysis, the mean differences in oxygen saturation, diastolic blood pressure, systolic blood pressure, and heart rate were -1.280% (SD 5.679%), -1.399 (SD 19.112) mm Hg, -1.536 (SD 24.244) mm Hg, and 0.566 (SD 3.114) beats per minute, respectively. Furthermore, there was no difference in the 2 study groups in terms of data analysis (neither using the smartwatch nor the gold-standard devices), but it is worth mentioning that all volunteers in the COVID-19 group were already cured of the infection and were highly functional in their daily work life. CONCLUSIONS On the basis of the results obtained, considering the validation conditions of accuracy and precision and simulating an extrahospital use environment, the functional model built in this study is capable of capturing data from the smartwatch and anonymously providing it to health care services, where they can be treated according to the legislation and be used to support clinical decisions during remote monitoring.

5
The significance of general data protection regulation in the compliant data contribution to the European Society of Thoracic Surgeons database. Eur J Cardiothorac Surg 2023; 64:ezad289. [PMID: 37589648 DOI: 10.1093/ejcts/ezad289] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Received: 07/22/2023] [Accepted: 08/16/2023] [Indexed: 08/18/2023] Open
Abstract
The General Data Protection Regulation (GDPR), enacted in the European Union in 2018, has significantly transformed the landscape of personal data management and protection. This article provides an overview of GDPR's impact, focusing on its applicability, fundamental principles and influence on data management practices, particularly within the European Society of Thoracic Surgeons (ESTS) database. GDPR's reach extends to all entities collecting and processing personal data of European Union residents, regardless of their location. It encompasses various data types, emphasizing meticulous handling and protection of identifiable information. Special categories of data, such as health and sensitive attributes, require even more stringent protection. The regulation sets legal, fair and transparent data processing principles, emphasizing accuracy, purpose limitation and data minimization. It also stresses accountability, leading to the appointment of Data Protection Officers and significant penalties for non-compliance. The ESTS database, designed to enhance thoracic surgical research and care, collects data on European procedures. It follows GDPR principles by pseudonymizing data, ensuring secure data transmission and providing clear instructions for data submission. The database contributes to research, policymaking and practice improvement in thoracic surgery by offering a comprehensive dataset for analysis. Here, we aim to shed light on the complexities of GDPR implementation and emphasize the need for comprehensive data management strategies to ensure compliance and enhance privacy protection with the contribution to the ESTS database. GDPR compliance comes with challenges, including potential human dignity and privacy rights violations. Data breaches can result in unauthorized disclosures, and non-compliance can lead to substantial fines and reputational damage. 
The implementation of GDPR encourages organizations to prioritize ethical data practices, security measures and transparent data handling. In conclusion, GDPR has revolutionized personal data protection by emphasizing accountability, transparency and individual rights. It has impacted organizations globally, promoting responsible data management practices. Adhering to GDPR ensures privacy protection, trust-building and overall enhancement of data management in today's data-driven environment.

6
Record linkage of routine and cohort data of children in Portugal: challenges and opportunities when using record linkage as a tool for scientific research. MEDICAL LAW REVIEW 2023; 31:247-271. [PMID: 36240458 DOI: 10.1093/medlaw/fwac040] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 05/26/2023]
Abstract
Linking records could serve as a useful tool for scientific research and as a facilitator for local policymaking. This article examines the challenges and opportunities for researchers to lawfully link routinely collected health and education data with cohort data of children when using it as a tool for scientific research in Portugal. Such linking can be lawfully conducted in Portugal if three requirements are met. First, data processing pursues a legitimate purpose, such as scientific research. Secondly, data linking complies with the legal obligations of research entities and researchers, acting as data controllers or processors, and it respects the rights of children as data subjects. Finally, data linking is based on the explicit written consent of those with parental responsibility for the child. So far, the implementation of the General Data Protection Regulation in Portugal has not facilitated record linkage. It is argued that further harmonised implementation of that Regulation across European Union and European Economic Area Member States, establishing a minimum shared denominator for record linkage in scientific research for the common good, including without explicit consent, is needed.

7
[The limits of internal medicine]. INNERE MEDIZIN (HEIDELBERG, GERMANY) 2023:10.1007/s00108-023-01501-5. [PMID: 37052623 PMCID: PMC10098989 DOI: 10.1007/s00108-023-01501-5] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Accepted: 03/01/2023] [Indexed: 04/14/2023]
Abstract
"The limits of internal medicine" was the congress motto of the 128th Congress of the German Society of Internal Medicine in Wiesbaden in 2022. In his presidential address Prof. Lerch focused on four aspects of this motto: physician-assisted suicide, lessons from the corona pandemic, deficits in the digitalization of the German healthcare system and the German Sonderweg in applying EU regulations for patient data protection. Using data from Canada, Switzerland and the Netherlands, where different forms of physician-assisted suicide are practiced, Prof. Lerch appealed to internists, specifically in family practices, to confront this issue in view of a German Supreme Court ruling. With respect to the development of the corona pandemic he discussed the root causes of the opposition to vaccination in parts of society as well as the question why non-clinically active and only few clinical disciplines have shaped the discussion about corona protection measures in Germany. Another focus of his speech was the insufficient digital maturity of the German healthcare system, which clearly lags behind other countries with respect to digital transformation. Physicians need to become more involved in the digital transformation in order to reorganize the healthcare system for the benefit of the patients. The German Sonderweg in the application of the General Data Protection Regulation (GDPR) requires a new legal framework to enable a pragmatic and progressive use of patient data for medical research and patient safety.

8
Opportunities and Obstacles to the Development of Health Data Warehouses in Hospitals in France: The Recent Experience of Comprehensive Cancer Centers. INTERNATIONAL JOURNAL OF ENVIRONMENTAL RESEARCH AND PUBLIC HEALTH 2023; 20:1645. [PMID: 36674399 PMCID: PMC9861145 DOI: 10.3390/ijerph20021645] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Received: 12/22/2022] [Revised: 01/09/2023] [Accepted: 01/12/2023] [Indexed: 06/17/2023]
Abstract
Big Data and Artificial Intelligence can profoundly transform medical practices, particularly in oncology. Comprehensive Cancer Centers have a major role to play in this revolution. With the purpose of advancing our knowledge and accelerating cancer research, it is urgent to make this pool of data usable through the development of robust and effective data warehouses. Through the recent experience of Comprehensive Cancer Centers in France, this article shows that, while the use of hospital data warehouses can be a source of progress by taking into account multisource, multidomain and multiscale data for the benefit of knowledge and patients, it nevertheless raises technical, organizational and legal issues that still need to be addressed. The objectives of this article are threefold: 1. to provide insight on public health stakes of development in Comprehensive Cancer Centers to manage cancer patients comprehensively; 2. to set out a challenge of structuring the data from within them; 3. to outline the legal issues of implementation to carry out real-world evidence studies. To meet objective 1, this article firstly proposed a discussion on the relevance of an integrated approach to manage cancer and the formidable tool that data warehouses represent to achieve this. To address objective 2, we carried out a literature review to screen the articles published in PubMed and Google Scholar through the end of 2022 on the use of data warehouses in French Comprehensive Cancer Centers. Seven publications dealing specifically with the issue of data structuring were selected. To achieve objective 3, we presented and commented on the main aspects of French and European legislation and regulations in the field of health data, hospital data warehouses and real-world evidence.

9
Privacy engineering and the techno-regulatory imaginary. SOCIAL STUDIES OF SCIENCE 2022; 52:853-877. [PMID: 36000578 PMCID: PMC9676411 DOI: 10.1177/03063127221119424] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 06/15/2023]
Abstract
The European Union's General Data Protection Regulation (GDPR), in force since 2018, has introduced design-based approaches to data protection and the governance of privacy. In this article we describe the emergence of the professional field of privacy engineering to enact this shift in digital governance. We argue that privacy engineering forms part of a broader techno-regulatory imaginary through which (fundamental) rights protections become increasingly future-oriented and anticipatory. The techno-regulatory imaginary is described in terms of three distinct privacy articulations, implemented in technologies, organizations, and standardizations. We pose two interrelated questions: What happens to rights as they become implemented and enacted in new sites, through new instruments and professional practices? And, focusing on shifts to the nature of boundary work, we ask: What forms of legitimation can be discerned as privacy engineering is mobilized for the making of future digital markets and infrastructures?

10
Digital Biomarkers in Psychiatric Research: Data Protection Qualifications in a Complex Ecosystem. Front Psychiatry 2022; 13:873392. [PMID: 35757212 PMCID: PMC9225201 DOI: 10.3389/fpsyt.2022.873392] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Received: 02/11/2022] [Accepted: 05/13/2022] [Indexed: 11/13/2022] Open
Abstract
Psychiatric research traditionally relies on subjective observation, which is time-consuming and labor-intensive. The widespread use of digital devices, such as smartphones and wearables, enables the collection and use of vast amounts of user-generated data as "digital biomarkers." These tools may also support increased participation of psychiatric patients in research and, as a result, the production of research results that are meaningful to them. However, sharing mental health data and research results may expose patients to discrimination and stigma risks, thus discouraging participation. To earn and maintain participants' trust, the first essential requirement is to implement an appropriate data governance system with a clear and transparent allocation of data protection duties and responsibilities among the actors involved in the process. These include sponsors, investigators, operators of digital tools, as well as healthcare service providers and biobanks/databanks. While previous works have proposed practical solutions to this end, there is a lack of consideration of positive data protection law issues in the extant literature. To start filling this gap, this paper discusses the GDPR legal qualifications of controller, processor, and joint controllers in the complex ecosystem unfolded by the integration of digital biomarkers in psychiatric research, considering their implications and proposing some general practical recommendations.

11
Harmonization after the GDPR? Divergences in the rules for genetic and health data sharing in four member states and ways to overcome them by EU measures: Insights from Germany, Greece, Latvia and Sweden. Semin Cancer Biol 2021; 84:271-283. [PMID: 34896635 DOI: 10.1016/j.semcancer.2021.12.001] [Citation(s) in RCA: 5] [Impact Index Per Article: 1.7] [Received: 09/09/2021] [Revised: 11/30/2021] [Accepted: 12/02/2021] [Indexed: 11/18/2022]
Abstract
The EU member states' healthcare and health-related research sectors are both characterized by an emerging infrastructural coalescence on a national and European level. The culmination of this coalescence is the planned creation of a European Health Data Space, an EU-wide infrastructure for the processing of personal data for healthcare and for secondary uses such as scientific research. In contrast to growing technical interoperability, the legal framework for such integration is not yet defined in detail, particularly with regard to data protection law. Its development is accompanied by discussions about divergent member state implementations of the EU General Data Protection Regulation (GDPR) that affect data sharing between healthcare and scientific research actors and across various sectors driven by divergent processing purposes. The article presents four member states' main rules on data sharing based on the respective provision of the GDPR in six health-related contexts regarding data sharing across the healthcare and research sector and between the main actors of those sectors. The striking differences are then evaluated from the perspective of their factual effect on European data sharing depending on the legal characteristics of the GDPR provisions they rely on. Against this backdrop, the planned regulatory measures for the setup of the European Health Data Space are introduced and evaluated with regard to further harmonization between member states' laws and possibilities to overcome divergences in data protection rules relevant for European data sharing. The results of the analysis point to the conclusion that the destructive effect of divergent member state rules depends on the legal qualification of the EU provisions they rely on and that this qualification also determines which further EU regulatory measure would be the most effective to set the framework for the European Health Data Space.

12
Editorial: Ethical Machine Learning and Artificial Intelligence. Front Big Data 2021; 4:742589. [PMID: 34458725 PMCID: PMC8387579 DOI: 10.3389/fdata.2021.742589] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Received: 07/16/2021] [Accepted: 07/22/2021] [Indexed: 11/13/2022] Open

13
Development of a Web GIS for small-scale detection and analysis of COVID-19 (SARS-CoV-2) cases based on volunteered geographic information for the city of Cologne, Germany, in July/August 2020. Int J Health Geogr 2021; 20:40. [PMID: 34454536 PMCID: PMC8402967 DOI: 10.1186/s12942-021-00290-0] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.7] [Received: 05/18/2021] [Accepted: 08/07/2021] [Indexed: 11/10/2022] Open
Abstract
BACKGROUND Various applications have been developed worldwide to contain and to combat the coronavirus disease-19 (COVID-19) pandemic. In this context, spatial information is always of great significance. The aim of this study is to describe the development of a Web GIS based on open source products for the collection and analysis of COVID-19 cases and its feasibility in terms of technical implementation and data protection. METHODS With the help of this Web GIS, data on this issue were collected voluntarily from the Cologne area. Using house perimeters as a data basis, it was possible to check, in conjunction with the Official Topographic Cartographic Information System object type catalog, whether buildings with certain functions, for example residential building with trade and services, have been visited more frequently by infected persons than other types of buildings. In this context, data protection and ethical and legal issues were considered. RESULTS The results of this study show that the development of a Web GIS for the generation and evaluation of volunteered geographic information (VGI) with the help of open source software is possible. Furthermore, there are numerous data protection and ethical and legal aspects to consider, which not only affect VGI per se but also affect IT security. CONCLUSIONS From a data protection perspective, more attention needs to be paid to the intervention and post-processing of data. In addition, official data must always be used as a reference for the actual spatial consideration of the number of infections. However, VGI provides added value at a small-scale level, so that valid information can also be reliably derived in the context of health issues. The creation of guidelines for the consideration of data protection, ethical aspects, and legal requirements in the context of VGI-based applications must also be considered. 
Trial registration The article does not report the results of a health care intervention for human participants.

14
Remote monitoring of cardiac implanted electronic devices: legal requirements and ethical principles - ESC Regulatory Affairs Committee/EHRA joint task force report. Europace 2021; 22:1742-1758. [PMID: 32725140 DOI: 10.1093/europace/euaa168] [Citation(s) in RCA: 18] [Impact Index Per Article: 6.0] [Received: 04/15/2020] [Accepted: 05/25/2020] [Indexed: 11/13/2022] Open
Abstract
The European Union (EU) General Data Protection Regulation (GDPR) imposes legal responsibilities concerning the collection and processing of personal information from individuals who live in the EU. It has particular implications for the remote monitoring of cardiac implantable electronic devices (CIEDs). This report from a joint Task Force of the European Heart Rhythm Association and the Regulatory Affairs Committee of the European Society of Cardiology (ESC) recommends a common legal interpretation of the GDPR. Manufacturers and hospitals should be designated as joint controllers of the data collected by remote monitoring (depending upon the system architecture) and they should have a mutual contract in place that defines their respective roles; a generic template is proposed. Alternatively, they may be two independent controllers. Self-employed cardiologists also are data controllers. Third-party providers of monitoring platforms may act as data processors. Manufacturers should always collect and process the minimum amount of identifiable data necessary, and wherever feasible have access only to pseudonymized data. Cybersecurity vulnerabilities have been reported concerning the security of transmission of data between a patient's device and the transceiver, so manufacturers should use secure communication protocols. Patients need to be informed how their remotely monitored data will be handled and used, and their informed consent should be sought before their device is implanted. Review of consent forms in current use revealed great variability in length and content, and sometimes very technical language; therefore, a standard information sheet and generic consent form are proposed. Cardiologists who care for patients with CIEDs that are remotely monitored should be aware of these issues.

15
Developing Modern System in Healthcare to Detect Covid 19 Based on Internet of Things. MATERIALS TODAY. PROCEEDINGS 2021:S2214-7853(21)04331-5. [PMID: 34104630 PMCID: PMC8173540 DOI: 10.1016/j.matpr.2021.05.694] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.7] [Received: 05/21/2021] [Revised: 05/24/2021] [Accepted: 05/31/2021] [Indexed: 11/28/2022]
Abstract
In this paper, a medical platform has architecture that depends on middleware and database supports people with Coronavirus, and this platform mainly relies on three users. The first person is the administrator, who is separated into two groups of users: the doctor and the patient. The doctor has an app that questions through the patient so he knows the patient that is being visited and extracts the health identity from him, and he questions the patient for sending him an OTP in the event that the patient does not have a mobile screen or an Internet connection. Alternatively, if QR asks him if his laptop is smart and wired to the Internet, the person will be able to access the system after the doctor has examined them. The patient will examine himself through the devices he has, and the system will provide him with the results of his doctor. The doctor can write a prescription every time he sends new readings. If the prescription is correct, then the patient can keep it and increase the dose. Doctors will work on the prescription console that sends the prescription for cloud authentication and obtain an encrypted QR that will then be issued to the recipient of the drug. The patient has the privilege of studying medication details via the recipient's app. The privilege of viewing QR encrypted cloud data is for life. The drug issuing outlet can decode and issue the drug only as prescribed until the expiration date of the QR. The scheme is designed to promote and provide access to care facilities for both patients and physicians, and it complies with General Data Protection Regulation (GDPR).

16
'Leading by Science' through Covid-19: the NHS Data Store & Automated Decision-Making. Int J Popul Data Sci 2021; 5:1099. [PMID: 34164583 PMCID: PMC8189169 DOI: 10.23889/ijpds.v5i4.1402] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 12/03/2022] Open
Abstract
The UK government announced in March 2020 that it would create an NHS Covid-19 ‘Data Store’ from information routinely collected as part of the health service. This ‘Store’ would use a number of sources of population data to provide a ‘single source of truth’ about the spread of the coronavirus in England. The initiative illustrates the difficulty of relying on automated processing when making healthcare decisions under the General Data Protection Regulation (GDPR). The end-product of the store, a number of ‘dashboards’ for decision-makers, was intended to include models and simulations developed through artificial intelligence. Decisions made on the basis of these dashboards would be significant, even (it was suggested) to the point of diverting patients and critical resources between hospitals based on their predictions. How these models will be developed, and externally validated, remains unclear. This is an issue if they are intended to be used for decisions which will affect patients so directly and acutely. We have (by default) a right under the GDPR not to be subject to significant decisions based solely on automated decision-making. It is not obvious, at present, whether resource allocation within the NHS could take place in reliance on this automated modelling. The recent A Level debacle illustrates, in the context of education, the risks of basing life-changing decisions on the national application of a single equation. It is worth considering the potential consequences for the health service if the NHS Data Store is used for resource planning as part of the Covid-19 response.

17
Revolutionizing Medical Data Sharing Using Advanced Privacy-Enhancing Technologies: Technical, Legal, and Ethical Synthesis. J Med Internet Res 2021; 23:e25120. [PMID: 33629963 PMCID: PMC7952236 DOI: 10.2196/25120] [Citation(s) in RCA: 27] [Impact Index Per Article: 9.0] [Received: 10/19/2020] [Revised: 01/06/2021] [Accepted: 01/16/2021] [Indexed: 12/03/2022] Open
Abstract
Multisite medical data sharing is critical in modern clinical practice and medical research. The challenge is to conduct data sharing that preserves individual privacy and data utility. The shortcomings of traditional privacy-enhancing technologies mean that institutions rely upon bespoke data sharing contracts. The lengthy process and administration induced by these contracts increases the inefficiency of data sharing and may disincentivize important clinical treatment and medical research. This paper provides a synthesis between 2 novel advanced privacy-enhancing technologies: homomorphic encryption and secure multiparty computation (defined together as multiparty homomorphic encryption). These privacy-enhancing technologies provide a mathematical guarantee of privacy, with multiparty homomorphic encryption providing a performance advantage over separately using homomorphic encryption or secure multiparty computation. We argue multiparty homomorphic encryption fulfills legal requirements for medical data sharing under the European Union's General Data Protection Regulation which has set a global benchmark for data protection. Specifically, the data processed and shared using multiparty homomorphic encryption can be considered anonymized data. We explain how multiparty homomorphic encryption can reduce the reliance upon customized contractual measures between institutions. The proposed approach can accelerate the pace of medical research while offering additional incentives for health care and research institutes to employ common data interoperability standards.
|
18
|
General Data Protection Regulation (GDPR) in Healthcare: Hot Topics and Research Fronts. Stud Health Technol Inform 2020; 270:1118-1122. [PMID: 32570555 DOI: 10.3233/shti200336] [Citation(s) in RCA: 4] [Impact Index Per Article: 1.0] [Indexed: 11/15/2022]
Abstract
General Data Protection Regulation came into effect across the European Union in May 2018 but its implications in healthcare are yet to be fully understood. The aim of this study was to identify the fronts and hot topics in research on GDPR in healthcare. We analyzed the relevant records in Scopus through bibliometric and scientometric approach and visualization techniques. A set of 155 records was obtained and processed for co-occurrence analysis of key terms and concept mapping. The number of published papers showed a steep rise in the past two years, mainly by European countries. Analysis of the abstract of the papers showed that data protection, privacy, and big data were the most frequently used terms. Three dominant research fronts of GDPR are 1) general implications of GDPR, 2) technology aspects of GDPR, and 3) GDPR in healthcare service. Blockchain and machine learning are among the remerging topics of GDPR research.
|
19
|
COVID-19 Mobile Positioning Data Contact Tracing and Patient Privacy Regulations: Exploratory Search of Global Response Strategies and the Use of Digital Tools in Nigeria. JMIR Mhealth Uhealth 2020; 8:e19139. [PMID: 32310817 PMCID: PMC7187764 DOI: 10.2196/19139] [Citation(s) in RCA: 64] [Impact Index Per Article: 16.0] [Received: 04/05/2020] [Revised: 04/17/2020] [Accepted: 04/19/2020] [Indexed: 01/21/2023] Open
Abstract
Background The coronavirus disease (COVID-19) pandemic is the biggest global economic and health challenge of the century. Its effect and impact are still evolving, with deaths estimated to reach 40 million if unchecked. One effective and complementary strategy to slow the spread and reduce the impact is to trace the primary and secondary contacts of confirmed COVID-19 cases using contact tracing technology. Objective The objective of this paper is to survey strategies for digital contact tracing for the COVID-19 pandemic and to present how using mobile positioning data conforms with Nigeria’s data privacy regulations. Methods We conducted an exploratory review of current measures for COVID-19 contact tracing implemented around the world. We then analyzed how countries are using mobile positioning data technology to reduce the spread of COVID-19. We made recommendations on how Nigeria can adopt this approach while adhering to the guidelines provided by the National Data Protection Regulation (NDPR). Results Despite the potential of digital contact tracing, it always conflicts with patient data privacy regulations. We found that Nigeria’s response complies with the NDPR, and that it is possible to leverage call detail records to complement current strategies within the NDPR. Conclusions Our study shows that mobile position data contact tracing is important for epidemic control as long as it conforms to relevant data privacy regulations. Implementation guidelines will limit data misuse.
|
20
|
[Impact assessment on data protection in research projects]. GACETA SANITARIA 2020; 34:521-523. [PMID: 31980148 DOI: 10.1016/j.gaceta.2019.10.006] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Received: 09/12/2019] [Revised: 10/04/2019] [Accepted: 10/10/2019] [Indexed: 11/20/2022]
Abstract
Recent changes in European regulations for personal data protection still allow the use of health data for research purposes, but they have set the Impact Assessment on Data Protection as an instrument for reflection and risk analysis in the process of data processing. The publication of a guide for facilitates this impact assessment, although it is not directly applicable to research projects. Experience in a specific project is detailed, showing how the context of the treatment becomes relevant with respect to the data characteristics. Carrying out an impact assessment is an opportunity to ensure compliance with the principles of data protection in an increasingly complex environment with greater ethical challenges.
|
21
|
[Adaptation of the General Data Protection Regulation (GDPR) to a smartphone app for rhinitis and asthma (MASK-air®)]. Rev Mal Respir 2019; 36:1019-1031. [PMID: 31611024 DOI: 10.1016/j.rmr.2019.08.003] [Citation(s) in RCA: 12] [Impact Index Per Article: 2.4] [Received: 02/10/2019] [Accepted: 08/16/2019] [Indexed: 12/27/2022]
Abstract
The General Data Protection Regulation (GDPR) regulates the processing of personal data in the European Union. The legal context is adapted to follow the evolution of technologies and of society. This new European regulation became mandatory, especially for connected devices, on May 25, 2018. An app originally known as "The Allergy Diary" is available for Android phones and iPhones. Its name was recently changed to MASK-air. The downloading and use of this app are free of charge and there are no adverts. It enables users to record their symptoms and their medications to better track the progress of their allergic rhinitis and/or asthma. It has been developed by public (Foundation FMC VIA-LR, University of Montpellier) and private (KYomed INNOV) organizations based in France and therefore falls under French jurisdiction. This article summarizes the five main principles of personal data protection to be respected during the development of the app: purpose, proportionality and relevance, limited retention period, security and confidentiality, as well as the rights of the people who are involved in the management of the personal data (including withdrawal and modification).
|
22
|
Digital Oblivion (The Right to Be Forgotten): A Big Challenge for the Public Hospital Management in Greece. Stud Health Technol Inform 2019; 262:91-92. [PMID: 31349273 DOI: 10.3233/shti190024] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/15/2022]
Abstract
The purpose of this study is to ascertain the readiness of the public hospital in Greece to comply with the new Regulation for protecting personal data (GDPR). Qualitative research was carried out using structured interviews with experts and relevant hospital executives of the 2nd Health Region to collect the data. Despite the mandatory application of the new Regulation by Hospitals, the right to be forgotten and the other rights on personal data in healthcare are virtually not applicable.
|
23
|
Genetic research and consent: On the crossroads of human and data research. BIOETHICS 2019; 33:347-356. [PMID: 30070370 DOI: 10.1111/bioe.12475] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Received: 12/15/2017] [Revised: 04/22/2018] [Accepted: 05/20/2018] [Indexed: 06/08/2023]
Abstract
This paper explores the legal and ethical concept of human subject research in order to determine whether genetic research with already available biosamples and data falls within this concept. Although the ethical concept seems to have evolved to recognize research based on data as human research, from a supranational legal perspective this form of research is not considered human subject research. Thus human subject research regulations do not apply and therefore do not invoke the requirement of obtaining consent prior to using an individual's biosample or genetic data in research. Furthermore, it remains ambiguous in both the legal and ethical realm whether the use of biosamples or genetic data without additional links to the individual would invoke the same safeguards as research involving additional or specific identifiers. Seeing that research based on already available biosamples and genetic data is not governed by rules concerning human subject research, the second part of the paper analyses whether any consent requirements apply for the further use of already available bio-samples or genetic data in research. Whereas further use of biosamples is subject to considerably lax consent requirements under Article 22 of the Oviedo Convention, under the General Data Protection Regulation further use of genetic data might not be subject to a prior consent requirement at all, unless it is stipulated in national laws. When it comes to clinical trials, however, sponsors will have the possibility under Article 28(2) of Regulation 536/2014 to obtain open consent for further use of data in any kind of future research.
|
24
|
Abstract
BACKGROUND The recent introduction of the General Data Protection Regulation and Health Research Regulations has been an area of significant concern for those engaged in clinical research. These European regulations, following subsequent interpretation by Ireland's Department of Health, now place Ireland in a unique position which differs substantially from other European countries and may prove a significant impediment to Irish clinical research, depriving Irish patients of timely access to potentially life-saving treatments and making Ireland less attractive to pharmaceutical companies engaged in this area. At the very least, the regulations, as applied in Ireland, will place a significant extra burden of work on Ireland's clinical researchers and at their worst will force individuals and institutions out of the clinical research field, which will result in significant loss to the Irish knowledge economy and lead to the detriment of patient care. AIM In this article, we explore what exactly is proposed by Europe's GDPR and by Ireland's Health Research Regulations. We look at the challenges presented to clinical researchers, and we highlight those areas, which need clarification by the Department of Health and by the Data Protection Commissioner. CONCLUSIONS We propose five recommendations, which would ameliorate some of the more restrictive impositions of these regulations. This review was commissioned by the Irish Academy of Medical Science.
|
25
|
Genetic research and applicable law: the intra-EU conflict of laws as a regulatory challenge to cross-border genetic research. JOURNAL OF LAW AND THE BIOSCIENCES 2018; 5:706-723. [PMID: 31143459 PMCID: PMC6534755 DOI: 10.1093/jlb/lsy023] [Citation(s) in RCA: 3] [Impact Index Per Article: 0.5] [Indexed: 06/09/2023]
Abstract
EU law does not regulate genetic research per se, but the latter is governed to a certain extent by data protection law. Regardless of the harmonizing efforts of the General Data Protection Regulation (GDPR), research regulations remain fragmented in the data protection framework. This is mainly due to the vast discretion granted to Member States in this regard in the GDPR. Although the GDPR enables data flows for research cooperation in the EU, it creates a hurdle for cross-border research by ignoring the intra-EU conflict of laws that inevitably arises in a fragmented regulatory framework. Imagining ways to solve the dilemma of applicable national law under the GDPR generally is not that difficult, but becomes trickier in a research context. Whether the national data protection law of one or the other Member State is to be applied, either the interests of data subjects or those of researchers might end up compromised.
|
26
|
Soft ethics, the governance of the digital and the General Data Protection Regulation. PHILOSOPHICAL TRANSACTIONS. SERIES A, MATHEMATICAL, PHYSICAL, AND ENGINEERING SCIENCES 2018; 376:rsta.2018.0081. [PMID: 30322997 PMCID: PMC6191665 DOI: 10.1098/rsta.2018.0081] [Citation(s) in RCA: 17] [Impact Index Per Article: 2.8] [Accepted: 07/20/2018] [Indexed: 05/23/2023]
Abstract
The article discusses the governance of the digital as the new challenge posed by technological innovation. It then introduces a new distinction between soft ethics, which applies after legal compliance with legislation, such as the General Data Protection Regulation in the European Union, and hard ethics, which precedes and contributes to shape legislation. It concludes by developing an analysis of the role of digital ethics with respect to digital regulation and digital governance. This article is part of the theme issue 'Governing artificial intelligence: ethical, legal, and technical opportunities and challenges'.
|
27
|
How the writers of case reports need to consider and address consent and the General Data Protection Regulation (GDPR). Case Rep Womens Health 2018; 19:e00060. [PMID: 30069435 PMCID: PMC6066597 DOI: 10.1016/j.crwh.2018.e00060] [Citation(s) in RCA: 3] [Impact Index Per Article: 0.5] [Received: 03/06/2018] [Accepted: 03/28/2018] [Indexed: 11/26/2022] Open
|
28
|
District nurses must guard against inappropriately accessing patient records. Br J Community Nurs 2018; 23:355-357. [PMID: 29972670 DOI: 10.12968/bjcn.2018.23.7.355] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 06/08/2023]
Abstract
Two NHS workers were recently disciplined after inappropriately accessing the records of the singer Ed Sheeran who had required treatment for a fractured wrist and elbow after falling from his bicycle (Embury-Dennis 2018). The increasingly common use of electronic records across the NHS now allows nurses, including district nurses, to access a large archive of patient information that was much more difficult to obtain when records were manually held paper records. There have been several instances where curiosity and, occasionally, more malicious reasons have led district nurses and others to access those records and read the notes of high profile patients or persons known to them. In this article Richard Griffith cautions that district nurses who access and read the record of a person who is not in their care are in breach of both their duty of confidence and the requirements of the General Data Protection Regulation (Regulation 2016/679 EU).
|
29
|
[Review of the methodological, ethical, legal and social issues of research projects in healthcare with big data]. GACETA SANITARIA 2018; 32:576-578. [PMID: 29861265 DOI: 10.1016/j.gaceta.2018.02.007] [Citation(s) in RCA: 3] [Impact Index Per Article: 0.5] [Received: 01/18/2018] [Revised: 02/08/2018] [Accepted: 02/13/2018] [Indexed: 11/16/2022]
Abstract
The current model for reviewing research with human beings basically depends on decision-making processes within research ethics committees. These committees must be aware of the importance of the new digital paradigm based on the large-scale exploitation of datasets, including personal data on health. This article offers guidelines, with the application of the EU's General Data Protection Regulation, for the appropriate evaluation of projects that are based on the use of big data analytics in healthcare. The processes for gathering and using this data constitute a niche where current research is developed. In this context, the existing protocols for obtaining informed consent from participants are outdated, as they are based not only on the assumption that personal data are anonymized, but that they will continue to be so in the future. As a result, it is essential that research ethics committees take on new capabilities and revisit values such as privacy and freedom, updating protocols, methodologies and working procedures. This change in the work culture will provide legal security to the personnel involved in research, will make it possible to guarantee the protection of the privacy of the subjects of the data, and will permit orienting the exploitation of data to avoid the commodification of personal data in this era of deidentification, so that research meets actual social needs and not spurious or opportunistic interests disguised as research.
|
30
|
Legal issues in governing genetic biobanks: the Italian framework as a case study for the implications for citizen's health through public-private initiatives. J Community Genet 2017; 9:177-190. [PMID: 28921376 PMCID: PMC5849700 DOI: 10.1007/s12687-017-0328-2] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.3] [Received: 05/05/2017] [Accepted: 09/03/2017] [Indexed: 11/10/2022] Open
Abstract
This paper outlines some of the challenges faced by regulation of genetic biobanking, using case studies coming from the Italian legal system. The governance of genetic resources in the context of genetic biobanks in Italy is discussed, as an example of the stratification of different inputs and rules: EU law, national law, orders made by authorities and soft law, which need to be integrated with ethical principles, technological strategies and solutions. After providing an overview of the Italian legal regulation of genetic data processing, it considers the fate of genetic material and IP rights in the event of a biobank’s insolvency. To this end, it analyses two case studies: a controversial bankruptcy case which occurred in Sardinia, one of the first examples of private and public partnership biobanks. Another case study considered is the Chris project: an example of partnership between a research institute in Bolzano and the South Tyrolean Health System. Both cases seem to point in the same direction, suggesting expediency of promoting and improving public-private partnerships to manage biological tissues and biotrust to conciliate patent law and public interest.
|