Privacy risks of whole-slide image sharing in digital pathology.

Access to large volumes of so-called whole-slide images-high-resolution scans of complete pathological slides-has become a cornerstone of the development of novel artificial intelligence methods in pathology for diagnostic use, education/training of pathologists, and research. Nevertheless, a methodology based on risk analysis for evaluating the privacy risks associated with sharing such imaging data and applying the principle "as open as possible and as closed as necessary" is still lacking. In this article, we develop a model for privacy risk analysis for whole-slide images which focuses primarily on identity disclosure attacks, as these are the most important from a regulatory perspective. We introduce a taxonomy of whole-slide images with respect to privacy risks and mathematical model for risk assessment and design . Based on this risk assessment model and the taxonomy, we conduct a series of experiments to demonstrate the risks using real-world imaging data. Finally, we develop guidelines for risk assessment and recommendations for low-risk sharing of whole-slide image data.

The European health data space: Too big to succeed?

In May 2022, the European Commission issued the Proposal for a Regulation on the European Health Data Space (EHDS), with the aims of granting citizens increased access to and control of their (electronic) health data across the EU, and facilitating health data re-use for research, innovation, and policymaking. As the first in a series of European domain-specific "data spaces", the EHDS is a high-stakes development that will transform health data governance in the EU region. As an international consortium of experts from health policy, law, ethics and the social sciences, we are concerned that the EHDS Proposal will detract from, rather than lead to the achievement of, its stated aims. We are in no doubt on the benefits of using health data for secondary purposes, and we appreciate attempts to facilitate such uses across borders in a carefully curated manner. Based on the current draft Regulation, however, the EHDS risks undermining rather than enhancing patient control over data; hindering rather than facilitating the work of health professionals and researchers; and eroding rather than increasing the public value generated through health data sharing. Therefore, significant adjustments are needed if the EHDS is to realize its promised benefits. Besides analyzing the implications for key groups and European societies at large who will be affected by the implementation of the EHDS, this contribution advances targeted policy recommendations to address the identified shortcomings of the EHDS Proposal.

Joint controllers in large research consortia: a funnel model to distinguish controllers in the sense of the GDPR from other partners in the consortium.

Large European research consortia in the health sciences face challenges regarding the governance of personal data collected, generated and/or shared during their collective research. A controller in the sense of the GDPR is the entity which decides about purposes and means of the data processing. Case law of the Court of Justice of the European Union (CJEU) and Guidelines of the European Data Protection Board (EDPB) indicate that all partners in the consortium would be joint controllers. This paper summarises the case law, the Guidelines and literature on joint controllership, gives a brief account of a webinar organised on the issue by Lygature and the MLC Foundation. Participants at the webinar agreed in large majority that it would be extreme if all partners in the consortium would become joint controllers. There was less agreement how to disentangle partners who are controllers of a study from those who are not. In order to disentangle responsibilities, we propose a funnel model with consecutive steps acting as sieves in the funnel. It differentiates between two types of partners: all partners who are involved in shaping the project as a whole versus those specific partners who are more closely involved in a sub-study following from the DoA or the use of the data Platform. If the role of the partner would be comparable to that of an outside advisor, that partner would not be a data controller even though the partner is part of the consortium. We propose further nuances for the disentanglement which takes place in various steps. Uncertainty about formal controllership under the GDPR can stifle collaboration in consortia due to concerns over (shared) responsibility and liability. Data subjects' ability to exercise their right can also be affected by this. The funnel model proposes a way out of this conundrum.

Challenges and Legal Gaps of Genetic Profiling in the Era of Big Data.

Profiling of individuals based on inborn, acquired, and assigned characteristics is central for decision making in health care. In the era of omics and big smart data, it becomes urgent to differentiate between different data governance affordances for different profiling activities. Typically, diagnostic profiling is in the focus of researchers and physicians, and other types are regarded as undesired side-effects; for example, in the connection of health care insurance risk calculations. Profiling in a legal sense is addressed, for example, by the EU data protection law. It is defined in the General Data Protection Regulation as automated decision making. This term does not correspond fully with profiling in biomedical research and healthcare, and the impact on privacy has hardly ever been examined. But profiling is also an issue concerning the fundamental right of non-discrimination, whenever profiles are used in a way that has a discriminatory effect on individuals. Here, we will focus on genetic profiling, define related notions as legal and subject-matter definitions frequently differ, and discuss the ethical and legal challenges.

Mind the Gap: From Tool to Knowledge Base.

With the ethical, legal, and societal issues (ELSI) Knowledge Base, we introduce a key element of the Biobanking and Biomolecular Resources Research Infrastructure-European Research Infrastructure Consortium (BBMRI-ERIC) Common Service ELSI, which provides ethical, legal, and societal support for researchers and biobankers involved in transnational research. In contrast to the customized support provided by the ELSI Helpdesk, the ELSI Knowledge Base will be available to the user on a self-serve basis. The information that is made available through a knowledge base comes from multiple sources, usually from several expert contributors who are well versed in the subject matter. The knowledge base provides users with a first orientation on the subject matter, as well as allowing them to explore more detailed information if desired in a self-service manner. It is crucial that the information and knowledge provided are shared in a manner that is user friendly. Long lists of links, legalistic language, and multiple links have to be avoided wherever possible. The long-term sustainability and accuracy of a knowledge base need to be ensured by placing its expert curation and technical maintenance under the responsibility of an organization rather than a research consortium. In its core, it builds on a scenario-based approach using a nonlegalistic language. In addition, the knowledge base connects to frequently asked questions, promotes contract and informed consent templates, how-to-guides, best-practice models, and scripts. The ELSI Knowledge Base is a key element of the BBMRI-ERIC Common Service ELSI, which currently serves biobanks but will be enlarged to serve the biological and medical sciences community. In contrast to the ELSI Helpdesk, which provides customized support, the ELSI Knowledge Base is available to the user on a self-serve basis. The conceptualization of the ELSI Knowledge Base builds on assessments of several ethical, legal, and societal guidance tools that favor a single sustainable knowledge base for closing the knowledge gap by providing practical hands-on guidance for researchers. Ultimately, the ELSI Knowledge Base aims at promoting practical know-how and skills for conducting responsible research.

Enhancing Reuse of Data and Biological Material in Medical Research: From FAIR to FAIR-Health.

The known challenge of underutilization of data and biological material from biorepositories as potential resources for medical research has been the focus of discussion for over a decade. Recently developed guidelines for improved data availability and reusability-entitled FAIR Principles (Findability, Accessibility, Interoperability, and Reusability)-are likely to address only parts of the problem. In this article, we argue that biological material and data should be viewed as a unified resource. This approach would facilitate access to complete provenance information, which is a prerequisite for reproducibility and meaningful integration of the data. A unified view also allows for optimization of long-term storage strategies, as demonstrated in the case of biobanks. We propose an extension of the FAIR Principles to include the following additional components: (1) quality aspects related to research reproducibility and meaningful reuse of the data, (2) incentives to stimulate effective enrichment of data sets and biological material collections and its reuse on all levels, and (3) privacy-respecting approaches for working with the human material and data. These FAIR-Health principles should then be applied to both the biological material and data. We also propose the development of common guidelines for cloud architectures, due to the unprecedented growth of volume and breadth of medical data generation, as well as the associated need to process the data efficiently.

How Sensitive Is Genetic Data?

The rising demand to use genetic data for research goes hand in hand with an increased awareness of privacy issues related to its use. Using human genetic data in a legally compliant way requires an examination of the legal basis as well as an assessment of potential disclosure risks. Focusing on the relevant legal framework in the European Union, we discuss open questions and uncertainties around the handling of genetic data in research, which can result in the introduction of unnecessary hurdles for data sharing. First, we discuss defining features and relative disclosure risks of some DNA-related biomarkers, distinguishing between the risk for disclosure of (1) the identity of an individual, (2) information about an individual's health and behavior, including previously unknown phenotypes, and (3) information about an individual's blood relatives. Second, we discuss the European legal framework applicable to the use of DNA-related biomarkers in research, the implications of including both inherited and acquired traits in the legal definition, as well as the issue of "genetic exceptionalism"-the notion that genetic information has inherent characteristics that require different considerations than other health and medical information. Finally, by mapping the legal to specific technical definitions, we draw some initial conclusions concerning how sensitive different types of "genetic data" may actually be. We argue that whole genome sequences may justifiably be considered "exceptional" and require special protection, whereas other genetic data that do not fulfill the same criteria should be treated in a similar manner to other clinical data. This kind of differentiation should be reflected by the law and/or other governance frameworks as well as agreed Codes of Conduct when using the term "genetic data."

Sharing and reuse of individual participant data from clinical trials: principles and recommendations.

OBJECTIVES: We examined major issues associated with sharing of individual clinical trial data and developed a consensus document on providing access to individual participant data from clinical trials, using a broad interdisciplinary approach. DESIGN AND METHODS: This was a consensus-building process among the members of a multistakeholder task force, involving a wide range of experts (researchers, patient representatives, methodologists, information technology experts, and representatives from funders, infrastructures and standards development organisations). An independent facilitator supported the process using the nominal group technique. The consensus was reached in a series of three workshops held over 1 year, supported by exchange of documents and teleconferences within focused subgroups when needed. This work was set within the Horizon 2020-funded project CORBEL (Coordinated Research Infrastructures Building Enduring Life-science Services) and coordinated by the European Clinical Research Infrastructure Network. Thus, the focus was on non-commercial trials and the perspective mainly European. OUTCOME: We developed principles and practical recommendations on how to share data from clinical trials. RESULTS: The task force reached consensus on 10 principles and 50 recommendations, representing the fundamental requirements of any framework used for the sharing of clinical trials data. The document covers the following main areas: making data sharing a reality (eg, cultural change, academic incentives, funding), consent for data sharing, protection of trial participants (eg, de-identification), data standards, rights, types and management of access (eg, data request and access models), data management and repositories, discoverability, and metadata. CONCLUSIONS: The adoption of the recommendations in this document would help to promote and support data sharing and reuse among researchers, adequately inform trial participants and protect their rights, and provide effective and efficient systems for preparing, storing and accessing data. The recommendations now need to be implemented and tested in practice. Further work needs to be done to integrate these proposals with those from other geographical areas and other academic domains.

Reconsidering Anonymization-Related Concepts and the Term "Identification" Against the Backdrop of the European Legal Framework.

Sharing data in biomedical contexts has become increasingly relevant, but privacy concerns set constraints for free sharing of individual-level data. Data protection law protects only data relating to an identifiable individual, whereas "anonymous" data are free to be used by everybody. Usage of many terms related to anonymization is often not consistent among different domains such as statistics and law. The crucial term "identification" seems especially hard to define, since its definition presupposes the existence of identifying characteristics, leading to some circularity. In this article, we present a discussion of important terms based on a legal perspective that it is outlined before we present issues related to the usage of terms such as unique "identifiers," "quasi-identifiers," and "sensitive attributes." Based on these terms, we have tried to circumvent a circular definition for the term "identification" by making two decisions: first, deciding which (natural) identifier should stand for the individual; second, deciding how to recognize the individual. In addition, we provide an overview of anonymization techniques/methods for preventing re-identification. The discussion of basic notions related to anonymization shows that there is some work to be done in order to achieve a mutual understanding between legal and technical experts concerning some of these notions. Using a dialectical definition process in order to merge technical and legal perspectives on terms seems important for enhancing mutual understanding.