A Systematic Review on Privacy-Aware IoT Personal Data Stores.

Data from the Internet of Things (IoT) enables the design of new business models and services that improve user experience and satisfaction. These data serve as important information sources for many domains, including disaster management, biosurveillance, smart cities, and smart health, among others. However, this scenario involves the collection of personal data, raising new challenges related to data privacy protection. Therefore, we aim to provide state-of-the-art information regarding privacy issues in the context of IoT, with a particular focus on findings that utilize the Personal Data Store (PDS) as a viable solution for these concerns. To achieve this, we conduct a systematic mapping review to identify, evaluate, and interpret the relevant literature on privacy issues and PDS-based solutions in the IoT context. Our analysis is guided by three well-defined research questions, and we systematically selected 49 studies published until 2023 from an initial pool of 176 papers. We analyze and discuss the most common privacy issues highlighted by the authors and position the role of PDS technologies as a solution to privacy issues in the IoT context. As a result, our findings reveal that only a small number of works (approximately 20%) were dedicated to presenting solutions for privacy issues. Most works (almost 82%) were published between 2018 and 2023, demonstrating an increased interest in the theme in recent years. Additionally, only two works used PDS-based solutions to deal with privacy issues in the IoT context.

India's Conception of Community Data and Addressing Concerns for Access to Justice.

This paper discusses the idea of community data that was introduced in the Non-Personal Data framework in India. Our interest is to engage with existing commentaries on the definitional challenges around who is a community, how it is constituted, who it represents, as well as propose a framework to be able to explore how to address concerns of access to justice. In our attempt to offer a model to operationalise community data, we argue that such community data justice includes three crucial aspects, that is, the identification of belonging with a community, the capacity to participate within a community, and finally opportunity to exit the community. Consequently, justice in terms of access to, and use of community data inherently includes an analysis of the individual's standing in the community.

Personal data store ecosystems in health and social care.

This paper considers how the development of personal data store ecosystems in health and social care may offer one person-centered approach to improving the ways in which individual generated and gathered data-e.g., from wearables and other personal monitoring and tracking devices-can be used for wellbeing, individual care, and research. Personal data stores aim to provide safe and secure digital spaces that enable people to self-manage, use, and share personal data with others in a way that aligns with their individual needs and preferences. A key motivation for personal data stores is to give an individual more access and meaningful control over their personal data, and greater visibility over how it is used by others. This commentary discusses meanings and motivations behind the personal data store concept-examples are provided to illustrate the opportunities such ecosystems can offer in health and social care, and associated research and implementation challenges are also examined.

Opinions of professors, dental students, and patients for publishing the patient images in the articles.

INTRODUCTION: The journals must have an instruction for writers to observe the essential ethical principles like privacy-preserving, secrecy, and keeping the patients' identities hidden. Even though patient secrecy is an important ideology in medicine's ethics, most journals have a little guide on this topic for the authors. According to the absence of such studies in dentistry and limited studies in medicine, our goal in this article is to review the opinions of professors, Kerman dentistry students, and patients for publishing the patient images in the articles. METHOD: This research is an analytical, sectional, and descriptive study. The studied society includes the professors of the dentistry faculty (54 people), the 4th to 6th years dentistry students (122 people), and 129 patients who referred to the offices, the faculty, and other clinics in Kerman city base on simple random sampling method. A query including the personal questions, and questions related to the participants' opinions about publishing the images was given to contributors. Abundance, average tables, chi-square (χ 2) test, T-test, and SPSS 21 software were used for data description. RESULTS: The contributors' attitudes were different in three groups of participants: more than half of the patients (58.91%), 39.5% of students, and 31.38% of professors believed that no permission is needed. While, 64.34% of the patients, 89.34% of students, and 83.3% of professors believed that written permission is needed for publishing. CONCLUSION: From the participants' viewpoints, more strict forms are needed by increasing identity recognizability. The professors are more eager than the patients to receive patients' permission for any kind of image. By reducing the level of identification, doctors and students are more eager than patients to receive approvals.

A autodeterminação informativa como contexto normativo para elaboração de diretrizes para a construção de um Relatório de Impacto à Proteção de Dados Pessoais: a proposta de um modelo humanizador para a telemedicina / Informative self-determination as a normative context for the elaboration of guidelines for the Impact Report on Personal Data Protection: the proposal of a humanizing model for telemedicine / La autodeterminación informativa como contexto normativo para la elaboración de lineamentos para la construcción de un Informe de Impacto en Protección de Datos Personales: la propuesta de un modelo humanizador para la telemedicina

Apresentamos e discutimos a construção de um instrumento de compliance para tratamento de dados pessoais e dados pessoais sensíveis do Núcleo Telessaúde UFSC, com base na Lei Geral de Proteção de Dados Pessoais. Trata-se da elaboração de diretrizes para um Relatório de Impacto à Proteção de Dados Pessoais visando à preservação da dimensão humana do dado e à preservação de direitos. A pesquisa foi qualitativa e exploratória, tendo o relato de experiência como metodologia. O levantamento bibliográfico e a análise documental permitiram a investigação, realizada em 2022, de processos, etapas e fluxos do tratamento dos dados. A análise dos dados foi qualitativa, por comparação dos resultados com a legislação vigente e com a adequação ao princípio da autodeterminação informativa. Os resultados demonstraram que as propostas para o relatório contribuíram para um tratamento de dados mais adequado ao ordenamento jurídico e, consequentemente, mais humanizado

We present and discuss the construction of a compliance instrument for the processing of personal data and sensitive personal data of the Telessaúde UFSC Center, based on the General Data Protection Law. It is a model for the elaboration of guidelines for the construction of an Impact Report on the Protection of Personal Data that collaborates to the preservation of the human dimension of data and the preserva-tion of rights. The research was qualitative and exploratory, adopting experience report as methodology. Bibliographical research and documental analysis enabled the investigation of the processes, stages and flows of data processing, carried out in 2022. Data analysis was carried out qualitatively, comparing the results with current legislation and adequacy to the principle of informative self-determination. Results showed that the proposed guidelines for the report contributed to a data processing more appropriate to the legal system and, consequently, more humanized

Presentamos y discutimos la construcción de un instrumento de cumplimiento para el tratamiento de datos personales y datos personales sensibles del Núcleo Telessaúde UFSC, con base en la Ley General de Pro-tección de Datos. Es la preparación de directrices para un Informe de Impacto de Protección de Datos Per-sonales para preservación de la dimensión humana de los datos y preservar los derechos. La investigación cualitativa y exploratoria adoptó un relato de experiencia como metodología. El levantamiento bibliográfico y el análisis documental permitieron la indagación de procesos, etapas y flujos de procesamiento de datos, realizados en 2022. El análisis de datos fue cualitativa, mediante la comparación de los resultados con la legislación vigente y la adecuación al principio de autodeterminación informativa. Los resultados mostra-ron que las directrices propuestas para el informe contribuyó a un tratamiento de datos más adecuado al ordenamiento jurídico y, en consecuencia, más humano

Towards a simple mathematical model for the legal concept of balancing of interests.

We propose simple nonlinear mathematical models for the legal concept of balancing of interests. Our aim is to bridge the gap between an abstract formalisation of a balancing decision while assuring consistency and ultimately legal certainty across cases. We focus on the conflict between the rights to privacy and to the protection of personal data in Art. 7 and Art. 8 of the EU Charter of Fundamental Rights (EUCh) against the right of access to information derived from Art. 11 EUCh. These competing rights are denoted by (i1) right to privacy and (i2) access to information; mathematically, their indices are respectively assigned by u1∈[0,1] and u2∈[0,1] subject to the constraint u1+u2=1. This constraint allows us to use one single index u to resolve the conflict through balancing. The outcome will be concluded by comparing the index u with a prior given threshold u0. For simplicity, we assume that the balancing depends on only selected legal criteria such as the social status of affected person, and the sphere from which the information originated, which are represented as inputs of the models, called legal parameters. Additionally, we take "time" into consideration as a legal criterion, building on the European Court of Justice's ruling on the right to be forgotten: by considering time as a legal parameter, we model how the outcome of the balancing changes over the passage of time. To catch the dependence of the outcome u by these criteria as legal parameters, data were created by a fully-qualified lawyer. By comparison to other approaches based on machine learning, especially neural networks, this approach requires significantly less data. This might come at the price of higher abstraction and simplification, but also provides for higher transparency and explainability. Two mathematical models for u, a time-independent model and a time-dependent model, are proposed, that are fitted by using the data. Supplementary Information: The online version contains supplementary material available at 10.1007/s10506-022-09338-3.

Personal data protection compliance assessment: A privacy policy scoring approach and empirical evidence from Thailand's SMEs.

Privacy policies, intended to provide information to individuals regarding how their personal data is processed, are often complex and challenging for users to understand. Businesses often demonstrate non-compliance with personal data protection laws, ranging from the absence of privacy policies to the existence of policies that do not adhere to legal requirements. This paper aims to (1) develop a quantitative and systematic tool for evaluating privacy policies' compliance with the Personal Data Protection Act (PDPA), (2) assess compliance among Small and Medium Enterprises (SMEs) in Thailand, and (3) provide recommendations for enhancing compliance practices. To achieve this, we proposed a multi-criteria privacy policy scoring model integrated with comprehensive statistical data analyses. The privacy policy scoring model consists of ten privacy principles and 31 privacy criteria, providing a structured framework for evaluating privacy policies. During a two-year postponement period for enforcing the PDPA law, we conducted a stratified random-sampling survey of 384 SMEs to evaluate their privacy policies using the proposed scoring model. The accomplished results revealed significantly lower scores than anticipated, with the nationwide average score of SMEs reaching only 6.1909 out of 100 points. More than half of the SMEs collected personal data without announcing privacy policies, and those with privacy policies adhered to an average of only 12.15 out of 31 privacy criteria. These findings highlight the pressing need to improve compliance practices among SMEs in Thailand. The proposed methodology can be customized and applied to align with the requirements of personal data protection laws in other countries. Additionally, our findings indicate that compliance with the PDPA is influenced by the Thailand Standard Industrial Classification (TSIC) sections, suggesting the adoption of tailored approaches by policymakers to address the specific needs of different TSIC sections.

Thirty-three myths and misconceptions about population data: from data capture and processing to linkage.

Databases covering all individuals of a population are increasingly used for research and decision-making. The massive size of such databases is often mistaken as a guarantee for valid inferences. However, population data have characteristics that make them challenging to use. Various assumptions on population coverage and data quality are commonly made, including how such data were captured and what types of processing have been applied to them. Furthermore, the full potential of population data can often only be unlocked when such data are linked to other databases. Record linkage often implies subtle technical problems, which are easily missed. We discuss a diverse range of myths and misconceptions relevant for anybody capturing, processing, linking, or analysing population data. Remarkably, many of these myths and misconceptions are due to the social nature of data collections and are therefore missed by purely technical accounts of data processing. Many are also not well documented in scientific publications. We conclude with a set of recommendations for using population data.

Ethical, legal, and social implications in research biobanking: A checklist for navigating complexity.

Biobanks' activity is based not only on securing the technology of collecting and storing human biospecimen, but also on preparing formal documentation that will enable its safe use for scientific research. In that context, the issue of informed consent, the reporting of incidental findings and the use of Transfer Agreements remain a vast challenge. This paper aims to offer first-hand tangible solutions on those issues in the context of collaborative and transnational biobanking research. It presents a four-step checklist aiming to facilitate researchers on their compliance with applicable legal and ethical guidelines, when designing their studies, when recruiting participants, when handling samples and data, and when communicating research results and incidental findings. Although the paper reflects the outcomes of the H2020 B3Africa project and examines the transfers from and to the EU as a case study, it presents a global checklist that can be used beyond the EU.

Protección de datos en investigación clínica: ¿pseudonimización o anonimización? / [Data protection in clinical research: pseudonymization or anonymization?]

Se pretende analizar la necesidad de codificar los datos de los participantes de un estudio de salud, así como las técnicas que se pueden emplear como medida de protección, analizando sus características, ventajas e inconvenientes y abordándose desde un punto de vista semi-práctico, al desarrollarse brevemente algunas técnicas de codificación. (AU)

Te aim is to analyse the need to code the data of the participants of a health study, as well as the techniques that can be used to do so, analysing their characteristics, advantages and disadvantages and approaching it from a semi-practical point of view, by briefly developing some coding techniques. (AU)

Management of Onsite and Remote Communication in Oncology Hospitals: Data Protection in an Era of Rapid Technological Advances.

Modern communication and information technologies are rapidly being deployed at health care institutions around the world. Although these technologies offer many benefits, ensuring data protection is a major concern, and implementation of robust data protection measures is essential. In this context, health care providers and medical care facilities must frequently make difficult decisions and compromises between the need to provide effective medical care and the need to ensure data security and patient privacy. In the present paper, we describe and discuss key issues related to data protection systems in the setting of cancer care hospitals in Europe. We provide real-life examples from two European countries-Poland and the Czech Republic-to illustrate data protection issues and the steps being taking to address these questions. More specifically, we discuss the legal framework surrounding data protection and technical aspects related to patient authentication and communication.

Teaching Health Literacy and Digital Literacy Together at University Level: The FLOURISH Module.

Many universities have wellness programs to promote overall health and well-being. Using students' own personal data as part of improving their own wellness would seem to be a natural fit given that most university students are already data and information literate. In this work, we aim to show how the interplay between health literacy and data literacy can be used and taught together. The method we use is the development and delivery of the FLOURISH module, an accredited, online-only but extra-curricular course that delivers practical tips in the areas that impact students' everyday wellness including sleep, nutrition, work habits, procrastination, relationships with others, physical activity, positive psychology, critical thinking, and more. For most of these topics, students gather personal data related to the topic and submit an analysis of their data for assessment thus demonstrating how students can use their personal data for their benefit. More than 350 students have taken the module and an analysis of the use of online resources, as well as feedback on the module experience, are presented. The contributions of this article are to further endorse the need for health literacy and digital literacy for students, and we demonstrate that these can be taught together making each literacy more appealing to the digital natives of Generation Z who make up the majority of students. The implications for public health research and practice are that two student literacies, health and digital, are not independent and for our students, they should be taught together.

Workload and procedures used by European data protection authorities related to personal data protection: a cross-sectional study.

OBJECTIVE: Data protection authorities (DPAs) are independent public authorities supervising the application of the data protection law. There is one DPA in each European Union (EU) Member State. Workload and procedures used by European DPAs were analyzed via a cross-sectional study. RESULTS: DPAs from 13 countries participated: Austria, Bulgaria, Croatia, Estonia, Finland, Greece, Italy, Latvia, Liechtenstein, Lithuania, Norway, Romania, and Slovakia. Responding to opinion/guidance requests in DPAs was highly heterogeneous. Procedure types used by DPAs varied, from telephone-based advisory service in Norway to a formal legal opinion in Austria. The deadline for responding to the requests varied considerably in DPAs. The number of opinion/guidance requests sent by data controllers and processors, and the number of opinion/guidance requests and complaints sent by data subjects, increased from 2015 to 2018 when the General Data Protection Regulation (GDPR) came into full effect; it decreased in 2019. Few DPAs organized education about data protection for the research community. In conclusion, the procedures and workload of DPAs in the EU were highly variable. It is important to study these aspects further, as they may assist in tailoring future data protection policies and procedures at the EU level.

Personal Data Stores (PDS): A Review.

Internet services have collected our personal data since their inception. In the beginning, the personal data collection was uncoordinated and was limited to a few selected data types such as names, ages, birthdays, etc. Due to the widespread use of social media, more and more personal data has been collected by different online services. We increasingly see that Internet of Things (IoT) devices are also being adopted by consumers, making it possible for companies to capture personal data (including very sensitive data) with much less effort and autonomously at a very low cost. Current systems architectures aim to collect, store, and process our personal data in the cloud with very limited control when it comes to giving back to citizens. However, Personal Data Stores (PDS) have been proposed as an alternative architecture where personal data will be stored within households, giving us complete control (self-sovereignty) over our data. This paper surveys the current literature on Personal Data Stores (PDS) that enable individuals to collect, control, store, and manage their data. In particular, we provide a comprehensive review of related concepts and the expected benefits of PDS platforms. Further, we compare and analyse existing PDS platforms in terms of their capabilities and core components. Subsequently, we summarise the major challenges and issues facing PDS platforms' development and widespread adoption.

Breakthrough infections, hospital admissions, and mortality after major COVID-19 vaccination profiles: A prospective cohort study.

Background: Several COVID-19 vaccination rollout strategies are implemented. Real-world data from the large-scale, government-mandated Central Vaccination Center (CVC), Thailand, could be used for comparing the breakthrough infection, across all available COVID-19 vaccination profiles. Methods: This prospective cohort study combined the vaccine profiles from the CVC registry with three nationally validated outcome datasets to assess the breakthrough COVID-19 infection, hospitalization, and death among Thais individuals who received at least one dose of the COVID-19 vaccine. The outcomes were analyzed by comparing vaccine profiles to investigate the shot effect and homologous effect. Findings: Of 2,407,315 Thais who had at least one dose of COVID-19 vaccine, 63,469 (2.75%) had breakthrough infection, 42,001 (1.79%) had been hospitalized, and 431 (0.02%) died. Per one vaccination shot added, there was an 18% risk reduction of breakthrough infection (adjusted hazard ratio [HR] 0.82, 95% confidence interval [CI] 0.80-0.82), a 25% risk reduction of hospitalization (HR 0.75, 95% CI 0.73-0.76), and a 96% risk reduction of mortality (HR 0.04, 95% CI 0.03-0.06). The heterologous two-shot vaccine profiles had a higher protective effect against infection, hospitalization, and mortality compared to the homologous counterparts. Interpretation: COVID-19 breakthrough infection, hospitalization, and death differ across vaccination profiles that had a different number of shots and types of vaccines. Funding: This study did not involve any funding.

COVID-19, Personal Data Protection and Privacy in India.

The corona pandemic altered many traditional and historical norms of society and law. COVID-19 created a humanitarian crisis in some parts of globe, while pandemic privacy and civil liberties were under threat all over world. To combat the deadly virus, individual liberty and equality were compromised. This paper focuses on how India's health problem has compromised people's right to privacy. It will highlight how strict executive policies led to the creation of a massive surveillance system in the name of combating the COVID-19 pandemic, as well as how the absence of any policy or legal framework led to the exclusion of individuals and their families who were suspected of having the virus or caring for those who were infected with the deadly virus. The paper uses case studies and data collected from primary as well as secondary sources. The authors will also point out how the absence of privacy regulation puts millions of citizens' private information at risk of being compromised or exploited against their will.

Telemedicina no Brasil: ameaças à proteção de dados pessoais em decorrência da flexibilização da pandemia e da regulamentação precária / Telemedicine in Brazil: threats to the protection of personal data due to both easing of pandemic measures and poor regulation

O presente trabalho analisou os riscos envolvidos na utilização dos recursos de telessaúde e telemedicina, autorizados durante a pandemia de covid-19, sem um correspondente amadurecimento com relação aos requisitos necessários para garantir a segurança dos dados pessoais e dados pessoais sensíveis de seus usuários, seja pela recente entrada em vigor da Lei n. 13.709/2018, seja pela incipiente criação da Autoridade Nacional de Proteção de Dados, que ainda caminha no sentido de se estruturar organicamente. Sob o lume da metodologia civil-constitucional capitaneada por Perlingieri, o artigo destacou a necessidade de que os requisitos tecnológicos abarcados nas relações privadas sejam devidamente adequados aos valores intrínsecos àqueles delineados no texto constitucional, tendo as normas de direito civil como importante vetor na garantia de tal aplicação. A partir de pesquisa qualitativa, valendo-se de fontes indiretas, inclusive legislação estrangeira, e análise à luz da metodologia dedutiva, elencou-se uma série de considerações para a aplicação de recursos da telemedicina no Brasil de maneira adequada e em sintonia com a proteção de dados pessoais de seus cidadãos.

The present work analyzed the risks involved in the use of telehealth and telemedicine resources, authorized during the covid-19 pandemic, without a corresponding maturity in relation to the necessary requirements to guarantee the security of personal data and sensitive personal data of users, whether by the recent entry into force of Law no. 13,709/2018, or the incipient creation of the National Data Protection Authority, which is still moving towards an organic structure. Under the light of the civilconstitutional methodology led by Perlingieri, the article highlights the need for technological requirements encompassed in private relations to be duly adapted to the intrinsic values of those outlined in the constitutional text, with the norms of civil law as an important vector in guaranteeing such an application. Based on qualitative research, using indirect sources, including foreign legislation, and analysis in the light of deductive methodology, a series of considerations are listed for the application of telemedicine resources in Brazil in an adequate manner and in line with the protection of personal data of citizens.

Cyber security threats: A never-ending challenge for e-commerce.

This study explores the challenge of cyber security threats that e-commerce technology and business are facing. Technology applications for e-commerce are attracting attention from both academia and industry. It has made what was not possible before for the business community and consumers. But it did not come all alone but has brought some challenges, and cyber security challenge is one of them. Cyber security concerns have many forms, but this study focuses on social engineering, denial of services, malware, and attacks on personal data. Firms worldwide spend a lot on addressing cybersecurity issues, which grow each year. However, it seems complicated to overcome the challenge because the attackers continuously search for new vulnerabilities in humans, organizations, and technology. This paper is based on the conceptual analysis of social engineering, denial of services, malware, and attacks on personal data. We argue that implementing modern technology for e-commerce and cybersecurity issues is a never-ending game of cat and mouse. To reduce risks, reliable technology is needed, training of employees and consumer is necessary for using the technology, and a strong policy and regulation is needed at the firm and governmental level.

The legal aspect of interoperability of cross border electronic health services: A study of the european and national legal framework.

Legal interoperability constitutes a prerequisite for the provision of high-quality cross border e-health services, like ePrescription and ePatientSummary. A review of EU legislation, policy initiatives and relevant judgments of the European Court of Justice (ECJ) and the European Court of Human Rights (ECHR) was held, concerning personal medical data. Four European social welfare systems, according to Esping - Andersen's typology, were selected and a study of health policy in relation to the national legal framework regarding the data protection regulation is examined. A model of legal interoperability for cross-border eHealth services is proposed for policy makers at EU level based on the following major domains: protection and security of data, transparency and liability, further analyzed in multiple axes and combined with EU targets, policy priorities and basic European legal principles. This model could be viable because of the EU's transnational existence, the coexistence of national and Community law, and the need of novel models of political governance under a unified regulatory and normative base.