Data protection, data management, and data sharing: Stakeholder perspectives on the protection of personal health information in South Africa.

The Protection of Personal Information Act (POPIA) 2013 came into force in South Africa on 1 July 2020. It seeks to strengthen the processing of personal information, including health information. While POPIA is to be welcomed, there are concerns about the impact it will have on the processing of health information. To ensure that the National Health Laboratory Service [NHLS] is compliant with these new strict processing requirements and that compliance does not negatively impact upon its current screening, treatment, surveillance and research mandate, it was decided to consider the development of a NHLS POPIA Code of Conduct for Personal Health. As part of the process of developing such a Code and better understand the challenges faced in the processing of personal health information in South Africa, 19 semi-structured interviews with stakeholders were conducted between June and September 2020. Overall, respondents welcomed the introduction of POPIA. However, they felt that there are tensions between the strengthening of data protection and the use of personal information for individual patient care, treatment programmes, and research. Respondents reported a need to rethink the management of personal health information in South Africa and identified 5 issues needing to be addressed at a national and an institutional level: an understanding of the importance of personal information; an understanding of POPIA and data protection; improve data quality; improve transparency in data use; and improve accountability in data use. The application of POPIA to the processing of personal health information is challenging, complex, and likely costly. However, personal health information must be appropriately managed to ensure the privacy of the data subject is protected, but equally that it is used as a resource in the individual's and wider public interest.

To What Extent Does the EU General Data Protection Regulation (GDPR) Apply to Citizen Scientist-Led Health Research with Mobile Devices?

In this article, we consider the possible application of the European General Data Protection Regulation (GDPR) to "citizen scientist"-led health research with mobile devices. We argue that the GDPR likely does cover this activity, depending on the specific context and the territorial scope. Remaining open questions that result from our analysis lead us to call for lex specialis that would provide greater clarity and certainty regarding the processing of health data by for research purposes, including these non-traditional researchers.

Hacking HIPAA: "Best Practices" for Avoiding Oversight in the Sale of Your Identifiable Medical Information.

In light of the confusion invited by applying the label "de-identified" to information that can be used to identify patients, it is paramount that regulators, compliance professionals, patient advocates and the general public understand the significant differences between the standards applied by HIPAA and those applied by permissive "de-identification guidelines." This Article discusses those differences in detail. The discussion proceeds in four Parts. Part II (HIPAA's Heartbeat: Why HIPAA Protects Identifiable Patient Information) examines Congress's motivations for defining individually identifiable health information broadly, which included to stop the harms patients endured prior to 1996 arising from the commercial sale of their medical records. Part III (Taking the "I" Out of Identifiable Information: HIPAA's Requirements for De-Identified Health Information) discusses HIPAA's requirements for de-identification that were never intended to create a loophole for identifiable patient information to escape HIPAA's protections. Part IV (Anatomy of a Hack: Methods for Labeling Identifiable information "De-Identified") examines the goals, methods, and results of permissive "de-identification guidelines" and compares them to HIPAA's requirements. Part V (Protecting Un-Protected Health Information) evaluates the suitability of permissive "de-identification guidelines," concluding that the vulnerabilities inherent in their current articulation render them ineffective as a data protection standard. It also discusses ways in which compliance professionals, regulators, and advocates can foster accountability and transparency in the utilization of health information that can be used to identify patients.

No exchange, same pain, no gain: Risk-reward of wearable healthcare disclosure of health personally identifiable information for enhanced pain treatment.

Wearable technologies have created fascinating opportunities for patients to treat chronic pain in a discreet, mobile fashion. However, many of these health wearables require patients to disclose sensitive information, including health information (e.g., heart rate, glucose levels) and personal information (location, email, name, etc.). Individuals using wearables for treatment of chronic pain may sacrifice social health elements, including their privacy, in exchange for better physical and mental health. Utilizing communication privacy management, a popular disclosure theory, this article explores the policy and ethical ramifications of patients disclosing sensitive health information in exchange for better health treatment and relief of chronic pain. The article identifies scenarios where a user must disclose information, and what factors motivate or dissuade disclosure, and ultimately the use of a health wearable. Practical implications of this conceptual article include an improved understanding of how and why consumers may disclose personal data to health wearables, and potential impacts for public policy and ethics regarding how wearables and their manufacturers entice disclosure of private health information.

Cuestionario/guía para la evaluación de proyectos de investigación con datos por un CEI / Questionnaire/guide for the evaluation of research projects with personal data by a Research Ethics Committee

No disponible

Nuevos desafíos en torno al big data / New challenges around big data

Los nuevos reglamentos europeos sobre ensayos clínicos, dispositivos médicos y el nuevo Reglamento Europeo sobre protección de datos, incorporan varios preceptos para garantizar el derecho a la vida privada y la protección de datos en materia de salud. Sin embargo, la fragmentación de la regulación, el riesgo de sufrir ciber-ataques y violaciones de seguridad, las filtraciones masivas de big data, o el uso no autorizado de datos biométricos nos llevan a poner en duda el papel predominante que la regulación otorga al consentimiento previo del propietario en la cesión de los datos personales como clave del sistema. En este sentido, las normas de protección de datos generales del nuevo reglamento prohíben el tratamiento de los datos personales relativos a la salud, pero las numerosas excepciones a esta regla general pueden limitar los derechos del interesado. Además, la falta de medidas técnicas y organizativas comunes para garantizar el respeto del principio de minimización de datos y la falta de obligación de aplicar medidas de compatibilidad para intercambiar, cuando sea necesario, los datos obtenidos en los Estados miembros pueden poner en grave riesgo los beneficios de la regulación y amenazar la efectividad del derecho a la privacidad

New European Regulations on clinical trials, medical devices or the European Regulation on data protection, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, incorporate several rules to ensure the right to privacy and the data protection in the field of health. However, the fragmentation of the regulation, the risk of cyber-attacks and security breaches, the massive leaks of big data or the unauthorized use of biometric data, lead us to question about the dominant role that the regulation gives to the prior consent of the owner in the transfer of personal data as a key of the system. In this sense, the rules of protection of general data of the new Regulation prohibit the treatment of the personal data relating to health, but numerous exceptions to this general rule, may limit the rights of the person concerned. In addition, the lack of common technical and organizational measures to ensure the respect of the principle of data minimization and lack of obligation to implement measures of support for exchange, where necessary, the data obtained in the States Members can put at risk the benefits of regulation and threaten the effectiveness of the right to privacy

Revisión de las categorías jurídicas de la normativa europea ante la tecnología del big data aplicada a la salud / Revision of the legal categories of the European regulation in the face of big data technology applied to health

El nuevo RGPD dedica una mayor atención específica a los datos personales relativos a la salud, lo cual era estrictamente necesario. Además, se incluyen de forma explícita y por primera vez varias referencias a los datos genéticos en cuanto datos relativos a la salud, aunque separados de éstos. La posición actual de la UE y de los EM sobre el estatuto jurídico de los datos relativos a la salud ha cambiado sensiblemente, pues, aunque éstos conservan su condición de datos "sensibles", esto es, de datos que gozan de una protección jurídica especial, se ha decidido también facilitar el acceso a estos datos por parte de los diversos profesionales de la salud que tengan que prestar su actividad asistencial con el fin de ganar en eficacia y en rapidez respecto a dicho acceso. Mientras que en este supuesto se han querido primar los intereses del propio titular de los datos en relación con su salud, en el caso de la investigación relativa a la salud o biomédica con la eliminación o relajación de ciertos requisitos se ha dado preferencia al interés social que representa la misma frente al derecho individual a la protección de los datos personales, en la medida en que los resultados y avances científicos en el sector de la salud contribuyen al bienestar de la colectividad. Es obvio que otras disposiciones de carácter más general, que atienden también a situaciones nuevas o cambiantes, y por tanto a las necesidades jurídicas actuales, serán aplicables asimismo a los datos relativos a la salud; así, respecto al tratamiento masivo de datos y el flujo transnacional de datos, que han experimentado modificaciones relevantes con el nuevo marco legal europeo y, como es sabido, ambos supuestos son de extraordinario interés para los datos relativos a la salud. Coherentemente, la legislación interna de nuestro país sobre protección de datos personales ha sido objeto de revisión y de adaptación parlamentarias al RGPD mediante la promulgación de una nueva ley orgánica. En este artículo el autor estudia algunos conceptos y categorías jurídicas nuevos o revisados por la nueva regulación europea o que requieren un enfoque diferente, con el fin de delimitar su verdadero significado y alcance en la actualidad. Para este fin, tiene presente la nueva regulación estatal sobre protección de datos cuando resulta pertinente

The new GDPR devotes more specific attention to personal data relating to health, which was strictly necessary. In addition, for the first time a number of references to genetic data are explicitly included as health-related data but separate from them. The current position of the EU and the MS on the legal status of health data has changed significantly, even though they retain their status as "sensitive" data, i.e. data enjoying special legal protection, it has also been decided to facilitate access to these data by the various health professionals who have to provide care in order to increase the efficiency and speed of such access. While in this case the interests of the data subject in relation to his/her health have been prioritised, in the case of health or biomedical research with the elimination or relaxation of certain requirements, preference has been given to the social interest which it represents over the individual right to the protection of personal data, insofar as scientific results and advances in the health sector contribute to the well-being of the community. It is obvious that other provisions of a more general nature, which also deal with new or changing situations, and therefore with current legal needs, will also apply to data relating to health; thus, with regard to the massive processing of data and the transnational flow of data, which have undergone relevant modifications with the new European legal framework and, as is known, both assumptions are of extraordinary interest for data relating to health. Consistently, our country's internal legislation on the protection of personal data has been subject to parliamentary revision and adaptation to the GDPR through the enactment of a new fundamental law. In this paper the author studies some legal concepts and categories that are new or revised by the new European regulation or that require a different approach, in order to delimit their true meaning and scope at present. To this end, the author takes into account the new state regulation on data protection when it is relevant for that purpose

Observational health research in Europe: understanding the General Data Protection Regulation and underlying debate.

Insights into the incidence and survival of cancer, the influence of lifestyle and environmental factors and the interaction of treatment regimens with outcomes are hugely dependent on observational research, patient data derived from the healthcare system and from volunteers participating in cohort studies, often non-selective. Since 25th May 2018, the European General Data Protection Regulation (GDPR) applies to such data. The GDPR focusses on more individual control for data subjects of 'their' data. Yet, the GDPR was preceded by a long debate. The research community participated actively in that debate, and as a result, the GDPR has research exemptions as well. Some of those apply directly; other exemptions need to be implemented into national law. Those exemptions will be discussed together with a general outline of the GDPR. I propose a substantive definition of research-absent in the GDPR-which can warrant its special status in the GDPR. The debate is not over yet. Most legal texts exhibit ambiguity and are interpreted against a background of values. In this case, those could be subsumed under informational self-determination versus solidarity and the deeper meaning of autonomy. Values will also guide national implementation and their interpretation. The value of individual control or informational self-determination should be balanced by nuanced visions about our mutual dependency in healthcare, as an ever-learning system, especially in the European solidarity-based healthcare systems. Good research governance might be a way forward to escape the consent or anonymise dichotomy.

United Kingdom: transfers of genomic data to third countries.

In the United Kingdom (UK), transfer of genomic data to third countries is regulated by data protection legislation. This is a composite of domestic and European Union (EU) law, with EU law to be adopted as domestic law when Brexit takes place. In this paper we consider the content of data protection legislation and the likely impact of Brexit on transfers of genomic data from the UK to other countries. We examine the advice by regulators not to rely upon consent as a lawful basis for processing under data protection law, at least not when personal data are used for research purposes, and consider some of the other ways in which the research context can qualify an individual's ability to exercise control over processing operations. We explain how the process of pseudonymization is to be understood in the context of transfer of genomic data to third parties, as well as how adequacy of data protection in a third country is to be determined in general terms. We conclude with reflections on the future direction of UK data protection law post Brexit with the reclassification of the UK itself as a third country.

United States: law and policy concerning transfer of genomic data to third countries.

This paper provides an overview of US laws and related guidance documents affecting transfer of genomic data to third countries, addressing the domains of consent, privacy, security, compatible processing/adequacy, and oversight. In general, US laws governing research and disclosure and use of data generated within the health care system do not impose different requirements on transfers to researchers and service providers based in third countries compared with US-based researchers or service providers. Of note, the US lacks a comprehensive data protection regime. Data protections are piecemeal, spread across bodies of law that target specific kinds of research or data generated or held by specific kinds of actors involved in the delivery of health care. Oversight is also distributed across a range of bodies, including institutional review boards and data access committees. The conclusion to this paper examines future directions in US law and policy, including proposals for more comprehensive protections for personal data.

China: concurring regulation of cross-border genomic data sharing for statist control and individual protection.

This paper reviews the major legal instruments and self-regulations that bear heavily on the cross-border sharing of genomic data in China. It first maps out three overlapping frameworks on genomic data and analyzes their underpinning policy goals. Subsequent sections examine the regulatory approaches with respect to five aspects of responsible use and sharing of genomic data, namely, consent, privacy, security, compatible processing, and oversight. It argues that substantial centralised control exerted by the state is, and would probably remain, the dominant feature of genomic data governance in China, though concerns of individual protection are gaining momentum. Rather than revolving around a simplistic antinomy between privacy preservation and open science, the regulatory landscape is mainly shaped by the tension between government desires for national security, state competitiveness, and public health benefits.

Canada: will privacy rules continue to favour open science?

Canada's regulatory frameworks governing privacy and research are generally permissive of genomic data sharing, though they may soon be tightened in response to public concerns over commercial data handling practices and the strengthening of influential European privacy laws. Regulation can seem complex and uncertain, in part because of the constitutional division of power between federal and provincial governments over both privacy and health care. Broad consent is commonly practiced in genomic research, but without explicit regulatory recognition, it is often scrutinized by research or privacy oversight bodies. Secondary use of health-care data is legally permissible under limited circumstances. A new federal law prohibits genetic discrimination, but is subject to a constitutional challenge. Privacy laws require security safeguards proportionate to the data sensitivity, including breach notification. Special categories of data are not defined a priori. With some exceptions, Canadian researchers are permitted to share personal information internationally but are held accountable for safeguarding the privacy and security of these data. Cloud computing to store and share large scale data sets is permitted, if shared responsibilities for access, responsible use, and security are carefully articulated. For the moment, Canada's commercial sector is recognized as "adequate" by Europe, facilitating import of European data. Maintaining adequacy status under the new European General Data Protection Regulation (GDPR) is a concern because of Canada's weaker individual rights, privacy protections, and regulatory enforcement. Researchers must stay attuned to shifting international and national regulations to ensure a sustainable future for responsible genomic data sharing.

Personally Identifiable Information in State Laws: Use, Release, and Collaboration at Health Departments.

Despite benefits to sharing data among public health programs, confidentiality laws are often presumed to obstruct collaboration or data sharing. We present an overview of the use and release of confidential, personally identifiable information as consistent with public health interests and identify opportunities to align data-sharing procedures with use and release provisions in state laws to improve program outcomes. In August 2013, Centers for Disease Control and Prevention staff and legal researchers from the National Nurse-Led Care Consortium conducted a review of state laws regulating state and local health departments in 50 states and the District of Columbia. Nearly all states and the District of Columbia employ provisions for the general use and release of personally identifiable information without patient consent; disease-specific use or release provisions vary by state. Absence of law regarding use and release provisions was noted. Health departments should assess existing state laws to determine whether the use or release of personally identifiable information is permitted. Absence of direction should not prevent data sharing but prompt an analysis of existing provisions in confidentiality laws.