Reconciling the biomedical data commons and the GDPR: three lessons from the EUCAN ELSI collaboratory.

The coming-into-force of the EU General Data Protection Regulation (GDPR) is a watershed moment in the legal recognition of enforceable rights to informational self-determination. The rapid evolution of legal requirements applicable to data use, however, has the potential to outstrip the capabilities of networks of biomedical data users to respond to the shifting norms. It can also delegitimate established institutional bodies that are responsible for assessing and authorising the downstream use of data, including research ethics committees and institutional data custodians. These burdens are especially pronounced for clinical and research networks that are of transnational scale, because the legal compliance burden for outbound international data transfers from the EEA is especially high. Legislatures, courts, and regulators in the EU should therefore implement the following three legal changes. First, the responsibilities of particular actors in a data sharing network should be delimited through the contractual allocation of responsibilities between collaborators. Second, the use of data through secure data processing environments should not trigger the international transfer provisions of the GDPR. Third, the use of federated data analysis methodologies that do not provide analysis nodes or downstream users access to identifiable personal data as part of the outputs of those analyses should not be considered circumstances of joint controllership, nor lead to the users of non-identifiable data to be considered controllers or processors. These small clarifications of, or modifications to, the GDPR would facilitate the exchange of biomedical data amongst clinicians and researchers.

El ejercicio post mortem de los derechos de protección de datos personales en el ámbito sanitario / [The post-mortem exercise of personal data protection rights in the healthcare field]

La normativa de protección de datos no es clara a la hora de regular la diferencia entre el acceso a los datos personales del fallecido, y el acceso post mortem de cualquier contenido en formato digital de la persona fallecida. De la misma manera, hoy en día no existe ningún instrumento que permita reflejar la voluntad relativa al ejercicio futuro de los derechos del interesado. (AU)

The data protection regulation is not clear when it comes to regulating the difference between access to the personal data of the deceased, and post mortem access to any content in digital format of the deceased person. In the same way, today there is no instrument that allows reflecting the will regarding the future exercise of the rights of the data subject. (AU)

Informe del Comité de Bioética de España sobre aspectos del uso secundario de los datos y el espacio europeo de protección de datos / [Report of the Spanish Bioethics Committee on aspects of secondary use of data and the European data protection space]

El presente informe da respuesta a la consulta de la Secretaría de Estado de Sanidad del Ministerio de Sanidad de 26 de mayo de 2023 sobre algunos aspectos del uso secundario de los datos y el espacio europeo de protección de datos. Recibida la consulta, el Comité aprobó el siguiente informe en su reunión plenaria del día 7 de noviembre de 2023, conforme a lo dispuesto en el artículo 78.1 a) de la Ley 14/2007, de 3 de julio, de Investigación Biomédica, que fija entre las funciones del Comité emitir informes, propuestas y recomendaciones para los poderes públicos de ámbito estatal y autonómico en asuntos con implicaciones bioéticas relevantes. (AU)

Dataísmo (de la salud), tecnología y privacidad / (Health) dataism, technology and privacy

El dataísmo puede privar al individuo de su privacidad. Las personas reflexionan sobre el coste de oportunidad que supone ceder sus datos y otorgan mayor importancia a la efectividad en la lucha contra enfermedades y pandemias frente a su uso ilícito, ilegal o poco ético. El big data es un bien común de la humanidad, y compartir datos puede salvar vidas, pero aprovechémoslo aplicando correctamente la ética de los datos, donde los gobiernos y organizaciones estén implicados y se respete el derecho fundamental de protección de datos. (AU)

Dataism can deprive the individuals of their privacy. People are reflecting on the opportunity cost of giving away their data and are placing greater importance on the effectiveness of fighting diseases and pandemics than on its illicit, illegal or unethical use. Big data is a common good of humanity, and sharing data can save lives, but let’s harness it with the right application of data ethics, where governments and organisations are involved and the fundamental right to data protection is respected. (AU)

How privacy's past may shape its future.

An account of privacy's evolutionary roots may hold lessons for policies in the digital age.

Flimma: a federated and privacy-aware tool for differential gene expression analysis.

Aggregating transcriptomics data across hospitals can increase sensitivity and robustness of differential expression analyses, yielding deeper clinical insights. As data exchange is often restricted by privacy legislation, meta-analyses are frequently employed to pool local results. However, the accuracy might drop if class labels are inhomogeneously distributed among cohorts. Flimma ( https://exbio.wzw.tum.de/flimma/ ) addresses this issue by implementing the state-of-the-art workflow limma voom in a federated manner, i.e., patient data never leaves its source site. Flimma results are identical to those generated by limma voom on aggregated datasets even in imbalanced scenarios where meta-analysis approaches fail.

Model for successful development and implementation of Cyber Security Operations Centre (SOC).

Cyberattacks have changed dramatically and have become highly advanced. This latest phenomenon has a massive negative impact on organizations, such as financial losses and shutting-down of operations. Therefore, developing and implementing the Cyber Security Operations Centre (SOC) is imperative and timely. Based on previous research, there are no international guidelines and standards used by organizations that can contribute to the successful implementation and development of SOC. In this regard, this study focuses on highlighting the significant factors that will impact and contribute to the success of SOC. Simultaneously, it will further design a model for the successful development and implementation of SOC for the organization. The study was conducted quantitatively and involved 63 respondents from 25 ministries and agencies in Malaysia. The results of this study will enable the retrieval of ten success factors for SOC, and it specifically focuses on humans, processes, and technology. The descriptive analysis shows that the top management support factor is the most influential factor in the success of the development and implementation of SOC. The study also contributes to the empirical finding that technology and process factors are more significant in the success of SOCs. Based on the regression test, the technology factor has major impact on determining the success of SOC, followed by the process and human factors. Relevant organizations or agencies can use the proposed model to develop and implement SOCs, formulate policies and guidelines, strengthen human models, and enhance cyber security.

A Literature Review on the GDPR, COVID-19 and the Ethical Considerations of Data Protection During a Time of Crisis.

OBJECTIVE: This survey article presents a literature review of relevant publications aiming to explore whether the EU's General Data Protection Regulation (GDPR) has held true during a time of crisis and the implications that arose during the COVID-19 outbreak. METHOD AND RESULTS: Based on the approach taken and the screening of the relevant articles, the results focus on three themes: a critique on GDPR; the ethics surrounding the use of digital health technologies, namely in the form of mobile applications; and the possibility of cross border transfers of said data outside of Europe. Within this context, the article reviews the arising themes, considers the use of data through mobile health applications, and discusses whether data protection may require a revision when balancing societal and personal interests. CONCLUSIONS: In summary, although it is clear that the GDPR has been applied through a mixed and complex experience with data handling during the pandemic, the COVID-19 pandemic has indeed shown that it was a test the GDPR was designed and prepared to undertake. The article suggests that further review and research is needed to first ensure that an understanding of the state of the art in data protection during the pandemic is maintained and second to subsequently explore and carefully create a specific framework for the ethical considerations involved. The paper echoes the literature reviewed and calls for the creation of a unified and harmonised network or database to enable the secure data sharing across borders.

Guía práctica para el uso de registros visuales en la era del Reglamento General de Protección de Datos de la Unión Europea / Use of visual media in the era of European Union's General Data Protection Regulation: A practice-oriented guideline

El nuevo Reglamento General de Protección de Datos de la Unión Europea (más comúnmente conocido por sus siglas en inglés como «GDPR») conforma un nuevo marco para la protección de datos común para la Unión Europea. Es por ello que los profesionales del ámbito sanitario deben revisar cómo recopilan y comparten datos para garantizar que estos cumplan con todos los estándares. El propósito de este artículo es concienciar sobre el Reglamento General de Protección de Datos de la Unión Europea y proporcionar una guía práctica que ayude a evitar problemas legales en la redacción de artículos o la preparación de comunicaciones científicas que requieran compartir datos personales y visuales. Para hacer esto, se han analizado las más comunes situaciones donde es necesario recoger y utilizar datos personales y visuales, para finalmente dar una serie de respuestas y recomendaciones para todos los escenarios descritos. (AU)

With the European Union's new General Data Protection Regulation, commonly known as “GDPR”, as the new framework for data protection across the European Union, doctors will need to review how they collect and share personal data to ensure they meet the standards. The aim of this article is to raise awareness on the General Data Protection Regulation, and to provide an easy guideline to steer free from legal problems at the time of drafting papers, presenting lectures and sharing personal data and visual media in particular. To do so, we have analysed the most common situations where personal data, and above all visual media, can be collected, giving clear-cut answers and recommendations for all the scenarios. (AU)

Pacientes y protección de datos. Una aproximación jurídica / Patients and data protection. A legal approach

No disponible

[Current Status and the Future of Protection and Utilization of Personal Information at Medical Facilities Based on the Understanding of Related Regulations].

In September 2015, "the Act on the Protection of Personal Information" was amended. Accordingly, "the Ethical Guidelines for Medical Research Involving Human Subjects" were also amended. "The Act on Anonymized Medical Data That Are Meant to Contribute to Research and Development in the Medical Field," which came into effect in May 2018, aims to collect and utilize medical information of each patient from medical institutions for the purpose of research and development in the medical field. Thus, the rules of personal information that need to be followed are changing considerably in the balance between importance of protection and utilization for medical development. Therefore, health care professionals and researchers are required to fully understand the current situation and the future.

Data Sharing Under the General Data Protection Regulation: Time to Harmonize Law and Research Ethics?

The General Data Protection Regulation (GDPR) became binding law in the European Union Member States in 2018, as a step toward harmonizing personal data protection legislation in the European Union. The Regulation governs almost all types of personal data processing, hence, also, those pertaining to biomedical research. The purpose of this article is to highlight the main practical issues related to data and biological sample sharing that biomedical researchers face regularly, and to specify how these are addressed in the context of GDPR, after consulting with ethics/legal experts. We identify areas in which clarifications of the GDPR are needed, particularly those related to consent requirements by study participants. Amendments should target the following: (1) restricting exceptions based on national laws and increasing harmonization, (2) confirming the concept of broad consent, and (3) defining a roadmap for secondary use of data. These changes will be achieved by acknowledged learned societies in the field taking the lead in preparing a document giving guidance for the optimal interpretation of the GDPR, which will be finalized following a period of commenting by a broad multistakeholder audience. In parallel, promoting engagement and education of the public in the relevant issues (such as different consent types or residual risk for re-identification), on both local/national and international levels, is considered critical for advancement. We hope that this article will open this broad discussion involving all major stakeholders, toward optimizing the GDPR and allowing a harmonized transnational research approach.

Medical and Legal Aspects of the Practice of Teledermatology in Spain. / Aspectos medicolegales de la práctica de la teledermatología en España.

Teledermatology is now fully incorporated into our clinical practice. However, after reviewing current legislation on the ethical aspects of teledermatology (data confidentiality, quality of care, patient autonomy, and privacy) as well as insurance and professional responsibility, we observed that a specific regulatory framework is still lacking and related legal aspects are still at a preliminary stage of development. Safeguarding confidentiality and patient autonomy and ensuring secure storage and transfer of data are essential aspects of telemedicine. One of the main topics of debate has been the responsibilities of the physicians involved in the process, with the concept of designating a single responsible clinician emerging as a determining factor in the allocation of responsibility in this setting. A specific legal and regulatory framework must be put in place to ensure the safe practice of teledermatology for medical professionals and their patients.

What GDPR and the Health Research Regulations (HRRs) mean for Ireland: a research perspective.

BACKGROUND: Irish Health Research Regulations (HRRs) were introduced following the European Union (EU) General Data Protection Regulation (GDPR) in 2018. The HRRs described specific supplementary regulatory requirements for research regarding governance, processes and procedure that impact on several facets of research. The numerous problems that the HRRs and particularly "explicit consent" inadvertently created were presented under the auspices of the Irish Academy of Medical Sciences (IAMS) on November 25, 2019, at the Royal College of Surgeons in Ireland. AIMS: The objective of this review was to obtain feedback and to examine the impact of GDPR and the HRRs on health research in Ireland in order to determine whether the preliminary feedback, presented at the IAMS meetings, was reflected at a national level. METHODS: Individuals from the research community were invited to provide feedback on the impact, if any, of the HRRs on health research. Retrospective patient recruitment and consent outside a hospital setting for a multi-institutional Breast Predict study (funded by the Irish Cancer Society) were also analysed. RESULTS: Feedback replicated the issues presented at the IAMS with additional concerns identified. Only 20% of the original target population (n = 1987) could be included in the Breast Predict study. CONCLUSIONS: Our results confirm that the HRRs have had a significantly negative impact on health research in Ireland. Urgent meaningful engagement between patient advocate groups, the research community and legislators would help ameliorate these impacts.

What GDPR and the Health Research Regulations (HRRs) mean for Ireland: "explicit consent"-a legal analysis.

BACKGROUND: Irish Health Research Regulations (HRRs) were introduced following the commencement of the General Data Protection Regulation (GDPR) in 2018. The HRRs set out supplementary regulatory requirements for research. A legal analysis presented under the auspices of the Irish Academy of Medical Sciences (IAMS) on April 8 and November 25, 2019 at the Royal College of Surgeons in Ireland welcomed the introduction of GDPR and the HRRs. The analysis found the GDPR "explicit consent" introduced by the HRRs is problematic. A call was made to regulate informed consent in line with the common law as an achievable alternative safeguard, bringing Ireland in line with other EU Member States. AIMS: This article aims to review academic papers, legal opinion, EU opinion and advice and data protection law in relation to research and explicit consent, in order to examine the legal burden of GDPR and the HRRs on health research in Ireland and to determine whether the analysis presented at the IAMS meetings is reflected more widely in legal text. METHODS: Legal literature review of academic papers, legal opinion, EU opinion and advice and data protection legislation. RESULTS: The legal literature review overwhelmingly supports the concerns raised. CONCLUSIONS: Our results confirm the GDPR explicit consent requirement of the HRRs is having had a significantly negative and far-reaching impact on the conduct of health research in Ireland. Urgent review of the HRRs and meaningful engagement between the health research community and legislators in healthcare is required.