Lucie White,Philippe van Basshuysen

DOI: https://doi.org/10.1007/s11948-021-00301-0

IF: 3.777

2021-03-29

Science and Engineering Ethics

Abstract:Abstract At the beginning of the COVID-19 pandemic, high hopes were placed on digital contact tracing. Digital contact tracing apps can now be downloaded in many countries, but as further waves of COVID-19 tear through much of the northern hemisphere, these apps are playing a less important role in interrupting chains of infection than anticipated. We argue that one of the reasons for this is that most countries have opted for decentralised apps, which cannot provide a means of rapidly informing users of likely infections while avoiding too many false positive reports. Centralised apps, in contrast, have the potential to do this. But policy making was influenced by public debates about the right app configuration, which have tended to focus heavily on privacy, and are driven by the assumption that decentralised apps are “privacy preserving by design”. We show that both types of apps are in fact vulnerable to privacy breaches, and, drawing on principles from safety engineering and risk analysis, compare the risks of centralised and decentralised systems along two dimensions, namely the probability of possible breaches and their severity. We conclude that a centralised app may in fact minimise overall ethical risk, and contend that we must reassess our approach to digital contact tracing, and should, more generally, be cautious about a myopic focus on privacy when conducting ethical assessments of data technologies.

ethics,history & philosophy of science,multidisciplinary sciences,engineering, multidisciplinary

Andrej Zwitter,Oskar J. Gstrein

DOI: https://doi.org/10.1186/s41018-020-00072-6

2020-05-18

Journal of International Humanitarian Action

Abstract:Abstract The COVID-19 pandemic leads governments around the world to resort to tracking technology and other data-driven tools in order to monitor and curb the spread of SARS-CoV-2. Such large-scale incursion into privacy and data protection is unthinkable during times of normalcy. However, in times of a pandemic the use of location data provided by telecom operators and/or technology companies becomes a viable option. Importantly, legal regulations hardly protect people’s privacy against governmental and corporate misuse. Established privacy regimes are focused on individual consent, and most human rights treaties know derogations from privacy and data protection norms for states of emergency. This leaves little safeguards nor remedies to guarantee individual and collective autonomy. However, the challenge of responsible data use during a crisis is not novel. The humanitarian sector has more than a decade of experience to offer. International organisations and humanitarian actors have developed detailed guidelines on how to use data responsibly under extreme circumstances. This article briefly addresses the legal gap of data protection and privacy during this global crisis. Then it outlines the state of the art in humanitarian practice and academia on data protection and data responsibility during crisis.

Kirsten Bock,Christian Ricardo Kühne,Rainer Mühlhoff,Měto R. Ost,Jörg Pohle,Rainer Rehak

DOI: https://doi.org/10.2139/ssrn.3588172

2020-01-01

SSRN Electronic Journal

Abstract:Since SARS-CoV-2 started spreading in Europe in early 2020, there has been a strong call for technical solutions to combat or contain the pandemic, with contact tracing apps at the heart of the debates. The EU's General Daten Protection Regulation (GDPR) requires controllers to carry out a data protection impact assessment (DPIA) where their data processing is likely to result in a high risk to the rights and freedoms (Art. 35 GDPR). A DPIA is a structured risk analysis that identifies and evaluates possible consequences of data processing relevant to fundamental rights in advance and describes the measures envisaged to address these risks or expresses the inability to do so.Based on the Standard Data Protection Model (SDM), we present a scientific DPIA which thoroughly examines three published contact tracing app designs that are considered to be the most privacy-friendly: PEPP-PT, DP-3T and a concept summarized by CCC member Linus Neumann, all of which process personal health data. We show that even a decentralized architecture involves numerous serious weaknesses and risks, including larger ones left unaddressed. We also found that none of the proposed designs operates on anonymous data or ensures proper anonymization, that informed consent would not be a legitimate legal ground for the processing, that data subjects' rights are not sufficiently safeguarded, and that no design provides for sufficient purpose-binding.

Biljana DAMJANOVIĆ,Sanja GRBOVIĆ,Danilo ĆUPIĆ

DOI: https://doi.org/10.57017/jorit.v2.2(4).09

2023-12-01

Abstract:The basic constitutional freedoms and rights of a person and citizen are in principle unlimited: the full scope of their exercise is the rule, and the restriction determined by law can only be an exception based on explicit constitutional authority and the legitimate aim of the restriction determined by the Constitution. That being so, the restrictions - in addition to being based on constitutional authority and pursuing constitutional objectives - should be commensurate with the needs to achieve these objectives. This means that restrictive legal rules must be suitable for achieving the legitimate aim pursued, must not be stricter than necessary and must be balanced between the constitutionally guaranteed subjective right of the individual and the interests of society.In this paper, the authors point out the economic and legal consequences of the violation of individual privacy and data protection rights caused by the public disclosure of personal data of people who, at a certain time, were obliged to self-isolate due to suspicion of Covid-19 virus infection. 

Maria Christofidou,Nathan Lea,Pascal Coorevits

DOI: https://doi.org/10.1055/s-0041-1726512

Abstract:Objective: This survey article presents a literature review of relevant publications aiming to explore whether the EU's General Data Protection Regulation (GDPR) has held true during a time of crisis and the implications that arose during the COVID-19 outbreak. Method and results: Based on the approach taken and the screening of the relevant articles, the results focus on three themes: a critique on GDPR; the ethics surrounding the use of digital health technologies, namely in the form of mobile applications; and the possibility of cross border transfers of said data outside of Europe. Within this context, the article reviews the arising themes, considers the use of data through mobile health applications, and discusses whether data protection may require a revision when balancing societal and personal interests. Conclusions: In summary, although it is clear that the GDPR has been applied through a mixed and complex experience with data handling during the pandemic, the COVID-19 pandemic has indeed shown that it was a test the GDPR was designed and prepared to undertake. The article suggests that further review and research is needed to first ensure that an understanding of the state of the art in data protection during the pandemic is maintained and second to subsequently explore and carefully create a specific framework for the ethical considerations involved. The paper echoes the literature reviewed and calls for the creation of a unified and harmonised network or database to enable the secure data sharing across borders.

Stuart McLennan,Sarah Rachut,Johannes Lange,Amelia Fiske,Dirk Heckmann,Alena Buyx

DOI: https://doi.org/10.2196/38754

2022-06-27

Abstract:Background: The COVID-19 pandemic is a threat to global health and requires collaborative health research efforts across organizations and countries to address it. Although routinely collected digital health data are a valuable source of information for researchers, benefiting from these data requires accessing and sharing the data. Health care organizations focusing on individual risk minimization threaten to undermine COVID-19 research efforts, and it has been argued that there is an ethical obligation to use the European Union's General Data Protection Regulation (GDPR) scientific research exemption during the COVID-19 pandemic to support collaborative health research. Objective: This study aims to explore the practices and attitudes of stakeholders in the German federal state of Bavaria regarding the secondary use of health data for research purposes during the COVID-19 pandemic, with a specific focus on the GDPR scientific research exemption. Methods: Individual semistructured qualitative interviews were conducted between December 2020 and January 2021 with a purposive sample of 17 stakeholders from 3 different groups in Bavaria: researchers involved in COVID-19 research (n=5, 29%), data protection officers (n=6, 35%), and research ethics committee representatives (n=6, 35%). The transcripts were analyzed using conventional content analysis. Results: Participants identified systemic challenges in conducting collaborative secondary-use health data research in Bavaria; secondary health data research generally only happens when patient consent has been obtained, or the data have been fully anonymized. The GDPR research exemption has not played a significant role during the pandemic and is currently seldom and restrictively used. Participants identified 3 key groups of barriers that led to difficulties: the wider ecosystem at many Bavarian health care organizations, legal uncertainty that leads to risk-adverse approaches, and ethical positions that patient consent ought to be obtained whenever possible to respect patient autonomy. To improve health data research in Bavaria and across Germany, participants wanted greater legal certainty regarding the use of pseudonymized data for research purposes without the patient's consent. Conclusions: The current balance between enabling the positive goals of health data research and avoiding associated data protection risks is heavily skewed toward avoiding risks; so much so that it makes reaching the goals of health data research extremely difficult. This is important, as it is widely recognized that there is an ethical imperative to use health data to improve care. The current approach also creates a problematic conflict with the ambitions of Germany, and the federal state of Bavaria, to be a leader in artificial intelligence. A recent development in the field of German public administration known as norm screening (Normenscreening) could potentially provide a systematic approach to minimize legal barriers. This approach would likely be beneficial to other countries.

Michael J. S. Beauvais,Bartha Maria Knoppers

DOI: https://doi.org/10.3389/fgene.2021.659027

IF: 3.7

2021-04-14

Frontiers in Genetics

Abstract:The COVID-19 pandemic has underscored the need for new ways of thinking about data protection. This is especially so in the case of health research with children. The responsible use of children’s data plays a key role in promoting children’s well-being and securing their right to health and to privacy. In this article, we contend that a contextual approach that appropriately balances children’s legal and moral rights and interests is needed when thinking about data protection issues with children. We examine three issues in health research through a child-focused lens: consent to data processing, data retention, and data protection impact assessments. We show that these issues present distinctive concerns for children and that the General Data Protection Regulation provides few bright-line rules. We contend that there is an opportunity for creative approaches to children’s data protection when child-specific principles, such as the best interests of the child and the child’s right to be heard, are put into dialogue with the structure and logic of data protection law.

genetics & heredity

Katarzyna Kolasa,Francesca Mazzi,Ewa Leszczuk-Czubkowska,Zsombor Zrubka,Márta Péntek

DOI: https://doi.org/10.2196/23250

2021-06-10

Abstract:Background: During the COVID-19 pandemic, contact tracing apps have received a lot of public attention. The ongoing debate highlights the challenges of the adoption of data-driven innovation. We reflect on how to ensure an appropriate level of protection of individual data and how to maximize public health benefits that can be derived from the collected data. Objective: The aim of the study was to analyze available COVID-19 contact tracing apps and verify to what extent public health interests and data privacy standards can be fulfilled simultaneously in the process of the adoption of digital health technologies. Methods: A systematic review of PubMed and MEDLINE databases, as well as grey literature, was performed to identify available contact tracing apps. Two checklists were developed to evaluate (1) the apps' compliance with data privacy standards and (2) their fulfillment of public health interests. Based on both checklists, a scorecard with a selected set of minimum requirements was created with the goal of estimating whether the balance between the objective of data privacy and public health interests can be achieved in order to ensure the broad adoption of digital technologies. Results: Overall, 21 contact tracing apps were reviewed. In total, 11 criteria were defined to assess the usefulness of each digital technology for public health interests. The most frequently installed features related to contact alerting and governmental accountability. The least frequently installed feature was the availability of a system of medical or organizational support. Only 1 app out of 21 (5%) provided a threshold for the population coverage needed for the digital solution to be effective. In total, 12 criteria were used to assess the compliance of contact tracing apps with data privacy regulations. Explicit user consent, voluntary use, and anonymization techniques were among the most frequently fulfilled criteria. The least often implemented criteria were provisions of information about personal data breaches and data gathered from children. The balance between standards of data protection and public health benefits was achieved best by the COVIDSafe app and worst by the Alipay Health Code app. Conclusions: Contact tracing apps with high levels of compliance with standards of data privacy tend to fulfill public health interests to a limited extent. Simultaneously, digital technologies with a lower level of data privacy protection allow for the collection of more data. Overall, this review shows that a consistent number of apps appear to comply with standards of data privacy, while their usefulness from a public health perspective can still be maximized.

MIKHEIL BICHIA

DOI: https://doi.org/10.35945//gb.2021.11.005

2021-07-05

Globalization and Business

Abstract:Protection of the private sphere has become particularly important in the context of the pandemic, due, on the one hand, to the increasing use of technical means and, on the other, to the use of personal data to prevent infection. Accordingly, the purpose of the study is to define the scope of the concept of a private sphere in order to determine which relationships the public sphere applies to and when privacy begins. In this context, it must be clarified what the reasons are for intervening in the private sphere during the pandemic and whether a limitation of the right can be considered permissible (legal). Using normative-dogmatic, comparative, sociological methods, as well as analysis and synthesis of problems, it was established that the public and private spheres intersect in the information society, which makes it difficult to separate these spheres. However, the increased use of technology during the pandemic was found to pose a greater threat of interference in the private sphere. In this regard, it is important to establish strong and effective cybersecurity mechanisms. Thus, it is true that technological development benefits society and is perceived as a good thing, but at the same time contains the threat of invasion of privacy. This is especially true for the use of personal data during a pandemic to ensure public health. In this case, a conflict of interest arises between the private sphere and public health, which must be resolved by careful examination of the case and taking into account the principle of proportionality, so as not to violate an unreasonable right. A study of European practice has shown that interference in the private life is permissible if the restriction of the right (a) legally, (b) serves the legitimate public interest, (c) such restriction is necessary in a democratic society through the application of other, less restrictive measures. In this regard, it is advisable to determine the priority interest on the basis of a scrupulous analysis using the weighing method and the circumstances outlined above, which will prevent unreasonable interference with someone's rights.

Ondřej Pavelek,Drahomíra Zajíčková

DOI: https://doi.org/10.2478/bjes-2021-0020

2021-09-01

TalTech Journal of European Studies

Abstract:Abstract Personal data protection is one of the important areas of the EU’s operation and the general public is especially aware of the General Data Protection Regulation (GDPR). However, personal data protection has been an issue in the EU for a long time. The Court of Justice of the European Union (CJEU) plays a major role in personal data protection as their function is to interpret EU law and thus also EU legislation related to personal data protection. Until now, research papers have tackled specific issues related to interpreting EU legislation or analyses of specific decisions made by the CJEU. However, no comprehensive empirical legal study has been published so far which would evaluate the decision-making of the CJEU in the area of personal data protection using a combination of quantitative and qualitative methods. Therefore, no analysis has been carried out to determine how many decisions of the CJEU have been related to personal data protection, how their number has increased, or which participants and from which areas have participated in the proceedings. The results of the analysis presented here can be used as a basis for studying the future development of the CJEU’s decision-making in the area of personal data protection in relation to digitization and especially to the COVID-19 pandemic, which undoubtedly has contributed to a significant increase in online communication, posing new challenges towards a more efficient personal data protection in the online world.

Vibhushinie Bentotahewa,Chaminda Hewage,Jason Williams

DOI: https://doi.org/10.3389/fdata.2021.645204

2021-12-15

Frontiers in Big Data

Abstract:The growing dependency on digital technologies is becoming a way of life, and at the same time, the collection of data using them for surveillance operations has raised concerns. Notably, some countries use digital surveillance technologies for tracking and monitoring individuals and populations to prevent the transmission of the new coronavirus. The technology has the capacity to contribute towards tackling the pandemic effectively, but the success also comes at the expense of privacy rights. The crucial point to make is regardless of who uses and which mechanism, in one way another will infringe personal privacy. Therefore, when considering the use of technologies to combat the pandemic, the focus should also be on the impact of facial recognition cameras, police surveillance drones, and other digital surveillance devices on the privacy rights of those under surveillance. The GDPR was established to ensure that information could be shared without causing any infringement on personal data and businesses; therefore, in generating Big Data, it is important to ensure that the information is securely collected, processed, transmitted, stored, and accessed in accordance with established rules. This paper focuses on Big Data challenges associated with surveillance methods used within the COVID-19 parameters. The aim of this research is to propose practical solutions to Big Data challenges associated with COVID-19 pandemic surveillance approaches. To that end, the researcher will identify the surveillance measures being used by countries in different regions, the sensitivity of generated data, and the issues associated with the collection of large volumes of data and finally propose feasible solutions to protect the privacy rights of the people, during the post-COVID-19 era.

Andrew Buzzell

DOI: https://doi.org/10.48550/arXiv.2007.07016

2020-07-14

Abstract:Debate about the adoption of digital contact tracing (DCT) apps to control the spread of COVID-19 has focussed on risks to individual privacy (Sharma & Bashir 2020, Tang 2020). This emphasis reveals significant challenges to ethical deployment of DCT, but generates constraints which undermine justification to implement DCT. It would be a mistake to view this result solely as the successful operation of ethical foresight analysis (Floridi & Strait 2020), preventing deployment of potentially harmful technology. Privacy-centric analysis treats data as private property, frames the relationship between individuals and governments as adversarial, entrenches technology platforms as gatekeepers, and supports a conception of emergency public health authority as limited by individual consent and considerable corporate influence that is in some tension with the more communitarian values that typically inform public health ethics. To overcome the barriers to ethical and effective DCT, and develop infrastructure and policy that supports the realization of potential public benefits of digital technology, a public resource conception of aggregate data should be developed.

Computers and Society,Cryptography and Security

Olivia M. Y. Ngan,Adam M. Kelmenson

DOI: https://doi.org/10.1177/1010539520984360

2020-12-31

Asia Pacific Journal of Public Health

Abstract:While many freedoms became halted by city lockdowns and restrictive travel bans amid coronavirus crisis, some countries and regions reopened with public health monitoring and surveillance measures in place. Technology applications such as real-time location data, geofencing technology, video camera footage, and credit card history are now used in novel and poorly understood ways to track movement patterns to stem viral spread. The use of big data analytics, which sometimes involve involuntary and unconsented data access and disclosure, raise public unease about data protection. The result is a balance between public health safety and ethical use of personal data that pushes the limits of privacy rights. Is it ethically permissible to use big data analytics instantiating the goal of public health by infringing on personal privacy in exchange for maximizing public security? Demonstrating the effectiveness of public health measures is difficult as scientific uncertainties and social complexities are presented. This article provides some public health ethics considerations in balancing benefits of public security and personal privacy infringement, supported with examples drawn from Asian countries and regions.

public, environmental & occupational health

Simant Shankar Bharti,Saroj Kumar Aryal

DOI: https://doi.org/10.1080/14782804.2022.2130193

2022-10-09

Journal of Contemporary European Studies

Abstract:The article traces the European Union (EU)'s General Data Protection Regulation (GDPR) and implication in the Europe. In the era of global digitalisation, the right to respect private life, communication and the home has become a matter of protection. Protecting the right to privacy is a responsibility of a state which includes privacy of personal information, e.g. birth, messages, phone call and number and emails. Likewise, this study explains EU concern's about its citizens' privacy and the recent inclusion of the GDPR for the protection of natural persons. The article aims to explore individual fundamental rights and implications in the digital age, as well as cooperation data rules between companies and public bodies. At the same time, questions arise about the rightful implication of GDPR and the right to privacy of the public through protection, especially from tech companies. For validating the argument, various qualitative research methods were applied. The COVID-19 pandemic has raised a serious question over privacy rights protection by the government, which supports our findings that EU GDPR has a long road to go and have challenges. Its credibility of lawful data activities is also a matter of concern and a reliable promise by the member states and the EU.

area studies,political science,international relations

Luca Marelli,Giuseppe Testa,Ine Van Hoyweghen

DOI: https://doi.org/10.1177/20539517211018783

2021-01-01

Abstract:The emergence of a global industry of digital health platforms operated by Big Tech corporations, and its growing entanglements with academic and pharmaceutical research networks, raise pressing questions on the capacity of current data governance models, regulatory and legal frameworks to safeguard the sustainability of the health research ecosystem. In this article, we direct our attention toward the challenges faced by the European General Data Protection Regulation in regulating the potentially disruptive engagement of Big Tech platforms in health research. The General Data Protection Regulation upholds a rather flexible regime for scientific research through a number of derogations to otherwise stricter data protection requirements, while providing a very broad interpretation of the notion of “scientific research”. Precisely the breadth of these exemptions combined with the ample scope of this notion could provide unintended leeway to the health data processing activities of Big Tech platforms, which have not been immune from carrying out privacy-infringing and socially disruptive practices in the health domain. We thus discuss further finer-grained demarcations to be traced within the broadly construed notion of scientific research, geared to implementing use-based data governance frameworks that distinguish health research activities that should benefit from a facilitated data protection regime from those that should not. We conclude that a “re-purposing” of big data governance approaches in health research is needed if European nations are to promote research activities within a framework of high safeguards for both individual citizens and society.

social sciences, interdisciplinary

Rachelle Bosua,Damian Clifford,Megan Richardson

DOI: https://doi.org/10.5204/lthj.2829

2023-09-25

Abstract:While technologies offer potentially powerful tools to help address complex social challenges, experience shows that they may fail to meet expectations and may also raise challenges of their own, including for privacy and other data rights. To what extent can these difficulties be ascribed to a lack of public trust undermining the technologies’ effectiveness and disputing their legitimacy? The Australian and Dutch pandemic contact-tracing apps considered in this article suggest part of an answer to this question. As our case studies show, the greater efforts made by the Dutch Government to address a range of rights and provide for wide consultation in the CoronaMelder app’s various impact assessments paid off in terms of a better-designed app that was more broadly conversant with human rights than its Australian COVIDSafe counterpart, and was also more trusted—even if these benefits were still marginal compared to manual contact-tracking, especially in already marginalised communities. We argue that the Dutch experience should now be taken further to frame a right of social dialogue allowing data rights subjects to participate fully in the impact assessment process. We hope (and expect) this would result in better decision-making and improved public trust in ‘truly trustworthy’ technologies developed and deployed in response to a pandemic. However, ultimately, our more basic argument is that rights, premised on dignity and liberty, are of value and should be respected, including—indeed especially—in pandemic times.

Andrea Parziale,Deborah Mascalzoni

DOI: https://doi.org/10.3389/fpsyt.2022.873392

IF: 4.7

2022-06-10

Frontiers in Psychiatry

Abstract:Psychiatric research traditionally relies on subjective observation, which is time-consuming and labor-intensive. The widespread use of digital devices, such as smartphones and wearables, enables the collection and use of vast amounts of user-generated data as "digital biomarkers." These tools may also support increased participation of psychiatric patients in research and, as a result, the production of research results that are meaningful to them. However, sharing mental health data and research results may expose patients to discrimination and stigma risks, thus discouraging participation. To earn and maintain participants' trust, the first essential requirement is to implement an appropriate data governance system with a clear and transparent allocation of data protection duties and responsibilities among the actors involved in the process. These include sponsors, investigators, operators of digital tools, as well as healthcare service providers and biobanks/databanks. While previous works have proposed practical solutions to this end, there is a lack of consideration of positive data protection law issues in the extant literature. To start filling this gap, this paper discusses the GDPR legal qualifications of controller, processor, and joint controllers in the complex ecosystem unfolded by the integration of digital biomarkers in psychiatric research, considering their implications and proposing some general practical recommendations.

psychiatry

Iulian Nastasa,Florentina-Ligia Furtunescu,Dana-Galieta Minca

DOI: https://doi.org/10.26574/maedica.2024.19.2.2982024;

Abstract:Objective: The General Data Protection Regulation (GDPR), which became effective on May 25, 2016, underscored the significance of confidentiality across various economic and social domains. Within the medical sector, confidentiality of patient health information is meticulously governed by laws, e.g., no. 95/2006 and no. 46/2003. While these laws address numerous privacy aspects within the doctor-patient relationship, it becomes necessary to update them to align with the latest advancements in emerging technologies, particularly in the context of telemedicine. Material and methods: Upon reviewing the overview of rules pertaining to health data processing in Romania, as published by the European Data Protection Board (EDPB) in 2021, and comparing it with the current public health and research laws in Romania, it becomes apparent that there is a regulatory gap concerning the secondary use of health data. Results: This gap is particularly notable in terms of planning, managing and enhancing the healthcare system, as well as utilizing such data for scientific and historical research purposes, leading to the necessity of developing and regulating the European Health Data Space. Conclusion: Although steps have been taken to align the GDPR legislation in Romania, there is still a disproportionality in the regulation of privacy and cyber security with the implementation of new technologies that will collect, process and store sensitive medical data.

Antonia Vlahou,Dara Hallinan,Rolf Apweiler,Angel Argiles,Joachim Beige,Ariela Benigni,Rainer Bischoff,Peter C Black,Franziska Boehm,Jocelyn Céraline,George P Chrousos,Christian Delles,Pieter Evenepoel,Ivo Fridolin,Griet Glorieux,Alain J van Gool,Isabel Heidegger,John P A Ioannidis,Joachim Jankowski,Vera Jankowski,Carmen Jeronimo,Ashish M Kamat,Rosalinde Masereeuw,Gert Mayer,Harald Mischak,Alberto Ortiz,Giuseppe Remuzzi,Peter Rossing,Joost P Schanstra,Bernd J Schmitz-Dräger,Goce Spasovski,Jan A Staessen,Dimitrios Stamatialis,Peter Stenvinkel,Christoph Wanner,Stephen B Williams,Faiez Zannad,Carmine Zoccali,Raymond Vanholder

DOI: https://doi.org/10.1161/HYPERTENSIONAHA.120.16340

IF: 9.8968

Hypertension

Abstract:The General Data Protection Regulation (GDPR) became binding law in the European Union Member States in 2018, as a step toward harmonizing personal data protection legislation in the European Union. The Regulation governs almost all types of personal data processing, hence, also, those pertaining to biomedical research. The purpose of this article is to highlight the main practical issues related to data and biological sample sharing that biomedical researchers face regularly, and to specify how these are addressed in the context of GDPR, after consulting with ethics/legal experts. We identify areas in which clarifications of the GDPR are needed, particularly those related to consent requirements by study participants. Amendments should target the following: (1) restricting exceptions based on national laws and increasing harmonization, (2) confirming the concept of broad consent, and (3) defining a roadmap for secondary use of data. These changes will be achieved by acknowledged learned societies in the field taking the lead in preparing a document giving guidance for the optimal interpretation of the GDPR, which will be finalized following a period of commenting by a broad multistakeholder audience. In parallel, promoting engagement and education of the public in the relevant issues (such as different consent types or residual risk for re-identification), on both local/national and international levels, is considered critical for advancement. We hope that this article will open this broad discussion involving all major stakeholders, toward optimizing the GDPR and allowing a harmonized transnational research approach.

John M M Rumbold,Barbara K Pierscionek

DOI: https://doi.org/10.1186/s12910-017-0184-y

2017-04-08

Abstract:The EU offers a suitable milieu for the comparison and harmonisation of healthcare across different languages, cultures, and jurisdictions (albeit with a supranational legal framework), which could provide improvements in healthcare standards across the bloc. There are specific ethico-legal issues with the use of data in healthcare research that mandate a different approach from other forms of research. The use of healthcare data over a long period of time is similar to the use of tissue in biobanks. There is a low risk to subjects but it is impossible to gain specific informed consent given the future possibilities for research. Large amounts of data on a subject present a finite risk of re-identification. Consequently, there is a balancing act between this risk and retaining sufficient utility of the data. Anonymising methods need to take into account the circumstances of data sharing to enable an appropriate balance in all cases. There are ethical and policy advantages to exceeding the legal requirements and thereby securing the social licence for research. This process would require the examination and comparison of data protection laws across the trading bloc to produce an ethico-legal framework compatible with the requirements of all member states. Seven EU jurisdictions are given consideration in this critique.