ABSTRACT
The revised NIS-2 Directive has been assigned to the Committee on Industry, Research, and Energy (ITRE), within the European Parliament, and is intended to form one of the baselines for the European cybersecurity framework, as well as act as a central tool in advancing Europe's strategic autonomy and the Digital Europe Programme (3). The intention is that cyber resilience must be considered a priority at board and senior management level rather than be confined to the remit of technical teams. European Parliament Adopts New Draft Directive," Technology Law Dispatch, Reed Smith LLP, 20 Jan. 2022.
ABSTRACT
Privacy in Electronic Health Records (EHR) has become a significant concern in today's rapidly changing world, particularly for personal and sensitive user data. The sheer volume and sensitive nature of patient records require healthcare providers to exercise an intense quantity of caution during EHR implementation. In recent years, various healthcare providers have been hit by ransomware and distributed denial of service attacks, halting many emergency services during COVID-19. Personal data breaches are becoming more common day by day, and privacy concerns are often raised when sharing data across a network, mainly due to transparency and security issues. To tackle this problem, various researchers have proposed privacy-preserving solutions for EHR. However, most solutions do not extensively use Privacy by Design (PbD) mechanisms, distributed data storage and sharing when designing their frameworks, which is the emphasis of this study. To design a framework for Privacy by Design in Electronic Health Records (PbDinEHR) that can preserve the privacy of patients during data collection, storage, access and sharing, we have analysed the fundamental principles of privacy by design and privacy design strategies, and the compatibility of our proposed healthcare principles with Privacy Impact Assessment (PIA), Australian Privacy Principles (APPs) and General Data Protection Regulation (GDPR). To demonstrate the proposed framework, ‘PbDinEHR', we have implemented a Patient Record Management System (PRMS) to create interfaces for patients and healthcare providers. In addition, to provide transparency and security for sharing patients' medical files with various healthcare providers, we have implemented a distributed file system and two permission blockchain networks using the InterPlanetary File System (IPFS) and Ethereum blockchain. This allows us to expand the proposed privacy by design mechanisms in the future to enable healthcare providers, patients, imaging labs and others to share patient-centric data in a transparent manner. The developed framework has been tested and evaluated to ensure user performance, effectiveness, and security. The complete solution is expected to provide progressive resistance in the face of continuous data breaches in the patient information domain.
ABSTRACT
"The limits of internal medicine" was the congress motto of the 128th Congress of the German Society of Internal Medicine in Wiesbaden in 2022. In his presidential address Prof. Lerch focused on four aspects of this motto: physician-assisted suicide, lessons from the corona pandemic, deficits in the digitalization of the German healthcare system and the German Sonderweg in applying EU regulations for patient data protection. Using data from Canada, Switzerland and the Netherlands, where different forms of physician-assisted suicide are practiced, Prof. Lerch appealed to internists, specifically in family practices, to confront this issue in view of a German Supreme Court ruling. With respect to the development of the corona pandemic he discussed the root causes of the opposition to vaccination in parts of society as well as the question why non-clinically active and only few clinical disciplines have shaped the discussion about corona protection measures in Germany. Another focus of his speech was the insufficient digital maturity of the German healthcare system, which clearly lags behind other countries with respect to digital transformation. Physicians need to become more involved in the digital transformation in order to reorganize the healthcare system for the benefit of the patients. The German Sonderweg in the application of the General Data Protection Regulation (GDPR) requires a new legal framework to enable a pragmatic and progressive use of patient data for medical research and patient safety.
Subject(s)
Physicians , Suicide, Assisted , Male , Humans , Germany , Palliative Care , SwitzerlandABSTRACT
At the beginning of the pandemic, digital contact tracing was a much-hoped-for initiative that spurred a myriad of apps. Despite a great theoretical promise, however, the tool fell short of significant impact and, essentially, came to nothing. The technological development effort has attracted much scholarly and media attention and coverage. This article seeks to contribute to this growing body of knowledge by approaching the topic from a largely unexplored perspective. It examines the emergence of digital contact tracing as a standard setting exercise, focusing on key actors, processes of technical specification development and data protection assessment of technological choices. It also explores the governance attributes of standard settings from the perspective of data protection law. Given a potential of a technical standard to act as a regulatory means, it is proposed that the governance and legitimacy issues should receive much more consideration. It is believed that for a technical solution to stand the competition for a regulatory share and succeed in the future, the values of inclusiveness, transparency, accountability and openness should be meaningfully internalised in the very process of its development. © 2023
ABSTRACT
The European Union implemented data privacy laws in mid-2018 and the state of California enacted a similar law several weeks later. These regulations affect medical data collection and analysis. It is unclear if they achieve this goal in the realm of clinical trials. Here we investigate the effect of these laws on clinical trials through analysis of clinical trials recorded on the US's ClinicalTrials.gov, the World Health Organization's International Clinical Trials Registry Platform and scientific papers describing clinical trials. Our findings show that the number of phase 1 and 2 trials in countries not adhering to these data privacy laws rose significantly after implementation of these laws. The largest rise occurred in countries which are less free, as indicated by the negative correlation (-0.48, p = 0.008) between the civil liberties freedom score of countries and the increase in the number of trials. This trend was not observed in countries adhering to data privacy laws nor in the paper publication record. The rise was larger (and statistically significant) among industry funded trials and interventional trials. Thus, the implementation of data privacy laws is associated a change in the location of clinical trials, which are currently executed more often in countries where people have fewer protections for their data.
ABSTRACT
The COVID-19 pandemic saw a massive investment into collaborative research projects with a focus on producing data to support public health decisions. We relay our direct experience of four projects funded under the Horizon2020 programme, namely ReCoDID, ORCHESTRA, unCoVer and SYNCHROS. The projects provide insight into the complexities of sharing patient level data from observational cohorts. We focus on compliance with the General Data Protection Regulation (GDPR) and ethics approvals when sharing data across national borders. We discuss procedures for data mapping; submission of new international codes to standards organisation; federated approach; and centralised data curation. Finally, we put forward recommendations for the development of guidelines for the application of GDPR in case of major public health threats; mandatory standards for data collection in funding frameworks; training and capacity building for data owners; cataloguing of international use of metadata standards; and dedicated funding for identified critical areas.
ABSTRACT
The COVID-19 pandemic has highlighted the importance of digital health technologies and the role of effective surveillance systems. While recent events have accelerated progress towards the expansion of digital public health (DPH), there remains significant untapped potential in harnessing, leveraging, and repurposing digital technologies for public health. There is a particularly growing need for comprehensive action to prepare citizens for DPH, to regulate and effectively evaluate DPH, and adopt DPH strategies as part of health policy and services to optimise health systems improvement. As representatives of the European Public Health Association's (EUPHA) Digital Health Section, we reflect on the current state of DPH, share our understanding at the European level, and determine how the application of DPH has developed during the COVID-19 pandemic. We also discuss the opportunities, challenges, and implications of the increasing digitalisation of public health in Europe.
ABSTRACT
BACKGROUND: The COVID-19 pandemic is a threat to global health and requires collaborative health research efforts across organizations and countries to address it. Although routinely collected digital health data are a valuable source of information for researchers, benefiting from these data requires accessing and sharing the data. Health care organizations focusing on individual risk minimization threaten to undermine COVID-19 research efforts, and it has been argued that there is an ethical obligation to use the European Union's General Data Protection Regulation (GDPR) scientific research exemption during the COVID-19 pandemic to support collaborative health research. OBJECTIVE: This study aims to explore the practices and attitudes of stakeholders in the German federal state of Bavaria regarding the secondary use of health data for research purposes during the COVID-19 pandemic, with a specific focus on the GDPR scientific research exemption. METHODS: Individual semistructured qualitative interviews were conducted between December 2020 and January 2021 with a purposive sample of 17 stakeholders from 3 different groups in Bavaria: researchers involved in COVID-19 research (n=5, 29%), data protection officers (n=6, 35%), and research ethics committee representatives (n=6, 35%). The transcripts were analyzed using conventional content analysis. RESULTS: Participants identified systemic challenges in conducting collaborative secondary-use health data research in Bavaria; secondary health data research generally only happens when patient consent has been obtained, or the data have been fully anonymized. The GDPR research exemption has not played a significant role during the pandemic and is currently seldom and restrictively used. Participants identified 3 key groups of barriers that led to difficulties: the wider ecosystem at many Bavarian health care organizations, legal uncertainty that leads to risk-adverse approaches, and ethical positions that patient consent ought to be obtained whenever possible to respect patient autonomy. To improve health data research in Bavaria and across Germany, participants wanted greater legal certainty regarding the use of pseudonymized data for research purposes without the patient's consent. CONCLUSIONS: The current balance between enabling the positive goals of health data research and avoiding associated data protection risks is heavily skewed toward avoiding risks; so much so that it makes reaching the goals of health data research extremely difficult. This is important, as it is widely recognized that there is an ethical imperative to use health data to improve care. The current approach also creates a problematic conflict with the ambitions of Germany, and the federal state of Bavaria, to be a leader in artificial intelligence. A recent development in the field of German public administration known as norm screening (Normenscreening) could potentially provide a systematic approach to minimize legal barriers. This approach would likely be beneficial to other countries.
Subject(s)
COVID-19 , Artificial Intelligence , Attitude , COVID-19/epidemiology , COVID-19/prevention & control , Ecosystem , Humans , Pandemics/prevention & control , Qualitative ResearchABSTRACT
Vispārīgā datu aizsardzības regula (turpmāk - Regula), kas stājās spēkā 2018. gada 25. maijā un ar kuru tika ieviests jauns tiesiskais regulējums personas datu aizsardzībai Eiropas Savienībā, satur arī jaunas tiesības, precīzākas definīcijas un uzlabojumus personas datu aizsardzības jomā. Šis trīs gadu periods ir parādījis, ka Regula ir veiksmīgi aizstājusi Eiropas Parlamenta un Padomes Direktīvu 95/94/EC par personu aizsardzību attiecībā uz personas datu apstrādi un šādu datu brīvu apriti, bet Covid-19 pandēmijā datu pārziņu uzglabātie un apstrādātie dati rada jautājumu: vai Regula pietiekami definē un izskaidro, kā pārziņiem būtu jāveic sensitīvu datu apstrāde, arī situācijās, kad institūciju un uzņēmumu darbinieki strādā attālināti? Datu aizsardzība ir sarežgīts koncepts, kuru var analizēt gan no tiesiskā, gan sociālā viedokļa. Tradicionāli par datu aizsardzību sauc personas privātuma aizsardzību personas datu izmantošanas procesu kontekstā. Pirms Regulas ieviešanas pastāvošie personas datu aizsardzības noteikumi Eiropas Savienībā nebija pietiekami vienveidīgi un tika ieviesti atšķirīgi katrā dalībvalstī. Šis apstāklis veicināja Regulas izveidi un ieviešanu cerībā, ka ar to tiktu modernizēts un veicināts vienots datu aizsardzības režīms, tajā pašā laikā saglabājot visus datu aizsardzības pamatprincipus, kuriem sekots līdz šim. Pirms pandēmijas Regula veiksmīgi sasniedza sākotnējos mērķus, bet vai pandēmija ir radījusi nepieciešamību Regulu pārskatīt? Šajā rakstā analizēta personas datu aizsardzības tiesiskā regulējuma izveide un Regulas atbilstība pandēmijas seku radītajām prasībām.Alternate :The General Data Protection Regulation (hereinafter - the Regulation), which entered into force on 25 May 2018 and introduced a new legal framework for the protection of personal data in the European Union, also included a number of new rights, more precise definitions and improvements in the field of personal data protection. The three-year period has shown that the Regulation has successfully replaced Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, but the Covid-19 pandemic posed the question: does the Regulation sufficiently define and explain how controllers should deal with the processing of sensitive data, or in situations where employees of companies and institutions work remotely? Data protection is a complex concept that can be analyzed from both a legal and a social point of view. Traditionally, data protection has been referred to as the protection of personal privacy in the context of processes involving the use of personal data. Prior to the implementation of the Regulation, the existing rules on the protection of personal data in the European Union were not sufficiently uniform and were implemented differently in each Member State. It contributed to the development and implementation of the Regulation, in the hope that it would modernize and promote a common data protection regime, while maintaining all the basic principles of data protection that have been followed so far. Prior to the pandemic, the Regulation successfully achieved its original objectives, but has the pandemic necessitated a revision of the Regulation? This article will analyze the development of the legal framework for the protection of personal data and analyze the compliance of the Regulation with the requirements arising from the effects of the pandemic.
ABSTRACT
Health-related information is considered as 'highly sensitive' by the European General Data Protection Regulations (GDPR) and determining whether a text document contains health-related information or not is of interest for both individuals and companies in a number of different scenarios. Although some efforts have been made to detect different categories of personal data in texts, including health information, the classification task by machines is still challenging. In this work, we aim to contribute to solving this challenge by building a corpus of tweets being shared in the current COVID-19 pandemic context. The corpus is called PHDD(Corpus of Physical Health Data Disclosure on Twitter During COVID-19 Pandemic) and contains 1,494 tweets which have been manually tagged by three taggers in three dimensions: health-sensitivity status, categories of health information, and subject of health history. Furthermore, a lightweight ontology called PTHI (Privacy Tags for Health Information), which reuses two other vocabularies, namely hl7 and dpv, is built to represent the corpus in a machine-readable format. The corpus is publicly available and can be used by NLP experts for implementation of techniques to detect sensitive health information in textual documents.
ABSTRACT
The Covid-19 pandemic created a situation where online learning extended at speed. During the national lockdowns, when it was not possible for most children to physically attend school, the efficacy and efficiency of digital platforms made it possible for schools to fulfill their duties to provide an education. However, the urgency of the situation carried the risk that this was put in place without adequate consideration of the data protection risks from various online learning tools. Although the General Data Protection Regulation (GDPR) provides a framework of regulations and rights to protect users, the legal process is unwieldy to apply due to tensions in balancing the rights of the child learner with the public need to ensure that all children are provided with an education. This paper recommends that changes in digital schooling practices are needed so that children have realistically possible ways of enforcing their data protection rights as well as a clarified and uniformed approach to support schools.
ABSTRACT
During the COVID-19 pandemic, we witnessed how sharing of biological and biomedical data facilitated researchers, medical practitioners, and policymakers to tackle the pandemic on a global scale. Despite the growing use of electronic health records (EHRs) by medical practitioners and wearable digital gadgets by individuals, 80% of health and medical data remain unused, adding little value to the work of researchers and medical practitioners. Legislative constraints related to health data sharing, centralized siloed design of traditional data management systems, and most importantly, lack of incentivization models are thought to be the underpinning bottlenecks for sharing health data. With the advent of the General Data Protection Regulation (GDPR) of the European Union (EU) and the development of technologies like blockchain and distributed ledger technologies (DLTs), it is now possible to create a new paradigm of data sharing by changing the incentivization model from current authoritative or altruistic form to a shared economic model where financial incentivization will be the main driver for data sharing. This can be achieved by setting up a digital health data marketplace (DHDM). Here, we review papers that proposed technical models or implemented frameworks that use blockchain-like technologies for health data. We seek to understand and compare different technical challenges associated with implementing and optimizing the DHDM operation outlined in these articles. We also examine legal limitations in the context of the EU and other countries such as the USA to accommodate any compliance requirement for such a marketplace. Last but not least, we review papers that investigated the short-, medium-, and long-term socioeconomic impact of such a marketplace on a wide range of stakeholders.
ABSTRACT
Nowadays, information systems are evolving towards increasingly interconnected, smart, and self-adaptive models. This transformation has led to the representation of the systems themselves in terms of natural ecosystems. Similar to the natural environment, the virtual world can be threatened by specific forms of pollution, such as illegitimate access to the system, unwanted changes to data, and loss of information, which affect the only resource it possesses, i.e., data. In order to provide proactive protection of data integrity and confidentiality, in this paper we consider the well-known principles of privacy by design and privacy by default in the design phase of system development. To this end, we propose an approach based on axiomatic design, which allows us to implement these two principles through an appropriate reinterpretation of the information axiom, in terms of privacy impact assessment. We illustrate our approach by a case study, which implements the process of managing patients in home care. However, the proposed method can be applied to processing systems that provide services. The main result achieved is to select the most digitally sustainable design solution, i.e., the one that best prevents the threats mentioned above.
ABSTRACT
The pandemic situation caused by the SARS-CoV-2 virus has changed our lives significantly. Recent research has shown that seeking competent and advanced technological solutions to combat the COVID-19 pandemic is crucial to address not only this pandemic situation, but similar epidemics and pandemics in the future as well. However, the legal compliance of their application especially with European data protection legislation can be challenging. In this work, we would like to highlight the relevant data protection provisions of the Council of Europe and the European Union, which should be borne in mind while using digital solutions to fight against the pandemic. In the second part of our paper, we will analyse the main challenges of the three most frequently used emerging technologies from data protection point of view. As a result of our research, we can state that the main problem is to meet the requirement of data minimisation. In case the source data is not accurate, the results might be ineffective, unreliable or it may lead to data breaches. Therefore, to solve this paradox, we emphasize the importance of the data protection by design approach.
ABSTRACT
Digital vaccination passports are being proposed by various governments internationally. Trust, scalability and security are all key challenges in implementing an online vaccine passport. Initial approaches attempt to solve this problem by using centralised systems with trusted authorities. However, sharing vaccine passport data between different organisations, regions and countries has become a major challenge. A platform for creating, storing and verifying digital COVID-19 vaccine certifications is presented, making use of InterPlanetary File System (IPFS) to guarantee that there is no single point of failure and to allow data to be securely distributed globally. Blockchain and smart contracts are also integrated into the platform to explicitly determine policies and log access rights to the passport data while ensuring all actions are audited and verifiably immutable. Our proposed platform realises General Data Protection Regulation (GDPR) requirements in terms of user consent, data encryption, data erasure and accountability obligations. We assess the scalability and performance of the platform using IPFS and Blockchain test networks. © 2021 ACM.
ABSTRACT
This study analyses some of the leading technologies for the construction and configuration of IT infrastructures to provide services to users. For modern applications, guaranteeing service continuity even in very high computational load or network problems is essential. Our configuration has among the main objectives of being highly available (HA) and horizontally scalable, that is, able to increase the computational resources that can be delivered when needed and reduce them when they are no longer necessary. Various architectural possibilities are analysed, and the central schemes used to tackle problems of this type are also described in terms of disaster recovery. The benefits offered by virtualisation technologies are highlighted and are bought with modern techniques for managing Docker containers that will be used to build the back-end of a sample infrastructure related to a use-case we have developed. In addition to this, an in-depth analysis is reported on the central autoscaling policies that can help manage high loads of requests from users to the services provided by the infrastructure. The results we have presented show an average response time of 21.7 milliseconds with a standard deviation of 76.3 milliseconds showing excellent responsiveness. Some peaks are associated with high-stress events for the infrastructure, but the response time does not exceed 2 s even in this case. The results of the considered use case studied for nine months are presented and discussed. In the study period, we improved the back-end configuration and defined the main metrics to deploy the web application efficiently.
ABSTRACT
Turning the wealth of health and social data into insights to promote better public health, while enabling more effective personalized care, is critically important for society. In particular, social determinants of health have a significant impact on individual health, well-being, and inequalities in health. However, concerns around accessing and processing such sensitive data, and linking different datasets, involve significant challenges, not least to demonstrate trustworthiness to all stakeholders. Emerging datatrust services provide an opportunity to address key barriers to health and social care data linkage schemes, specifically a loss of control experienced by data providers, including the difficulty to maintain a remote reidentification risk over time, and the challenge of establishing and maintaining a social license. Datatrust services are a sociotechnical evolution that advances databases and data management systems, and brings together stakeholder-sensitive data governance mechanisms with data services to create a trusted research environment. In this article, we explore the requirements for datatrust services, a proposed implementation—the Social Data Foundation, and an illustrative test case. Moving forward, such an approach would help incentivize, accelerate, and join up the sharing of regulated data, and the use of generated outputs safely amongst stakeholders, including healthcare providers, social care providers, researchers, public health authorities, and citizens.
ABSTRACT
Multisite medical data sharing is critical in modern clinical practice and medical research. The challenge is to conduct data sharing that preserves individual privacy and data utility. The shortcomings of traditional privacy-enhancing technologies mean that institutions rely upon bespoke data sharing contracts. The lengthy process and administration induced by these contracts increases the inefficiency of data sharing and may disincentivize important clinical treatment and medical research. This paper provides a synthesis between 2 novel advanced privacy-enhancing technologies-homomorphic encryption and secure multiparty computation (defined together as multiparty homomorphic encryption). These privacy-enhancing technologies provide a mathematical guarantee of privacy, with multiparty homomorphic encryption providing a performance advantage over separately using homomorphic encryption or secure multiparty computation. We argue multiparty homomorphic encryption fulfills legal requirements for medical data sharing under the European Union's General Data Protection Regulation which has set a global benchmark for data protection. Specifically, the data processed and shared using multiparty homomorphic encryption can be considered anonymized data. We explain how multiparty homomorphic encryption can reduce the reliance upon customized contractual measures between institutions. The proposed approach can accelerate the pace of medical research while offering additional incentives for health care and research institutes to employ common data interoperability standards.
Subject(s)
Computer Security/ethics , Information Dissemination/ethics , Privacy/legislation & jurisprudence , Technology/methods , HumansABSTRACT
BACKGROUND: Various applications have been developed worldwide to contain and to combat the coronavirus disease-19 (COVID-19) pandemic. In this context, spatial information is always of great significance. The aim of this study is to describe the development of a Web GIS based on open source products for the collection and analysis of COVID-19 cases and its feasibility in terms of technical implementation and data protection. METHODS: With the help of this Web GIS, data on this issue were collected voluntarily from the Cologne area. Using house perimeters as a data basis, it was possible to check, in conjunction with the Official Topographic Cartographic Information System object type catalog, whether buildings with certain functions, for example residential building with trade and services, have been visited more frequently by infected persons than other types of buildings. In this context, data protection and ethical and legal issues were considered. RESULTS: The results of this study show that the development of a Web GIS for the generation and evaluation of volunteered geographic information (VGI) with the help of open source software is possible. Furthermore, there are numerous data protection and ethical and legal aspects to consider, which not only affect VGI per se but also affect IT security. CONCLUSIONS: From a data protection perspective, more attention needs to be paid to the intervention and post-processing of data. In addition, official data must always be used as a reference for the actual spatial consideration of the number of infections. However, VGI provides added value at a small-scale level, so that valid information can also be reliably derived in the context of health issues. The creation of guidelines for the consideration of data protection, ethical aspects, and legal requirements in the context of VGI-based applications must also be considered. Trial registration The article does not report the results of a health care intervention for human participants.