Medical Information Protection in Internet Hospital Apps in China: Scale Development and Content Analysis.

BACKGROUND: Hospital apps are increasingly being adopted in many countries, especially since the start of the COVID-19 pandemic. Web-based hospitals can provide valuable medical services and enhanced accessibility. However, increasing concerns about personal information (PI) and strict legal compliance requirements necessitate privacy assessments for these platforms. Guided by the theory of contextual integrity, this study investigates the regulatory compliance of privacy policies for internet hospital apps in the mainland of China. OBJECTIVE: In this paper, we aim to evaluate the regulatory compliance of privacy policies of internet hospital apps in the mainland of China and offer recommendations for improvement. METHODS: We obtained 59 internet hospital apps on November 7, 2023, and reviewed 52 privacy policies available between November 8 and 23, 2023. We developed a 3-level indicator scale based on the information processing activities, as stipulated in relevant regulations. The scale comprised 7 level-1 indicators, 26 level-2 indicators, and 70 level-3 indicators. RESULTS: The mean compliance score of the 52 assessed apps was 73/100 (SD 22.4%), revealing a varied spectrum of compliance. Sensitive PI protection compliance (mean 73.9%, SD 24.2%) lagged behind general PI protection (mean 90.4%, SD 14.7%), with only 12 apps requiring separate consent for processing sensitive PI (mean 73.9%, SD 24.2%). Although most apps (n=41, 79%) committed to supervising subcontractors, only a quarter (n=13, 25%) required users' explicit consent for subcontracting activities. Concerning PI storage security (mean 71.2%, SD 29.3%) and incident management (mean 71.8%, SD 36.6%), half of the assessed apps (n=27, 52%) committed to bear corresponding legal responsibility, whereas fewer than half (n=24, 46%) specified the security level obtained. Most privacy policies stated the PI retention period (n=40, 77%) and instances of PI deletion or anonymization (n=41, 79%), but fewer (n=20, 38.5%) committed to prompt third-party PI deletion. Most apps delineated various individual rights, but only a fraction addressed the rights to obtain copies (n=22, 42%) or to refuse advertisement based on automated decision-making (n=13, 25%). Significant deficiencies remained in regular compliance audits (mean 11.5%, SD 37.8%), impact assessments (mean 13.5%, SD 15.2%), and PI officer disclosure (mean 48.1%, SD 49.3%). CONCLUSIONS: Our analysis revealed both strengths and significant shortcomings in the compliance of internet hospital apps' privacy policies with relevant regulations. As China continues to implement internet hospital apps, it should ensure the informed consent of users for PI processing activities, enhance compliance levels of relevant privacy policies, and fortify PI protection enforcement across the information processing stages.

Legal aspects of privacy-enhancing technologies in genome-wide association studies and their impact on performance and feasibility.

Genomic data holds huge potential for medical progress but requires strict safety measures due to its sensitive nature to comply with data protection laws. This conflict is especially pronounced in genome-wide association studies (GWAS) which rely on vast amounts of genomic data to improve medical diagnoses. To ensure both their benefits and sufficient data security, we propose a federated approach in combination with privacy-enhancing technologies utilising the findings from a systematic review on federated learning and legal regulations in general and applying these to GWAS.

COMMENTARY: Protecting healthcare privacy: Analysis of data protection developments in India.

Patient privacy is essential and so is ensuring confidentiality in the doctor-patient relationship. However, today's reality is that patient information is increasingly accessible to third parties outside this relationship. This article discusses India's data protection framework and assesses data protection developments in India including the Digital Personal Data Protection Act, 2023.

A review on legal issues of medical robots.

This paper examines the legal challenges associated with medical robots, including their legal status, liability in cases of malpractice, and concerns over patient data privacy and security. And this paper scrutinizes China's nuanced response to these dilemmas. An analysis of Chinese judicial practices and legislative actions reveals that current denial of legal personality to AI at this stage is commendable. To effectively control the financial risks associated with medical robots, there is an urgent need for clear guidelines on responsibility allocation for medical accidents involving medical robots, the implementation of strict data protection laws, and the strengthening of industry standards and regulations.

Ethical and social reflections on the proposed European Health Data Space.

The COVID-19 pandemic demonstrated the benefits of international data sharing. Data sharing enabled the health care policy makers to make decisions based on real-time data, it enabled the tracking of the virus, and importantly it enabled the development of vaccines that were crucial to mitigating the impact of the virus. This data sharing is not the norm as data sharing needs to navigate complex ethical and legal rules, and in particular, the fragmented application of the General Data Protection Regulation (GDPR). The introduction of the draft regulation for a European Health Data Space (EHDS) in May 2022 seeks to address some of these legal issues. If passed, it will create an obligation to share electronic health data for certain secondary purposes. While there is a clear need to address the legal complexities involved with data sharing, it is critical that any proposed reforms are in line with ethical principles and the expectations of the data subjects. In this paper we offer a critique of the EHDS and offer some recommendations for this evolving regulatory space.

Reconciling the biomedical data commons and the GDPR: three lessons from the EUCAN ELSI collaboratory.

The coming-into-force of the EU General Data Protection Regulation (GDPR) is a watershed moment in the legal recognition of enforceable rights to informational self-determination. The rapid evolution of legal requirements applicable to data use, however, has the potential to outstrip the capabilities of networks of biomedical data users to respond to the shifting norms. It can also delegitimate established institutional bodies that are responsible for assessing and authorising the downstream use of data, including research ethics committees and institutional data custodians. These burdens are especially pronounced for clinical and research networks that are of transnational scale, because the legal compliance burden for outbound international data transfers from the EEA is especially high. Legislatures, courts, and regulators in the EU should therefore implement the following three legal changes. First, the responsibilities of particular actors in a data sharing network should be delimited through the contractual allocation of responsibilities between collaborators. Second, the use of data through secure data processing environments should not trigger the international transfer provisions of the GDPR. Third, the use of federated data analysis methodologies that do not provide analysis nodes or downstream users access to identifiable personal data as part of the outputs of those analyses should not be considered circumstances of joint controllership, nor lead to the users of non-identifiable data to be considered controllers or processors. These small clarifications of, or modifications to, the GDPR would facilitate the exchange of biomedical data amongst clinicians and researchers.

El ejercicio post mortem de los derechos de protección de datos personales en el ámbito sanitario / [The post-mortem exercise of personal data protection rights in the healthcare field]

La normativa de protección de datos no es clara a la hora de regular la diferencia entre el acceso a los datos personales del fallecido, y el acceso post mortem de cualquier contenido en formato digital de la persona fallecida. De la misma manera, hoy en día no existe ningún instrumento que permita reflejar la voluntad relativa al ejercicio futuro de los derechos del interesado. (AU)

The data protection regulation is not clear when it comes to regulating the difference between access to the personal data of the deceased, and post mortem access to any content in digital format of the deceased person. In the same way, today there is no instrument that allows reflecting the will regarding the future exercise of the rights of the data subject. (AU)

Informe del Comité de Bioética de España sobre aspectos del uso secundario de los datos y el espacio europeo de protección de datos / [Report of the Spanish Bioethics Committee on aspects of secondary use of data and the European data protection space]

El presente informe da respuesta a la consulta de la Secretaría de Estado de Sanidad del Ministerio de Sanidad de 26 de mayo de 2023 sobre algunos aspectos del uso secundario de los datos y el espacio europeo de protección de datos. Recibida la consulta, el Comité aprobó el siguiente informe en su reunión plenaria del día 7 de noviembre de 2023, conforme a lo dispuesto en el artículo 78.1 a) de la Ley 14/2007, de 3 de julio, de Investigación Biomédica, que fija entre las funciones del Comité emitir informes, propuestas y recomendaciones para los poderes públicos de ámbito estatal y autonómico en asuntos con implicaciones bioéticas relevantes. (AU)

Dataísmo (de la salud), tecnología y privacidad / (Health) dataism, technology and privacy

El dataísmo puede privar al individuo de su privacidad. Las personas reflexionan sobre el coste de oportunidad que supone ceder sus datos y otorgan mayor importancia a la efectividad en la lucha contra enfermedades y pandemias frente a su uso ilícito, ilegal o poco ético. El big data es un bien común de la humanidad, y compartir datos puede salvar vidas, pero aprovechémoslo aplicando correctamente la ética de los datos, donde los gobiernos y organizaciones estén implicados y se respete el derecho fundamental de protección de datos. (AU)

Dataism can deprive the individuals of their privacy. People are reflecting on the opportunity cost of giving away their data and are placing greater importance on the effectiveness of fighting diseases and pandemics than on its illicit, illegal or unethical use. Big data is a common good of humanity, and sharing data can save lives, but let’s harness it with the right application of data ethics, where governments and organisations are involved and the fundamental right to data protection is respected. (AU)

How privacy's past may shape its future.

An account of privacy's evolutionary roots may hold lessons for policies in the digital age.

Flimma: a federated and privacy-aware tool for differential gene expression analysis.

Aggregating transcriptomics data across hospitals can increase sensitivity and robustness of differential expression analyses, yielding deeper clinical insights. As data exchange is often restricted by privacy legislation, meta-analyses are frequently employed to pool local results. However, the accuracy might drop if class labels are inhomogeneously distributed among cohorts. Flimma ( https://exbio.wzw.tum.de/flimma/ ) addresses this issue by implementing the state-of-the-art workflow limma voom in a federated manner, i.e., patient data never leaves its source site. Flimma results are identical to those generated by limma voom on aggregated datasets even in imbalanced scenarios where meta-analysis approaches fail.

Model for successful development and implementation of Cyber Security Operations Centre (SOC).

Cyberattacks have changed dramatically and have become highly advanced. This latest phenomenon has a massive negative impact on organizations, such as financial losses and shutting-down of operations. Therefore, developing and implementing the Cyber Security Operations Centre (SOC) is imperative and timely. Based on previous research, there are no international guidelines and standards used by organizations that can contribute to the successful implementation and development of SOC. In this regard, this study focuses on highlighting the significant factors that will impact and contribute to the success of SOC. Simultaneously, it will further design a model for the successful development and implementation of SOC for the organization. The study was conducted quantitatively and involved 63 respondents from 25 ministries and agencies in Malaysia. The results of this study will enable the retrieval of ten success factors for SOC, and it specifically focuses on humans, processes, and technology. The descriptive analysis shows that the top management support factor is the most influential factor in the success of the development and implementation of SOC. The study also contributes to the empirical finding that technology and process factors are more significant in the success of SOCs. Based on the regression test, the technology factor has major impact on determining the success of SOC, followed by the process and human factors. Relevant organizations or agencies can use the proposed model to develop and implement SOCs, formulate policies and guidelines, strengthen human models, and enhance cyber security.

A Literature Review on the GDPR, COVID-19 and the Ethical Considerations of Data Protection During a Time of Crisis.

OBJECTIVE: This survey article presents a literature review of relevant publications aiming to explore whether the EU's General Data Protection Regulation (GDPR) has held true during a time of crisis and the implications that arose during the COVID-19 outbreak. METHOD AND RESULTS: Based on the approach taken and the screening of the relevant articles, the results focus on three themes: a critique on GDPR; the ethics surrounding the use of digital health technologies, namely in the form of mobile applications; and the possibility of cross border transfers of said data outside of Europe. Within this context, the article reviews the arising themes, considers the use of data through mobile health applications, and discusses whether data protection may require a revision when balancing societal and personal interests. CONCLUSIONS: In summary, although it is clear that the GDPR has been applied through a mixed and complex experience with data handling during the pandemic, the COVID-19 pandemic has indeed shown that it was a test the GDPR was designed and prepared to undertake. The article suggests that further review and research is needed to first ensure that an understanding of the state of the art in data protection during the pandemic is maintained and second to subsequently explore and carefully create a specific framework for the ethical considerations involved. The paper echoes the literature reviewed and calls for the creation of a unified and harmonised network or database to enable the secure data sharing across borders.

Guía práctica para el uso de registros visuales en la era del Reglamento General de Protección de Datos de la Unión Europea / Use of visual media in the era of European Union's General Data Protection Regulation: A practice-oriented guideline

El nuevo Reglamento General de Protección de Datos de la Unión Europea (más comúnmente conocido por sus siglas en inglés como «GDPR») conforma un nuevo marco para la protección de datos común para la Unión Europea. Es por ello que los profesionales del ámbito sanitario deben revisar cómo recopilan y comparten datos para garantizar que estos cumplan con todos los estándares. El propósito de este artículo es concienciar sobre el Reglamento General de Protección de Datos de la Unión Europea y proporcionar una guía práctica que ayude a evitar problemas legales en la redacción de artículos o la preparación de comunicaciones científicas que requieran compartir datos personales y visuales. Para hacer esto, se han analizado las más comunes situaciones donde es necesario recoger y utilizar datos personales y visuales, para finalmente dar una serie de respuestas y recomendaciones para todos los escenarios descritos. (AU)

With the European Union's new General Data Protection Regulation, commonly known as “GDPR”, as the new framework for data protection across the European Union, doctors will need to review how they collect and share personal data to ensure they meet the standards. The aim of this article is to raise awareness on the General Data Protection Regulation, and to provide an easy guideline to steer free from legal problems at the time of drafting papers, presenting lectures and sharing personal data and visual media in particular. To do so, we have analysed the most common situations where personal data, and above all visual media, can be collected, giving clear-cut answers and recommendations for all the scenarios. (AU)