Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

BDVE - Health Research in a COVID 19_Scenario

38 visualizaciones

Publicado el

he health crisis due to COVID-19 is shaping a new reality in which the exchange and access to health data in a secure way will be more and more necessary. In this complex challenge converge both the respect for the individual rights as well as the interests of the patients and the need to promote the research in pursuit of the public interest. To face this challenge, we can find different approaches across Europe. In this webinar, we will present the experiences of three EU-funded projects (BigMedilytics, BodyPass, and DeepHealth), besides an overview of the legal framework and recommendations to enforce both national regulations and GDPR by an expert in data privacy and security.

Publicado en: Tecnología
  • Sé el primero en comentar

  • Sé el primero en recomendar esto

BDVE - Health Research in a COVID 19_Scenario

  1. 1. 001010010100101 1010010010001001001 0100101001 01000110 001011111100010 0000101010010010001001001 001001001000010001 01001000101001 01001 01001010010 01010010010100100100010101001 010100010100010 01010 10010010010001010 01010010010010010010010 0100100100010001001001001 0100101001010010 0101001001 Health Research in a COVID-19 Scenario Data protection officer Ricard Martínez
  2. 2. 10010100100001010101001001001010100101 01010010001001001010001001001 10100100100101100011100101011011001 1011001010010010000010101001010111001010010100101010 10010100100001010101001001001010100101 01010010001001001010001001001 1001010010010101001001001010100101 01010010001000010100010100101001001001010001001001 • Legal conditions in GDPR and e-Privacy Directive for processing data for health and research purposes in a pandemic scenario. 1. Research on personal (health) data which consists in the use of data directly collected for the purpose of scientific studies (“primary use”). 2. Research on personal (health) data which consists of the further processing of data initially collected for another purpose (“secondary use”). “scientific research” in this context means “a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice”
  3. 3. 10010100100001010101001001001010100101 01010010001001001010001001001 10100100100101100011100101011011001 1011001010010010000010101001010111001010010100101010 10010100100001010101001001001010100101 01010010001001001010001001001 1001010010010101001001001010100101 01010010001000010100010100101001001001010001001001 Categories of data ❑ (art. 4 GDPR) “data concerning health” means “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. ✓ Directly considered as: o Information collected by a health care provider in a patient record. o Information from a “self check” survey, where data subjects answer questions related to their health (such as stating symptoms). ✓ By reference or by context o Information that becomes health data by cross referencing with other data thus revealing the state of health or health risks. o Information that becomes health data because of its usage in a specific context. ▪ Socioeconomic data. ▪ Addresses in neighbourhoods with a high rate of infection. ▪ Geolocation.
  4. 4. 10010100100001010101001001001010100101 01010010001001001010001001001 10100100100101100011100101011011001 1011001010010010000010101001010111001010010100101010 10010100100001010101001001001010100101 01010010001001001010001001001 1001010010010101001001001010100101 01010010001000010100010100101001001001010001001001 Legal Basis ❑Article 6 and Article 9 GDPR: there is no ranking between the legal bases stipulated in the GDPR. ❑ Consent: ✓ Double check: National Law + Consent ✓ One requirement when National law allows for the processing of health data with consent. ✓ must be freely given, specific, informed, and unambiguous, and it must be made by way of a statement or “clear affirmative action”. ✓ Really difficult from patients with a severe disease: o consent cannot be considered freely given if there is a clear imbalance between the data subject and the controller. o the data subjects should not be in a situation of whatsoever dependency with the researchers that could inappropriately influence the exercise of their free will ✓ Additional requirements (art. 7 GDPR): o Clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. o The data subject shall have the right to withdraw his or her consent at any time.
  5. 5. 10010100100001010101001001001010100101 01010010001001001010001001001 10100100100101100011100101011011001 1011001010010010000010101001010111001010010100101010 10010100100001010101001001001010100101 01010010001001001010001001001 1001010010010101001001001010100101 01010010001000010100010100101001001001010001001001 ❑National legislations. ✓ Additional safeguards: o Legal pre-determination. o Definition of purposes. o Safeguard the fundamental rights and the interests of the data subject. o Security measures… ❑Spanish Case: ✓ Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights (17th additional provision. Processing of health data). o Consent: may include wide areas linked to a medical or research specialty. ▪ Reuse is allowed for purposes or areas of research related to the area in which the initial study was scientifically integrated. Does not applies to trials. o Public health research in cases of epidemics. Health authorities and public institutions with competence in public health surveillance may carry out scientific studies without the consent of the affected persons in situations of exceptional public health relevance and seriousness ▪ Vital interests of the data subject or of another natural person… Society? o Pseudonymized data (i) There is an express confidentiality and commitment and no re-identification agreement. o(ii) security measures in place to prevent re-identification and access by unauthorised third parties. o Further safeguards: ▪ Data Protection Impact Assessment. ▪ Previous Review by the Research Ethics Committee (DPO integrated in)
  6. 6. 10010100100001010101001001001010100101 01010010001001001010001001001 10100100100101100011100101011011001 1011001010010010000010101001010111001010010100101010 10010100100001010101001001001010100101 01010010001001001010001001001 1001010010010101001001001010100101 01010010001000010100010100101001001001010001001001 Principles: ❑ Transparency (arts. 13-14): ✓ Directly. ✓ When personal data have not been obtained from the data subject, Article 14 (3) (a) GDPR stipulates that the controller shall provide the information “within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed”. ✓ Exemptions: o National Law Exemption. o the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1). ▪ Proves impossible by the controller “compulsory”. ▪ Disproportionate effort taking into account: the number of data subjects, the age of the data… ❑ Data minimization. ✓ Volume of data. ✓ Limited storage periods. ✓ Anonymisation preference. ❑ Purpose limitation: ✓ Compatibility presumption. ✓ Consent on trials (art. 28 CTR and EU Commission FAQ).
  7. 7. 10010100100001010101001001001010100101 01010010001001001010001001001 10100100100101100011100101011011001 1011001010010010000010101001010111001010010100101010 10010100100001010101001001001010100101 01010010001001001010001001001 1001010010010101001001001010100101 01010010001000010100010100101001001001010001001001 ❑International data transfers for scientific research purposes: ✓ General rules. ✓ Exemptions. o “transfer necessary for important reasons of public interest” and “explicit consent” may apply. ▪ Public interest: may require urgent action in the field of scientific research (to identify treatments and/or develop vaccines vaccines).
  8. 8. 10010100100001010101001001001010100101 01010010001001001010001001001 10100100100101100011100101011011001 1011001010010010000010101001010111001010010100101010 10010100100001010101001001001010100101 01010010001001001010001001001 1001010010010101001001001010100101 01010010001000010100010100101001001001010001001001
  9. 9. 10010100100001010101001001001010100101 01010010001001001010001001001 10100100100101100011100101011011001 1011001010010010000010101001010111001010010100101010 10010100100001010101001001001010100101 01010010001001001010001001001 1001010010010101001001001010100101 01010010001000010100010100101001001001010001001001 USE OF LOCATION DATA ❑ Location data collected by electronic communication service providers: ✓ these data can only be transmitted to authorities or other third parties if they have been anonymised by the provider; ✓ with the prior consent of the users. ❑ Information, including location data, collected directly from the terminal equipment only : ✓ if (i) the user has given consent6 or ✓ (ii) the storage and/or access is strictly necessary for the information society service explicitly requested by the user ❑ Derogations to the rights and obligations provided for in the “ePrivacy” Directive: ✓ national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system ✓ Not health research, or public health ❑
  10. 10. 10010100100001010101001001001010100101 01010010001001001010001001001 10100100100101100011100101011011001 1011001010010010000010101001010111001010010100101010 10010100100001010101001001001010100101 01010010001001001010001001001 1001010010010101001001001010100101 01010010001000010100010100101001001001010001001001 Anonymization???????
  11. 11. 10010100100001010101001001001010100101 01010010001001001010001001001 10100100100101100011100101011011001 1011001010010010000010101001010111001010010100101010 10010100100001010101001001001010100101 01010010001001001010001001001 1001010010010101001001001010100101 01010010001000010100010100101001001001010001001001 A controlled open data environment ❑A solution built on solid pillars: ✓ Adoption of safeguards. ✓ Ensuring the legitimate origin of data and taking into account national laws. ✓ Risk analysis of reidentification and anonymization in two steps. ✓ Security measures: same as those applied to personal data. ✓ Processes that ensure controlled access without the possibility of data extraction. ✓ Legal guarantees equivalent to those of a processor: data sharing agreements.
  12. 12. 10010100100001010101001001001010100101 01010010001001001010001001001 10100100100101100011100101011011001 1011001010010010000010101001010111001010010100101010 This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 780495. Any dissemination of results here presented reflects only the author’s view. The European Commission is not responsible for any use that may be made of the information it contains. www.bigmedilytics.eu

×