Data Protection and Ethics in Healthcare


Data Protection and Ethics in Healthcare
Harald Zwingelberg, ULD
June 14th, 2017, at Brocher Foundation, Geneva
Organized by: (logo) with input by: (logo)

Overview
- Goal: protection of people
- Specific legal setting for medical data
- Security and privacy protection goals
- Recap and conclusion
[Callout: This had been a topic at the Geneva meeting? => Topic at Workshop Geneva]

Data protection is about people and their fundamental rights, not about data as such.
To be checked while developing technologies for connected cars:
- impact on persons
- impact on society
[Topic at Workshop Geneva] (Photo: Ashtyn Renee)

Protection of medical data (verified for D, AT, CH)*
Professional secrecy, enforced through several layers of law:
- Criminal law: punishment for breaking secrecy. CH: up to 3 years; AT: up to 6 months; D: 1 year
- Professional law: enforcement by warnings, fines, loss of licence
- Civil law: the patient makes their own claims in civil courts, e.g. for damages or for information
- Data protection law: general rules plus specific requirements for special categories of data (genetic, biometric and health data)
Reasoning: protection of the doctor-patient relationship. Patients must feel their data to be safe and secure with the health provider in order to have trust. Otherwise necessary information may be withheld, which threatens the success of treatment and patient safety. [Topic at Workshop Geneva]
* At least in Germany this is similar for other occupations with professional secrecy, including other medical professions such as dentists, pharmacists and psychologists, but also advocates, notaries, tax consultants, etc.

Protection of medical data (verified for D, AT, CH)*
- So far: strict rules on medical data, specifically enforced as professional secrecy
- Opening clause in Art. 90 GDPR for member states to adopt specific rules regarding the enforcement of obligations of professional secrecy (the powers of supervisory authorities towards controllers bound by such secrecy)
- Remains to be seen how member states react
- Highly relevant for the health sector, as professional secrecy applies to physicians and many other healthcare professionals

Security Protection Goals

Confidentiality
The protection goal of Confidentiality is defined as the property that (privacy-relevant) data and services that process such data cannot be accessed by unauthorized entities.

Confidentiality applied to health data
- Protection of patients' data
- Separation of data necessary for different tasks / roles, separation of different
- Even the information that health-related or AAL devices exist in a household is subject to confidentiality
- Timely deletion of unnecessary data

Implementation techniques: Confidentiality
- Data encryption: in transit (TLS, HTTPS, SSH, ...), at rest (PGP, S/MIME, TrueCrypt, ...). Note that TrueCrypt was discontinued in 2014; its maintained successor is VeraCrypt, and OS-level volume encryption (LUKS, BitLocker) covers the same case.
- Encryption specific to the national health record system
- Data segregation
- Secret sharing, secure multiparty computation
- Access control enforcement
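The "secret sharing" item above is the one technique on this list that is rarely shown in working form, so here is an added example (editor's code, not from the slides or from ULD): Shamir's threshold scheme over the prime field GF(p). The scenario is constructed: the key that encrypts a patient's record is split into n shares held by different custodians, any k of which rebuild it, while fewer than k reveal nothing about it. The prime, the share counts and the demo key are assumptions for illustration.

```python
"""Threshold secret sharing for a record-encryption key (added example, constructed scenario).

Any k of n shares reconstruct the secret; k-1 shares are consistent with every
possible secret, so a single compromised custodian learns nothing.
"""
import secrets

P = 2**127 - 1  # Mersenne prime; the secret and all shares are integers mod P (assumption)

def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, mod P, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_secret(secret, n, k):
    """Split `secret` (an int in [0, P)) into n shares; any k of them reconstruct it."""
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the supplied (x, y) shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def demo():
    """Constructed run: a fresh 126-bit record key, 5 custodians, threshold 3."""
    key = secrets.randbits(126)
    shares = split_secret(key, n=5, k=3)
    assert recover_secret(shares[:3]) == key
    assert recover_secret([shares[0], shares[2], shares[4]]) == key
    # Below threshold the interpolation still returns *a* value, just not the key
    # (it matches only with probability 1/P): the scheme gives no error signal,
    # so the caller must verify the recovered key, e.g. by decrypting a known header.
    assert recover_secret(shares[:2]) != key
    return key, shares
```

Note the last point in `demo()`: nothing in the scheme tells a custodian that they have too few shares, so a real deployment wraps the recovered key in an authenticated encryption check before using it.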

Integrity
The protection goal of Integrity is defined as the property that (privacy-relevant) data and services that process such data cannot be modified in an unauthorized or undetected manner.

Integrity for health data
- Access to unchanged and accurate information in health files
- Detect unauthorized changes. What if ransomware randomly changes values in patient files instead of encrypting them?
- Protection of access to medical devices, e.g. pacemakers, insulin pumps

Implementation techniques: Integrity
- Digital signatures
- Hash values (a plain hash stored next to the data only catches accidental corruption; an attacker who can rewrite the record can rewrite the hash too, so against deliberate changes the hash must be keyed or signed, or kept where the attacker cannot write)
- Access control enforcement
- Low-energy cryptography for implantable devices
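To make the hash-versus-keyed-tag distinction concrete, the following added example (editor's code, not from the slides) stores a constructed patient record next to both a plain SHA-256 hash and an HMAC, then plays the ransomware case from the previous slide: one lab value is silently scaled. The key name, the record fields and the tampering model are assumptions for the demo; the key is taken to live outside the record store (an HSM or a separate service), which is the whole point.

```python
"""Keyed integrity tags for patient records (added example, constructed data)."""
import hashlib
import hmac
import json
import random

INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: held outside the record store

def canonical(record):
    """Deterministic serialisation: the same record must always yield the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")

def plain_hash(record):
    return hashlib.sha256(canonical(record)).hexdigest()

def keyed_tag(record, key=INTEGRITY_KEY):
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def store(record):
    """What ends up in the database row: the data plus both integrity values."""
    return {"data": record, "hash": plain_hash(record), "tag": keyed_tag(record)}

def check_hash(row):
    return plain_hash(row["data"]) == row["hash"]

def check_tag(row, key=INTEGRITY_KEY):
    # compare_digest is constant-time, so the verifier does not leak how many bytes matched
    return hmac.compare_digest(keyed_tag(row["data"], key), row["tag"])

def attacker_rewrite(row, seed):
    """Models the slide's ransomware case: one numeric value is silently scaled.
    The attacker can write the row, so they recompute the plain hash; the key is
    not reachable from the record store, so the stale tag is left in place."""
    rng = random.Random(seed)
    altered = dict(row["data"])
    numeric = sorted(k for k, v in altered.items()
                     if isinstance(v, (int, float)) and not isinstance(v, bool))
    field = rng.choice(numeric)
    altered[field] = altered[field] * rng.choice([0.5, 0.75, 1.5, 2.0])
    return {"data": altered, "hash": plain_hash(altered), "tag": row["tag"]}

def demo():
    record = {"patient_id": "P-0001", "potassium_mmol_l": 4.1,
              "creatinine_umol_l": 78, "ward": "3B"}          # constructed sample record
    row = store(record)
    tampered = attacker_rewrite(row, seed=7)
    return {
        "original_hash_ok": check_hash(row),
        "original_tag_ok": check_tag(row),
        "tampered_hash_ok": check_hash(tampered),   # True: the plain hash is no defence here
        "tampered_tag_ok": check_tag(tampered),     # False: the HMAC detects the edit
    }
```

The canonical serialisation matters as much as the MAC: if two equal records can serialise differently (key order, whitespace), legitimate records fail verification and staff learn to ignore the alarms. A digital signature replaces the HMAC where the verifier must not hold a key that could also forge tags.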

Availability
The protection goal of Availability is defined as the property that access to (privacy-relevant) data and to services that process such data is always granted in a comprehensible, processable, timely manner.

Availability for health data
- Have data available when needed
- Processes for loss of data (backups)
- Accessibility when and where necessary (mobile access, home visits)

Implementation techniques: Availability
- Backups
- Load balancers
- Failovers
- Redundant components
- Avoidance of single points of failure
- Watchdogs / canaries
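Watchdogs, failover and redundant components interact in a way the list does not show: failing over to a replica that has not yet applied the latest writes trades an availability problem for an integrity one. The added example below (editor's code, not from the slides) is a small watchdog over a constructed set of replicas of a record service. Each replica reports a heartbeat with the sequence number of the last replicated write; a replica is selected only if it is both alive and not lagging the high-water mark by more than an allowed number of writes. Replica names, timeouts and the timeline are assumptions.

```python
"""Heartbeat watchdog with lag-aware failover (added example, constructed timeline)."""
from dataclasses import dataclass, field

@dataclass
class Heartbeat:
    seen_at: float      # monotonic time at which the heartbeat arrived
    applied_seq: int    # sequence number of the last replicated write the replica applied

@dataclass
class Watchdog:
    replicas: list                      # failover priority order
    timeout: float = 5.0                # seconds of silence before a replica counts as dead
    max_lag: int = 0                    # writes a replica may trail the high-water mark and still serve
    last: dict = field(default_factory=dict)
    high_water: int = -1                # newest applied_seq ever reported by any replica

    def heartbeat(self, name, now, applied_seq):
        if name not in self.replicas:
            raise KeyError(f"unknown replica {name!r}")
        self.last[name] = Heartbeat(now, applied_seq)
        self.high_water = max(self.high_water, applied_seq)

    def alive(self, name, now):
        hb = self.last.get(name)
        return hb is not None and now - hb.seen_at <= self.timeout

    def healthy(self, name, now):
        """Alive and not stale: a replica missing more than max_lag writes must not serve patient data."""
        return self.alive(name, now) and self.high_water - self.last[name].applied_seq <= self.max_lag

    def select(self, now):
        """First healthy replica in priority order, or None: the caller must fail loudly rather than serve stale data."""
        for name in self.replicas:
            if self.healthy(name, now):
                return name
        return None

def demo():
    """Constructed timeline: primary goes silent, one standby lags, the other catches up."""
    wd = Watchdog(["primary", "standby-a", "standby-b"], timeout=5.0, max_lag=1)
    for name in wd.replicas:
        wd.heartbeat(name, now=0.0, applied_seq=100)
    picks = [wd.select(1.0)]                       # primary: everything healthy
    wd.heartbeat("standby-a", 3.0, 101)
    wd.heartbeat("standby-b", 3.0, 99)
    picks.append(wd.select(4.0))                   # primary: still alive, lag 1 <= max_lag
    picks.append(wd.select(6.0))                   # standby-a: primary silent longer than timeout
    wd.heartbeat("standby-b", 8.0, 99)
    picks.append(wd.select(9.0))                   # None: standby-a silent, standby-b lags by 2
    wd.heartbeat("standby-b", 9.5, 101)
    picks.append(wd.select(10.0))                  # standby-b, now caught up
    return picks
```

Returning `None` at t=9 is deliberate: with `max_lag` set for patient data, a stale replica is treated as an outage that must be surfaced, not papered over. Whether that is the right trade-off depends on the use (a lab-result viewer and a medication-order system will choose differently), which is exactly the decision the availability goal forces into the open.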

Privacy Protection Goals

Unlinkability
The protection goal of Unlinkability is defined as the property that privacy-relevant data cannot be linked across domains that are constituted by a common purpose and context.

Unlinkability for health data
- Central health records: measures against forcing patients into giving away their data, e.g. plausible deniability [Topic at Workshop Geneva]
- Use of pseudonyms in research; allow identity management
- Well-considered architecture decisions, e.g. between centralized / cloud-based solutions vs. decentralized, user-controlled systems [Topic at Workshop Geneva]

Unlinkability for health data
- Research databases: share unlinkable data (e.g. based on concepts such as k-anonymity, l-diversity etc.)
- Research databases: multiparty computation [Topic at Workshop Geneva]
- Research databases: publication of aggregated data only

Implementation techniques: Unlinkability
- Data avoidance / reduction
- Access control enforcement
- Aggregated data
- Separation / isolation
- Avoidance of (unique) identifiers

Unlinkability, think of it as: [illustration not transcribed]
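The research-database items above name k-anonymity and l-diversity without showing what checking them involves, so here is an added example (editor's code, not from the slides) that measures both on a constructed extract and generalises the quasi-identifiers until targets are met. The table, the column names, the generalisation ladder and the targets are assumptions for the demo, not data or parameters from the talk.

```python
"""k-anonymity and l-diversity check with a generalisation ladder (added example, constructed data)."""
from collections import defaultdict

QUASI = ("postcode", "birth_year", "sex")   # quasi-identifiers an attacker could link on
SENSITIVE = "diagnosis"                      # the attribute the extract must not reveal per person

ROWS = [  # constructed sample, no real patients
    {"postcode": "24103", "birth_year": 1951, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "24105", "birth_year": 1953, "sex": "F", "diagnosis": "hypertension"},
    {"postcode": "24106", "birth_year": 1958, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "24118", "birth_year": 1962, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "24114", "birth_year": 1967, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "24113", "birth_year": 1969, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "24143", "birth_year": 1981, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "24146", "birth_year": 1984, "sex": "F", "diagnosis": "depression"},
]

def equivalence_classes(rows, quasi=QUASI):
    """Group rows that are indistinguishable on the quasi-identifiers."""
    classes = defaultdict(list)
    for r in rows:
        classes[tuple(r[q] for q in quasi)].append(r)
    return classes

def k_anonymity(rows):
    """Smallest class size: every person hides among at least this many rows."""
    return min(len(c) for c in equivalence_classes(rows).values())

def l_diversity(rows, sensitive=SENSITIVE):
    """Smallest number of distinct sensitive values in any class (distinct l-diversity).
    A class of five rows that all say 'diabetes' is 5-anonymous and still leaks the diagnosis."""
    return min(len({r[sensitive] for r in c}) for c in equivalence_classes(rows).values())

def generalise(rows, postcode_digits, year_band):
    """Coarsen quasi-identifiers: keep a postcode prefix, bucket birth years, keep sex as is."""
    out = []
    for r in rows:
        lo = (r["birth_year"] // year_band) * year_band
        pc = r["postcode"]
        out.append({**r,
                    "postcode": pc[:postcode_digits] + "*" * (len(pc) - postcode_digits),
                    "birth_year": f"{lo}-{lo + year_band - 1}"})
    return out

def anonymise(rows, k, l, ladder=((5, 1), (3, 5), (3, 10), (2, 10), (2, 20), (0, 20))):
    """Walk the ladder (postcode digits kept, year-band width) until both k and l are met."""
    for digits, band in ladder:
        g = generalise(rows, digits, band)
        if k_anonymity(g) >= k and l_diversity(g) >= l:
            return g, (digits, band)
    raise ValueError("no ladder level meets the targets; suppress rows or publish aggregates instead")
```

On this table the raw extract is 1-anonymous (every row is unique on postcode, birth year and sex); keeping three postcode digits and ten-year bands yields k=2 and l=2, and no level of this ladder reaches k=3 because the youngest female class has only two rows. That last outcome is the practical point: generalisation alone often cannot reach the target, and the remaining options are the ones the slide lists next, suppression or aggregated publication.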

Transparency
The protection goal of Transparency is defined as the property that all privacy-relevant data processing, including the legal, technical, and organizational setting, can be understood and reconstructed at any time.

Transparency for health / ambient assisted living
- Information must be understandable and digestible for the target audience
- For digital screens: scalable text, no ads that can hide the information
- Multi-layered policies with pictures and diagrams
- Computer-readable privacy policies
- Understandable controls, e.g. I/O buttons

Implementation techniques: Transparency
- Logging and reporting
- User notifications
- Documentation of services
- Privacy policies
- Transparency services for patient files (useful)
- Data breach notifications

Transparency, think of it as: [illustration not transcribed]

Intervenability
The protection goal of Intervenability is defined as the property that intervention is possible concerning all ongoing or planned privacy-relevant data processing.

Intervenability
- Control in the hands of the patients, e.g. allowing interruption of surveillance and tracking, for instance for monitoring devices in sports or in ambient assisted living, granting moments of privacy
- Design: address the special requirements of the target audience (sick, injured, elderly, or confused persons) [Topic at Workshop Geneva]

Intervenability
- Provide transparency and a way for informed consent / the right to object for any change of purpose and any secondary use of data
- Quality of life: allow patients to stay at home and provide the necessary aid when needed [Topic at Workshop Geneva]

Implementation techniques: Intervenability
- Configuration menu
- Help desks
- Stop button for processes
- Break-glass / alert procedures
- Manual override of automated decisions
- External supervisory authorities (DPAs)

Intervenability, think of it as: [illustration not transcribed]
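"Break-glass / alert procedures" on the intervenability list and "logging and reporting" plus "transparency services for patient files" on the transparency list are really one mechanism seen from two goals, so one added example covers both (editor's code, not from the slides or from ULD). The scenario is constructed: a clinician asks to read a record; normal access requires a treatment relationship; an emergency override grants access anyway, but only with a stated reason, and every override is written to an audit trail the patient's transparency service can show and is pushed to a notification hook so a supervisor can review or revoke it. Role names, record fields and the hook are assumptions for the demo.

```python
"""Break-glass access with audit trail and alert (added example, constructed scenario)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

@dataclass
class Request:
    actor: str
    role: str
    patient_id: str
    break_glass_reason: Optional[str] = None   # set only when the clinician invokes the override

@dataclass
class AuditEvent:
    ts: int
    actor: str
    patient_id: str
    decision: str          # "allow", "allow-break-glass" or "deny"
    reason: Optional[str]

@dataclass
class RecordAccess:
    treatment_relationships: set                         # (actor, patient_id) pairs; assumption: maintained elsewhere
    audit: List[AuditEvent] = field(default_factory=list)
    notify: Callable[[AuditEvent], None] = lambda e: None  # alert hook, e.g. to a supervisor's queue (assumption)
    clock: Callable[[], int] = lambda: 0

    def decide(self, req):
        # Roles that never treat patients cannot break glass either: the override widens
        # the *relationship* check, not the *role* check.
        if req.role not in ("physician", "nurse"):
            return self._log(req, "deny", None)
        if (req.actor, req.patient_id) in self.treatment_relationships:
            return self._log(req, "allow", None)
        reason = (req.break_glass_reason or "").strip()
        if reason:
            ev = self._log(req, "allow-break-glass", reason)
            self.notify(ev)   # intervenability: somebody is told and can act on it
            return ev
        return self._log(req, "deny", None)

    def _log(self, req, decision, reason):
        ev = AuditEvent(self.clock(), req.actor, req.patient_id, decision, reason)
        self.audit.append(ev)   # transparency: every decision, including denials, is reconstructable
        return ev

    def patient_view(self, patient_id):
        """Transparency service: the accesses a patient would see for their own file."""
        return [f"{e.ts}: {e.actor} {e.decision}" + (f" (reason: {e.reason})" if e.reason else "")
                for e in self.audit
                if e.patient_id == patient_id and e.decision.startswith("allow")]

def demo():
    alerts = []
    ticks = iter(range(1, 100))
    ra = RecordAccess(treatment_relationships={("dr.meier", "P-42")},
                      notify=alerts.append, clock=lambda: next(ticks))
    ra.decide(Request("dr.meier", "physician", "P-42"))                               # allow
    ra.decide(Request("dr.meier", "physician", "P-43"))                               # deny: no relationship
    ra.decide(Request("dr.meier", "physician", "P-43", "unconscious patient in ER"))  # break glass + alert
    ra.decide(Request("clerk", "billing", "P-43", "curious"))                         # deny: role cannot override
    return ra.patient_view("P-43"), [e.decision for e in alerts]
```

Two design points carry the weight here. The override is gated on role before relationship, so break-glass widens who may be treated as a treating clinician, never who counts as a clinician. And the audit log records denials as well as grants: a patient asking "who tried to read my file?" is a transparency question, and a burst of denials followed by an override is what the supervisor receiving the alert needs to see.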

The whole picture

Data protection goals: Confidentiality, Integrity, Availability (the security goals) and Unlinkability, Transparency, Intervenability (the privacy goals), with the legal ground and ethical considerations at the centre.

Conclusion

- Protection goals have proven very useful
- How to bring ethics and privacy into practice?
  - Insert into existing testing and evaluation processes
  - Include ethical aspects in privacy assessments by DPOs / DPAs
  - Consider privacy aspects in assessments by ethics boards
  - Construct an additional protection goal? If so, what could it be?
  - Include ethical aspects in other assessment steps: the weighing process for the legal ground, e.g. as a suitable safeguard for rights and freedoms or for proportionate processing (Art. 9 GDPR)
  - Mandatory consideration points in public calls for tenders by hospitals, social security and health insurances

Conclusion (last-minute slide)
Suggestion for a statement in the paper on this conference: make security, data protection and ethical aspects an integral part of investment decisions. Make it mandatory where possible (public health insurance, all investments and calls for tenders by public bodies such as university and municipal hospitals). Entry points: Art. 25 and Art. 32 GDPR.

More about the Standard Data Protection Model (SDM)
Content: methodology; data protection goals; in progress: catalogues with measures.
V1.0 was recommended for intensified testing by the conference of German data protection authorities. It is one of three existing DPIA frameworks (FR, GB, D) mentioned by the Art. 29 Working Party in working paper WP 248 of April 2017. Latest versions and translations are and will be available at: https://www.datenschutzzentrum.de/sdm/

Data Protection in Ambient Assisted Living (2011)
Content: early evaluation of the whole upcoming branch of ambient assisted living (AAL) technologies; structured on the basis of the data protection goal methodology; data protection requirements; research questions. German version only: https://www.datenschutzzentrum.de/projekte/aal/

Funding notice
Slides are based on results from CANVAS and these further projects:
- Forum Privatheit I & II, funded by the German Federal Ministry of Education and Research, www.forum-privatheit.de/
- Privacy & Us, funded by MSCA-ITN-2015-ETN Marie Skłodowska-Curie Innovative Training Networks, project number 675730, www.privacyus.eu
- specialprivacy.eu, funded by the European Union's Horizon 2020 research and innovation programme under grant agreement No. 731601

Thank you for your attention. Questions? Comments?
Harald Zwingelberg
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
https://www.datenschutzzentrum.de/projekte/canvas/
E-Mail: uld6@datenschutzzentrum.de
Phone: +49 431 988-1222
Funded by the European Union's Horizon 2020 research and innovation programme under grant agreement No. 700540