We are addressing the complexity generated by different ethical, legal and regulatory requirements resulting from data sharing needs between Research Infrastructures. We conducted a comprehensive analysis of the regulatory landscape for creating data bridges, including GDPR (EU Data Protection Directive), relevant national data protection acts, Good Clinical Practice (GCP), animal protection laws, security rules for biosamples and intellectual property regulations. The legal analysis was based on five Usage Scenarios and was used to develop Legal Requirements Clusters for data protection, data security, intellectual property, security of biosamples and animal protection.
We intended to create conditions for legal interoperability for data sharing that may be used for the automation of data exchange processes.
Regulations, privacy and security requirements - Legal interoperability for data sharing
1. BioMedBridges – Del5.1
Report on regulations, privacy
and security requirements
- Introduction to the report -
Wolfgang Kuchinke
University Duesseldorf, Duesseldorf, Germany
Paris, March 5, 2014
Presentation for the ECRIN Workshop
2. W. Kuchinke (2014)
Report on regulations, privacy
and security requirements
• Working Tasks
WT 1: Regulations and privacy requirements for
using the data bridges concept
WT 2: Rules and regulations for accessing
databases of e-Infrastructures
WT 3: Regulations and security issues regarding
security of biosamples, security issues regarding
animal protection and rules and regulations
connected to intellectual property and licenses
3. W. Kuchinke (2014)
Aim of the Deliverable
• Addressing the complexity
– ethical, legal and regulatory
– resulting from data sharing between Research
Infrastructures
• Providing a comprehensive analysis of
the regulatory landscape for creating
data bridges
– Data Protection Directive
– Relevant national data protection acts
– Good Clinical Practice (GCP)
– Animal protection laws
– Security rules for biosamples, IP, ...
4. Regulatory landscape for
Research Infrastructures
EU regulations + rules / national regulations + rules
• Data Protection Directive (Directive 95/46/EC)
• Good Practices (GCP, GLP), Recommendation of the OECD Council, OECD Principles and Guidelines for Access to Research Data 2007, Declaration of Helsinki, IMIA Code of Ethics 2011
• National data protection acts (Data Protection Act 1998 in GB, Sw. Personuppgiftslagen (1998:204) in Sweden, Bundesdatenschutzgesetz (BDSG) and 16 federal „Landesdatenschutzgesetze“, LDSG in Germany)
• Clinical Trials Directive (Directive 2001/20/EC)
• Animal protection laws: The Animal Welfare Act 2006 (UK), The Animals (Scientific Procedures) Act 1986 (France), German Animal Welfare Act (Germany), …
• Security rules for biosamples: Directive 2002/98/EC, Directives 2004/23/EC, 2006/17/EC, 2006/86/EC
• Genetic data: Decree n° 2000-156, February 23rd, 2000 in France, Ley 14/2007 de Investigación Biomédica in Spain, Gendiagnostikgesetz GenDG 379/09 in Germany
• Intellectual property rights: Law on Copyright and Related Rights 1965 in Germany, The Copyright, Designs and Patents Act 1988 in UK, Law No. 92-597 of July 1, 1992 in France
• Intellectual property and licence rights: Directives 2001/29/EC, 2004/48/EC, 2009/24/EC
• Example UK: The Caldicott Review 1997, Caldicott2 (2013), Data Sharing Code of Practice, Managing and Sharing Data (UK Data Archive 2011)
• ECRIN-(TWG), Del18, Standard Operating Procedures on Ethics, Euro-BioImaging WP2 ‘Legal Governance Ethical Framework, …
• Animal protection: Directive 86/609/EEC, Directive 2010/63/EU
• Security rules for biosamples: Human Tissue Act 2004 (UK), Bioethics Law n°.2011-814 and Ordinance nº 2007-613 in France, Human Tissue (Scotland) Act 2006
• Genetic data: Recommendation No.R(97) WHO Genetic Databases 2003, UNESCO, International Declaration on Human Genetic Data 2003
5. W. Kuchinke (2014)
Results of legal analysis
• Legal analysis based on five Usage
Scenarios
• Development of Requirements
Clusters for data protection, data
security, intellectual property,
security of biosamples and animal
protection
– Easy incorporation of results into the development of use
cases for legal interoperability
– Provision of constraints and recommendations for legally
sound data bridges
6. W. Kuchinke (2014)
Data bridges
• Building data bridges between
biological and medical Research
Infrastructures (RIs)
– Examples: Data bridges between BBMRI, EATRIS, ECRIN,
ELIXIR, Infrafrontier, INSTRUCT, ERINHA, …
• Most RIs have already some form of
data curation and data protection
• Enabling interoperability and
cooperation between infrastructures
– Data protection as well as data security challenges must
be considered
7. W. Kuchinke (2014)
Medical data can play
different roles
Personal data
Open Data
Sensitive data
Medical data
8. W. Kuchinke (2014)
Open Access vs. Restricted
Access
• Open Data
– freely available to everyone to use
– without restrictions from copyright, patents
– without control mechanisms
• Personal data
– Identification of patients, donors, etc.
• Medical data
– Highly sensitive
– Can be misused for discrimination
• Genetic information
– Predictive
– Dormant diseases
– Can be used for identification and discrimination
– Ethnic origin
9. W. Kuchinke (2014)
Focus to address :
Information concerning an identified or
identifiable person
EU GDPR - The principles of data protection should
apply to any information concerning an identified or
identifiable natural person
10. W. Kuchinke (2014)
Recital 26
Whereas the principles of protection must apply
to any information concerning an identified or
identifiable person; whereas, to determine
whether a person is identifiable, account should
be taken of all the means likely reasonably to
be used either by the controller or by any
other person to identify the said person;
whereas the principles of protection shall not
apply to data rendered anonymous in such a
way that the data subject is no longer
identifiable;…
11. W. Kuchinke (2014)
Legal frameworks that
facilitate data access
• To achieve seamless access to data
– It is necessary not only to adopt appropriate technical
standards, practices and architecture
– but also to develop legal frameworks that facilitate
access to and use of research data, whether on an inter-
organisational basis or across national borders
(From: Legal Framework as e-Research Infrastructure, Anne M.
Fitzgerald, 2007)
12. W. Kuchinke (2014)
Legal frameworks that
facilitate data access
• A legal framework for data sharing
between different research
infrastructures in BMB will be created
• The legal framework will be built on a
legal requirements analysis
– Different data providers will be interviewed for
data access, data ownership and data sharing
requirements
– Legal requirements will be expressed as
functional rules for data sharing
13. W. Kuchinke (2014)
Legal Interoperability
• Legal interoperability is about
ensuring that organisations operating
under different legal frameworks,
policies and strategies are able to
work together
• This applies also to Research Networks
that usually operate internationally
involving many different organisations
From: https://ec.europa.eu/isa2/actions/legal-interoperability_en
14. W. Kuchinke (2014)
Legal Interoperability and
Data Bridges
• Basis for security frameworks for the
intended data bridges
– Systematic in depth analysis of legal and ethical rules of
sharing data and information
– Sharing between infrastructures on a European, International
and national level
• Our report generated the necessary
requirements to ensure legal
interoperability for data protection,
privacy and security of the
envisioned data bridges
15. W. Kuchinke (2014)
Key legal issues facing Data
Bridges
• Research data access contractual
framework
– Research data governance mechanisms
– Variation in types of collaboration → Influence on data protection
• Intellectual property law
– Sharing of intellectual property
• Data protection and Privacy law
– Recognition of the importance of trust
• Jurisdiction
• Liability
16. W. Kuchinke (2014)
Usage Scenarios
• Usage Scenarios for Data Bridges
were developed
• The Usage scenarios contain
– Overview over the data sources
– Involved actors
– Processes involved in data sharing
– Events and actions that constitute the data bridge
– In addition, listings of all involved data sources, their
data type and modes of access (e.g. open access,
restricted access), and their modes of data linking
17. W. Kuchinke (2014)
Scanning process
• Collection of all rules and regulations
for access, processing and transfer of
data, covering human data, animal
data, biosample data and intellectual
property / licences
• Rules were applied to the Usage Scenarios
• Generation of requirements clusters that
define conditions under which the diverse
Data Bridges can be used conformant with
regulations and rules
18. W. Kuchinke (2014)
Result of analysis: role of
human data
• For human data and especially for
personal data the legal
interoperability can become quite
complicated
• A number of barriers have to be
overcome to ensure harmonized data
access or licensing conditions
19. W. Kuchinke (2014)
Example of legal barrier for
the exchange of human data
Different conditions and policies
imposed by national and local
legislations governing the different
data repositories involved in a data
bridge (e.g. limitation of cross-border
data sharing of personal data)
20. W. Kuchinke (2014)
What is legal interoperability
• Legal rights, terms, and conditions of
database sources are compatible, so that
the data may be shared without
compromising the legal rights of any of the data
sources
• Development of harmonized rules and policies
(data use conditions, data access rules)
– Basis for a functional environment in which different
usage conditions imposed on datasets from disparate
data sources are readily determinable to allow users
legally compatible access and use of data without
seeking permission on a case-by-case basis
21. W. Kuchinke (2014)
What are Usage Scenarios
• Describe a real-world example of how
a person or organization interacts with
a system
• Describe the steps, events, actions
which occur during this interaction
• Usage scenarios can indicate exactly
how someone works with the user
interface, or be high-level, describing only
the critical business actions
22. W. Kuchinke (2014)
Usage Scenarios for legal
interoperability
• The overarching instrument for data
protection in the EU is the Data
Protection Directive (GDPR)
• But member states may vary in how
they have implemented this directive
– as countries with an especially confusing
and complex framework of regulations and
rules, the UK and Germany are
discussed in detail, because the
existence of too many data protection
rules can hamper research.
23. W. Kuchinke (2014)
Example UK
• The UK relies on its Data Protection Act
• Specialized laws: the Human Tissue Act, Clinical
Trials Regulations, Human Fertilization and
Embryology Act
• Caldicott Guardian oversees the use of clinical data
in NHS Units
• Research Ethics Committees provide guidance
• Additional rules: funding by the Medical Research
Council and organisations like the Wellcome Trust
and Cancer Research UK
• Guidance and rules by the General Medical Council,
the medical colleges, and other organisations, like
the Human Genetics Commission
24. W. Kuchinke (2014)
Merging of results in
Requirement clusters
• The generated requirements define
conditions under which systems with
different data protection rules can share a
legal interface that translates data
protection rules in a compliant way
– for example, the requirements to share or link
data from an open access data base with
anonymised human data
– the procedure of sharing open access data may
result in certain constraints, (guarantee of data
integrity, IP restrictions)
25. W. Kuchinke (2014)
Special case: Sharing of
health data
• Sharing / linking of personal data and
health data that are subject to
special strict protection
• A legal interface has to consider the
risk of identification of the involved
data subject
– preventive measures like privacy enhancing
technologies (data deletion, pseudonymisation,
anonymisation) have to be considered to allow for
legal interoperability
26. W. Kuchinke (2014)
Results: overview
• In most analysed data sources, biomolecular
information is well-organised and in the
public domain openly accessible
• Personal and health data of humans is a
major concern because of confidentiality and
sensitivity of medical information
– clinical trial data and biobanking data are lacking
in legal interoperability
• Intellectual property issues may hinder open
access in cases in which open access
policies are not properly planned
30. W. Kuchinke (2014)
Thank you for your attention!
Wolfgang Kuchinke
University Duesseldorf, Duesseldorf, Germany
wolfgang.kuchinke@uni-duesseldorf.de
Further information on the project:
https://ecrin.org/
http://www.biomedbridges.eu/