The presentation is addressing the complexity of data sharing from two view points: (1) Ethical, legal and regulatory challenges, (2) Data sharing between Research Infrastructures.
A comprehensive analysis of the regulatory landscape of data bridges is provided, including: Data Protection Directive, relevant national data protection acts, Good Clinical Practice (GCP), Animal protection laws, security rules for biosamples, data ownership regulations (intellectual ownership, database laws), and others.
Basis was the concepts of Open Data and Open Science, which aims to make scientific research output (publications, data, biosamples, and alogrithms) accessible to all levels of an inquiring including research bey citicen scientists. This includes transparent and accessible knowledge that is shared and developed through collaborative networks and practices such as publishing open research, campaigning for open access and data sharing. But several mechanisms restrict access to data or reuse of data: copyright, patents, database rights, time-limited access rules, political, commercial or legal rules and interests.
Researchers are confronted with the question, whether, on what basis and with what limitations, human data can be used freely and made available to support open research and open science. We conducted an analysis of the legal landscape for data sharing, employing concepts from requirements engineering, like the definition and collection of legal requirements for data bridges, which were based on access rules of many database providers. We defined “legal interoperability” of data sharing as interoperability that forms conditions where a combination of rules allows the exchange of data between different data providers. The basis was the creation of legal “requirement clusters” defining applicable rules, roles and policies used by database owners (data controllers). Such "requirement clusters” can act as a kind of „filter" between different data sources to allow for compliant data transfer. To create "requirement clusters” data sharing usage scenarios were built consisting of real-world examples of interaction between data providers during data sharing. Finally, the legal analysis based on five Usage Scenarios and the development of Requirements Clusters for data protection, data security, intellectual property, security of biosamples and animal protection providing constraints and recommendations for legally sound data bridges and the implementation of “legal filters“ for complinat data flow.
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Regulations, privacy, security for data bridges - Kuchinke
1. W. Kuchinke (2014) 1
Regulations, privacy and security
requirements for data bridges
Introduction
Wolfgang Kuchinke
University Duesseldorf, Duesseldorf, Germany
March 5, 2014 (Paris, France)
Presentation for the ECRIN Workshop
2. W. Kuchinke (2014) 2
Report on regulations, privacy
and security requirements
• BioMedBridges EU project
– Creation of Data Bridges between research infrastructures
• Deliverable 5.1 (Report)
• Working Tasks
– WT 1: Regulations and privacy requirements for using the data bridges concept
– WT 2: Rules and regulations for accessing databases of e-Infrastructures
– WT 3: Regulations and security issues regarding security of biosamples, security
issues regarding animal protection and rules and regulations connected to
intellectual property and licenses
3. W. Kuchinke (2014) 3
Aim of the Deliverable
• Addressing the complexity of data sharing
– Ethical, legal and regulatory
– Resulting from data sharing between Research Infrastructures
• Providing a comprehensive analysis of the regulatory
landscape for data bridges
– Data Protection Directive
– Relevant national data protection acts
– Good Clinical Practice (GCP)
– Animal protection laws
– Security rules for biosamples, IP, database laws, ...
4. W. Kuchinke (2014) 4
Open Data and Open Science
• Open science
–make scientific research output (publications, data, biosamples, and
alogrithms) accessible to all levels of an inquiring including citicen
scientists or professional
–Transparent and accessible knowledge that is shared and developed
through collaborative networks
–Practices such as publishing open research, campaigning for open
access, data sharing
• Open data
–idea that most data should be freely available to everyone to use and
republish as they wish, without restrictions from copyright, patents or
other mechanisms of control
–the growth of the open data movement is paralleled by a rise in
intellectual property rights
• Several mechanisms restrict access to or reuse of data: copyright, patent ,
database rights, time-limited access, political, commercial or legal rules
5. W. Kuchinke (2014) 5
Starting point
• Heterogeneity of policies for data access between many
different data providers
• Lack of national harmonized legislations in Europe
• Increased relevance of legal interoperability as a key aspect
of research collaboration
• Researchers are confronted with the question, whether, on
what basis and with what limitations, human data can be
used freely and made available to support open research
and open science
• Human data from multiple sources using different usage
rules may result in combined datasets that inherit
complicated restrictions from each source
6. W. Kuchinke (2014) 6
Analysis of the legal landscape
for data sharing
• Implementtion of a novel approach
– Employing concepts from requirements engineering
– Definition and collection of legal requirements for data bridges
based on the access rules of many database providers
– “Legal interoperability” is the sort of interoperability that forms
conditions where a combination of rules allows the exchange
of data between different data providers
– Basis was the creation of legal “requirement clusters” defining
applicable rules, roles and policies used by database owners
(data controllers)
– “Requirement clusters” can act as a kind of „filte“r between
different data sources to allow for compliant data transfer
7. W. Kuchinke (2014) 7
Regulatory landscape for
Research Infrastructures
7
EU regulations + rules
EU regulations + rules National regulations + rules
National regulations + rules
Data Protection Directive
(Directive 95/46/EC)
Data Protection Directive
(Directive 95/46/EC)
Good Practices (GCP, GLP) ,
Recommendation of the OECD
Council, OECD Principles and
Guidelines for Access to Research
Data 2007, Declaration of Helsinki,
IMIA Code of Ethics 2011
Good Practices (GCP, GLP) ,
Recommendation of the OECD
Council, OECD Principles and
Guidelines for Access to Research
Data 2007, Declaration of Helsinki,
IMIA Code of Ethics 2011
National data protection acts (Data
Protection Act 1998 in GB, Sw.
Personuppgiftslagen (1998:204) in
Sweden, Bundesdatenschutzgesetz
(BDSG) and 16 federal
„Landesdatenschutzgesetze“, LDSG
in Germany)
National data protection acts (Data
Protection Act 1998 in GB, Sw.
Personuppgiftslagen (1998:204) in
Sweden, Bundesdatenschutzgesetz
(BDSG) and 16 federal
„Landesdatenschutzgesetze“, LDSG
in Germany)
Clinical Trials Directive (Directive
2001/20/EC)
Clinical Trials Directive (Directive
2001/20/EC)
Animal protection laws
The Animal Welfare Act 2006
(UK), The Animals (Scientific
Procedures) Act 1986
(France), German Animal
Welfare Act (Germany),…
Animal protection laws
The Animal Welfare Act 2006
(UK), The Animals (Scientific
Procedures) Act 1986
(France), German Animal
Welfare Act (Germany),…
Security rules for biosamples
Directive 2002/98/EC , Directives
2004/23/EC , 2006/17/EC, 2006/86/EC
Security rules for biosamples
Directive 2002/98/EC , Directives
2004/23/EC , 2006/17/EC, 2006/86/EC
Genetic data
Decree n° 2000-156, February 23th,
2000 in France, Ley 14/2007 de
Investigación Biomédica in Spain,
Gendiagnostikgesetz GenDG 379/09
in Germany
Genetic data
Decree n° 2000-156, February 23th,
2000 in France, Ley 14/2007 de
Investigación Biomédica in Spain,
Gendiagnostikgesetz GenDG 379/09
in Germany
Intellectual property rights
Law on Copyright and Related Rights
1965 in Germany, The Copyright,
Designs and Patents Act 1988 in UK,
Law No. 92-597 of July 1, 1992 in
France
Intellectual property rights
Law on Copyright and Related Rights
1965 in Germany, The Copyright,
Designs and Patents Act 1988 in UK,
Law No. 92-597 of July 1, 1992 in
France
Intellectual property and licence rights
Directives 2001/29/EC, 2004/48/EC ,
2009/24/EC
Intellectual property and licence rights
Directives 2001/29/EC, 2004/48/EC ,
2009/24/EC
Example UK:
The Caldicott Review 1997,
Caldicott2 (2013), Data Sharing
Code of Practice, Managing and
Sharing Data (UK Data Archive
2011)
Example UK:
The Caldicott Review 1997,
Caldicott2 (2013), Data Sharing
Code of Practice, Managing and
Sharing Data (UK Data Archive
2011)
ECRIN-(TWG), Del18, Standard Operating
Procedures on Ethics, Euro-BioImaging
WP2 ‘Legal Governance Ethical
Framework, …
ECRIN-(TWG), Del18, Standard Operating
Procedures on Ethics, Euro-BioImaging
WP2 ‘Legal Governance Ethical
Framework, …
Animal protection
Directive 86/609/EEC, Directive
2010/63/EU
Animal protection
Directive 86/609/EEC, Directive
2010/63/EU
Security rules for biosamples
Human Tissue Act 2004 (UK), Bioethics
Law n°.2011-814 and Ordinance nº 2007-
613 in France, Human Tissue (Scotland)
Act 2006
Security rules for biosamples
Human Tissue Act 2004 (UK), Bioethics
Law n°.2011-814 and Ordinance nº 2007-
613 in France, Human Tissue (Scotland)
Act 2006
Genetic data
Recommendation No.R(97)
WHO Genetic Databases
2003, UNESCO,
International Declaration on
Human Genetic Data 2003
Genetic data
Recommendation No.R(97)
WHO Genetic Databases
2003, UNESCO,
International Declaration on
Human Genetic Data 2003
8. W. Kuchinke (2014) 8
Scanning process
• All data sources for scanned for usage conditions and access
rules
• Collection of all rules and regulations for access, processing
and transfer of data
• Covering human data, animal data, biosample data and
intellectual property / licences
• Rules were applied to the Usage Scenarios
• Generation of requirements clusters
– Definition of conditions under which diverse Data Bridges can be used
conform with all regulations and rules that apply
9. W. Kuchinke (2014) 9
Usage Scenarios
• Real-world examples of interaction between
data providers during data sharing
• Description of the steps, events, and actions
which occur during the allowing data access
and data sharing arrangements
• We used Usage Scenarios for the legal
regulations and access rules relevant for data
sharing between Research Infrastructures
10. W. Kuchinke (2014) 10
Content of Usage Scenarios
• Development of Usage Scenarios for Data Bridges
• Content
– Overview over the data sources
– Involved actors (data provider, data owner, data
processor, ...)
– Processes involved in data sharing
– Events and actions that constitute the data bridge
– In addition, listings of all involved data sources, their
data type and modes of access (e.g. open access,
restricted access), and their modes of data linking
11. W. Kuchinke (2014) 11
Usage Scenarios for legal
interoperability
• The overarching instrument for data protection
in the EU is the Data Protection Directive
(GDPR)
• But member states may vary in how they have
implemented this directive
– countries with especially confusingly complex
regulations and rules framework, the UK and
Germany are discussed in detail
– existence of too many data protection rules can
hamper research
12. W. Kuchinke (2014) 12
Results of legal analysis
• Legal analysis based on five Usage Scenarios
• Development of Requirements Clusters for data
protection, data security, intellectual property, security of
biosamples and animal protection
– Creating interoperability use cases
– Easy incorporation of results into the development of use cases for legal
interoperability
– Provision of constraints and recommendations for legally sound data
bridges
– Implementation of the requirements clusters in “legal filters“
13. W. Kuchinke (2014) 13
Result of analysis: Role of
human data in data sharing
• For human data and especially for all personal
data the legal interoperability can become quite
complicated
• A number of barriers have to be overcome to
ensure harmonized data access or licensing
conditions
• Consideration of rights of data subject and
privacy regulations (GDPR)
• Anonymisation has to play a role in data sharing
14. W. Kuchinke (2014) 14
Example of legal barrier for the
exchange of human data
• Different conditions and policies imposed by
national and local legislations governing the
different data repsoitories involed in a data
bridge
– e.g. limitation of cross-border data sharing of
personal data
– Restrictions based on consent by data subject
– Data rights by data subject
– Completeness of necessary anonymisation
15. W. Kuchinke (2014) 15
Basic element for data sharing:
Data bridges
• Building data bridges between biological and medical
Research Infrastructures (RIs)
– Examples : Data bridges between BBMRI,EATRIS, ECRIN, ELIXIR,
Infrafrontier, INSTRUCT, ERINHA, …
• Most RIs have already some form of data curation and
data protection
• Enabling interoperability and cooperation between
infrastructures
– Data protection as well as data security challenges must be considered
16. W. Kuchinke (2014) 16
Data bridges and compliance
Research
Infrastructure
1
Research
Infrastructure
2
Research
Infrastructure
3
legal
filter
legal
filter
legal
filter
legal
filter
Data sharing by data
bridges between research
infrastructures and legal
filters that considers the
legal requirements
between the different
databases (data providers)
17. W. Kuchinke (2014) 17
Need for open access and legally
interoperable data sharing
• The research community in general and BioMedBridges in
particular want to support approaches and methods for open data
and open science
• Many data providers (databases) contain and provide already
some form of human data
• Challenges and restrictions associated with the processing of
human health data
• We searched for ways to present researchers who access
databases, share or link data, with the requirements for legally
compliant data sharing
• Integrated approach that considers data protection as well as data
ownership (IP and licences) for legally compliant data sharing
18. W. Kuchinke (2014) 18
Open Access vs. Restricted
Access
• Open Data
– freely available to everyone to use
– without restrictions from copyright, patents
– Without control mechanisms
• Personal data
– Identification of patients, donors, etc.
• Medical data
– Highly sensitive
– Can be misued for discrimination
• Genetic information
– Predictive
– Dormant diseases
– Can be used for identification and discrimination
– Ethnical origin
19. W. Kuchinke (2014) 19
Focus personal data
Information concerning an identified or
identifiable person
EU GDPR - The principles of data protection
should apply to any information concerning an
identified or identifiable natural person
20. W. Kuchinke (2014) 20
Personal data protection by GDPR
GDPR
(from 2018)
Extended definition of
personal data
Health data is sensitive data
Protection of all EU residents
worldwide
Roles of Data Controller and
Data Processor
Special rights
Right of access by the data subject
Right to be forgotten
Right for consent
Right to restrict data processing
Right for data portability
Obligations for
Data Processors
•Accountability
•Privacy by design
•Privacy by default
•Reporting of data breaches
•Data Protection Officer
•Privacy impact analysis
21. W. Kuchinke (2014) 21
Recital 26
• The principles of protection must apply to any
information concerning an identified or identifiable
person
• To determine whether a person is identifiable, account
should be taken of all the means likely reasonably to be
used either by the data controller or by any other person
to identify the said person
• The principles of protection shall not apply to data
rendered anonymous in such a way that the data subject
is no longer identifiable;…
22. W. Kuchinke (2014) 22
Legal frameworks that facilitate
data access
• To achieve seamless access to data
– It is necessary not only to adopt appropriate technical
standards, practices and architecture
– but also to develop legal frameworks that facilitate
access to and use of research data, whether on an inter-
organisational basis or across national borders
– Anonymisation must play a part in these frameworks
(From: Legal Framework as e-Research Infrastructure, Anne M. Fitzgerald, 2007)
23. W. Kuchinke (2014) 23
Legal Interoperability
• Definition
– Legal interoperability exists when one can
legally access, search, retrieve, and use the
data that exists in different databases with
differnt data providers
– The data user must be able to legally access,
and use all combined data without the need to
get special authorization from the data owners
24. W. Kuchinke (2014) 24
Legal Interoperability
• Legal interoperability is about ensuring
that organisations operating under
different legal frameworks, policies and
strategies are able to work together
• This applies especially to Research
Networks that usually operate
internationally involving many different
organisations
From: European Interoperability Framework
(EIF)
25. W. Kuchinke (2014) 25
Legal Interoperability and Data
Bridges
• Basis for security frameworks for data bridges
– Based on systematic in depth analysis of legal
and ethical rules of sharing data and information
– Allows data sharing between infrastructures on a
European, International and national level
• Our report generated the necessary
requirements to ensure legal interoperability
for data protection, privacy and security of the
envisioned data bridges
26. W. Kuchinke (2014) 26
Key legal issues facing Data
Bridges
• Research data access contractual framework
– Research data governance mechanisms
– Variation in types of collaboration → Influence on data
protection
• Intellectual property law
– Sharing of intellectual property
• Data protection and Privacy law
– Recognition of the importance of trust
• Jurisdiction
• Liability
27. W. Kuchinke (2014) 27
Example: UK
• The UK relies on its Data Protection Act
• Specialized laws: the Human Tissue Act, Clinical Trials
Regulations, Human Fertilization and Embryology Act
• Caldicott Guardian oversees the use of clinical data in NHS
Units
• Research Ethics Committees provide guidance
• Additional rules: funding by the Medical Research Council and
organisations like the Wellcome Trust and Cancer Research
UK
• Guidance and rules by the General Medical Council, the
medical colleges, and other organisations, like the Human
Genetics Commission
28. W. Kuchinke (2014) 28
Merging of results in
Requirement clusters
• The generated requirements define conditions
under which systems with different data protection
rules can share a legal interface that translates
data protection rules in a compliant way
– for example, the requirements to share or link data
from an open access data base with anonymised
human data
– the procedure of sharing open access data may result
in certain constraints, (guarantee of data integrity, IP
restrictions)
29. W. Kuchinke (2014) 29
Special case: Sharing of health
data
• Sharing / linking of personal data and health
data that are subject to specially strict
protection
• A legal interface has to consider the risk of
identification of the involved data subject
– preventive measures like privacy enhancing technologies
(data deletion, pseudonymisation, anonymisation) have
to be considered to allow for legal interoperability
– Additional rights by the data subject (GDPR)
– Considering privacy by design
30. W. Kuchinke (2014) 30
Results: overview
• In most analysed data sources, biomolecular information is
well-organised and in the public domain openly accessible
• Personal and health data of humans is a major concern
because of confidentiality and sensitivity of medical
information
– clinical trial data and biobanking data are lacking in legal
interoperability
• Intellectual property issues may hinder open access in
cases in which open access policies are not properly
planned
• The developed requirement clusters will be used to create
legal filters for the LAT (Legal Assessment Tool)
31. W. Kuchinke (2014) 31
Thank you for your attention!
Wolfgang Kuchinke
University Duesseldorf, Duesseldorf, Germany
wolfgang.kuchinke@uni-duesseldorf.de
wokuchinke@outlook.de
Further information on the project:
https://ecrin.org/
http://www.biomedbridges.eu/
5.1 - Report on regulations, privacy and security requirements
http://www.biomedbridges.eu/deliverables/51-0
This presentation contains additional explanatory material.