SLIDE 1

Paul Quinn Brno, 26 November 2016

The Potential for Impact Assessments in Projects Related to eHealth and mHealth

1-12-2016 | 1

SLIDE 2

OUTLINE

  • 1. Introduce myself, the work of my group and why this topic interests me.
  • 2. Discuss the concept of an Impact Assessment. Where does the idea come from? Why is it applicable to privacy and data protection issues?
  • 3. Discuss why it may be useful inter alia in EU research projects (including those concerning mHealth and eHealth).
  • 4. Discuss the experiences I have in using Impact Assessments using a particular project as an example.

SLIDE 3

Motivation

  • Research institute based at the Vrije Universiteit Brussel.
  • Multi-disciplinary with a primary focus in law
  • Involved in numerous projects as an ethical and legal advisor

SLIDE 4

eHealth projects LSTS has been involved in

SLIDE 5

What is eHealth/mHealth?

  • eHealth refers to the digitization of patient records and of the organization and practices of health care.
  • mHealth utilizes eHealth to deliver health care remotely, i.e. away from the traditional setting of the hospital and consultation room.

SLIDE 6

What does this role involve?

  • Common elements involve:
      • Advising on data protection requirements
      • Advising on other legal requirements linked to privacy
      • Advising on ethical requirements
      • Advising on intellectual property issues
  • The main goal: to ensure technical partners take account of requirements and implement them into their design.

SLIDE 7

Beware of Ethics

  • Ethics committees usually have the final say on whether research plans can go ahead.
  • Whilst the law sets the boundaries of what they can approve, it does not instruct them.
  • Ethics committees often demand requirements that go beyond data protection law.
  • They may attach extra conditionality.

SLIDE 8

The approach used for these issues in the past.

  • An initial requirements document.
  • A series of deliverables based on the different domains mentioned previously, i.e. legal issues, ethical issues

  • Little documented and formal follow up.

SLIDE 9

The most common problems

  • No way to ensure technical partners read documents
  • A general level of disinterest in all things legal and ethical.
  • No way to ensure technical partners made efforts to implement requirements.

SLIDE 10

It is not just the fault of Engineers!

  • Legal and ethical requirements may often appear generic and too abstract.
  • Difficult for legal and ethical scholars to come up with technical requirements that relate
  • Legal and ethical scholars may have little or no knowledge of engineering constraints and requirements.

SLIDE 11

An Example – Data Processing Principles

  • Fairness
  • Lawfulness
  • Transparency
  • Purpose limitation
  • Data minimization
  • Data quality
  • Data Security
  • Integrity of data and confidentiality.

SLIDE 12

The All Too Often Result of 'Multi-Disciplinary Collaboration'

SLIDE 13

The Appeal of an Impact Assessment Approach

  • The need to foster interaction
  • The need to implement privacy by design and data protection by design
  • The need to ensure compliance
  • The need to ensure a formalized way of following up on the implementation of requirements

SLIDE 14

What are Impact Assessments?

  • Pioneered in environmental decision making – introduced ‘environmental democracy’ (Kloza 2013)
  • Process has been adapted to address privacy and data protection concerns.
  • Useful for technological projects. IAs are embodied in the project cycle itself, ensuring that privacy/ethical requirements are considered at all stages.

  • Highly collaborative processes that involve all stakeholders

SLIDE 15

Impact Assessments as a Requirement in the GDPR

  • Article 35(1)

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data…

SLIDE 16

What may be the subject matter of an IA?

Recital 84 GDPR

In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. …

SLIDE 17

What may be the subject matter of an IA?

Data Protection Rights include:

  • Article 17 – Right to erasure (“right to be forgotten”)
  • A right to data portability
  • Article 21 – Right to object – on grounds including profiling
  • Article 22 – Right not to be subject to a decision based solely on automated processing, including profiling
  • Article 25 – Data protection by design and by default
  • Article 32 – Security of processing

SLIDE 18

Other Fundamental Rights and Freedoms??

  • Rights of privacy and autonomy (e.g. Article 8 ECHR)
  • Privacy goes beyond data protection
  • The reason for the emphasis on necessity and proportionality?
  • Freedom from discrimination
  • What if personal data is misused in order to discriminate?
  • A right to access to health care (Art 2, 8 ECHR)

SLIDE 19

Impact Assessments as a Requirement in the GDPR (2)

  • The GDPR demands that an impact assessment be carried out in certain circumstances. These are (article 35(3)):
  • 1. A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
  • 2. Processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences or related security measures.
  • 3. A systematic monitoring of a publicly accessible area on a large scale.

SLIDE 20

Impact Assessments as a Requirement in the GDPR (3)

  • Article 35(7)

The assessment shall contain at least:
(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

SLIDE 21

Relevance of Impact Assessment to mHealth/eHealth projects

  • Will apply in most projects using sensitive data
  • Seemingly requires a consideration of aspects that go beyond data protection (fundamental rights and freedoms).
  • A consideration of necessity and proportionality of proposed measures
  • The protection of personal data (including respecting the principle of data protection by default).

SLIDE 22

Relevance of Impact Assessment to H2020

  • Ideal for use in the consortium setting where a range of actors may exist, each with different backgrounds and specializations (e.g. software engineers, hardware designers, law enforcement, legal and ethical).
  • Needed to implement data protection by design (as required by the GDPR)
  • A requirement of the GDPR (at least vis-à-vis data protection requirements)
  • Can be used in a joint manner to consider impacts to other legal and ethical issues (article 35(1) - 'risk to the rights and freedoms of natural persons')

SLIDE 23

5th October 2016

WHINN 2016 - Odense, Denmark - Integrating Health and Social Care

PICASO Project Overview

  • PHC 25 – 2015: Advanced ICT systems and services for Integrated Care
  • Re-design health and care systems by developing integrated care models that are shifting from a reactive approach to proactive and patient-centred care

[Figure: Technology Partners; Clinical Partners]

SLIDE 24

PICASO FEATURES

  • The PICASO project - A Personalised, Integrated Care Approach
  • Funded by the EU, 8m€, 3 years, 9 partners, 7 countries
  • Three major innovations in ICT supported integrated care / continuum of care
      • Automated and integrated workflows across sectors
      • Secure data exchange between actors
      • Handling of care plans for multimorbidity
  • Trials and reference implementation
      • Two trials in Rheumatic Arthritis and Parkinson’s Disease with CVD as co-morbidity
      • Diverse set of formal carers and organisations involved (Co-morbidities)
      • Diverse cultural backgrounds (Northern and Southern Europe)
  • Example: Using the PICASO platform for Remote Cardiac Examination

SLIDE 25

Multiple morbidities are becoming the norm

| Age | Event | Monitoring/Therapy | PICASO Component |
|-----|-------|--------------------|------------------|
| 45 | Hypertension | Blood pressure, risk score for complication | Telehealth, BPM, data mining; Intelligent personalised feedback |
| 55 | Type II Diabetes | Blood glucose (spot), lifestyle advice | Telehealth, data mining; Intelligent personalised feedback |
| 65 | Rheumatoid Arthritis | Temperature, agility | Personalised rehabilitation service execution, decision support |
| 67 | Heart Failure | Balancing, exercise, gait | Telehealth weight, BPM, Kinetics |
| 70 | Early Dementia | Medication monitor; Environmental sensors | Reminder services, social well being; Integrated care plan execution |
| 72 | Insulin dependent | Continuous BG, urine and ketone monitoring | Multimorbidity analysis, goal optimiser |
| 74 | Valve disease | Medication, risk factors | Integrated care, decision support |
| 75 | Peripheral vascular (leg ulcer) | Leg elevation monitoring, image monitoring | Telehealth, telecare; Integrated care, decision support |
| 76 | Incontinence | Incontinence monitor | Telecare, intervention alert |
| 78 | Fall | Fall sensors, fall alert | Telecare, intervention alert |
| 80 | Vision | Movement, fall alert, agility | Telecare, intervention alert |
| 82 | Death | | |

SLIDE 26


Prevalence of Multimorbidity in Age Groups (UK n=99,997)

C Salisbury, L Johnson: Epidemiology and impact of multimorbidity in primary care, Br J Gen Pract 2011; DOI: 10.3399/bjgp11X548929.

SLIDE 27

Project Aims

  • PICASO aims to federate patient records
  • Patients with a range of co-morbidities often see specialists at different hospitals or clinics.
  • More often than not physicians at each clinic cannot see the patient’s health record as it exists in other clinics
  • This creates problems in terms of lack of knowledge and dangers in terms of prescribing treatment.

SLIDE 28

Poor communication between different clinics

  • Overall, direct communication between hospital physicians and primary care physicians occurred infrequently (3%-20%).
  • The availability of a discharge summary at the first post-discharge visit was low (12%-34%) and remained poor at 4 weeks (51%-77%), affecting the quality of care in approximately 25% of follow-up visits and contributing to primary care physician dissatisfaction
  • Discharge summaries often lacked important information such as diagnostic test results (missing from 33%-63%), treatment or hospital course (7%-22%), discharge medications (2%-40%), test results pending at discharge (65%), patient or family counselling (90%-92%), and follow-up plans (2%-43%)

SLIDE 29

Federation of Healthcare data

SLIDE 30

The Impact Assessment Process

  • An Initial Benchmark Report
  • A requirements-based report and extensive questionnaire.
  • Recommendations based on responses to the questionnaire
  • A follow-up report, yet to be done.

SLIDE 31

Example of the Questionnaire.

SLIDE 32

EXAMPLE OF QUESTIONNAIRE

SLIDE 33

Experiences

  • Positive experiences.
  • Much (enforced) interaction. Answering the questions posed required face-to-face interaction between legal/ethical partners and other partners.
  • A better understanding by technical partners of legal and ethical requirements.
  • A better understanding by legal and ethical partners of technical possibilities and limitations.

SLIDE 34

Experiences (2)

  • Technical partners realize that they will have to account for legal and ethical compliance at several stages of the project.
  • Where deviations in terms of compliance are identified, remedial action can be taken in a timely manner.
  • Issues of compliance are dealt with at the same time in a global manner.

SLIDE 35

Negative Experiences

  • The risk of a tick box exercise.
  • Partner irritation.
  • A lack of academic freedom to explore?

SLIDE 36

Concluding Points

  • Communication on multidisciplinary projects is essential, but given the nature of the subject matter and the parties involved is by nature difficult.
  • Without proper communication crucial requirements relating to privacy and data protection may not be implemented.
  • Impact assessments may have a role to play in improving interaction and communication between partners.
  • A data protection impact assessment is, in any event, likely to be required in many cases by the GDPR.

SLIDE 37


Thank you! Paul.quinn@vub.ac.be