The Potential for Impact Assessments in Projects Related to eHealth and mHealth Paul Quinn Brno, 26 November 2016 1-12-2016 | 1
OUTLINE 1. Introduce myself, the work of my group and why this topic interests me. 2. Discuss the concept of an Impact Assessment. Where does the idea come from. Why is it applicable to privacy and data protection issues. 3. Discuss why it may be useful inter alia in EU research projects (including those concerning mHealth and eHealth) 4. Discuss the experiences I have in using Impact Assessments using a particular project as an example. 1-12-2016 | 2
Motivation Research institute based the • Vrije Universiteit Brussel. Multi-disciplinary with a • primary focus in law Involved in numerous projects • as an ethical and legal advisor 1-12-2016 | 3
eHealth projects LSTS has been involved in 1-12-2016 | 4
What is eHealth/mHealth? eHealth refers to the digitization of patient records, the organization of and • practices of health care. mHealth utilizes eHealth to deliver health care remotely, i.e. away from the • traditional setting of the hospital and consultation room 1-12-2016 | 5
What does this role involve Common elements involve • • Advising on data protection requirements • Advising on other legal requirements linked to privacy • Advising on ethical requirements • Advising on intellectual property issues The main goal: to ensure technical partners take account of requirements • and implement them into their design. 1-12-2016 | 6
Beware of Ethics Ethics usually have the final say on whether research plans can go ahead. • Whilst the law sets the boundaries of what they can approve it does not • instruct them. Ethics committees often demand requirements that go beyond data • protection law. They may attach extra conditionality. • 1-12-2016 | 7
The approach used for these issues in the past. An initial requirements document. • A series of deliverables based on the different domains mentioned previously • i.e. legal issues, ethical issues Little documented and formal follow up. • 1-12-2016 | 8
The most common problems No way to ensure technical partners read documents • A general level of disinterest in all things legal and ethical. • No way to ensure technical partners made efforts to implement • requirements. 1-12-2016 | 9
It is not just the fault of Engineers! Legal ethical requirements may often appear generic and too abstract. • Difficult for legal ethical scholars to come up with technical requirements that • relate Legal and ethical scholars may have little or no knowledge or engineering • restraints and requirements. 1-12-2016 | 10
An Example – Data Processing Principles Fairness • Lawfulness • Transparency • Purpose limitation • Data minimization • Data quality • Data Security • Integrity of data and confidentiality. • 1-12-2016 | 11
The All Too Often Result of 'Multi- Disciplinary Collaboration' 1-12-2016 | 12
The Appeal of an Impact Assessment Approach The need to foster interaction • The need to implement privacy by design and data protection by design • The need to ensure compliance • The need to ensure a formalized way of following up on the implementation • of requirements 1-12-2016 | 13
What are Impact Assessments? Pioneered in environmental decision making – introduced 'environmental • democracy’ ( Kloza 2013) Process has been adapted to address privacy and data protection concerns. • Useful for technological projects. IA’s are embodied in the protect cycle itself • ensuring that privacy/ethical requirements are considered at all stages. Highly collaborative processes that involve all stakeholders • 1-12-2016 | 14
Impact Assessments as a Requirement in the GDPR Article 35(1) • Where a type of processing in particular using new technologies, and taking • into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data … 1-12-2016 | 15
What may be the subject matter of an IA? Recital 84 GDPR In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. … .. 1-12-2016 | 16
What may be the subject matter of an IA? Data Protection Rights include: Article 17 – Right to erasure (“right to be forgotten”) A right to data portability Article 21 – Right to object – on grounds including profiling Article 22 – Right not to be subject to a decision based solely on automated processing, including profiling Article 25 – Data protection by design and by default Article 32 – Security of processing 1-12-2016 | 17
Other Fundamental Rights and Freedoms?? Rights of privacy and autonomy (e.g. Article 8 ECHR) • • Privacy goes beyond data protection • The reason for the emphasis on necessity and proportionality? Freedom from discrimination • What if personal data is misused in order to discriminate? • A right to access to health care (Art 2, 8 ECHR) • Titel van dia 1-12-2016 | 18
Impact Assessments as a Requirement in the GDPR (2) The GDPR demands that an impact assessment be carried out it certain • circumstances. These are (article 35(3)): 1. A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person. 2. Processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences or related security measures. 3. A systematic monitoring of a publicly accessible area on a large scale. Titel van dia 1-12-2016 | 19
Impact Assessments as a Requirement in the GDPR (3) Article 35(7) • The assessment shall contain at least: (a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; (b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; (c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned. Titel van dia 1-12-2016 | 20
Relevance of Impact Assessment to mHealth/eHealth projects Will apply in most projects using sensitive data • Seemingly require a consideration of aspects that go beyond data protection • (fundamental rights and freedoms). A consideration of necessity and proportionality of proposed measures • The protection of personal data (including respecting the principle of data • protection by default). Titel van dia 1-12-2016 | 21
Relevance of Impact Assessment to H2020 Ideal for use in the consortium setting where a range of actors may exists, • each with different backgrounds and specializations (e.g. software engineers, hardware designers, law enforcement, legal and ethical. Needed to implement data protection by design (as required by the GDPR) • A requirement of the GDPR (at least viz-a-viz data protection requirements) • Can be used in a joint manner to consider impacts to other legal and ethical • issues (article 35(1) - 'risk to the rights and freedoms of natural persons') Titel van dia 1-12-2016 | 22
PICASO Project Overview Technology Partners Clinical Partners PHC 25 – 2015: Advanced ICT • systems and services for Integrated Care Re-design health and care systems • by developing integrated care models that are shifting from a reactive approach to proactive and patient-centred care WHINN 2016 - Odense, Denmark - Integrating Health and Social Care 23 5th October 2016
PICASO FEATURES The PICASO project - A Personalised, Integrated Care Approach • • Funded by the EU, 8m€, 3 years, 9 partners, 7 countries • Three major innovations in ICT supported integrated care / continuum of care • Automated and integrated workflows across sectors • Secure data exchange between actors • Handling of care plans for multimorbidity Trials and reference implementation • • Two trials in Rheumatic Arthritis and Parkinson’s Disease with CVD as co -morbidity • Diverse set of formal carers and organisation involved (Co-morbidities) • DIverse cultural backgrounds (Northern and Southern Europe) • Example: Using the PICASO platform for Remote Cardiac Examination Titel van dia 1-12-2016 | 24
Recommend
More recommend
