Tough European Union (EU) privacy regulations impact Australia: What to consider as an Australian researcher
JACINTA OPIE, 12th August 2019
SIG-Deidentification 2019 v3.pptx
Overview
- GDPR
- Non Compliance
- Our Experience – TrueNTH Global Registry
- Core Principles GDPR
- What to Consider in Research
- Questions
People are scared of data misuse…
- January 2018: Data released by on-line fitness tracker Strava pinpoints military base in Syria
- 2014: A Facebook quiz invited users to find out their personality type. About 305,000 people installed the app but it gathered information on 87 million people
- March 2019: Hackers hold prominent Melbourne Cardiology specialist to ransom after infiltrating their EMR
If people hesitate to share their data, where does that leave research?
What is it?
General Data Protection Regulation
- New rights for data subjects
- Data Protection Officer
- 72hrs to report a data breach
GDPR provides stronger safeguards when people share their data

Non Compliance
- EU research partners will not be able to collaborate and lawfully share personal data for research
- Reputational risk
- Individuals are also empowered to bring private claims and make a complaint to regulatory authorities
- Reprimands
- Enforcement orders
- Hefty fines: €20 Million OR 4% of global annual turnover
Core Principles of the GDPR – what it means for a global registry:
- Lawfulness: consent
- Confidentiality and Integrity: data security; data incident response plan
- Purpose Limitation: consent; recruitment
- Data Minimisation: research
- Accuracy: data security; erasure
- Storage Limitation: length of time to store data
Research Landscape - requirements for TrueNTH Global Registry
- Roles and Responsibilities – Data Controller, Data Processor, Sub data processor
- Data breach response plan
- Data Protection Officer
TrueNTH Global Prostate Cancer Registry – applicable privacy law by jurisdiction
- United States of America: Health Insurance Portability and Accountability Act (HIPAA) (Federal); California Consumer Privacy Act (CCPA)
- Canada: Privacy Act (Federal); Personal Information Protection and Electronic Documents Act (PIPEDA), amended in 2018
- European Union: General Data Protection Regulation (EU) (GDPR); Data Protection Act
- Victoria, Australia: Privacy Act (APP), Commonwealth, amended in 2018; Health Records Act (VIC, NSW, QLD); Privacy and data protection (VIC, NSW, QLD)
- New Zealand: Privacy Act (1993) will be amended and is expected to be enacted in 2020
- Singapore: Singapore Personal Data Protection Act is expected to be amended in 2019
GDPR Impact on Research
Consent
- The GDPR does not allow for ‘opt out’ consent
- Public Interest might be available for institutes based in the EU; it needs to be a basis for EU law and can be different for each country
- Recruitment - implications
- Ethics
Data Security
- The pseudonymisation and encryption of personal data
- Data and privacy incident response plan
- 72hrs to notify a data breach
When collecting data you need to consider:
- How data is collected
  - Limiting to that which meets the purpose of the research
- What data it holds
  - Including how long it is held
- How the data is stored
  - To ensure its confidentiality and integrity
- How to manage and protect that data appropriately – locally and when shared with third parties
  - To ensure it complies with all obligations
Finding the balance when sharing data
Example record:
- Alfred Hospital
- Male
- 58
- Head injuries
- Surgery
- 10 Nov 2018
What elements do we need to alter?
Columns: Country, State, Hospital, DOB, Date, Treatment
Starting values: Hospital ?, DOB 3 Sept 60, Date 10 Nov 18
- Combining: supply age, not DOB and procedure date → Age 58Y 2M 7D
- Rounding: take age to the year, not the day; take procedure date to the year, not the day → Age 58Y, 2018
- Masking: removal of the whole data element
Each step trades Utility of Data against Protection of Data.
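The combining, rounding and masking steps above, as an added Python example (not from the presentation); the record layout, the choice to mask the hospital column and the function names are assumptions made for this illustration:

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    """One registry row, following the slide's columns (hypothetical layout)."""
    country: str
    state: str
    hospital: str
    dob: date
    procedure_date: date
    treatment: str


def age_ymd(dob: date, on: date) -> tuple[int, int, int]:
    """Combining: derive age as (years, months, days) from DOB and procedure date."""
    years = on.year - dob.year
    months = on.month - dob.month
    days = on.day - dob.day
    if days < 0:
        # borrow the length of the month preceding 'on'
        days += (on.replace(day=1) - timedelta(days=1)).day
        months -= 1
    if months < 0:
        months += 12
        years -= 1
    return years, months, days


def deidentify(rec: Record, mask: frozenset[str] = frozenset({"hospital"})) -> dict:
    """Combine, round, mask. The raw dates never reach the output, only
    rounded values derived from them. Masking 'hospital' is an assumption."""
    years, _months, _days = age_ymd(rec.dob, rec.procedure_date)
    out = {
        "country": rec.country,
        "state": rec.state,
        "hospital": rec.hospital,
        "age_years": years,                         # rounding: age to the year
        "procedure_year": rec.procedure_date.year,  # rounding: date to the year
        "treatment": rec.treatment,
    }
    for column in mask:
        out.pop(column, None)                       # masking: drop the whole element
    return out


# Constructed sample using the slide's example values
SAMPLE = Record("Australia", "VIC", "Alfred Hospital",
                date(1960, 9, 3), date(2018, 11, 10), "Surgery")

if __name__ == "__main__":
    print(age_ymd(SAMPLE.dob, SAMPLE.procedure_date))  # (58, 2, 7) -> "58Y 2M 7D"
    print(deidentify(SAMPLE))
```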
Health data is susceptible
Healthcare: 256 incidents in 2018 (6 months), 27% of total data breaches, the highest of any industry
Source: https://www.cbronline.com/news/global-data-breaches-2018
Reaching for the best standard
GDPR: Lawfulness, Confidentiality and Integrity, Purpose Limitation, Data Minimisation, Accuracy, Storage Limitation
Acknowledgements
- Movember Foundation – Paul Vilanti, Ruth Liley, Cate Bennet
- Monash University Data Protection and Privacy Office (DPPO)
- Monash University Data Protection Officer – Susan Anderson, Stephanie Lombardi
- Monash University – HELIX - Dianne Brown
- Monash University - Prostate Cancer Outcomes Registry – Professor Sue Evans, Jade Ting, Fanny Sampurno
- Monash University - eSolutions, HELIX, eResearch teams
- TrueNTH Global Registry
- UCLA – David Geffen School of Medicine – Dr Mark Litwin, Sarah Connor, Emily Pearman