Tough European Union (EU) privacy regulations impact Australia – What to consider as an Australian researcher. JACINTA OPIE 12 th August 2019
Overview Non GDPR Compliance Our Experience – Core Principles TrueNTH GDPR Global Registry What to Questions Consider in Research 2 SIG-Deidentification 2019 v3.pptx
People are scared of data misuse… 2014 January 2018 March 2019 Data released by on-line Hackers hold prominent A Facebook quiz invited fitness tracker Strava Melbourne Cardiology users to find out their pinpoints military base specialist to ransom personality type. About in Syria after infiltrating their 305,000 people installed the app but it gathered EMR information on 87 million people If people hesitate to share their data, where does that leave research? 3 SIG-Deidentification 2019 v3.pptx
General Data Protection Regulation What is it? New rights for data subjects Data Protection Officer 72hrs to report a data breach GDPR provides stronger safeguards when people share their data 4 SIG-Deidentification 2019 v3.pptx
4% of global €20 OR annual turn Million over • EU research partners will not be able to collaborate and lawfully share personal = • Reprimands data for research • Enforcement orders • Reputational risk. • Hefty fines • Individuals are also empowered to: bring private claims and make a complaint to regulatory authorities
Core Principles of the GDPR – what it means for a global registry: Lawfulness Consent Storage Limitation Confidentiality and Integrity • Length of time to • Data security store data • Data incident response plan GDPR Purpose Limitation Accuracy • Data security • Consent • Erasure • Recruitment Data Minimisation • Research 6 SIG-Deidentification 2019 v3.pptx
Lawfulness Confidentiality Purpose Data Storage Accuracy and Integrity Limitations minimisation limitations Research Landscape - requirements for TrueNTH Global Registry • Roles and Responsibilities – Data Controller, Data Processor, Sub data processor • Data breach response plan • Data Protection Officer 7 SIG-Deidentification 2019 v3.pptx
TrueNTH Global Prostate Cancer Registry Canada European Union • • Privacy Act (Federal) General Data Protection • Personal Information Regulating (EU) (GDPR) • Protection and Electronic Data Protection Act Documents Act (PIPEDA) amended in 2018 Singapore • Singapore Personal Data Protection Act expects to United States of America be amended in 2019 • Health Insurance Portability and Accountability Act (HIPAA) (Federal) • California Consumer Privacy Act (CCPA) Victoria, Australia • Privacy Act (APP) New Zealand • Commonwealth amended in Privacy Act (1993) will be 2018 amended and expected to be • Health records Act (VIC, enacted in 2020 NSW,QLD) • Privacy and data protection (VIC, NSW,QLD) 8 SIG-Deidentification 2019 v3.pptx
Purpose Data Confidentiality Storage Lawfulness Accuracy and Integrity Limitations Minimisation limitations GDPR Impact on Research Consent • The GDPR does not allow for ‘opt out’ consent • Public Interest might be available for institutes based in the EU, needs to be a basis for EU law and can be different for each country • Recruitment - implications Ethics • Data Security • The pseudonymisation and encryption of personal data • Data and privacy incident response plan • 72hrs to notify a data breach 9 SIG-Deidentification 2019 v3.pptx
Purpose Data Storage Confidentiality Lawfulness Accuracy and Integrity Limitations Minimisation Limitations When collecting data you need to consider: • How data is collected • Limiting to that which meets the purpose of the research • What data it holds • Including how long it is held • How the data is stored • To ensure its confidentiality and integrity • How to manage and protect that data appropriately – locally and when shared with third parties • To ensure it complies with all obligations 10 SIG-Deidentification 2019 v3.pptx
Finding the balance when Purpose Data Confidentiality Storage Accuracy Lawfulness and Integrity Limitations Minimisation limitations sharing data • Alfred Hospital • Male • 58 • Head injuries • Surgery • 10 Nov 2018 11 SIG-Deidentification 2019 v3.pptx SIG-Deidentification 2019 v3.pptx
What elements do we need to alter? Country Removal of whole Data Supply age not State DOB & Element Procedure Date Hospital Masking Combining Take age to Age DOB Age year not day 58Y 58Y 2M 7D 3 Sept 60 Utility of Protection Data of Data Rounding Date 2018 10 Nov 18 Take reatment procedure to year not day T ? ? 12 SIG-Deidentification 2019 v3.pptx
Heath data is susceptible Healthcare: 256 Incidents 2018 (6 months) 27% total data breaches Highest in any industry Source: https://www.cbronline.com/news/global- data-breaches-2018 13 SIG-Deidentification 2019 v3.pptx
Reaching for the best standard Lawfulness Storage Limitation Confidentiality and Integrity GDPR Purpose Accuracy Limitation Data Minimisation 14 SIG-Deidentification 2019 v3.pptx
Acknowledgements • Movember Foundation – Paul Vilanti, Ruth Liley, Cate Bennet • Monash University Data Protection and Privacy Office (DPPO) • Monash University Data Protection Officer – Susan Anderson, Stephanie Lombardi • Monash University – HELIX - Dianne Brown • Monash University - Prostate Cancer Outcomes Registry – Professor Sue Evans, Jade Ting, Fanny Sampurno • Monash University - eSolutions, HELIX, eResearch teams • TrueNTH Global Registry • UCLA – David Geffen School of Medicine – Dr Mark Litwin, Sarah Connor, Emily Pearman 15 SIG-Deidentification 2019 v3.pptx
Thank You Any Questions?
Recommend
More recommend
