GDPR

Re-using health data is crucial for advancing research and health care. But health data is highly personal and sensitive information, and its protection is strongly regulated. All stakeholders need to trust the ways in which health data is used and reused. How can you ensure data protection whilst re-using health data?

Curriculum

I. How does the GDPR apply to health data?

This topic focuses on the broad impacts of the GDPR and how it applies to health data-driven research. We will consider the implications for innovation from legal professional, health sector and health industry perspectives.

II. Setting up a GDPR-compliant data collection and processing pipeline

What are the GDPR compliance steps and specifications that should be adopted when developing an innovation or a research study that collects, processes, retains, analyses and possibly shares health data from patients, citizens, or research data subjects?

III. Patient and participant consent, transparency notices and data subject rights

This topic explores which data processing activities need formal permission from patients and research data subjects, how consent forms and transparency notices should be worded and how to meet the obligations of data subject rights such as withdrawal.

IV. Data protection safeguards, threats and breaches

This topic explores the implications of the Security Principle in the GDPR (integrity and confidentiality of personal data) and the enforcement actions, including fines and prosecutions, that have resulted from breaches of it. We explore the practical management of security: how to determine which information security safeguards are appropriate for the intended data, data flows, processing and risks within the data pipeline; how best to apply and combine them to assure appropriate levels of protection; and what to do if there is a data breach.

V. Anonymisation and pseudonymisation

How can we balance privacy protection using anonymisation and pseudonymisation with the need to ensure we can still ask pertinent research questions? The focus of this topic is these two forms of data minimisation, their practical implementation and the implications for conducting research. Quantifying privacy risk, and how to mitigate it without rendering datasets useless for research, is also discussed here.
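As an added illustration of the trade-off this topic discusses (example code written for this page, not material from the i~HD course): a small pipeline that pseudonymises the direct identifier with a keyed hash, generalises the quasi-identifiers (age to a ten-year band, postcode to its outward code) as a data-minimisation step, then quantifies residual re-identification risk as k-anonymity and a prosecutor-model probability (1/size of the record's equivalence class), suppressing records that fall below a chosen k. The patient records, the HMAC key and the threshold k = 3 are all constructed assumptions for the demonstration.

```python
"""Added example (not part of the i~HD curriculum page): pseudonymise
direct identifiers with a keyed hash, generalise quasi-identifiers, then
measure k-anonymity as a simple, quantified re-identification risk."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records; hypothetical patients, not real data.
RECORDS = [
    {"patient_id": "P001", "age": 34, "postcode": "SW1A 1AA", "sex": "F", "diagnosis": "asthma"},
    {"patient_id": "P002", "age": 37, "postcode": "SW1A 2BB", "sex": "F", "diagnosis": "diabetes"},
    {"patient_id": "P003", "age": 31, "postcode": "SW1A 3CC", "sex": "F", "diagnosis": "asthma"},
    {"patient_id": "P004", "age": 52, "postcode": "M1 1AE", "sex": "M", "diagnosis": "hypertension"},
    {"patient_id": "P005", "age": 58, "postcode": "M1 2AF", "sex": "M", "diagnosis": "asthma"},
    {"patient_id": "P006", "age": 55, "postcode": "M1 3AG", "sex": "M", "diagnosis": "diabetes"},
    {"patient_id": "P007", "age": 79, "postcode": "EH1 1YZ", "sex": "F", "diagnosis": "dementia"},
]

# Attributes an outsider could plausibly know about a person and use to link.
QUASI_IDENTIFIERS = ("age_band", "postcode_area", "sex")


def pseudonymise_id(patient_id: str, key: bytes) -> str:
    """Replace a direct identifier with an HMAC-SHA256 pseudonym.

    The controller keeps `key` separately from the research copy (GDPR
    Art. 4(5)): without it the pseudonym cannot be reversed; with it the
    same patient always maps to the same pseudonym, so linkage stays
    possible. The data therefore remains personal data (Recital 26).
    """
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalise(record: dict, key: bytes) -> dict:
    """Pseudonymise the ID and coarsen quasi-identifiers (data minimisation)."""
    decade = (record["age"] // 10) * 10
    return {
        "pseudonym": pseudonymise_id(record["patient_id"], key),
        "age_band": f"{decade}-{decade + 9}",
        "postcode_area": record["postcode"].split()[0],  # outward code only
        "sex": record["sex"],
        "diagnosis": record["diagnosis"],
    }


def equivalence_classes(records, quasi=QUASI_IDENTIFIERS) -> Counter:
    """Count records sharing the same quasi-identifier tuple."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def risk_metrics(records, quasi=QUASI_IDENTIFIERS) -> dict:
    """k-anonymity plus prosecutor-model re-identification risk.

    An attacker who knows a target's quasi-identifiers picks the right
    record from an equivalence class of size n with probability 1/n.
    """
    if not records:
        return {"k": 0, "max_risk": 0.0, "avg_risk": 0.0}
    classes = equivalence_classes(records, quasi)
    k = min(classes.values())
    per_record = [1 / classes[tuple(r[q] for q in quasi)] for r in records]
    return {"k": k, "max_risk": 1 / k, "avg_risk": sum(per_record) / len(per_record)}


def suppress_small_classes(records, k_required: int, quasi=QUASI_IDENTIFIERS) -> list:
    """Drop records whose equivalence class is smaller than k_required."""
    classes = equivalence_classes(records, quasi)
    return [r for r in records if classes[tuple(r[q] for q in quasi)] >= k_required]


def build_release(records=RECORDS, key=b"demo-key-held-by-controller", k_required: int = 3):
    """Pipeline: pseudonymise + generalise, measure, suppress, re-measure."""
    generalised = [generalise(r, key) for r in records]
    before = risk_metrics(generalised)
    released = suppress_small_classes(generalised, k_required)
    after = risk_metrics(released)
    return released, before, after


if __name__ == "__main__":
    released, before, after = build_release()
    print("before suppression:", before)
    print("after suppression: ", after)
    print("records released:", len(released), "of", len(RECORDS))
```

On the constructed data the single 70-79 / EH1 record is unique (k = 1, worst-case risk 1.0) and is suppressed to reach k = 3; the cost is losing that record, which is exactly the utility trade-off the topic raises. k-anonymity only measures identity disclosure: if every record in a class shared one diagnosis, the attribute would still leak, so a real assessment would also look at diversity within classes and at whether the release key and the identifiable source are kept apart.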

VI. Regulatory compliance for AI development

This topic turns the spotlight on the combined implications for artificial intelligence development of the GDPR, the Medical Device Regulation and the forthcoming EU Regulation on AI.

i~HD