i~HD webinars 2021: GDPR for tomorrow’s health data-driven innovation
Webinar 1: How does the GDPR apply to health data?
In the first webinar we will introduce the series with a welcome from i~HD’s President Dipak Kalra and Educational Programme Lead Tanja Vincken. This webinar focuses on the broad impacts of GDPR and how it applies to health data driven research. We will consider the implications for innovation from a legal professional, health sector and health industrial perspective.
Topics covered include: Why the GDPR was introduced (its purpose), and to whom and what it applies. The GDPR principles and how these impact on the main data flows when collecting and analysing health data through apps, wearables, clinical systems and research systems. Practical adoption and compliance steps (e.g. what is a DPIA, what legal bases are often used in different situations). Boundary conditions: data minimisation, use that is consistent with the legal basis, catering for withdrawal of consent. Good practices that should be adopted: transparency, information security measures, codes of conduct. An introduction to anonymisation and pseudonymisation. Whether COVID-19 has changed the expectation landscape. Q&A from the audience.
Date: 16/09/2021 Time: 14.00 CEST Duration: 2 hours
Webinar 2: Setting up a GDPR-compliant data collection and processing pipeline
What are the GDPR compliance steps and specifications that should be adopted when developing an innovation or a research study that collects, processes, retains, analyses and possibly shares health data from patients, citizens, or research data subjects? We explore this area from the contractual and practical, governance and data management and research requirements perspectives.
Topics covered include: Exploration of the practicalities involved in planning and implementation of data pipelines to support research and innovation. This includes the importance of understanding who the parties responsible for developing the sharing and receipt of data are, their roles and responsibilities, how data will be shared and stored, under what legal bases, the obligations on each party as a result and the role of contracts and agreements to formalize these arrangements. What agreements and approvals are usually needed in the context of conducting research or data sharing, what documentary evidence these require, what the main issues are in agreeing to data sharing across partners and regulators, and what is needed to successfully complete a European Commission grant proposal ethics section. This session will focus on the practicalities of setting up and running a research database and consider the differences across national jurisdictions.
Date: 28/09/2021 Time: 14.00 CEST Duration: 2 hours
Webinar 3: Patient and participant consent, transparency notices and data subject rights
We explore in this session which data processing activities need formal permission from patients and research data subjects, how consent forms and transparency notices should be worded and how to meet the obligations of data subject rights such as withdrawal. We consider here in more detail the ethical considerations and Independent Review Board requirements in line with consents and participant engagement.
Topics covered include: How to determine and then specify the data collection, storage, analysis and reuse permissions you need to request from participants, and then how to word patient choices, consent forms and transparency notices in ways that assure those permissions whilst being understandable and clear. What data subject access rights GDPR requires, and how to comply with the rights including data portability. Handling participant withdrawal: scenarios and obligations, transparency and feedback. How to re-approach patients/users for additional permissions downstream, for example if new data use opportunities arise.
Date: 08/10/2021 Time: 14.00 CEST Duration: 2 hours
Webinar 4: Data protection safeguards, threats and breaches
This session explores the implications of the Security Principle in GDPR and the prosecutions that have resulted. We explore the practical implications of how to manage security and determine what information security safeguards are appropriate for the intended data, data flows, processing and risks within the data pipeline. We also consider how best to apply and combine them to assure appropriate levels of protection, and what to do if there is a data breach.
Topics covered include: Looking at the Data Protection Impact Assessment to determine the requirements for organisational, physical and technical safeguards. Exploring the main information security safeguards that should be adopted by an organisation, and the additional safeguards that should be adopted for information sharing and federated querying. Developing a data code of conduct, inducting and monitoring staff, demonstrating organisational compliance. The principal threats and potential errors, and how to ensure adequate protection against them. Handling a data breach including your legal obligations. Q&A from the audience.
Date: 15/10/2021 Time: 14.00 CEST Duration: 2 hours
Webinar 5: Anonymisation and pseudonymisation
In this session we explore the definitions of both these forms of data minimisation, the practical implementations and the implications for conducting research. We will consider quantifying privacy risk and how to mitigate against it without rendering datasets useless for research. We consider the question: how can we balance privacy protection using anonymisation and pseudonymisation with the need to ensure we can ask pertinent research questions?
Topics covered include: Why anonymisation is useful with regard to GDPR and data protection, and how this aids compliance with data minimisation. Practicalities around the principles and main methods for anonymisation, examples of data transformation rules that can be applied. We also review privacy risk and its quantification, including disclosure controls that need to be adopted on top of data anonymisation. Why pseudonymisation is useful, its principles, the main methods adopted, protecting pseudonymisation keys, managing longitudinal linkage. We explore the implications for research. Q&A from the audience.
Date: 15/11/2021 Time: 14.00 CEST Duration: 2 hours
Webinar 6: Regulatory compliance for AI development
The combined implications for artificial intelligence development within the GDPR, the Medical Device Regulation and the forthcoming EU Regulation on AI.
Topics covered include: Enabling permitted access to big data resources that are often needed to develop and validate AI algorithms, knowing and reducing bias in AI development. The requirements of the Medical Device Regulation on the development and use of AI, and how to ensure compliance, what evidence of transparency, trustworthiness and safety a healthcare provider or health region may require before it will adopt an AI solution. How the new EU Regulation on AI introduces a robust and risk-based assessment and compliance approach: how to be AI-Regulation-ready. Q&A from the audience.
Date: 23/11/2021 Time: 14.00 CEST Duration: 2 hours
Webinar 7: Ask the Experts!
An opportunity for our past webinar participants to pose their specific challenges, obstacles or new ambitions to our panel of experts for advice – a “clinic” for our attendees to try and address GDPR problems!
People who have participated in one or more past webinars in this programme will be eligible to submit a question (in advance) to our panel. This may be about how to tackle a specific challenge, or how best to leverage a new data use opportunity in compliance with the GDPR. The panel expert answers will provide a specific response to the question in its context, plus generalised learning points from that situation that may be relevant to others in the audience. Questions arising from any of the previous webinars in the programme can be considered.
Date: 09/12/2021 Time: 14.00 CEST Duration: 2 hours
Meet our experts! They work in the legal, ethical, ICT, data management, and patient representative professions. In the GDPR Webinar Series, they will share their knowledge and experience on different aspects of data protection in healthcare innovation. They aim to discuss and explore practical experience and solutions, best practices and approaches for compliance, data breach management, failures and prosecutions, meaningful public engagement, security, novel technologies, and forthcoming regulation (including the AI Regulation and Data Governance Act), and more.
Associate Professor in the Department of Mathematical Sciences at Durham University
Louis Aslett is an Associate Professor in the Department of Mathematical Sciences at Durham University.
He has 3 primary areas of methodological research interest. The first is at the interface between cryptography and statistics, with the focus on privacy-preserving statistical analyses. His personal interest is on the statistics side of this fusion, developing novel statistical methodology which is amenable to use in the constrained environment of encrypted computation made possible by recent developments in homomorphic encryption and multiparty computation methods such as homomorphic secret sharing.
His second main strand of research is in reliability theory, where interest is in the structural reliability of engineered systems, usually taken from a Bayesian perspective. Finally, he is interested in the development of statistical methodology which is amenable to implementation in modern massively parallel computing architectures such as GPUs which are prevalent today — specifically this includes accelerating Bayesian modelling and genetic ancestry problems.
On the applied side of research, he is engaged in large-scale machine learning modelling with NHS Scotland via a Programme Fellowship at the Alan Turing Institute, the UK’s national institute for data science and AI. He is project lead for SPARRA (Scottish Patients At Risk of Re-admission and Admission), which is developing the next generation of a model designed to aid GPs in prioritising primary care interventions to reduce the risk of emergency hospital admissions. This work utilises various Electronic Health Records (EHRs) for roughly 3.6 million people in Scotland (roughly 80% population coverage).
From 2013 to 2017 he was a postdoc on the EPSRC funded i-like project in Chris Holmes’ group at the University of Oxford, and Junior Research Fellow at Corpus Christi College. He completed his Ph.D. in 2013, entitled “MCMC for Inference on Phase-type and Masked System Lifetime Models” at Trinity College Dublin with supervisor Simon Wilson. Before entering research he was Founder and Technical Director of 6 Internet Limited, a server hosting and application development specialist, and holds a first-class BA (Hons) in Mathematics and a Ph.D. in Mathematical Statistics from Trinity College Dublin.
Director Data Protection and IP, EFPIA
Brendan Barnes is Director Data Protection and IP at the European Federation of Pharmaceutical Industries and Associations (EFPIA). EFPIA represents the pharmaceutical industry operating in Europe. Through its direct membership of 33 national associations and 40 leading pharmaceutical companies, EFPIA is the voice on the EU scene of 1,900 companies committed to researching, developing and bringing to patients new medicines that will improve health and the quality of life around the world.
Brendan Barnes joined EFPIA in 2002 to work on the alignment of national laws in new member states during the enlargement of 2004. Subsequently, he has been involved in EFPIA’s work on multilateral trade and intellectual property issues, including the EU’s legislation on product diversion and compulsory licensing and on issues relating to access to medicines. More recently, he has been involved in the development of new business models in the areas of neglected disease and infection.
He previously worked in the pharmaceutical industry for 11 years, in a range of roles including Finance, Strategic Planning and Public Affairs, among other things coordinating work on the Montreal Protocol phase-out of CFCs. In the course of his career he has also worked in a number of other industries in a range of finance roles. He has degrees in Psychology and Business. A UK national, he is married with two children.
Early Stage Researcher
Maria Christofidou is an Early Stage Researcher based at the European Institute for Innovation Through Health Data (i~HD). She graduated from the University of Kent with an LLB in Law (2012-2015) and went on to study at the University of Edinburgh, where she graduated with an LLM in European Law (2015-2016). She successfully passed the LPC at the University of Law (2016-2017), subsequent to which she worked in an international law firm in London on Intellectual Property law.
In 2019 she was a stagiaire at the Legal Service of the European Commission dealing with Competition Law and then joined a consultancy where she worked on EU public affairs relating to healthcare and life sciences. In 2020 she successfully applied for the Marie Skłodowska-Curie HELICAL Grant and is currently undertaking her PhD at the University of Ghent on GDPR and health data.
Co-founder of resolut
Diego Fornaciari is the co-founder of the law firm resolut, which specialises in health law and dispute resolution. Within his field of expertise, he has a particular interest in the legal aspects of “entrepreneurship” and innovation in healthcare.
Data Protection, Contract Review and Negotiation, Intellectual Property Protection
Evelyn Fox has been working as the Deputy Data Protection Officer (Research) in Trinity College Dublin, the University of Dublin since July 2019. Trinity is Ireland’s leading University, and is a research-centred collaborative University, rich in heritage and culture, set in an iconic campus in the heart of Dublin, Ireland. Evelyn is responsible for advising Trinity’s researchers on compliance with data protection law, including review of privacy notices, information leaflets and consent forms, DPRAs, DPIAs and contractual compliance involving data and biomaterial transfer.
Evelyn regularly provides training to Trinity’s staff and students on data protection compliance and has produced an online module for PhD students on GDPR and Research. Evelyn has chaired and presented at national events on health research compliance, in conjunction with the Department of Health and the DPC. Evelyn is a member of the Health Research Data Protection Network in Ireland, and is a qualified Solicitor in Ireland, England, and Wales with particular expertise in medical law, data protection and intellectual property. Evelyn has over ten years’ experience advising on data and biomaterial transfer in health research.
Lecturer in Health Law at Ghent University
As a health lawyer Tom Goffin has been able to shape two important legislative initiatives on quality and safety in recent years:
the European Directive on patients’ rights in cross-border healthcare. This directive encourages the Member States, among other things, to develop a concrete quality policy;
the law on quality practice in health care. Quality and safety are central to this act. The caregiver will have to meet the necessary quality requirements regardless of where he provides his activities.
He wants to use his knowledge within the expertise center to translate the legal quality rules into frameworks that can be used in practice and to conduct research into the legal implications of the various dimensions of quality within our healthcare.
Dipak Kalra, PhD, FRCGP, FBCS, British, is President of The European Institute for Innovation through Health Data (i~HD).
He plays a leading international role in research and development of Electronic Health Records, including the requirements and models to ensure the robust long-term preservation of clinical meaning and protection of privacy. He leads the development of ISO standards on EHR interoperability, personal health records, EHR requirements, and has contributed to several EHR security and confidentiality standards.
Dipak has led multiple European projects in these areas, including Horizon 2020 and the IMI programme alongside pharma companies, hospitals and ICT companies. He recently co-led a €16m project on the re-use of EHR information for clinical research, EHR4CR, alongside ten global pharma. He is a partner in another IMI project, EMIF, on the development of a European clinical research platform federating multiple population health and cohort studies. Dipak also led an EU Network of Excellence on semantic interoperability, and is a partner in other EU projects on the sustainability of interoperability assets, the transatlantic sharing of patient summaries and quality labelling.
Dipak is Professor of Health Informatics at University College London and Visiting Professor of Health Informatics at the University of Gent.
DPO & Information Governance Lead for i~HD, Senior Research Fellow UCL
Nathan (PhD) is an independent consultant who is working with i~HD as their data protection officer and on the development of adaptive codes of practice and standard operating procedures to govern and secure the use of health and genetic data for research purposes and digital health innovation. He has focused his work on operational security and design implementation and he has an interest in understanding the legal, ethical and societal impacts and concerns around novel health data uses, particularly in the area of Artificial Intelligence for health management and genomics research.
Nathan is the Information Governance Lead for the University College London Hospitals NHS Foundation Trust NIHR Biomedical Research Centre Clinical Research Informatics Unit and a Senior Research Fellow at UCL where his research and teaching focuses on understanding legal, ethical and security requirements for Big Data driven clinical research. Nathan has worked with the UCL European Institute to examine the implications of No Deal Brexit on EU Data Flows and reviewing transatlantic data flows in the light of Privacy Shield and the Schrems II Case. He is an Editorial Board Member of the International Journal of Population Data Science.
Professor/Consultant of Nephrology (Clinical Medicine)
Mark Little runs a translational medicine research programme focused on the investigation of pathogenesis and the discovery of biomarkers of disease in glomerulonephritis. His principal research interest is in ANCA vasculitis, an autoimmune condition that causes multi-organ failure as a consequence of overwhelming necrotising inflammation affecting small blood vessels.
Assistant professor in Medical Ethics at Ghent University
Heidi Mertes is an expert in moral philosophy (applied and theoretical), with a focus on bioethics, primarily regarding embryo research, stem cell research, assisted reproduction, fertility preservation, genetics and intersections of the above.
Prof. Biomedical Data Sciences
Liesbet dreams of a world where one day every single person gets the treatment they deserve in a timely manner. She is convinced that we have to supercharge our healthcare system with insights gained from Big Data. Her research focuses on developing big data sharing procedures and artificial intelligence algorithms with a specific focus on real-world evidence. She is assistant professor (tenure) at the Biomedical Research Institute and Data Science Institute of Hasselt University. In 2013, she finished her PhD in Bio-Engineering Sciences at the KULeuven in Belgium. She is a member of the ELIXIR community focussing on constructing a sustainable infrastructure for the sharing of biological information throughout Europe. She heavily invests in increased community engagement and communication between stakeholders. For example, she is the chair of the MS Data Alliance initiative. Through the MS Data Alliance Academy activities, she aims for increased awareness about the value of real-world data, community building and promoting trustworthy and transparent practices. Next to this, as a core group member of the “Data Saves Lives” initiative, she is involved in setting up a large-scale multi-stakeholder awareness raising campaign on health data in Europe.
Patient Contact and Policy Officer at Vasculitis Ireland Awareness
Julie Power provides support to those affected by any of the Vasculitis Diseases in Ireland, raising awareness of Vasculitis and improving the care of those affected by Vasculitis.
Attorney in Technology, IT, Data Protection and Cybersecurity Law
Ruben Roex performs privacy and data protection (GDPR) compliance audits for SMEs, multinationals and public sector organizations and assists clients with implementing data protection requirements in day to day activities, processes and systems. He advises clients regularly on complex issues regarding data protection law, often at the crossroads of other domains such as eHealth and Human Resources. He drafts information notices for virtually any target audience and is very well acquainted with data processing, data exchange and data sharing agreements.
Ruben is well versed in data transfer matters. He also assists clients with the data protection aspects of mergers and acquisitions. He gives trainings and lectures on privacy and data protection topics and developments to company lawyers, fellow attorneys, data protection officers, students and other interested parties. He is also experienced in all matters relating to cybersecurity and cybercrime.
He advises clients on legal aspects of information security, defends clients’ interests before the courts in cybercrime related cases and regularly provides trainings on topics related to cybersecurity and cybercrime. Ruben assists clients with setting up data breach management procedures, notification procedures and processes and contingency strategies. Ruben regularly advises on different aspects of IT and e-business, such as contracting, trust services (e.g. electronic signatures, electronic archiving, authentication, etc.), trade secrets and consumer protection. He also has a particularly strong focus on the legal aspects of e-payments, FinTech and other innovations in the payments sphere. Ruben’s expertise also covers the legal aspects of specific technologies such as drones, surveillance cameras, Internet of Things (IoT) and many others.
Assistant Professor in Privacy Law at UGent
Mahsa Shabani is Assistant Professor in Privacy Law at the Faculty of Law and Criminology, Ghent University in Belgium. Her research focus is on personal data protection, health privacy, data sharing and access platforms, and biomedical and genomics research ethics, law and policy. She has extensively published her work in scientific journals with a broad readership in the fields of data protection, medical law, bioethics, genomics and bioinformatics.
Previously, she was a visiting scholar at the Center of Genomics and Policy at McGill University, the Center for Health, Law and Emerging Technologies (HeLEX) at University of Oxford, and the Columbia CEER at Columbia University Medical Center. In recent years, she has been collaborating with various international and European projects such as the Regulatory and Ethics Working Group of Global Alliance for Genomics and Health initiative, EUCelLEX and euCanSHare projects.
Currently, she is a member of the Ethics advisory board of various European Commission (EC) and IMI funded projects (Konfido, RHAPSODY, BEAT-DKD, and HEADSpAcE projects) and acts as an external expert for the EC. She is also a selected member of the Scientific Committee of the International Rare Diseases Research Consortium.
Information Governance Expert
Peter Singleton is an experienced IT manager, specialising in the strategic application of information technology to improve client businesses, often leading in the innovative application of new technologies in business. He is skilled in mentoring client and internal staff, and managing systems implementation to ensure business fit.
Peter is broadly-based, bridging commercial, financial, and technical areas. He has international experience. He has spent the last fifteen years addressing key issues in health informatics, including the implementation of electronic health record systems from strategic business analysis through development to evaluation of NHS implementation programmes.
He has worked with a wide range of NHS and European organisations, advising and supporting IT implementation. Previously he was involved in delivering enterprise reporting systems to clients across Europe and prior to that developed two IT services companies to leaders in their fields by developing premium services, staff skills, and close liaison with key software suppliers.
Senior International Clinical Project Manager, Freelance Clinical Research Professional
Anke has more than 20 years of experience in clinical research with a main focus on project management of large, international clinical trials with a wide variety of therapeutic backgrounds including cardiovascular, neurology, pneumology, dermatology, nephrology, urology, endocrinology and infectious diseases. As of 2009 she works as an independent contractor in clinical research for several large pharma companies such as Janssen Pharmaceutica. Since 2019 Anke has supported Novellas Healthcare in Zellik (Brussels, Belgium) as Quality Manager. She guided the company through an ISO 9001 certification process in early 2021. Novellas Healthcare is a pioneer in the organisation of Patient Support Programs, in which protection of personal data is key. Anke currently continues to support Novellas Healthcare in expanding their Quality Management System and ensuring data protection is guaranteed throughout the different tools used within the Patient Support Programs.
Educational Programme Manager
As i~HD’s educational programme manager, Tanja is in charge of the coordination of all i~HD educational events. Furthermore, she lends support to the marketing of i~HD Programmes.
Tanja has good knowledge of the health sector, after obtaining a bachelor nursing degree and building up a career in sales as a medical representative for many years. In this capacity, she had the opportunity to work for Novartis Oncology, KCI Medical and Linde Gas Therapeutics.
As a representative she has developed good listening skills to precisely understand clients’ needs and to collaboratively propose solid solutions. Eager to learn new things and to get events organised, she enthusiastically joined the i~HD team in October 2020.
Information Governance Expert
Petra Wilson is co-founder and managing director of Health Connect Partners, a boutique consultancy which focusses primarily on helping clients understand the European health policy environment. Current projects being undertaken by Health Connect Partners include the review of cross-border patient mobility for the European Commission, leading the development of an eHealth Governance Strategy for the Ministry of Health in Algeria, and the development of a new code of conduct for gene banking for the national gene bank in Spain.
In addition, Petra is engaged as EU Programme Director for the Personal Connected Health Alliance (a HIMSS innovation company), and also acts as a senior advisor on health and life sciences at FTI Consulting. Petra’s past experience includes eight years in the European Commission, where she focussed particularly on the use of information society technologies in healthcare; seven years as Senior Director of Connected Health at Cisco, where Petra’s team supported clients in making best use of new communications technologies to drive safer and more efficient access to healthcare. Petra also has deep experience of the health services sector, having worked on both the patient and provider side as CEO of the International Diabetes Federation.
Petra holds a Doctorate in Public Health Law from Oxford University. She has British and Belgian nationality, has lived in Brussels for over 20 years and works in English, German and French.