Hands On RDM
Legal aspects related to data: Information you should be aware of
You find the notepad of today’s session:
http://www.crc1382.org/pad05

1 Topic

Today we will talk about several legal aspects which are related to data and data management. Anonymization of data will also be part of it.

1.1 Disclaimer

This session cannot give you any legal advice. For consultancy on this matter contact the Center of Translational & Clinical Research (CTC-A)

Information partly taken from "TMF School 2021; Datenschutz medizinische Forschung; Johannes Drepper";

TMF – Technologie- und Methodenplattform für die vernetzte medizinische Forschung: https://tmf-ev.de/

2 Introduction

  • Breakout session (7 min)
  • All breakout sessions groups will work in one padlet: https://padlet.com/lukas4htc/c2tdlihtptiksyg4
  • What are the relevant legal fields regarding RDM?
  • Discuss and document the fields of legal aspects for RDM.
  • Nominate a spokesperson to present the results.

2.1 Legal Challanges

Legal fields of research data1

  • Patent law (Patentrecht): What do you need to consider when RD (research data) will work as patent?
  • Proprietary right (Urheberrecht): Unclear if RD are covered by proprietary rights.
  • Competition law (Wettbewerbsrecht): Are RD used in an unfair way in business transactions?
  • Privacy protection (Datenschutz): What RD are worth being protected?
  • (Wissenschaftsrecht): Is it allowd to force publication and licencing of RD?
  • Fundamental rights (Grundrechte): Where are the limits of fundamental rights
  • International law (Internationales Recht): Will foreign rights be applicable to RD?
  • EU law (EU-Recht): How will the "European Data Economy" affect RD?
  • Contracts (Verträge): Are there agreements on RD as "intellectual property"?
  • Employment law (Arbeits-/Dienstrecht): How is the owner of RD?
  • Funding conditions (Förderbedingungen): What are the demands of Third party funding agencies?
  • Policies (Policies): Are there legal consequences following (institute) policies?

3 Fundamental rights, personal data and their de-identification

3.1 Quiz

Mentimeter / How to play the Quiz

  1. Before the first question starts, participants get to enter a nickname
  2. The question appears and the participants need to answer before the countdown ends
  3. Wrong or no answer gives zero points
  4. You can choose to show a leaderboard after each question to show who's in the lead
  5. At the last Quiz leaderboard, the final winner is revealed!

Answer the questions2: https://www.menti.com/ei5fc4wyjv

Results: https://www.mentimeter.com/s/64c035b31b527339a45e1dace158fc99/51a846e508d4

3.2 FUNDAMENTAL RIGHTS OF THE EUROPEAN UNION

Which fundamental rights are to be taken into account of medical research projects? (Welche Grundrechte sind bei einer datenschutzrechtlichen Prüfung medizinischer Forschungsprojekte im Regelfall zu berücksichtigen?)

  1. Freedom of practice (freie Berufsausübung)
  2. *Freedom of science (Wissenschaftsfreiheit)
  3. *Protection of personal data (Schutz personenbezogener Daten)
  4. Physical integrity (körperliche Unversehrtheit)
  5. Freedom of speech (Meinungsfreiheit)

3.2.1 Article 8

Protection of personal data3

  1. Everyone has the right to the protection of personal data concerning him or her.
  2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
  3. Compliance with these rules shall be subject to control by an independent authority.

3.2.2 Article 13

Freedom of the arts and sciences4

The arts and scientific research shall be free of constraint. Academic freedom shall be respected.

3.3 FUNDAMENTAL RIGHTS OF THE EUROPEAN UNION – Equal Consideration

How do the fundamental rights to data protection and freedom of research relate to each other? (Wie verhalten sich die Grundrechte zum Datenschutz und zur Forschungsfreiheit zueinander?)

  1. Freedom of research always comes first (Forschungsfreiheit geht immer vor)
  2. Both always to be considered equally (Beide immer gleich zu berücksichtigen)
  3. *Both in harmony, weighing in individual cases (Beide im Einklang, Abwägung im Einzelfall)
  4. Protection of personal data always comes first (Schutz personenbezogener Daten geht immer vor)

How can these two fundamental laws considered equally?5

3.3.1 Practical concordance

Both laws must be balanced: Practical concordance, e.g. by informed consent.

Individual interest of the persons concerned in secrecy Interest of individual researchers in the use of personal data for research purposes
General interest in self-determination as the basis of a liberal basic order (Allgemeininteresse an Selbstbestimmung als Grundlage freiheitlicher Grundordnung) Interest of the general public in medical progress

3.3.2 Informed consent

  • Participants (e.g. of clinical study) need to be informed what happens with their data.
  • Participants need to give their consent (voluntarily!) using their data.
  • Data analysis and data archiving require different consents. Common problem for archiving data: No consent present.

Get advice:

3.4 Personal data

To which information does data protection law apply

  1. *Hilde Müller with family with cystic fibrosis (Hilde Müller mit Familie mit Mukoviszidose)
  2. *Herta Müller, Teacher at community college (Herta Müller, Volkshochschulkursleiterin)
  3. *Herbert Müller, participant of clinical study (Herbert Müller, Studienteilnehmer)
  4. *Hilde Müller, Doctor in Diabetology (Hilde Müller, Ärztin in Diabetologie)
  5. Hospital with financial loss (Krankenhaus mit finanz. Verlust)
  6. Hospital with 22 treatment errors (Krankenhaus mit 22 Behandlungsfehlern)
  7. Ape in lab (Affe im Labor)
  8. *Hand Müller with diabetes (Hans Müller mit Diabetes)

3.4.1 General Data Protection Regulation / GDPR (Datenschutz-Grundverordnung / DSGVO)

  1. Article 4: Definition6

    For the purposes of this Regulation:

    (1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

3.5 Personal data / Categories

What information relates to special categories of personal data? (Welche Angaben betreffen besondere Kategorien personenbezogener Daten?)

  1. *Hilde Müller with family with cystic fibrosis (Hilde Müller mit Familie mit Mukoviszidose)
  2. Herta Müller, Teacher at community college (Herta Müller, Volkshochschulkursleiterin)
  3. *Herbert Müller, participant of clinical study (Herbert Müller, Studienteilnehmer)
  4. Hilde Müller, Doctor in Diabetology (Hilde Müller, Ärztin in Diabetologie)
  5. Hospital with financial loss (Krankenhaus mit finanz. Verlust)
  6. Hospital with 22 treatment errors (Krankenhaus mit 22 Behandlungsfehlern)
  7. Ape in the lab (Affe im Labor)
  8. *Hans Müller with diabetes (Hans Müller mit Diabetes)

3.5.1 General Data Protection Regulation / GDPR (Datenschutz-Grundverordnung / DSGVO)

  1. Article 9: Processing of special categories of personal data7
    1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

3.6 De-identification: Anonymization vs. Pseudonymization

Which of the following statements do you agree with wholeheartedly? (Welchen der folgenden Aussagen stimmen Sie vorbehaltlos zu?)

  1. *Pseudonymization usually better than anonymization due to data quality (Pseudonymisierung im Regelfall besser als Anonymisierung wg. Datenqualität)
  2. Pseudonymization always better than anonymization (Pseudonymisierung immer besser als Anonymisierung)
  3. *Use anonymization only in individual cases, if data quality is nevertheless sufficient (Anonymisierung nur im Einzelfall anwenden, wenn Datenqualität dennoch ausreichend)
  4. *Anonymity prevails only when re-identification is absolutely impossible (Anonymität herrscht nur, wenn Reidentifizierung absolut unmöglich)
  5. There is no more anonymous data (Es gibt keine anonyme Daten mehr)
  6. Anonymization is the gold standard (Anonymisierung ist der Goldstandard)
  7. Anonymization is just a synonym for Pseudonymisation (Anonymisierung ist nur ein Synonym für Pseudonymisierung)

3.6.1 Data anonymization and pseudonymization

Do we have to consider GDPR always?

  1. Recital 26

    GDPR is not applicable to anonymous data.8

    (5) The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

3.6.2 Anonymization

Markers to identify a person:9

  • Identifier: Name, address, identification number (e.g. health insurance, hospital record etc.)
  • Quasi-identifier: variables which can be read/identified using additional knowledge (age, residence, height, sex etc.)
  • Sensible data: data whose assignment to persons may not be disclosed (diagnoses, findings etc.)

(Example image)

Simple-data-anonymization-example.png

Figure 1: Anonymized personal data (source: https://bizdatax.com/wp-content/uploads/2020/09/Simple-data-anonymization-example.png)

BUT: Anonymized data is (usually) lost data for science. You may loose important information.

3.6.3 Pseudononymization

Data still can be connected to a person, but:

  • relation is secured by a "key",
  • which is in the hand of a trustee.

Simple-data-pseudonymization-example.png

Figure 2: Pseudonymized personal data (credit: https://bizdatax.com/wp-content/uploads/2020/09/Simple-data-pseudonymization-example.png)

3.6.4 Why is it important for the research data management?

Personal data must not be stored in online services, e.g. Sciebo10:

6.2 Personal Data of Third Parties …

Special categories of personal data of third parties pursuant to Art. 9 para. 1 GDPR may not be stored in the service. This includes:

  • data revealing the racial and ethnic origin
  • data indicating the political opinion
  • data revealing the religious or philosophical convictions
  • data indicating the trade union membership
  • genetic data
  • biometric data for the unique identification of a natural person
  • health data
  • data on the sex life or sexual orientation of a natural person

Only (pseudo)anonymized data can be stored.

3.6.5 How can I anonymize or pseudonymize my data?

Anonymization

  • Deleting all identifiable information.
  • Replacing sensitive information with a description that has reference to original context
  • Anonymity before completeness/information

Pseudononymization

  • Replacing sensitive information with a pseudonym (code)

Technically

4 Breakout session

(20 min) Your task:

  • Download the PDF: https://rwth-aachen.sciebo.de/s/WZzvX8Ewj3YYAs5 (Transcript of an interview)
  • Follow the instructions in the PDF:
    • Find and highlight personal data information like "identifier", "quasi-identifier", "sensible data"
    • What would be a solution to de-identify the personal data?
  • Nominate a person to present the results of your group.

5 Interesting links

Anonymization and Pseudonymization in the context of GDPR by Josipa Popović (September 18, 2020)

Footnotes:

1

Compiled using the FDMentor 3.1 slides, based on [cite:@Hartmann2019]

2

Based on: J. Drepper, Datenschutz in der medizinischen Forschung, TMF School 2021

3

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12012P/TXT&from=DE#d1e189-393-1

4

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12012P/TXT&from=DE#d1e261-393-1

5

J. Drepper, Datenschutz in der medizinischen Forschung, TMF School 2021

6

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e1489-1-1

7

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e2051-1-1

8

Recital 26: https://gdpr-info.eu/recitals/no-26/

9

Based on: J. Drepper, Datenschutz in der medizinischen Forschung, TMF School 2021

10

https://hochschulcloud.nrw/en/nutzungsbedingungen/

Date: 2021-08-04

Author: Lukas C. Bossert

Created: 2021-08-04 Mi 13:40

Validate