February 20, 2018 | Rodrigo/David
If research institutions and collaborations haven’t already, we’re sure many are now turning their attention to understanding their obligations, as data controllers, under the General Data Protection Regulation (GDPR) that will come into effect in May 2018.
GDPR will replace the Data Protection Directive 95/46/EC and aims to harmonise data protection laws across all the member countries. In the process it will impose new obligations on organisations that process the personal data of European Union residents, but also takes the opportunity to support innovation and research.
Since development of AnalytiXagility, our digital research service, began we’ve used the Data Protection Directive 95/46/EC as a guiding design principle. The service supports numerous European research collaborations across healthcare, academia and the pharmaceutical industry to process their biomedical, precision medicine and healthcare research data.
AnalytiXagility is now available from three European hubs and has processed health research data from 15 different EU countries, the US and Australia across multiple data and disease types.
As our clients would expect, we are, in our role as their data processor, paying close attention to how we can support them with their data controller requirements under GDPR.
Considerations for healthcare-related research
GDPR requires that the processing of personal data is fair, lawful and transparent.
It may sound obvious, but we recommend that researchers, in conjunction with their data protection officer, take time to review the new regulation. We think that GDPR supports research collaborations that already follow good research practice. Some points we would highlight for that discussion are;
- To be lawful (in the UK) a research collaboration needs to have a lawful basis to process personal data and must also satisfy a common law duty of confidence.
- Confusion may arise in that “consent” may be used to be both the lawful basis to process data, and also the basis to satisfy the duty of confidence.
- The overwhelming feedback we’ve received is that data controllers in the healthcare research setting should consider a different basis other than “consent” as their lawful basis for processing personal data; for example, they could use “public interest” as the basis for processing personal data, then use “consent” to satisfy the common law duty of confidence.
- GDPR Article 5 and recital 39 (PDFs) both outline the importance of transparency when processing personal data. At each seminar and conference we’ve attended recently, transparency has been one of the key messages from organisations including the ICO, NHS Digital and the Medical Research Council (MRC). The ability to demonstrably prove transparency should be central to any data protection and privacy strategy.
If you are a researcher, it’s also worth understanding the provisions proposed under Article 89 (PDF), which sees research occupy a privileged position within the Regulation. Organisations which process personal data for research purposes may avoid certain restrictions, as long as they implement appropriate safeguards.
Those safeguards must ensure that technical and organisational measures are in place that respect the principle of data minimisation, such as pseudonymisation. Although we are currently awaiting further detail on what satisfies the requirement for data minimisation, the current ICO Code of Practice is a good guideline to follow.
Article 25 (PDF) ensures that the requirements are not an afterthought as it places the obligation on the data controller to apply data protection by design and by default. Article 28 (PDF) ensures that the data controller consider the whole of their supply chain when it states: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
No doubt there will be clarifications required in the run up to the legislation’s launch, but our view is those research collaborations that observe the points noted below should be prepared come May 2018:
- Have a clear understanding of the legal basis as to why they are processing personal data and are clear on how they are using consent.
- Are demonstrably able to prove transparency in their actions.
- Understand the principles of data minimisation and how they are being applied.
- Choose an appropriate data processing partner(s) that actively support Data Protection and GDPR.
Help and advice on GDPR is widely available, including from:
- The Information Commissioner’s Office
- The Medical Research Council Regulatory Support Centre
- NHS Digital
Enabling innovation, collaboration and access to privileged data
In support of the Data Protection Directive 95/46/EC, Aridhia designed into the AnalytiXagility digital research service many functions and features that data controllers could consider as appropriate safeguards to support transparency, security and data minimisation.
These services offer functionality that institutes including Great Ormond Street Hospital, Stratified Medicine Scotland Innovation Centre, Radboud University Medical Centre in the Netherlands and EPAD, the 38-member European Prevention of Alzheimer’s Dementia programme, use to conduct their collaborative research.
We thought it worthwhile to take a moment to review how the AnalytiXagility digital research service could support research collaborations and Principle Investigators (PIs) with their data controller obligations under GDPR.
At the core of the AnalytiXagility platform are two services which are designed to support transparency, security and data minimisation in the pursuit of innovation.
- Collaborative Analytic Research Workspaces – private data analytics environments protected with role-based access control, which facilitate data access and sharing for distributed teams to conduct collaborative, secure, auditable and reproducible research. Some clients have referred to their workspace as their “legal space” which enables them to transform from a “file system approach” which sees them worrying about hardware, into an “ecosystem approach” which allows them to support a community of research.
- Bi-Directional healthcare research data interface, or HDRspace – a mechanism and service for the bi-directional transfer of patient identifiable data to and from a health system and an AnalytiXagility workspace while supporting pseudonymisation, de-identification, traceability, application hosting and later in 2018, adaptive consent.
The following sections consider the four design principles of transparency, secure processing, data minimisation and consent and explains how these are supported through the functions and features available to users of the AnalytiXagility service.
Data protection by design and default
As we all know, technology alone won’t ensure compliance with any specific regulation. A data controller must take responsibility for the organisational and process aspects of adherence. For example, are the correct employment contracts in place and the appropriate ongoing training available?
As an example, as part of our own development programme, Aridhia has appointed an appropriately qualified Data Protection Officer and our staff complete relevant training courses including the MRC’s “Good Research Practices” and “Research Data and Confidentiality”, thus continually improving research data management expertise and capabilities across the organisation.
At Aridhia, we’ve taken this knowledge and designed our service to facilitate process-driven data stewardship. Our philosophy is to create a service that makes it easier for research collaborations to implement good research practice and to monitor its use, ensuring the research team is as productive as possible.
Transparency is designed into the AnalytiXagility service at multiple layers and data controllers – designated as Workspace Administrators – can use the following functionality to support their transparency goals:
- Upon sign in to a workspace, each user is reminded of their obligations and certify their right to use the data by accepting the terms and conditions of an “End User Agreement”. These agreements will reflect changes under GDPR obligations.
- Users and user activity within the workspace are transparent to the data controller (and other users) via the workspace members directory, continuous activity feed and observable and analysable audit log.
- A workspace “Airlock” feature allows data controllers to implement a transparent “data export” process.
- Access to a seamless data research lifecycle via an integrated eCRF process aids compliance with Good Clinical Practice guidelines on data collection.
Article 32 of the GDPR (PDF) states that the controller and the processor shall: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing… implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”. Within AnalytiXagility, secure processing of data is implemented through the following capability:
- The service is delivered to an operational service agreement that asserts service availability and associated subscription costs.
- Access to the service is restricted to users via multi-factor authentication and one of four user roles depending on the access to data and analytics they require.
- The service is regularly subjected to penetration testing and regularly patched.
- Data encryption can be implemented for data both at rest and in-flight and automatic virus scanning is enabled on all files loaded into a workspace.
- Aridhia and our delivery partners ensure relevant security certification is in place including, but not limited to, ISO 27001, Cyber Essentials and NHS Information Governance Toolkit.
Article 5, clause 1c (PDF) states that “…personal data shall be: adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).” Data controllers are supported in implementing the principle of data minimisation within AnalytiXagility through use of the following functionality:
- The option to either anonymise or pseudonymise patient data, from within a client network, using 14 core anonymisation plug-ins, and removing linkage information to a separate encrypted, secure store.
- Functionality to adapt to local legal requirements, enabling data controllers to create and implement bespoke anonymisation plug-ins and de-identification algorithms to suit their specific requirements.
- User confirmation that uploaded data has been minimised and the ability to implement a “Data Review and Approvals” function.
We continue to develop AnalytiXagility and reference the GDPR requirements to inform our technical design decisions, specifically how we continue to support our clients (data controllers) to implement appropriate safeguards regarding transparency, data minimisation and consent. In 2018, AnalytiXagility will be upgraded to include an adaptive consent functionality which has been designed in conjunction with our clients.
Organisations such as research hospitals collect consent information through a variety of mechanisms, including paper forms, electronic patient records and study-specific eCRFs. The new AnalytiXagility Privacy and Consent service will extend the existing De-identification Service to provide the ability to collate records from many sources in a standardised way, and apply them in an automated way as part of data flows to research. Initially focused on data re-use, the service will ensure research hospitals apply consent consistently when hospital data is de-identified for use in a research project. This will be integrated with the workspace audit trail and authorised re-identification functionality of the platform.
There are long-term trends toward data re-use driven by the need to validate studies, and also to follow patients for many years (e.g. longitudinal studies). Driven by these trends and the increased need for transparency and audit, the vision of the new service is to connect research participants with projects that use their personal health data and provide answers to questions such as:
- Where was my data used?
- What was the impact?
- What were the research outcomes?
- How can I change my mind and adapt my consent for use of my data in this project?
For researchers, the service will reduce the fear that GDPR will slow down science. By embracing the GDPR rights of EU citizens who participate in research and providing tools to meet those requirements, AnalytiXagility will be uniquely placed to help researchers actively engage with their participants.