Top

BMC Medical Informatics and Decision Making

Published in:

Open Access 01-12-2016 | Research article

Legal assessment tool (LAT): an interactive tool to address privacy and data protection issues for data sharing

Authors: Wolfgang Kuchinke, Christian Krauth, René Bergmann, Töresin Karakoyun, Astrid Woollard, Irene Schluender, Benjamin Braasch, Martin Eckert, Christian Ohmann

Published in: BMC Medical Informatics and Decision Making | Issue 1/2016

Abstract

Background

In an unprecedented rate data in the life sciences is generated and stored in many different databases. An ever increasing part of this data is human health data and therefore falls under data protected by legal regulations. As part of the BioMedBridges project, which created infrastructures that connect more than 10 ESFRI research infrastructures (RI), the legal and ethical prerequisites of data sharing were examined employing a novel and pragmatic approach.

Methods

We employed concepts from computer science to create legal requirement clusters that enable legal interoperability between databases for the areas of data protection, data security, Intellectual Property (IP) and security of biosample data. We analysed and extracted access rules and constraints from all data providers (databases) involved in the building of data bridges covering many of Europe’s most important databases. These requirement clusters were applied to five usage scenarios representing the data flow in different data bridges: Image bridge, Phenotype data bridge, Personalised medicine data bridge, Structural data bridge, and Biosample data bridge. A matrix was built to relate the important concepts from data protection regulations (e.g. pseudonymisation, identifyability, access control, consent management) with the results of the requirement clusters. An interactive user interface for querying the matrix for requirements necessary for compliant data sharing was created.

Results

To guide researchers without the need for legal expert knowledge through legal requirements, an interactive tool, the Legal Assessment Tool (LAT), was developed. LAT provides researchers interactively with a selection process to characterise the involved types of data and databases and provides suitable requirements and recommendations for concrete data access and sharing situations. The results provided by LAT are based on an analysis of the data access and sharing conditions for different kinds of data of major databases in Europe.

Conclusions

Data sharing for research purposes must be opened for human health data and LAT is one of the means to achieve this aim. In summary, LAT provides requirements in an interactive way for compliant data access and sharing with appropriate safeguards, restrictions and responsibilities by introducing a culture of responsibility and data governance when dealing with human data.

Available only for authorised users

Obligations of data controllers. http://ec.europa.eu/justice/data-protection/data-collection/obligations/index_en.htm. Accessed 27 Apr 2016.

van Panhuis WG, Paul P, Emerson C, Grefenstette J, Wilder R, Herbst AJ. Heymann D and Donald S Burke. A systematic review of barriers to data sharing in public health. BMC Public Health. 2014;14:1144–53.CrossRefPubMedPubMedCentral

Lee LM, Gostin LO. Ethical collection, storage, and use of public health data: a proposal for a national privacy protection. JAMA. 2009;302(1):82–4.CrossRefPubMed

IMIA Code of Ethics for Health Information Professionals. http://www.imia-medinfo.org/new2/node/39. Accessed 27 Apr 2016.

Goodman KW, Adams S, Berner ES, Embi PJ, Hsiung R, et al. AMIA’s code of professional and ethical conduct. JAMIA. 2013;20:141–3.PubMedPubMedCentral

Shabani M, Borry P. Challenges of web-based personal genomic data sharing. Life Sciences, Society and Policy. 2015;11:3–16.CrossRefPubMedPubMedCentral

Knoppers BM, Harris JR, Budin-Ljøsne I, Dove ES. A human rights approach to an international code of conduct for genomic and clinical data sharing. Hum Genet. 2014;133:895–903.CrossRefPubMedPubMedCentral

Malin B, Karp D, Scheuermann RH. Technical and policy approaches to balancing patient privacy and data sharing in clinical and translational research. J Investig Med. 2010;58(1):11–8.CrossRefPubMedPubMedCentral

Yu F, Ji Z. Scalable privacy-preserving data sharing methodology for genome-wide association studies: an application to iDASH healthcare privacy protection challenge. BMC Med Inform Decis Mak. 2014;14 Suppl 1:S3–11.CrossRefPubMedPubMedCentral

10.

Jiang X, Zhao Y, Wang X, Malin B, Wang S, Ohno-Machado L, Tang H. A community assessment of privacy preserving techniques for human genomes. BMC Med Inform Decis Mak. 2014;14 Suppl 1:S1.CrossRefPubMedPubMedCentral

11.

BioMedBridges. www.biomedbridges.eu/. Accessed 27 Apr 2016.

12.

ESFRI (European Strategy Forum on Research Infrastructures). http://ec.europa.eu/research/infrastructures/index_en.cfm?pg=esfri. Accessed 27 Apr 2016.

13.

Ohmann C, Kuhn K and WP5: Deliverable D5.1. Tool for the assessment of regulatory and ethical requirements. BioMedBridges (31 December 2013). http://www.biomedbridges.eu/sites/biomedbridges.eu/files/documents/deliverables/d5-2_report_biomedbridges_deliverable_assessment_tool_edited _final_complete.pdf. Accessed 27 Apr 2016.

14.

Information Management Glossary, SourceMedia (2016). http://www.information-management.com/glossary/d.html. Accessed 27 Apr 2016.

15.

Large human databases with human data have been created, like the Human Metabolome Database (HMDB), Immuno Polymorphism Database, 1000 Genomes Project, European Genome-phenome Archive. http://www.hmdb.ca/, https://www.ebi.ac.uk/ipd/. http://www.1000genomes.org/, https://www.ebi.ac.uk/ega/home. Accessed 27 Apr 2016.

16.

ESFRI. European Research Infrastructures with global impact. Brussels, Belgium: ESFRI brochure 113. SFRI Secretariat; 2013.

17.

e-IRG Report on Data Management. Data Management Task Force. Espoo, Finland: e-IRG secretariat; 2009.

18.

Uhlir PF. The Legal Interoperability of Data. NSGIC Conference, 24–27 Feb 2013, Annapolis, MD, USA (2013). http://www.nsgic.org/public_resources/02_Uhlir_Legal-Interoperability-of-Data_NSGIC-Conf_Feb13.pdf. Accessed 27 Apr 2016.

19.

SMART2007/0059. Study on the legal framework for interoperable eHealth in Europe. Final report. Version 1.5. Brussels: European Commission (2009).

20.

Bartling S, Friesike S. Opening Science. Heidelberg, Germany: Springer One; 2014.CrossRef

21.

Pohl K. Requirements Engineering: An Overview. In: Encyclopedia of Computer Science and Technology, vol. 36. New York, USA: Marcel Dekker, Inc; 1997.

22.

Sutcliffe A. Scenario-based requirements engineering. Requirements Engineering Conference 2003. Proceedings. 11th IEEE International; 2003. 320–329.

23.

Ian A, Neil M. Scenarios, Stories, Use Cases. Through the systems development life-cycle. Chichester, England: John Wiley & Sons, Ltd; 2004.

24.

Interface (computing). https://en.wikipedia.org/wiki/Interface_(computing). Accessed 29 Apr 2016.

25.

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995. No L 281/31. Luxembourg, Luxembourg; 1995.

26.

Guideline for Good Clinical Practice E6(R1). ICH Expert Working Group; 1996.

27.

World Intellectual Property Organisation (WIPO). http://www.wipo.int/ipstrategies/en/. Accessed 26 Apr 2016.

28.

Boussi Rahmouni H, Solomonides T, Casassa Mont M, Shiu S, Rahmouni M. A model-driven privacy compliance decision support for medical data sharing in Europe. Methods Inf Med. 2011;50:326–36.CrossRefPubMed

29.

Ramingwong L. A review of requirements engineering processes, problems and models. Int J Eng Sci Technol (IJEST). 2012;4(June):2997–3002.

30.

Legal Assessement Tool (LAT). http://hhu2.at.xencon.de:8080/lat/tool. Accessed 26 Apr 2016.

31.

Train-online LAT. http://www.ebi.ac.uk/training/online/. Accessed 26 Apr 2016.

32.

The Ethical Governance Framework of BioMedBridges. http://www.biomedbridges.eu/deliverables/16. Accessed 26 Apr 2016.

33.

de Maat E, van Engers TM. Mission impossible? Automated norm analysis of legal texts. Legal Knowledge and Information systems, Jurix. 2003 (sixteenth Annual Conference); 2003. p.398.

34.

Gaur S, Vo NH, Kashihara K, Baral C. Translating Simple Legal Text to Formal Representations (2015). http://www.public.asu.edu/~cbaral/papers/shruti2015.pdf. Accessed 26 Apr 2016.

35.

Poulin D, Bratley P, Frémont J, Mackaay E. Legal interpretation in expert systems. In: Proceedings of the 4th international conference on Artificial intelligence and law. ACM; 1993. pp. 90–99.

36.

Grabmair M, Ashley KD. Towards Modeling Systematic Interpretation of Codified Law. In: Moens MF, Spyns P, editors. Legal Knowledge and Information Systems (JURIX 2005). Amsterdam: IOS Press; 2005. p. 107-8.

37.

Breaux TD, Vail MW, Antón A. Towards regulatory compliance: Extracting rights and obligations to align requirements with regulations. In: Requirements Engineering, 14th IEEE International Conference Proceedings (IEEE 2006, September); 2006:49–58.

38.

Casellas N, Nieto JE, Meroño A, et al. Ontological Semantics for Data Privacy Compliance: The NEURONA Project. Palo Alto, California: 2010 AAAI Spring Symposium Series; 2010.

39.

Cappelli A, Lenzi VB, Sprugnoli R, Biagioli C. Modelization of Domain Concepts Extracted from the Italian Privacy Legislation. In: Proceedings of the Workshop on Computational Semantics (IWCS-7); 2007. http://www.ittig.cnr.it/Presentazione/OrganizzazioneLogistica/biagioli/Cappelli-et-al.pdf. Accessed 26 Apr 2016.

40.

LKIF-Core Ontology - core ontology of basic legal concepts. http://www.estrellaproject.org/lkif-core/. Accessed 26 Apr 2016.

41.

Allison DS, Capretz MAM, ELYamany HF, Wang S. Privacy protection framework with defined policies for service-oriented architecture. J Softw Eng Appl. 2012;5(3):200–15. http://ir.lib.uwo.ca/electricalpub/27. Accessed 26 Apr 2016.CrossRef

42.

McCallister E, Grance T, Scarfone K. Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). NIST, Special Publication 800–122. Gaithersburg, USA: National Institute of Standards and Technology; 2010.

43.

Rahmouni HB, Solomonides T, Mont MC, Shiu S. Privacy compliance in European healthgrid domains: an ontology-based approach. In: Proc. 22nd IEEE Int. Symp. Albuquerque, NM: On Computer-Based Medical Systems, CBMS 2009; 2009.

44.

Rahmouni HB, Solomonides T, Mont MC, Shiu S. Ontology-based privacy compliance on European healthgrid domains. In: Proc. 11th Int. Protégé Conf. Amsterdam, The Netherlands, 23–26 June 2009; 2009. http://protege.stanford.edu/conference/2009/abstracts/S13P1Boussi.pdf for extended abstract. Accessed 26 Apr 2016.

45.

Home State Compliance. http://www.bbmri-wp4.eu/wiki/index.php/Home_State_Compliance. Accessed 26 Apr 2016.

46.

Nielsen F, Teperek M. How to share personal/sensitive research data? Repositive, Blog, 29 February 2016, University of Cambridge. Cambridge UK: Future Business Centre. http://blog.repositive.io/how-to-share-personal-sensitive-research-data/. Accessed 26 Apr 2016

47.

Kuchinke W, Ohmann C, Verheij RA, van Veen EB, Arvanitis TN, Taweel A, Delaney BC. A standardised graphic method for describing data privacy frameworks in primary care research using a flexible zone model. Int J Med Inform. 2014;83(12):941–57.CrossRefPubMed

48.

Expert Advisory Group on Data Access: Governance of Data Access. London UK: Wellcome Trust (June 2015). http://eprints.whiterose.ac.uk/92286/1/wtp059343.pdf. Accessed 26 Apr 2016.

49.

Governance of data access, London UK: Wellcome Trust. http://www.wellcome.ac.uk/About-us/Policy/Spotlight-issues/Data-sharing/EAGDA/wtp059350.htm. Accessed 26 Apr 2016.

50.

Data Best Practices. Research data. Working with Sensitive Data. Berkeley, CA, USA: University of California Berkeley. http://researchdata.berkeley.edu/content/working-sensitive-data. Accessed 26 Apr 2016.

51.

ANDS (Australian National Data Service) Guide: Ethics, consent and data sharing. http://ands.org.au/guides/ethics-consent-and-data-sharing. Accessed 25 Apr 2016.

52.

Bhimani N. Personal and sensitive research data & the law. UCL Blog (22 January 2016). London UK: University College London; 2016. https://blogs.ucl.ac.uk/rdm/2016/01/personal-and-sensitive-research-data-the-law/. Accessed 25 Apr 2016.

53.

Regulatory Affairs Database. TREAT-NMD. http://www.treat-nmd.eu/industry/regulatory-affairs/. Accessed 28 Apr 2016.

54.

ELSI2.0 workspace. https://elsi2workspace.tghn.org/. Accessed 28 Apr 2016.

55.

HumGen: International Database on the Legal, Social, and Ethical Aspects of Human Genetics. http://www.humgen.org/. Accessed 01 June 2016.

56.

BioPolicy Wiki. http://www.biopolicywiki.org/index.php?title=Main_Page. Accessed 01 June 2016.

57.

WHO's ELSI Genetics Resource Directory. http://www.who.int/genomics/elsi/regulatory_data/en/. Accessed 28 Apr 2016.

58.

US. DOE ELSI Research. http://www.ornl.gov/sci/techresources/Human_Genome/research/elsi.shtml. Accessed 25 Apr 2016.

59.

Center for Transdisciplinary ELSI Research in Translational Genomics (CT2G). http://www.ct2g.org/resources.html. Accessed 28 Apr 2016.

60.

The International Policy interoperability and data Access Clearinghouse (IPAC) provides a “one stop” screening service for policy interoperability and access authorization. http://www.p3g.org/ipac. Accessed 28 Apr 2016.

61.

BBMRI’s legal wiki. http://www.bbmri-wp4.eu/wiki/index.php/Main_Page. Accessed 25 Apr 2016.

62.

hSERN (Human Sample Exchange Regulation Navigator). http://bbmri-eric.eu/events/-/asset_publisher/wiZaUl5ie56w/content/webinar-hsercn. Accessed 29 Apr 2016.

63.

Tool for assessment of regulatory and ethical requirements. BioMedBridges (2015). http://www.biomedbridges.eu/sites/biomedbridges.eu/files/documents/deliverables/user-guide_and_tool-description_biomedbridges_legal-assessment-tool.pdf. Accessed 25 Apr 2016.

64.

EU Data Protection Collection. http://ec.europa.eu/justice/data-protection/data-collection/obligations/index_en.htm. Accessed 25 Apr 2016.

65.

Brittain J, Darwin IF. Tomcat: The Definitive Guide. Boston, MA, USA: O’Reilly Media, Inc; 2007.

66.

Lindholm T, Yellin F. Java Virtual Machine Specification. 2nd ed. Boston, MA, USA: Addison-Wesley Longman Publishing Co., Inc; 1999.

Title: Legal assessment tool (LAT): an interactive tool to address privacy and data protection issues for data sharing
Authors: Wolfgang Kuchinke
Christian Krauth
René Bergmann
Töresin Karakoyun
Astrid Woollard
Irene Schluender
Benjamin Braasch
Martin Eckert
Christian Ohmann
Publication date: 01-12-2016
Publisher: BioMed Central
Published in: BMC Medical Informatics and Decision Making / Issue 1/2016
Electronic ISSN: 1472-6947
DOI: https://doi.org/10.1186/s12911-016-0325-0

At a glance: The ONWARDS insulin icodec trials

Springer Medicine

Legal assessment tool (LAT): an interactive tool to address privacy and data protection issues for data sharing

Abstract

Background

Methods

Results

Conclusions

At a glance: The ONWARDS insulin icodec trials

Springer Medicine

Abstract

Background

Methods

Results

Conclusions

Please log in to get access to this content

Other articles of this Issue 1/2016

Using eye tracking and gaze pattern analysis to test a “dirty bomb” decision aid in a pilot RCT in urban adults with limited literacy

A web-based data visualization tool for the MIMIC-II database

Critical factors influencing physicians’ intention to use computerized clinical practice guidelines: an integrative model of activity theory and the technology acceptance model

Clinician time used for decision making: a best case workflow study using cardiovascular risk assessments and Ask Mayo Expert algorithmic care process models

Decision aids to help older people make health decisions: a systematic review and meta-analysis

Diagnostic support for selected neuromuscular diseases using answer-pattern recognition and data mining techniques: a proof of concept multicenter prospective trial