key: cord-275069-opuwyaiv
authors: Amram, Denise
title: Building up the “Accountable Ulysses” model. The impact of GDPR and national implementations, ethics, and health-data research: Comparative remarks
date: 2020-07-31
journal: Computer Law & Security Review
DOI: 10.1016/j.clsr.2020.105413
sha:
doc_id: 275069
cord_uid: opuwyaiv

Abstract

The paper illustrates the obligations emerging under articles 9 and 89 of EU Reg. 2016/679 (General Data Protection Regulation, hereinafter “GDPR”) for health-related data processing for research purposes. Furthermore, through a comparative analysis of the national implementations of the GDPR on the topic, the paper highlights a few practical issues that researchers might face while fulfilling the GDPR obligations and the other ethical requirements. The result of the analyses makes it possible to build up a model to achieve an acceptable standard of accountability in health-related data research. The legal remarks are framed within the myth of Ulysses.

Ulysses, according to Homer's epic poem the Odyssey, was king of Ithaca, son of Laertes and Anticleia, and father of Telemachus. Ulysses was described as a man of outstanding intelligence, wisdom, and endurance. Ulysses is cunning, as he is able to overcome insurmountable obstacles to shape reality. Dante, the latter admired his skills and competence, courage and smartness. In the nineteenth century, Ulysses became the intellectual hero, who is far away from the current society, looking for a safe harbor but always in trouble.[2] In the twentieth century, Ulysses is the modern hero who bears the anxieties and sufferings of finding the true sense of things.[3] Nowadays, Ulysses 4.0 has been interpreted as a human person in the complexity of his skills and feelings.[4] The fil rouge running through the several interpretations of the myth is how Ulysses faces new challenges during his journey, combining his technical and organizational skills in order to deal with (and sometimes overcome) the vulnerabilities and limits of human beings.

This model is particularly relevant today, as scientific efforts are directed at facing the COVID-19 pandemic through new technological solutions aimed both at supporting the early detection and treatment of the disease and at managing its social and economic consequences in light of a needed balance between fundamental rights. Without pretending to contribute to the literature, the idea of Ulysses as a researcher, who develops technical skills and ethical competence to properly achieve his scientific goals, appears suitable for building up a model of ethical-legal compliance within research and development activities in light of the GDPR principle of accountability. In the following paragraphs, we will discuss the ethical-legal obligations that researchers have to deal with while processing personal data, and in particular health data, during their journey (i.e. the life cycle of the research), highlighting through a comparative analysis the critical profiles emerging from the current legal framework.

After the GDPR entered into application, a strong debate arose over the impact that the new regulation had on research. The balance between the protection of fundamental rights and the free circulation of data makes researchers responsible for a series of obligations for the whole duration of the research lifecycle. This could be seen as an obstacle, at least in terms of time and resource allocation. The need to adapt current practices to the new paradigm of privacy by design and privacy by default across the whole research architecture includes the necessity of adopting proper technical and organizational measures.
However, these measures cannot be standardized for every project, as they should be appropriate to the specific activity, and they can be replaced as the research develops, considering the possible introduction of new risks or of new technologies to mitigate them. According to the principle of accountability, in fact, the researcher bears the burden of proving the implementation of these measures, not only because the project proposal has to satisfy a given check-list of conditions, but because the research methodology itself has to be ethical-legal compliant by design.[5] Therefore, the first skill of our Ulysses 4.0 is the open-mindedness to consider ethical-legal compliance a necessary step regardless of the area of research and regardless of (as well as beyond) the existence of a given check-list section in the project proposal template.[6] In the daily routine, these profiles might constitute a new combination of procedures, contacts, and administrative activities which take time and should be supported by the research institutions.

The great challenge that the GDPR launched is to create the opportunity of sharing ideas, models, and options in a continuous interdisciplinary dialogue aimed at directing research and innovation towards EU values and fundamental rights. Protecting dignity and fundamental rights is the compass for improving society and enhancing its values: science serves human beings, not vice versa, even though technological progress moves faster than legal positivism and has already made (personal as well as non-personal) data analysis the first step of research. This is true in the case of research dealing with health data, since the information connected to such processing makes the data subjects particularly vulnerable.
The GDPR has standardized legislation at the European level, but at the same time it has allowed Member States to specify conditions and requirements nationally in the context of data processing for scientific and statistical research purposes. This might create an obstacle, since the activities (and therefore the processing of personal data related to them) are frequently conducted by partnerships spanning several nationalities. From this viewpoint, it is certainly useful to compare the different national interpretations and the implemented or proposed national models, in order to find possible best practices which may steer the discussion towards a specific code of conduct. For this reason, considering the new ethical-legal issues emerging from the scientific-technological progress that involves a daily use of health-related data, our comparative analysis will first discuss the legal bases for health data processing for research purposes, in order to identify the critical profiles as well as possible practical solutions that might help Ulysses 4.0 to develop the "accountability" virtue.

Health-related data are information relevant to health conditions, i.e. reproductive outcomes, causes of death, and also quality of life.[7] For this reason, they are included in the list of personal data considered sensitive under article 9 GDPR. This article regulates the legal bases for processing data belonging to the so-called "particular categories".

First of all, to allocate to the data subject the "responsibility" for the whole data processing, national implementations prefer asking for consent to data processing, even if other legal bases might be applied. This tension reflects a sort of confusion between the informed consent of volunteers who participate in a research experiment and the information about personal data processing.
The involvement of human beings in research, for both clinical and non-clinical trials, in fact requires asking for their consent; therefore the overlap of the procedures is quite common. However, instead of asking for consent to data processing under article 6 sub a) or article 9, para 2, sub a) GDPR, data might be processed in the public interest of the controller (article 6 sub e) and art. 9, para 2, sub i) or j) GDPR) or in pursuit of a legitimate interest (article 6 sub f) and art. 9, para 2, sub j) GDPR), in light of article 89 GDPR, which regulates data processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In the GDPR system, in fact, the data subject's consent could be seen as a residual legal basis, considering that transparency and awareness are in any case achieved through the information under article 13 ff. GDPR, which is due regardless of the legal basis of the data processing.

Moreover, collecting consent does not mean only having a form signed: it means being responsible for ensuring that the consent obtained is informed, related to a specific purpose, unambiguous, and freely given, as stated by article 4 GDPR and explained in recitals 40 ff. The right to revoke it should always be guaranteed. This might constitute an issue, if we consider that the favor for data processing for research purposes and the presumption of conformity of re-use for research purposes under article 5 sub b) and e) GDPR are strictly connected to the article 89 GDPR paradigm, which recalls the necessity of implementing the appropriate safeguards that the researcher has to adopt to minimize any risks.
Some critical profiles emerge from article 9, para 4, GDPR, which allows Member States to decide whether to maintain the legal bases provided by the EU Regulation or to introduce further conditions, including limitations, with regard to the processing of particularly sensitive data, such as genetic data, biometric data, or data concerning health. This reduces the room for harmonization of the legal bases for processing health-related data, also for research purposes. In fact, article 89 GDPR gives Member States the opportunity to provide derogations from data subjects' rights when personal data are processed under the proper safeguards (such as pseudonymization and anonymization). In this regard, the Spanish Ley Orgánica de Protección de Datos Personales [8] states that limits to the exercise of data subjects' rights are valid only if addressed to researchers that process anonymized or pseudonymized data.

In light of this provision, some systems have introduced new rules or updated the previous legal framework, identifying specific conditions and requirements applicable also in the case of health-related data processing for research purposes. The topic has been highlighted in the last weeks, as national legislators have introduced specific provisions to deal with the COVID-19 emergency.[9]

For example, the Irish Data Protection Act 2018,[10] which replaced the previous Data Protection Acts in light of the GDPR, states under article 36 that the suitable and specific measures for processing sensitive data, also for research purposes, should be regulated in a further specific act: the Health Research Regulation 2018 [11] (hereinafter "HRR"). According to the HRR, the data controller who is processing or further processing personal data for the purposes of health research shall ensure that explicit consent is collected from the data subject before starting the health research.
The consent could be obtained "either in relation to a particular area or more generally in that area or a related area of health research, or part thereof". The favor for the application of article 9, para 2, sub j) is nevertheless recovered when there is a public interest in the research, as declared by a specific committee appointed by the Health Ministry. In that case, the Data Protection Impact Assessment under article 35 GDPR should be performed together with the positive approval from the ethics committee.

Likewise, the Italian ethics rules adopted by the Italian Data Protection Authority for processing personal data for scientific research and statistical purposes, namely the Regole deontologiche per trattamenti a fini statistici o di ricerca scientifica pubblicate ai sensi dell'art. 20, comma 4, del d.lgs. 10 agosto 2018, n. 101,[12] refer to consent as a legal basis for processing sensitive data under article 9 GDPR. For medical, biomedical, and epidemiological research, article 8 of the above-mentioned ethics rules states that data subjects/patients should be able to distinguish, through proper information, data flows for healthcare purposes from data flows for research purposes, but consent seems to be maintained as the principal legal basis for processing data. This might be misleading if it is not compared with article 110 of the Privacy Code, Legislative Decree n. 196/2003, as amended by Legislative Decree 101/2018, a higher-ranking rule.[13] It states, in fact, that consent is not necessary if the legal basis is article 9, para 2, sub j) and a data protection impact assessment has been performed and published. The provision is quite cryptic, as it is not evident which are the cases where article 9, para 2, sub j) is not applicable, and it does not explain how the data protection impact assessment should be published to fulfill the requirements. Furthermore, according to the mentioned article, consent is not required where there is a positive approval from an ethical committee and a prior consultation with the data protection authority has been performed. This exception, too, may create some practical issues if we consider that data protection is an ethical profile that an ethical committee should address in its opinion.

[9] During the publication of this paper, the scientific community focused on the ethical and legal issues emerging from the COVID-19 emergency management. In particular, the necessity to balance individual and collective health protection and personal data protection stimulated an interesting and interdisciplinary debate, that we cannot avoid.

The relationship between data protection compliance and ethical compliance is, again, recalled in article 8 of the ethics rules. Its para 4, indeed, states that the informed consent under the Oviedo Convention and the Helsinki Declaration shall include information about incidental findings, while in the previous paragraphs the topic was the legal basis for data processing. This combination of provisions on privacy information and informed consent misrepresents the GDPR paradigm, which promotes data circulation under the principles of data protection by design and by default, instead of requiring the data subject's consent.

Another group of legal systems, instead, did not introduce consent as a further condition under article 9, para 4, GDPR, but established additional measures to allow the processing of health data (as well as genetic or biometric data). This is the case of the Belgian Loi relative à la protection des personnes physiques à l'égard des traitements de données à caractère personnel,[14] which for example provides specific confidentiality obligations for those who process, in any capacity, sensitive data. The conditions for research purposes are included in article 186 ff. of the mentioned Act.
Further organizational measures, such as the necessity of appointing a data protection officer (DPO) even where not required of the data controller under article 37 GDPR, are provided where the data protection impact assessment identifies a high risk. The data processing record under article 30 GDPR must include (i) the reasons that justify the public interest in pursuing the research or in further processing data, and how the possible lack of information might be justified by the anonymization (the pseudonymization, or the reasons to avoid it) or by the risk of compromising the research, and (ii) the agreement between those who first collected the data and the actors of the further processing.

The Belgian approach frames the debate on the role of the legal basis compared with a series of other ethical-legal requirements in processing sensitive data for research purposes. Indeed, pursuing data protection by design and by default in a project means building up a complex system of checks and balances, through organizational and technical measures discussed among the several areas of expertise involved in the research. Their implementation ensures that the research output will be aligned with EU values and fundamental rights.

[14] Loi relative à la protection des personnes physiques à l'égard des traitements de données à caractère personnel, 30.7.2018, https://www.ipnews.be/wp-content/uploads/2018/09/20180730-Loi-belge-adaptant-réglementation-belge-au-RGPD.pdf.

According to the above-discussed system, the data controller (i.e. the university/research institute in the person of its legal representative) shall involve the principal investigator in the data management activities, authorizing her to process data under article 29 GDPR, in order to proactively guarantee the adoption of those technical and organizational measures aimed at safeguarding the rights and freedoms of data subjects in her project.
The first organizational measure that a research institute has to apply is to assign the principal investigator of each research project a role in the privacy org chart. At the same time, this helps to sensitize and train each Ulysses 4.0, makes her responsible for data-protection-by-design research, and lets the data controller achieve compliance with the principles of correctness, transparency, and minimization under article 24 GDPR. However, this might not be sufficient, since the principal investigator might not have the ethical-legal background needed to identify the proper safeguards that would make her research compliant with the current legal framework.

In this regard, a principal investigator who is not a GDPR expert may consider a double level of involvement of ethical-legal experts. The first level concerns the data protection officer appointed by the data controller under articles 37 ff., who, in light of the principle of proximity, shall be able to deal with research issues and be a key person between the principal investigator, the data controller, the ethics committee, the IT services, and the data protection authority. This presupposes a strong collaboration with the administrative staff that supports the research. The second level refers to the increasing role played by an ethical-legal unit as a partner in the project under development. Its task is to help the principal investigator design and implement the research in compliance with the whole ethical-legal framework for the entire duration of the project.

Considering the ethical-legal challenges emerging from the current legal-ethical framework, conducting an impact assessment on the basis of the risk to shared values and fundamental rights could enhance the given research not only in terms of innovation, but also with regard to its consequences for society, the economy, etc.
The involvement of both a DPO and an ethical-legal unit could make the difference in achieving the goal of research that is ethical-legal compliant by design and by default in a given system. In fact, it strengthens the interdisciplinary dialogue and helps cross-fertilization between different domains.

Under the current national implementations of the GDPR, in fact, many systems, like the Belgian one illustrated above, have introduced check-lists and protocols to properly address data protection compliance activities. For example, in the Spanish system, firstly, an impact assessment must be carried out; secondly, the research must be subject to quality standards according to international directives and clinical best practices; thirdly, it is necessary to implement tools aimed at avoiding the re-identification of data subjects; finally, the Spanish law requires the appointment of a legal representative in the European Union under article 74 EU Reg. 536/2014 and 21 GDPR in the case of extra-EU partnerships. Provision 17 sub g), indeed, states that where the ethical committee cannot express an approval, the principal investigator may ask for the data protection officer's. However, it specifies that ethical committees should add specific competence on data protection within one year.

From this perspective, as far as health data are concerned, data protection compliance walks together with ethical compliance. Therefore, ethical committees should strengthen their competence on data protection, and the data protection officer should be able to direct the researcher to an ethical-legal unit or legal-ethical advisor. The proactive risk-based approach which the GDPR has implemented for data processing could potentially be applied to all the ethical issues emerging in research.

To this end, the already mentioned Irish HRR takes the opportunity to deal with the ethical profiles related to research (e.g. informed consent, voluntary research, cost-benefit assessment with respect to the clinical trial, conflict of interests, etc.), answering the need to develop a coherent paradigm for properly processing health data for research purposes. The HRR first provides a definition of "Health Research", listing 5 scientific areas for the purpose of human health, including: "(i) research with the goal of understanding normal and abnormal functioning, at molecular, cellular, organ system and whole body levels; (ii) research that is specifically concerned with innovative strategies, devices, products or services for the diagnosis, treatment or prevention of human disease or injury; (iii) research with the goal of improving the diagnosis and treatment (including the rehabilitation and palliation) of human disease and injury and of improving the health and quality of life of individuals; (iv) research with the goal of improving the efficiency and effectiveness of health professionals and the health care system; (v) research with the goal of improving the health of the population as a whole or any part of the population through a better understanding of the ways in which social, cultural, environmental, occupational and economic factors determine health status". Then the HRR recalls the ethical issues to be assessed by the ethical committees for approval: data protection is one of them, but it finds a specific development in article 3 ff. Article 3 states that personal data can be processed for research purposes as long as this is necessary to achieve the research purposes, it does not cause any damage or distress to the data subject, and the organizational measures stated sub b) are in place.
The check-list that follows is a sort of data protection plan, which includes the ethical approval by an ethical committee, the identification of the privacy governance structure (including joint controllers, data processors, and recipients), the training programme for those who are involved in the research, and the data protection impact assessment for higher processing risks.

The Italian ethics rules issued by the Data Protection Authority, instead, define their field of application through a subjective requirement: "to all the data processing carried out for statistical and scientific purposes - in accordance with the methodological standards of the relevant disciplinary sector - which are held by universities, other research institutions and research institutes and scientific societies, as well as researchers operating within the scope of said universities, institutions, research institutes and members of these scientific societies". To this end, marketing purposes hidden under "research or statistical" purposes are excluded, since private companies are included only if research activities are mentioned in their company bylaws.

Pseudonymization, anonymization, and data re-using for research purposes

According to article 89 GDPR, data processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall be subject to appropriate safeguards. The same article refers to pseudonymization as the first measure aimed at achieving the minimization purposes. For further processing, it states that a further level "which does not permit or no longer permits the identification of data subjects" should be reached.[15]

Technically, there is no single criterion of anonymization. Data can be considered anonymized having regard to any methods reasonably likely to be used by the data controller (or any third party) to reverse the process and allow the re-linking of the data subject.
The assessment is based on the risk of re-identification through a rational effort.[16] Therefore, the pseudonymization standard could always be obtained through technical separation of information, considering several levels (e.g. scrambling, encryption, masking, tokenization, data blurring, etc.), while anonymization could be achieved through a combination of technical and organizational measures, considering the features of the data controller.

Some national implementations of article 89 GDPR focused on this profile. The Belgian law establishes, in the case of health data processed for research purposes, that pseudonymization is to be performed not by the data controller, but by an independent body that is subject to specific confidentiality obligations (i.e. professional secrecy). In this regard, the Spanish law requires a "technical separation" between those who perform the two activities and an explicit obligation on those who pseudonymize to avoid re-identification.

These provisions raise two issues. Firstly, when the data controller is a research hospital, healthcare purposes and scientific ones might be pursued at the same time by the same team. In this context, despite the application of pseudonymization techniques, clinicians might always be able to recognize and refer to their patients, even if bound by professional secrecy. Secondly, always having to identify a partner or team for pseudonymization could constitute an expense for the research: perhaps it could be sufficient to assign the task to the IT services of the data controller and establish granular access to the token (e.g. only the principal investigator, but not the research team).

Article 110 bis of the Italian Privacy Code refers to the re-use of data by third parties.[17] The first condition is that data subjects must be informed. Otherwise, a prior authorization from the data protection authority is needed.
This approach is not applicable where personal data are collected for healthcare purposes and used for research purposes by the same research clinics, considering the functional link between the two purposes. The provision seems to refer to patients' personal data before they are pseudonymized or anonymized for research purposes, as stated under article 89 GDPR.

Another profile of GDPR compliance is system security: data flows are usually in a digital format, therefore proper measures shall be implemented to guarantee the availability, integrity and confidentiality of data. As far as the security of data is concerned, the Irish act, for example, refers to the criterion of the "effectiveness" of the adopted measures.

So far, the interdisciplinary dialogue touches the fields of data management, including IP rights. If we consider that open access is becoming the new standard for managing research data, the role of the data protection officer/expert/advisor becomes essential to establish which data can be shared and which cannot. Therefore, the skills required of Ulysses 4.0 and his crew become more specialized every day. In the context of the COVID-19 pandemic, for example, during the so-called lockdown, governments opted for establishing interdisciplinary task forces aimed at identifying effective, ethical-legal, sustainable solutions to plan a safe restart of activities.[18] This strategy appears in line with the Ulysses 4.0 model.

As shown in the previous paragraphs, the "accountable Ulysses" is a standard which might be achieved only by establishing an interdisciplinary dialogue between researchers in different fields. Starting from this principle, some common features can be identified to reach an acceptable level of compliance.
i) Where health data are processed, involving ethical-legal experts, who could either play an institutional role (as the data protection officer) or be a partner in the research, from the beginning of the project proposal is an added value in designing an ethical-legal compliant ecosystem. Ulysses cannot avoid including interdisciplinary support in her crew.
ii) Research purposes are functional to empowering human dignity and values. Considering the strong impact on individuals as well as on groups, as the research could identify new vulnerabilities or classify individuals (as more exposed to a given risk), Ulysses processing health data shall adopt suitable and effective technical and organizational measures to ensure ethical-legal compliance, in order to avoid possible misuse or dual use.
iii) The IT infrastructure and data management strategy should be designed to guarantee the availability, confidentiality, and integrity of data.
iv) If Ulysses is also a physician, the data processed for healthcare and those processed for scientific research should be clearly distinguished and may therefore follow different data protection plans: risks, technical protocols, access, retention time, and level of pseudonymization might differ.
v) Data flows should be regulated between partners as well as within the given research teams.
vi) Data flows should be recorded and described in the information given to data subjects.
vii) Data protection is one of the several ethical issues that might arise from research. The coordination between different legal constraints, protocols, and requirements should be analyzed in terms of risk assessment and monitored during the whole life cycle of the research.

The GDPR introduced a new proactive approach to data-intensive research.
Handling it presupposes cross-fertilization between different domains, where the legal one plays the role of establishing the boundaries between lawful and unlawful, contributing to identifying possible tensions under the ethical framework. In order to sensitize Ulysses to this new approach, which necessarily includes the allocation of time and resources, coherent ethical-legal support for the core research should be promoted by research institutes. In this perspective, Ulysses does not represent only the principal investigator of a given research project, but the university/research institute per se, which, as the data controller, should first train the research staff and the administrative staff in ethical-legal compliance, inform them of duties and responsibilities, and organize and introduce specific support: in other terms, be accountable in both the technical and the organizational activities.

Therefore, Ulysses 4.0 is the one who embraces a new way of working, as has been stressed during these last weeks within the analysis of the solution to combat 19 open to assess, together with the technical specifications, the ethical-legal consequences, not only in order to mitigate the risk of compromising fundamental rights, but to empower human dignity as the main core of her research.

[19] EU Commission, Joint European Roadmap towards lifting COVID-19 containment measures, https://ec.europa.eu/info/sites/info/files/communication_-_a_european_roadmap_to_lifting_coronavirus_containment_measures_0.pdf.

I hereby declare that there is no conflict of interests in publishing this paper.

The Anonymisation of Research Data - A Pyric Victory for Privacy that Should Not Be Pushed Too Hard by the EU Data Protection Framework?
Passenger Name Records, data mining & data protection: the need for strong safeguards, report for the Council of Europe Consultative Committee on data protection