The donation of data has become essential to the advancement of medical research and the development of medical products. In particular machine learning models, which play a growing role in modern healthcare, require vast amounts and a wide variety of data to achieve accuracy and reliability in their predictions and decisions.
However, medical data is highly sensitive, containing personal and highly private information about individuals. The potential risks of misuse or unauthorized access to such data are significant and must be mitigated to protect individuals’ privacy and trust.
To address these concerns, the European Union introduced the General Data Protection Regulation (GDPR) in 2016, setting strict rules for the handling of personal and sensitive data, including medical information. The GDPR aims to protect individuals’ rights and ensure that organizations process medical data responsibly and transparently [3]. In this blog post, we will clarify the rules given by the GDPR and how these can be implemented into practice.
GDPR Rules
Because medical data is considered highly sensitive, the following rules apply to it under the GDPR:
- Processing of medical data has to be justified, and its purpose has to be clearly defined and limited to a specific research topic or the development of a single medical product.
- Organizations must maintain detailed documentation of their data protection measures and their data processing operations.
- Data should be secured in the best way possible.
- When data is processed by third parties (e.g. service providers such as cloud providers), the responsibilities should be defined in a Data Processing Agreement (DPA).
- Companies must grant individuals certain rights regarding the processing of their personal data, i.e.:
  - Individuals have to be informed about the processing of their data through a data protection statement
  - They can request the correction or deletion of their data
  - They can object to further processing of their data
  - They can request the transfer of their data to other suppliers
- Whenever possible the data has to be fully anonymized; if that is not possible, it should be pseudonymized as thoroughly as possible, so that information that could identify the patient is protected under all circumstances.
How to be GDPR Compliant
As mentioned above, GDPR compliance is crucial when handling medical data. To incorporate the GDPR rules into your development processes, the following steps are necessary:
- Obtain Explicit Consent: Ensure that individuals give explicit, informed consent before processing their medical data. The consent must be specific to the intended purpose, freely given, and unambiguous. Additionally, it should be easy for individuals to withdraw consent at any time.
- Use Anonymization and Pseudonymization Pipelines: Anonymize data (remove all personal identifiers) whenever possible. When full anonymization is impossible, pseudonymization offers an additional layer of protection by separating personal identifiers from the rest of the data.
- Conduct Data Protection Impact Assessments (DPIA): For projects involving large-scale processing of sensitive data, GDPR requires a DPIA to assess and mitigate privacy risks. This assessment should outline the nature, scope, and purpose of processing, along with the measures taken to ensure data protection [1].
- Ensure Transparency and Individual Rights: Inform individuals about the nature and purpose of data collection through a clear privacy notice. In addition, your systems should be able to rectify or delete an individual's data at any time.
- Enhance Security Measures: Use encryption, access controls, and secure storage solutions to prevent unauthorized access to medical data. Regular audits and monitoring can also help identify and mitigate potential security threats to stored data.
- Implement Robust DPA: When sharing data with third parties, establish data processing agreements to outline their obligations and maintain GDPR compliance. DPAs help clarify responsibilities and ensure all parties involved protect the data according to GDPR standards.
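The pseudonymization pipeline, the rectification/deletion capability and the security-measures points above, worked through as an added example that is not part of the original post and not PAICON's own tooling. It is a minimal Python pipeline: direct identifiers are moved out of the research rows into a separate identity vault, the link is a keyed HMAC pseudonym, quasi-identifiers (date of birth, postcode) are generalized, a release check refuses exports that still contain an identifier value, and erasing a vault entry makes the corresponding rows unlinkable. The field names, the HMAC scheme, the `IdentityVault` class and the sample patients are all constructed assumptions for illustration.

```python
"""Pseudonymization pipeline for a medical data export (constructed example)."""
import hashlib
import hmac
import secrets
from datetime import date

# Constructed sample export: fictional patients, not real data.
RAW_RECORDS = [
    {"name": "Anna Muster", "national_id": "ID-0001", "email": "anna@example.org",
     "dob": "1978-04-12", "postcode": "80331", "diagnosis": "E11", "hba1c": 7.4},
    {"name": "Ben Muster", "national_id": "ID-0002", "email": "ben@example.org",
     "dob": "1999-12-30", "postcode": "10115", "diagnosis": "I10", "hba1c": 5.6},
    # Second visit of the first patient: must map to the same pseudonym.
    {"name": "Anna Muster", "national_id": "ID-0001", "email": "anna@example.org",
     "dob": "1978-04-12", "postcode": "80331", "diagnosis": "E11", "hba1c": 6.9},
]

DIRECT_IDENTIFIERS = ("name", "national_id", "email")  # removed from research rows
QUASI_IDENTIFIERS = ("dob", "postcode")                 # generalized, not copied


class IdentityVault:
    """Pseudonym -> identifier link table (assumed design). In production this
    lives in a separate store with its own access controls; the research
    dataset never contains the key or this table."""

    def __init__(self, key: bytes):
        self._key = key
        self._links: dict[str, dict] = {}

    def pseudonym_for(self, national_id: str) -> str:
        # Keyed HMAC: deterministic, so repeat visits link up, but without the
        # key a holder of the research data cannot enumerate IDs to reverse it.
        return hmac.new(self._key, national_id.encode(), hashlib.sha256).hexdigest()[:16]

    def register(self, pseudonym: str, identifiers: dict) -> None:
        self._links[pseudonym] = dict(identifiers)

    def lookup(self, pseudonym: str):
        return self._links.get(pseudonym)

    def erase(self, pseudonym: str) -> bool:
        """Right to erasure: drop the link; existing research rows stay but
        can no longer be traced back to the person."""
        return self._links.pop(pseudonym, None) is not None


def age_band(dob_iso: str, today_iso: str) -> str:
    """Generalize an exact date of birth to a ten-year age band."""
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def pseudonymize(records, vault: IdentityVault, today_iso: str):
    """Split each raw record into a research row and a vault entry."""
    research_rows = []
    for rec in records:
        pid = vault.pseudonym_for(rec["national_id"])
        vault.register(pid, {k: rec[k] for k in DIRECT_IDENTIFIERS})
        row = {k: v for k, v in rec.items()
               if k not in DIRECT_IDENTIFIERS and k not in QUASI_IDENTIFIERS}
        row["pseudonym"] = pid
        row["age_band"] = age_band(rec["dob"], today_iso)
        row["region"] = rec["postcode"][:2] + "xxx"  # coarse region only
        research_rows.append(row)
    return research_rows


def leaks_identifiers(research_rows, raw_records) -> bool:
    """Release gate: True if any direct-identifier value from the raw export
    still appears anywhere in the pseudonymized rows."""
    identifier_values = {str(rec[k]) for rec in raw_records for k in DIRECT_IDENTIFIERS}
    return any(str(v) in identifier_values for row in research_rows for v in row.values())


if __name__ == "__main__":
    vault = IdentityVault(secrets.token_bytes(32))  # key kept out of the dataset
    rows = pseudonymize(RAW_RECORDS, vault, "2024-06-01")
    for row in rows:
        print(row)
    print("identifier leak:", leaks_identifiers(rows, RAW_RECORDS))
    pid = rows[0]["pseudonym"]
    vault.erase(pid)
    print("link after erasure:", vault.lookup(pid))
```

Two design points worth noting. Destroying the vault key unlinks every row at once, which is the usual way to honour a bulk erasure or the end of a study without touching the research store. And pseudonymized data is still personal data under the GDPR, because the vault makes re-identification possible; only the vault, its key and the access controls around them turn the research rows into something a third party under a DPA can safely hold.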
Following these principles not only promotes GDPR compliance but also strengthens the ethical handling of sensitive medical data in research and medical product development.
Conclusion
Working with medical data has to follow strict rules, and although it can be difficult to incorporate them into development processes, it is important to keep in mind that behind every medical data sample there is a real-life person who has volunteered to donate their data for medical research and the development of medical devices. Therefore, in order to protect the personal rights of individuals, the European Union created the GDPR. We at PAICON take this very seriously and have adapted our processes accordingly.