New European privacy regulation: Assessing the impact for digital medicine innovations

University of Groningen

New European privacy regulation

Mulder, Trix; Jagesar, Raj R.; Klingenberg, Aline M.; Mifsud Bonnici, Jeanne P.; Kas, Martien J.

Published in:

European Psychiatry

DOI:

10.1016/j.eurpsy.2018.07.003


Document Version

Publisher's PDF, also known as Version of record

Publication date:

2018


Citation for published version (APA):

Mulder, T., Jagesar, R. R., Klingenberg, A. M., Mifsud Bonnici, J. P., & Kas, M. J. (2018). New European privacy regulation: Assessing the impact for digital medicine innovations. European Psychiatry, 54, 57-58. https://doi.org/10.1016/j.eurpsy.2018.07.003


Viewpoint

New European privacy regulation: Assessing the impact for digital medicine innovations

The use of smartphone-based data streams in relation to mental health research is steadily gaining traction in the field [1]. This approach, also known as digital phenotyping, yields continuous behavioural data which shows promise in uncovering new perspectives on human behaviour [2]. However, calls have recently been made for increased awareness regarding the privacy of the participants [3]. These concerns coincide with the new European General Data Protection Regulation (GDPR) that came into effect on 25 May 2018 [4]. In most cases, the GDPR will fundamentally impact how research should go about handling highly sensitive (medical) data, since the GDPR comes with some new responsibilities and obligations for both controllers¹ and processors². One of these obligations requires organisations to carry out a Data Protection Impact Assessment (DPIA). This article will assess the impact of such a DPIA on research in practice.

1. About the GDPR

The road to compliance with the GDPR proves to be a challenging path for small-scale and tech-driven research initiatives. First, limitations regarding technical and legal knowledge gaps need to be overcome. Second, being a technology-driven initiative, proper security standards need to be met and maintained in order to ensure that participant data is handled responsibly. This calls for an interdisciplinary approach to research projects operating in this space, drawing from various additional specialisations, such as biology, law and informatics.

The GDPR lays down the rules relating to the protection of personal data, which is defined as "any information relating to an identified or identifiable natural person". Although the GDPR specifically mentions that identification can take place via identifiers such as name, identification number and location data, identification is not limited to these identifiers. The GDPR does not only set out rules for dealing with personal data, it also offers a tool that can help to implement mandatory practices as laid out in the GDPR: a Data Protection Impact Assessment.

2. Data protection impact assessment

Research data management concerns different stages, namely preparation, data collection, data processing, data analysis, data preservation, access to data, and publication and re-use. Since a DPIA helps to visualise the impact of the intended data processing, the DPIA should take place at the end of the preparation phase, or at the beginning of the data collection phase. A DPIA is not always mandatory; however, in many instances carrying out a DPIA is still advisable since it will help to both build and demonstrate compliance with the GDPR [7]. For example, a DPIA might help to comply with the requirements of data protection by design and by default.

The GDPR does not define the concept of a DPIA in detail, but sets a number of minimum requirements instead. These minimum requirements, such as an assessment of the necessity and proportionality of the processing operations in relation to the purposes, result in the situation where both the content of the assessment and the way in which a DPIA is carried out are left to the discretion of the controller. The advisory body known as the European Data Protection Board (EDPB), previously known as the Article 29 Working Party, specifies that the controller can choose the methodology, as long as the methodology is compliant with the criteria provided in its guidelines.

Concerning the question of when a DPIA is obligatory, the GDPR gives some general guidelines. For example, if new technologies are used and the processing is 'likely to result in a high risk to the rights and freedoms of natural persons', the controller is obliged to carry out a DPIA before the processing starts. The term 'new technologies' is not defined by the GDPR, but is described by the recitals of the GDPR as 'in accordance with the achieved state of technological knowledge'. Furthermore, three situations in which a DPIA has to be carried out are described in paragraph 3 of article 35 GDPR. Although these three situations are meant as a non-exhaustive list, the list does offer some support to the controller if a decision has to be made whether or not a DPIA is needed. Paragraph 8 of article 35 GDPR mentions that if codes of conduct are in place, compliance with these codes has to be taken into account, in particular for the purpose of a DPIA. Therefore, researchers could really benefit from the development of such a (European) code of conduct.

¹ The controller determines what data is collected, how this is done and for which purpose (article 4(7) GDPR).

² Processors never determine the purpose and means of data processing; they merely process the data collected by the controller, on behalf of the controller and under the instructions of the controller (article 4(8) GDPR).

0924-9338/© 2018 Elsevier Masson SAS. All rights reserved.


3. Practical implications of the DPIA

Scientific research is, by nature, innovative and therefore often inclined to push the existing limits of knowledge. As a result, for studies requiring the use of personal data, a DPIA is most probably needed and can enhance transparency. This article uses the BEHAPP programme, as introduced next, as an example to show how the GDPR, focussed on the DPIA, affects digital phenotyping research in practice.

4. BEHAPP

The BEHAPP programme is centred around the use of passively collected smartphone data to help quantify human behaviour in terms of communication and exploration [5]. The supporting software, BEHAPP V2, has been developed by the University of Groningen (Faculty of Science & Engineering), a non-profit academic organisation. One of the major design goals of BEHAPP V2 is that it is built as a research platform allowing for multiple simultaneous and configurable studies. This has resulted in various initiatives that are currently employing BEHAPP in their respective lines of research, helping to evaluate the clinical relevance of digital phenotyping tools in practice. For example, BEHAPP is implemented to identify novel digital biomarkers for social withdrawal in patients suffering from schizophrenia, Alzheimer's disease, and Major Depression in the PRISM study [6], a large EU-funded Innovative Medicines Initiative project. In the BEHAPP programme scientists from the Faculty of Science and Engineering work closely together with, among others, scientists from the Faculty of Law. This interdisciplinary approach has proven helpful in light of the GDPR in general and a DPIA specifically.

In this case, the BEHAPP working context is especially interesting, since the programme is both the producer of the app and a joint controller of the data collection. In the latter case this means that article 26 GDPR applies, since that article deals with the situation of joint controllers. Article 26 GDPR determines that joint controllers have to determine their respective responsibilities in a transparent manner. In the case of BEHAPP, the consortium agreement or the data management plan could be used for this. On the other hand, the privacy statement of the app should also give notice of the situation of joint controllers. Since participants are furthermore divided into several groups, for example focus groups and patient groups, this impacts the question of transparency.

For BEHAPP, awareness of the GDPR comes at a relatively late stage, with the service already in active use by different studies. Nonetheless, the initiative is currently going through its first DPIA cycle and, based on the initial review, BEHAPP is now expanding and improving on its policies detailing privacy and information security. Transparency is key, and depending on who will be using the service (e.g. schizophrenia patients or healthy controls) different tailor-made documents have to be developed to secure understanding of data use by the participant.

Furthermore, the design reflects principles taken from concepts such as data protection by design and by default. For example, participant records are pseudonymised through a practice also known as coding, so that participants can only be referred to through a unique identifier and no directly identifiable information is stored in the system, with the exception of location data, which is collected as part of the measurements taken by the smartphone application.
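The following Python is an added illustration of the coding practice described above; it is not BEHAPP's own code, and the record layout, the key handling, the study name and the sample participant are assumptions made for the example. It shows the separation that makes coding work: the research store receives only a keyed study code, while the secret and the code-to-identity linkage table stay with the controller, so a party holding the research data but not the secret cannot recompute a code from a known participant identifier. Location data is passed through unchanged, and since the GDPR itself lists location data among the identifiers (section 1), the coded records remain personal data.

```python
"""Pseudonymisation by coding: research records carry only a study code.

The linkage between a participant's direct identifiers and the code is kept
in a separate key store held by the controller, never alongside the research
data. Field names, key handling and the record layout are illustrative
assumptions, not the layout of any real platform.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class KeyStore:
    """Held by the controller, apart from the research data.

    secret:  key for the keyed hash that derives study codes.
    linkage: code -> participant identifier, for re-identification when the
             controller has a lawful reason to do so (e.g. withdrawal).
    """
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    linkage: Dict[str, str] = field(default_factory=dict)

    def code_for(self, participant_id: str, study: str) -> str:
        # HMAC with a secret key: without the key, a code cannot be recomputed
        # from a guessed identifier, unlike a plain SHA-256 of the identifier.
        msg = f"{study}|{participant_id}".encode()
        code = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]
        self.linkage[code] = participant_id
        return code

    def reidentify(self, code: str) -> Optional[str]:
        return self.linkage.get(code)


# Fields treated as directly identifying; assumed for this example.
DIRECT_IDENTIFIERS = {"participant_id", "name", "email", "phone", "date_of_birth"}


def pseudonymise_record(raw: dict, keys: KeyStore, study: str) -> dict:
    """Return the record as it may be stored in the research system.

    Direct identifiers are replaced by the study code; measurements are kept.
    Location data passes through unchanged, which is the residual risk noted
    in the text: the coded record is still personal data.
    """
    code = keys.code_for(raw["participant_id"], study)
    out = {k: v for k, v in raw.items() if k not in DIRECT_IDENTIFIERS}
    out["code"] = code
    return out


def contains_direct_identifiers(record: dict) -> bool:
    return any(k in DIRECT_IDENTIFIERS for k in record)


# Constructed sample input: one participant, one passively collected sample.
SAMPLE = {
    "participant_id": "P-0042",
    "name": "A. Participant",
    "email": "a.participant@example.org",
    "timestamp": "2018-06-12T09:30:00Z",
    "calls_outgoing": 3,
    "location": {"lat": 53.2194, "lon": 6.5665},
}


def demo() -> dict:
    controller_keys = KeyStore()
    record = pseudonymise_record(SAMPLE, controller_keys, study="PRISM")
    # A second KeyStore stands for a party that holds the data but not the
    # controller's secret: its codes for the same identifier do not match.
    other_party = KeyStore()
    return {
        "record": record,
        "same_code": controller_keys.code_for("P-0042", "PRISM") == record["code"],
        "other_party_code_matches": other_party.code_for("P-0042", "PRISM") == record["code"],
        "reidentified": controller_keys.reidentify(record["code"]),
    }


if __name__ == "__main__":
    print(demo())
```

The keyed hash matters in practice: participant identifiers such as study numbers have little entropy, so an unkeyed hash could be reversed by hashing every plausible identifier. Whether the result counts as anonymised or merely pseudonymised also depends on what else is left in the record, which is why the location field is kept visible here rather than hidden.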

Lastly, since privacy protection is a continuous process, going forward in line with the GDPR this means that efforts must continue to improve data protection. The GDPR demands that technical and organisational measures are taken to ensure data protection. From a technical perspective this is established by applying increased isolation measures to sensitive data and by applying encryption. From an organisational perspective, researchers are trained on responsible use and handling of sensitive data.

5. Concluding the cycle

In the case of BEHAPP, this DPIA is a first-time experience for all parties involved. It has shown that an interdisciplinary approach is essential to responsibly create and operate a tech-driven research initiative. A DPIA can help bring deficiencies to light which otherwise may not have surfaced. The cycle forces all parties to continuously remain critical of technical developments while aligning these efforts with data protection frameworks like the GDPR. At the same time it is important to remain mindful of the (often) limited capacity of small-scale and tech-driven research initiatives. This is why we make a plea for a (European) code of conduct, which could really benefit researchers.

References

[1] Torous J, Staples P, Barnett I, Onnela J, Keshavan M. A crossroad for validating digital tools in schizophrenia and mental health. NPJ Schizophr 2018;1–2, doi:http://dx.doi.org/10.1038/s41537-018-0048-6.

[2] Insel TR. Digital phenotyping: technology for a new science of behavior. JAMA 2017;318:1215–6.

[3] Marsch LA, Wallace AG. Opportunities and needs in digital phenotyping. Neuropsychopharmacology 2018;1–2, doi:http://dx.doi.org/10.1038/s41386-018-0051-7.

[4] General data protection regulation. 2016. (Accessed 5 June 2018) https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=EN.

[5] Eskes P, Spruit M, Brinkkemper S, Vorstman J, Kas MJ. The sociability score: app-based social profiling from a healthcare perspective. Comput Human Behav 2016;59:39–48, doi:http://dx.doi.org/10.1016/j.chb.2016.01.024.

[6] Kas MJ, Penninx B, Sommer B, Serretti A, Arango C, Marston H. A quantitative approach to neuropsychiatry: the why and the how. Neurosci Biobehav Rev 2017, doi:http://dx.doi.org/10.1016/j.neubiorev.2017.12.008.

[7] Article 29 Data Protection Working Party. WP 248 rev.01, 2017. ec.europa.eu/newsroom/document.cfm?doc_id=47711 (Accessed 5 June 2018).

Trix Mulder a,*

a Security, Technology & e-Privacy Research Group, Faculty of Law, University of Groningen, PO Box 716, 9700 AS Groningen, The Netherlands

Raj R. Jagesar

Groningen Institute for Evolutionary Life Sciences, Faculty of Science and Engineering, University of Groningen, PO Box 11103, 9700 CC Groningen, The Netherlands

Aline M. Klingenberg

IT-Law, Faculty of Law, University of Groningen, PO Box 716, 9700 AS Groningen, The Netherlands

Jeanne P. Mifsud Bonnici

Security, Technology & e-Privacy Research Group, Faculty of Law, University of Groningen, PO Box 716, 9700 AS Groningen, The Netherlands

Martien J. Kas **

Groningen Institute for Evolutionary Life Sciences, Faculty of Science and Engineering, University of Groningen, PO Box 11103, 9700 CC Groningen, The Netherlands

* Corresponding author.

** Corresponding author.

E-mail addresses: t.mulder@step-rug.nl (T. Mulder), m.j.h.kas@rug.nl (M. Kas).

Received 12 June 2018

Available online xxx
