COVID-19 Mobile Positioning Data Contact Tracing and Patient Privacy Regulations: Exploratory Search of Global Response Strategies and the Use of Digital Tools in Nigeria

Background

The coronavirus disease (COVID-19) pandemic is the biggest global economic and health challenge of the century. Its effect and impact are still evolving, with deaths estimated to reach 40 million if unchecked. One effective and complementary strategy to slow the spread and reduce the impact is to trace the primary and secondary contacts of confirmed COVID-19 cases using contact tracing technology.

Objective

The objective of this paper is to survey strategies for digital contact tracing for the COVID-19 pandemic and to present how using mobile positioning data conforms with Nigeria’s data privacy regulations.

Methods

We conducted an exploratory review of current measures for COVID-19 contact tracing implemented around the world. We then analyzed how countries are using mobile positioning data technology to reduce the spread of COVID-19. We made recommendations on how Nigeria can adopt this approach while adhering to the guidelines provided by the National Data Protection Regulation (NDPR).

Results

Despite the potential of digital contact tracing, it always conflicts with patient data privacy regulations. We found that Nigeria’s response complies with the NDPR, and that it is possible to leverage call detail records to complement current strategies within the NDPR.

Conclusions

Our study shows that mobile position data contact tracing is important for epidemic control as long as it conforms to relevant data privacy regulations. Implementation guidelines will limit data misuse.

Revolutionizing Medical Data Sharing Using Advanced Privacy-Enhancing Technologies: Technical, Legal, and Ethical Synthesis

Multisite medical data sharing is critical in modern clinical practice and medical research. The challenge is to conduct data sharing that preserves individual privacy and data utility. The shortcomings of traditional privacy-enhancing technologies mean that institutions rely upon bespoke data sharing contracts. The lengthy process and administration induced by these contracts increases the inefficiency of data sharing and may disincentivize important clinical treatment and medical research. This paper provides a synthesis between 2 novel advanced privacy-enhancing technologies-homomorphic encryption and secure multiparty computation (defined together as multiparty homomorphic encryption). These privacy-enhancing technologies provide a mathematical guarantee of privacy, with multiparty homomorphic encryption providing a performance advantage over separately using homomorphic encryption or secure multiparty computation. We argue multiparty homomorphic encryption fulfills legal requirements for medical data sharing under the European Union's General Data Protection Regulation which has set a global benchmark for data protection. Specifically, the data processed and shared using multiparty homomorphic encryption can be considered anonymized data. We explain how multiparty homomorphic encryption can reduce the reliance upon customized contractual measures between institutions. The proposed approach can accelerate the pace of medical research while offering additional incentives for health care and research institutes to employ common data interoperability standards.

Remote monitoring of cardiac implanted electronic devices: legal requirements and ethical principles - ESC Regulatory Affairs Committee/EHRA joint task force report

The European Union (EU) General Data Protection Regulation (GDPR) imposes legal responsibilities concerning the collection and processing of personal information from individuals who live in the EU. It has particular implications for the remote monitoring of cardiac implantable electronic devices (CIEDs). This report from a joint Task Force of the European Heart Rhythm Association and the Regulatory Affairs Committee of the European Society of Cardiology (ESC) recommends a common legal interpretation of the GDPR. Manufacturers and hospitals should be designated as joint controllers of the data collected by remote monitoring (depending upon the system architecture) and they should have a mutual contract in place that defines their respective roles; a generic template is proposed. Alternatively, they may be two independent controllers. Self-employed cardiologists also are data controllers. Third-party providers of monitoring platforms may act as data processors. Manufacturers should always collect and process the minimum amount of identifiable data necessary, and wherever feasible have access only to pseudonymized data. Cybersecurity vulnerabilities have been reported concerning the security of transmission of data between a patient's device and the transceiver, so manufacturers should use secure communication protocols. Patients need to be informed how their remotely monitored data will be handled and used, and their informed consent should be sought before their device is implanted. Review of consent forms in current use revealed great variability in length and content, and sometimes very technical language; therefore, a standard information sheet and generic consent form are proposed. Cardiologists who care for patients with CIEDs that are remotely monitored should be aware of these issues.

Soft ethics, the governance of the digital and the General Data Protection Regulation

The article discusses the governance of the digital as the new challenge posed by technological innovation. It then introduces a new distinction between soft ethics, which applies after legal compliance with legislation, such as the General Data Protection Regulation in the European Union, and hard ethics, which precedes and contributes to shape legislation. It concludes by developing an analysis of the role of digital ethics with respect to digital regulation and digital governance.This article is part of the theme issue 'Governing artificial intelligence: ethical, legal, and technical opportunities and challenges'.

GDPR: an impediment to research?

BACKGROUND

The recent introduction of the General Data Protection Regulation and Health Research Regulations has been an area of significant concern for those engaged in clinical research. These European regulations, following subsequent interpretation by Ireland's Department of Health, now place Ireland in a unique position which differs substantially from other European countries and may prove a significant impediment to Irish clinical research, depriving Irish patients of timely access to potentially life-saving treatments and making Ireland less attractive to pharmaceutical companies engaged in this area. At the very least, the regulations, as applied in Ireland, will place a significant extra burden of work on Ireland's clinical researchers and at their worst will force individuals and institutions out of the clinical research field, which will result in significant loss to the Irish knowledge economy and lead to the detriment of patient care.

AIM

In this article, we explore what exactly is proposed by Europe's GDPR and by Ireland's Health Research Regulations. We look at the challenges presented to clinical researchers, and we highlight those areas, which need clarification by the Department of Health and by the Data Protection Commissioner.

CONCLUSIONS

We propose five recommendations, which would ameliorate some of the more restrictive impositions of these regulations. This review was commissioned by the Irish Academy of Medical Science.

[Adaptation of the General Data Protection Regulation (GDPR) to a smartphone app for rhinitis and asthma (MASK-air®)]

The General Data Protection Regulation (GDPR) regulates the processing of personal data in the European Union. The legal context is adapted to follow the evolution of technologies and of society. This new European regulation became mandatory, especially for connected devices, on May 25, 2018. An app originally known as "The Allergy Diary" is available for Android phones and iPhones. Its name was recently changed to MASK-air. The downloading and use of this app are free of charge and there are no adverts. It enables users to record their symptoms and their medications to better track the progress of their allergic rhinitis and/or asthma. It has been developed by public (Foundation FMC VIA-LR, University of Montpellier) and private (KYomed INNOV) organizations based in France and therefore falls under French jurisdiction. This article summarizes the five main principles of personal data protection to be respected during the development of the app: purpose, proportionality and relevance, limited retention period, security and confidentiality, as well as the rights of the people who are involved in the management of the personal data (including withdrawal and modification).

Harmonization after the GDPR? Divergences in the rules for genetic and health data sharing in four member states and ways to overcome them by EU measures: Insights from Germany, Greece, Latvia and Sweden

The EU member states' healthcare and health-related research sectors are both characterized by an emerging infrastructural coalescence on a national and European level. The culmination of this coalescence is the planned creation of a European Health Data Space, an EU-wide infrastructure for the processing of personal data for healthcare and for secondary uses such as scientific research. In contrast to growing technical interoperability, the legal framework for such integration is not yet defined in detail, particularly with regard to data protection law. Its development is accompanied by discussions about divergent member state implementations of the EU General Data Protection Regulation (GDPR) that affect data sharing between healthcare and scientific research actors and across various sectors driven by divergent processing purposes. The article presents four member states' main rules on data sharing based on the respective provision of the GDPR in six health-related contexts regarding data sharing across the healthcare and research sector and between the main actors of those sectors. The striking differences are then evaluated from the perspective of their factual effect on European data sharing depending on the legal characteristics of the GDPR provisions they rely on. Against this backdrop, the planned regulatory measures for the setup of the European Health Data Space are introduced and evaluated with regard to further harmonization between member states' laws and possibilities to overcome divergences in data protection rules relevant for European data sharing. The results of the analysis point to the conclusion that the destructive effect of divergent member state rules depends on the legal qualification of the EU provisions they rely on and that this qualification also determines which further EU regulatory measure would be the most effective to set the framework for the European Health Data Space.

Digital Biomarkers in Psychiatric Research: Data Protection Qualifications in a Complex Ecosystem

Psychiatric research traditionally relies on subjective observation, which is time-consuming and labor-intensive. The widespread use of digital devices, such as smartphones and wearables, enables the collection and use of vast amounts of user-generated data as "digital biomarkers." These tools may also support increased participation of psychiatric patients in research and, as a result, the production of research results that are meaningful to them. However, sharing mental health data and research results may expose patients to discrimination and stigma risks, thus discouraging participation. To earn and maintain participants' trust, the first essential requirement is to implement an appropriate data governance system with a clear and transparent allocation of data protection duties and responsibilities among the actors involved in the process. These include sponsors, investigators, operators of digital tools, as well as healthcare service providers and biobanks/databanks. While previous works have proposed practical solutions to this end, there is a lack of consideration of positive data protection law issues in the extant literature. To start filling this gap, this paper discusses the GDPR legal qualifications of controller, processor, and joint controllers in the complex ecosystem unfolded by the integration of digital biomarkers in psychiatric research, considering their implications and proposing some general practical recommendations.

General Data Protection Regulation (GDPR) in Healthcare: Hot Topics and Research Fronts

General Data Protection Regulation came into effect across the European Union in May 2018 but its implications in healthcare are yet to be fully understood. The aim of this study was to identify the fronts and hot topics in research on GDPR in healthcare. We analyzed the relevant records in Scopus through bibliometric and scientometric approach and visualization techniques. A set of 155 records was obtained and processed for co-occurrence analysis of key terms and concept mapping. The number of published papers showed a steep rise in the past two years, mainly by European countries. Analysis of the abstract of the papers showed that data protection, privacy, and big data were the most frequently used terms. Three dominant research fronts of GDPR are 1) general implications of GDPR, 2) technology aspects of GDPR, and 3) GDPR in healthcare service. Blockchain and machine learning are among the remerging topics of GDPR research.

Digitizing the Informed Consent Process: A Review of the Regulatory Landscape in the European Union

Background

Rapid technological advancements are reshaping the conduct of clinical research. Electronic informed consent (eIC) is one of these novel advancements, allowing to interactively convey research-related information to participants and obtain their consent. The COVID-19 pandemic highlighted the importance of establishing a digital, long-distance relationship between research participants and researchers. However, the regulatory landscape in the European Union (EU) is diverse, posing a legal challenge to implement eIC in clinical research. Therefore, this study takes the necessary steps forward by providing an overview of the current regulatory framework in the EU, relevant to eIC.

Methods

We reviewed and analyzed the key EU regulations, such as the EU General Data Protection Regulation (GDPR) and the Clinical Trials Regulation (CTR). We investigated the legality of eIC in several EU Member States, Switzerland, and the United Kingdom. To this end, we contacted the medicines agencies of various countries to clarify the national requirements related to the implementation and use of eIC in clinical research. Our research was complemented by comparing the legal acceptance of eIC between the EU and the United States.

Results

In the EU, a distinction must be made between eIC for participation in clinical research and eIC for processing the participants' personal data, complying respectively with requirements laid down by the CTR and the GDPR. On a national level, countries were classified into three groups: (1) countries accepting and regulating the use of eIC, (2) countries accepting the use of eIC without explicitly regulating it, and (3) countries not accepting the use of eIC. As a result, the regulation of eIC through laws and guidelines shows a large variety among EU Member States, while in the United States, it is harmonized through the Code of Federal Regulations.

Conclusion

Various requirements must be considered when implementing eIC in clinical research. Nevertheless, requirements across the EU Member States may differ significantly, whereas, in the United States, efforts have already been made to achieve a harmonized approach.

Genetic research and applicable law: the intra-EU conflict of laws as a regulatory challenge to cross-border genetic research

EU law does not regulate genetic research per se, but the latter is governed to a certain extent by data protection law. Regardless of the harmonizing efforts of the General Data Protection Regulation (GDPR), research regulations remain fragmented in the data protection framework. This is mainly due to the vast discretion granted to Member States in this regard in the GDPR. Albeit the GDPR enabling data flows for research cooperation in the EU, it creates a hurdle for cross-border research by ignoring the intra-EU conflict of laws that inevitably arises in a fragmented regulatory framework. Imagining ways to solve the dilemma of applicable national law under the GDPR generally is not that difficult, but becomes trickier in a research context. Whether the national data protection law of one or the other Member State is to be applied, either the interests of data subjects or those of researchers might end up compromised.

[Review of the methodological, ethical, legal and social issues of research projects in healthcare with big data]

The current model for reviewing research with human beings basically depends on decision-making processes within research ethics committees. These committees must be aware of the importance of the new digital paradigm based on the large-scale exploitation of datasets, including personal data on health. This article offers guidelines, with the application of the EU's General Data Protection Regulation, for the appropriate evaluation of projects that are based on the use of big data analytics in healthcare. The processes for gathering and using this data constitute a niche where current research is developed. In this context, the existing protocols for obtaining informed consent from participants are outdated, as they are based not only on the assumption that personal data are anonymized, but that they will continue to be so in the future. As a result, it is essential that research ethics committees take on new capabilities and revisit values such as privacy and freedom, updating protocols, methodologies and working procedures. This change in the work culture will provide legal security to the personnel involved in research, will make it possible to guarantee the protection of the privacy of the subjects of the data, and will permit orienting the exploitation of data to avoid the commodification of personal data in this era of deidentification, so that research meets actual social needs and not spurious or opportunistic interests disguised as research.

Development of a Web GIS for small-scale detection and analysis of COVID-19 (SARS-CoV-2) cases based on volunteered geographic information for the city of Cologne, Germany, in July/August 2020

BACKGROUND

Various applications have been developed worldwide to contain and to combat the coronavirus disease-19 (COVID-19) pandemic. In this context, spatial information is always of great significance. The aim of this study is to describe the development of a Web GIS based on open source products for the collection and analysis of COVID-19 cases and its feasibility in terms of technical implementation and data protection.

METHODS

With the help of this Web GIS, data on this issue were collected voluntarily from the Cologne area. Using house perimeters as a data basis, it was possible to check, in conjunction with the Official Topographic Cartographic Information System object type catalog, whether buildings with certain functions, for example residential building with trade and services, have been visited more frequently by infected persons than other types of buildings. In this context, data protection and ethical and legal issues were considered.

RESULTS

The results of this study show that the development of a Web GIS for the generation and evaluation of volunteered geographic information (VGI) with the help of open source software is possible. Furthermore, there are numerous data protection and ethical and legal aspects to consider, which not only affect VGI per se but also affect IT security.

CONCLUSIONS

From a data protection perspective, more attention needs to be paid to the intervention and post-processing of data. In addition, official data must always be used as a reference for the actual spatial consideration of the number of infections. However, VGI provides added value at a small-scale level, so that valid information can also be reliably derived in the context of health issues. The creation of guidelines for the consideration of data protection, ethical aspects, and legal requirements in the context of VGI-based applications must also be considered. Trial registration The article does not report the results of a health care intervention for human participants.

Legal issues in governing genetic biobanks: the Italian framework as a case study for the implications for citizen's health through public-private initiatives

This paper outlines some of the challenges faced by regulation of genetic biobanking, using case studies coming from the Italian legal system. The governance of genetic resources in the context of genetic biobanks in Italy is discussed, as an example of the stratification of different inputs and rules: EU law, national law, orders made by authorities and soft law, which need to be integrated with ethical principles, technological strategies and solutions. After providing an overview of the Italian legal regulation of genetic data processing, it considers the fate of genetic material and IP rights in the event of a biobank’s insolvency. To this end, it analyses two case studies: a controversial bankruptcy case which occurred in Sardinia, one of the first examples of private and public partnership biobanks. Another case study considered is the Chris project: an example of partnership between a research institute in Bolzano and the South Tyrolean Health System. Both cases seem to point in the same direction, suggesting expediency of promoting and improving public-private partnerships to manage biological tissues and biotrust to conciliate patent law and public interest.

Developing Modern System in Healthcare to Detect Covid 19 Based on Internet of Things

In this paper, a medical platform has architecture that depends on middleware and database supports people with Coronavirus, and this platform mainly relies on three users. The first person is the administrator, who is separated into two groups of users: the doctor and the patient. The doctor has an app that questions through the patient so he knows the patient that is being visited and extracts the health identity from him, and he questions the patient for sending him an OTP in the event that the patient does not have a mobile screen or an Internet connection. Alternatively, if QR asks him if his laptop is smart and wired to the Internet, the person will be able to access the system after the doctor has examined them. The patient will examine himself through the devices he has, and the system will provide him with the results of his doctor. The doctor can write a prescription every time he sends new readings. If the prescription is correct, then the patient can keep it and increase the dose. Doctors will work on the prescription console that sends the prescription for cloud authentication and obtain an encrypted QR that will then be issued to the recipient of the drug. The patient has the privilege of studying medication details via the recipient's app. The privilege of viewing QR encrypted cloud data is for life. The drug issuing outlet can decode and issue the drug only as prescribed until the expiration date of the QR. The scheme is designed to promote and provide access to care facilities for both patients and physicians, and it complies with General Data Protection Regulation (GDPR).

Digital Oblivion (The Right to Be Forgotten): A Big Challenge for the Public Hospital Management in Greece

The purpose of this study is to ascertain the readiness of the public hospital in Greece to comply with the new Regulation for protecting personal data (GDPR). A qualitative research was carried out by using structured interview with experts and relevant hospital executives of the 2nd Health Region for collecting the data. Despite the mandatory application of the new Regulation by Hospitals, the right to be forgotten and the other rights on personal data in healthcare are virtually not applicable.

[Impact assessment on data protection in research projects]

Recent changes in European regulations for personal data protection still allow the use of health data for research purposes, but they have set the Impact Assessment on Data Protection as an instrument for reflection and risk analysis in the process of data processing. The publication of a guide for facilitates this impact assessment, although it is not directly applicable to research projects. Experience in a specific project is detailed, showing how the context of the treatment becomes relevant with respect to the data characteristics. Carrying out an impact assessment is an opportunity to ensure compliance with the principles of data protection in an increasingly complex environment with greater ethical challenges.

[Legal integration of artificial intelligence into internal medicine : Data protection, regulatory, reimbursement and liability questions]

Artificial intelligence (AI) opens up new opportunities to improve medical care in internal medicine; however, legal uncertainties in the application of AI impede its integration into the daily practice of internal medicine. To clarify the situation this paper gives an overview of the legal aspects related to AI and shows which frameworks must be adhered to in order to exploit the benefits of AI without neglecting the rights and protection of patients. The paper first addresses data protection issues which arise when sensitive health data are processed by AI. This is followed by a discussion of the key regulatory requirements for the use of AI in internal medicine. As the establishment of AI in practice also depends on sufficient funding, legal issues of reimbursement are additionally examined. Finally, the specific features that need to be considered when using AI to avoid medical liability consequences are highlighted.

'Leading by Science' through Covid-19: the NHS Data Store & Automated Decision-Making

The UK government announced in March 2020 that it would create an NHS Covid-19 ‘Data Store’ from information routinely collected as part of the health service. This ‘Store’ would use a number of sources of population data to provide a ‘single source of truth’ about the spread of the coronavirus in England. The initiative illustrates the difficulty of relying on automated processing when making healthcare decisions under the General Data Protection Regulation (GDPR). The end-product of the store, a number of ‘dashboards’ for decision-makers, was intended to include models and simulations developed through artificial intelligence. Decisions made on the basis of these dashboards would be significant, even (it was suggested) to the point of diverting patients and critical resources between hospitals based on their predictions.

How these models will be developed, and externally validated, remains unclear. This is an issue if they are intended to be used for decisions which will affect patients so directly and acutely. We have (by default) a right under the GDPR not to be subject to significant decisions based solely on automated decision-making. It is not obvious, at present, whether resource allocation within the NHS could take place in reliance on this automated modelling. The recent A Level debacle illustrates, in the context of education, the risks of basing life-changing decisions on the national application of a single equation. It is worth considering the potential consequences for the health service if the NHS Data Store is used for resource planning as part of the Covid-19 response.

Digital Platform for Continuous Monitoring of Patients Using a Smartwatch: Longitudinal Prospective Cohort Study

BACKGROUND

Since the COVID-19 pandemic, there has been a boost in the digital transformation of the human society, where wearable devices such as a smartwatch can already measure vital signs in a continuous and naturalistic way; however, the security and privacy of personal data is a challenge to expanding the use of these data by health professionals in clinical follow-up for decision-making. Similar to the European General Data Protection Regulation, in Brazil, the Lei Geral de Proteção de Dados established rules and guidelines for the processing of personal data, including those used for patient care, such as those captured by smartwatches. Thus, in any telemonitoring scenario, there is a need to comply with rules and regulations, making this issue a challenge to overcome.

OBJECTIVE

This study aimed to build a digital solution model for capturing data from wearable devices and making them available in a safe and agile manner for clinical and research use, following current laws.

METHODS

A functional model was built following the Brazilian Lei Geral de Proteção de Dados (2018), where data captured by smartwatches can be transmitted anonymously over the Internet of Things and be identified later within the hospital. A total of 80 volunteers were selected for a 24-week follow-up clinical trial divided into 2 groups, one group with a previous diagnosis of COVID-19 and a control group without a previous diagnosis of COVID-19, to measure the synchronization rate of the platform with the devices and the accuracy and precision of the smartwatch in out-of-hospital conditions to simulate remote monitoring at home.

RESULTS

In a 35-week clinical trial, >11.2 million records were collected with no system downtime; 66% of continuous beats per minute were synchronized within 24 hours (79% within 2 days and 91% within a week). In the limit of agreement analysis, the mean differences in oxygen saturation, diastolic blood pressure, systolic blood pressure, and heart rate were -1.280% (SD 5.679%), -1.399 (SD 19.112) mm Hg, -1.536 (SD 24.244) mm Hg, and 0.566 (SD 3.114) beats per minute, respectively. Furthermore, there was no difference in the 2 study groups in terms of data analysis (neither using the smartwatch nor the gold-standard devices), but it is worth mentioning that all volunteers in the COVID-19 group were already cured of the infection and were highly functional in their daily work life.

CONCLUSIONS

On the basis of the results obtained, considering the validation conditions of accuracy and precision and simulating an extrahospital use environment, the functional model built in this study is capable of capturing data from the smartwatch and anonymously providing it to health care services, where they can be treated according to the legislation and be used to support clinical decisions during remote monitoring.

mHealth Systems Need a Privacy-by-Design Approach: Commentary on "Federated Machine Learning, Privacy-Enhancing Technologies, and Data Protection Laws in Medical Research: Scoping Review"

Brauneck and colleagues have combined technical and legal perspectives in their timely and valuable paper "Federated Machine Learning, Privacy-Enhancing Technologies, and Data Protection Laws in Medical Research: Scoping Review." Researchers who design mobile health (mHealth) systems must adopt the same privacy-by-design approach that privacy regulations (eg, General Data Protection Regulation) do. In order to do this successfully, we will have to overcome implementation challenges in privacy-enhancing technologies such as differential privacy. We will also have to pay close attention to emerging technologies such as private synthetic data generation.

District nurses must guard against inappropriately accessing patient records

Two NHS workers were recently disciplined after inappropriately accessing the records of the singer Ed Sheeran who had required treatment for a fractured wrist and elbow after falling from his bicycle ( Embury-Dennis 2018 ). The increasingly common use of electronic records across the NHS now allows nurses, including district nurses, to access a large archive of patient information that was much more difficult to obtain when records were manually held paper records. There have been several instances where curiosity and, occasionally, more malicious reasons have led district nurses and others to access those records and read the notes of high profile patients or persons known to them. In this article Richard Griffith cautions that district nurses who access and read the record of a person who is not in their care is in breach of both their duty of confidence and the requirements of the General Data Protection Regulation (Regulation 2016/679 EU ).

Privacy engineering and the techno-regulatory imaginary

The European Union's General Data Protection Regulation (GDPR), in force since 2018, has introduced design-based approaches to data protection and the governance of privacy. In this article we describe the emergence of the professional field of privacy engineering to enact this shift in digital governance. We argue that privacy engineering forms part of a broader techno-regulatory imaginary through which (fundamental) rights protections become increasingly future-oriented and anticipatory. The techno-regulatory imaginary is described in terms of three distinct privacy articulations, implemented in technologies, organizations, and standardizations. We pose two interrelated questions: What happens to rights as they become implemented and enacted in new sites, through new instruments and professional practices? And, focusing on shifts to the nature of boundary work, we ask: What forms of legitimation can be discerned as privacy engineering is mobilized for the making of future digital markets and infrastructures?