Article Text

Download PDFPDF
Assessing data protection and governance in health information systems: a novel methodology of Privacy and Ethics Impact and Performance Assessment (PEIPA)
  1. Concetta Tania Di Iorio1,
  2. Fabrizio Carinci2,
  3. Jillian Oderkirk3,
  4. David Smith4,
  5. Manuela Siano5,
  6. Dorotea Alessandra de Marco5,
  7. Simon de Lusignan6,7,
  8. Paivi Hamalainen8,
  9. Massimo Massi Benedetti9
  1. 1Executive Office, Legal, Serectrix snc, Pescara, Italy
  2. 2Department of Statistical Sciences, University of Bologna, Bologna, Italy
  3. 3Health Division, Directorate for Employment, Labour and Social Affairs, Organisation for Economic Co-operation and Development (OECD), Paris, France
  4. 4Former Deputy Commissioner, Information Commissioner's Office (ICO), Wilmslow, UK
  5. 5Department of International and EU Relations Services, Department of Digital Technologies and Information Security, Data Protection Authority, Rome, Italy
  6. 6Nuffield Department of Primary Care and Health Sciences, University of Oxford, Oxford, UK
  7. 7Department of Clinical and Experimental Medicine, University of Surrey, Guildford, UK
  8. 8National Institute of Health and Welfare (THL), Helsinki, Finland
  9. 9Executive Office, Hub for International Health Research (HIRS), Perugia, Italy
  1. Correspondence to Dr Concetta Tania Di Iorio, Legal, Serectrix, Pescara 65121, Italy; ct.diiorio{at}serectrix.eu

Abstract

Background Data processing of health research databases often requires a Data Protection Impact Assessment to evaluate the severity of the risk and the appropriateness of measures taken to comply with the European Union (EU) General Data Protection Regulation (GDPR). We aimed to define and apply a comprehensive method for the evaluation of privacy, data governance and ethics among research networks involved in the EU Project Bridge Health.

Methods Computerised survey among associated partners of main EU Consortia, using a targeted instrument designed by the principal investigator and progressively refined in collaboration with an international advisory panel. Descriptive measures using the percentage of adoption of privacy, data governance and ethical principles as main endpoints were used for the analysis and interpretation of the results.

Results A total of 15 centres provided relevant information on the processing of sensitive data from 10 European countries. Major areas of concern were noted for: data linkage (median, range of adoption: 45%, 30%–80%), access and accuracy of personal data (50%, 0%–100%) and anonymisation procedures (56%, 11%–100%). A high variability was noted in the application of privacy principles.

Conclusions A comprehensive methodology of Privacy and Ethics Impact and Performance Assessment was successfully applied at international level. The method can help implementing the GDPR and expanding the scope of Data Protection Impact Assessment, so that the public benefit of the secondary use of health data could be well balanced with the respect of personal privacy.

  • right to healthcare
  • confidentiality/privacy
  • regulation
  • technology/risk assessment
View Full Text

Statistics from Altmetric.com

Footnotes

  • Contributors All authors provided a substantial contribution to the development and implementation of the method as well as for the production of the manuscript. CTdI, JO, DS, MS, DAdM, SdL and PH were members of the international advisory panel (AP). CTdI designed the survey questionnaire and led the study on behalf of Serectrix, the private company in charge of this activity as a subcontractor of the Bridge Health project. FC assisted with the design and conduction of the analysis for the paper. JO, DS, MS, DAdM, SdL and PH participated to the design of the instrument and evaluated the data collected for the production of the paper. MMB coordinated the task in the Bridge Health project. All authors revised and agreed on the contents of the present manuscript.

  • Funding The study has been funded through granting provided by DG-SANCO, the European Commission for WP8, Task 2, EU Project Bridge Health (grant agreement number: 664691–BRIDGE Health–HP-PJ-2014).

  • Disclaimer The opinions expressed in this article are those of the authors alone; neither those of the OECD, nor of its member countries.

  • Competing interests None declared.

  • Patient consent for publication Not required.

  • Provenance and peer review Not commissioned; externally peer reviewed.

  • Data availability statement Data are available upon request.

Request Permissions

If you wish to reuse any or all of this article please use the link below which will take you to the Copyright Clearance Center’s RightsLink service. You will be able to get a quick price and instant permission to reuse the content in many different ways.