Abstract
The sharing and linking of medical data across borders is now a key enabler of new medical discoveries. Data are no longer simply collected and used at a single physical site, such as a laboratory or a research institute. Instead, communication flows between research teams within and across national borders bring together the necessary data and expertise to clarify previously unknown disease aetiologies. Integration of medical data and secure health records systems now allows clinicians to develop early treatment strategies tailored to a specific patient. As policymakers, patient advocacy groups, and biomedical researchers gravitate toward recognizing the benefits of global data sharing, they may be challenged by regulatory systems that were developed when the norm was using and sharing medical data only within a single jurisdiction. This chapter describes and compares key data privacy legal frameworks (Canada, US, UK, EU, Council of Europe, OECD) and discusses data sharing policies adopted by major biomedical research funding organisations (the NIH, Canadian Institutes of Health Research, Genome Canada, Wellcome Trust) in the context of their impact on medical data privacy. In so doing, the chapter explains not only the content, significance, and practical usefulness of these laws, regulations, and policies as they relate to medical data, but also identifies lingering barriers to global data sharing and suggests ways to overcome them while maintaining robust data privacy protection.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Academy of Medical Sciences: Personal data for public good: using health information in medical research. http://www.acmedsci.ac.uk/policy/policy-projects/personal-data/ (2006). Accessed 22 June 2015
Agaku, I.T., Adisa, A.O., Ayo-Yusuf, O.A., Connolly, G.N.: Concern about security and privacy, and perceived control over collection and use of health information are related to withholding of health information from healthcare providers. J. Am. Med. Inform. Assoc. 21, 374–378 (2014)
Arias, J.J., G, G.P.K., Campbell, E.G.: The growth and gaps of genetic data sharing policies in the united states. J. Law Biosci. 2, 56–58 (2015)
Article 29 Data Protection Working Party: Opinion 15/2011 on the definition of consent. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp187_en.pdf (2011). Accessed 22 June 2015
Article 29 Data Protection Working Party: Opinion 05/2014 on anonymisation techniques. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf (2014). Accessed 22 June 2015
Article 29 Data Protection Working Party: Letter from article 29 working party to paul timmers, director of sustainable and secure society, directorate, dg connect, regarding health data in apps and devices (5 february 2015). http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2015/20150205_letter_art29wp_ec_health_data_after_plenary_annex_en.pdf (2015). Accessed 22 June 2015
BC IPC (British Columbia Office of the Information & Privacy Commissioner): A prescription for legislative reform: improving privacy protection in BC’s health sector. https://www.oipc.bc.ca/special-reports/1634 (2014). Accessed 22 June 2015
Beyleveld, D., Townend, D., Rouille-Mirza, S., Wright, J.: The Data Protective Directive and Medical Research Across Europe. Ashgate, Aldershot (2005)
Boniface, M.A.: Privacy and Data Protection in Africa. Scholars Press, Saarbrucken (2014)
Bygrave, L.A.: Data Privacy Law: An International Perspective. Oxford University Press, Oxford (2014)
Bygrave, L.A.: Information concepts in law: generic dreams and definitional daylight. Oxf. J. Leg. Stud. 35, 91–120 (2015)
Canada: 1983 privacy act. http://laws-lois.justice.gc.ca/eng/acts/P-21 (1983). Accessed 22 June 2015
Canada: Personal information protection and electronic documents act. http://laws-lois.justice.gc.ca/eng/acts/P-8.6 (2000). Accessed 22 June 2015
Canadian Institutes of Health Research: Cihr open access policy. http://cihr-irsc.gc.ca/e/46068.html (2013). Accessed 22 June 2015
Cavoukian, A., Emam, K.E.: De-identification protocols: essential for protecting privacy. http://www.privacybydesign.ca/content/uploads/2014/06/pbd-de-identifcation_essential.pdf (2014). Accessed 22 June 2015
Contreras, J.L.: NIH’s genomic data sharing policy: timing and tradeoffs. Trends Genet. 31, 55–57 (2015)
Council of Canadian Academies: Accessing health and health-related data in Canada. http://www.scienceadvice.ca/en/assessments/completed/health-data.aspx (2015). Accessed 22 June 2015
Council of Europe: Convention for the protection of individuals with regard to automatic processing of personal data. http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm (1981). Accessed 22 June 2015
Council of Europe: Recommendation no. r (97) 5 of the committee of ministers to member states on the protection of medical data. http://wcd.coe.int/ViewDoc.jsp?id=571075 (1997). Accessed 22 June 2015
Council of Europe: Additional protocol to the convention for the protection of individuals with regard to automatic processing of personal data regarding supervisory authorities and transborder data flows. http://conventions.coe.int/Treaty/en/Treaties/HTML/181.htm (2001). Accessed 22 June 2015
Council of Europe: Consultative committee of the convention for the protection of individuals with regard to automatic processing of personal data [ets no. 108]: proposals of modernisation. http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD(2012)4Rev3E%20-%20Modernisation%20of%20Convention%20108.pdf (2012). Accessed 22 June 2015
DeCew, J.: In Pursuit of Privacy: Law, Ethics, and the Rise of Technology. Cornell University Press, Ithaca (1997)
Emam, K.E., Alvarez, C.: A critical appraisal of the article 29 working party opinion 05/2014 on data anonymisation techniques. Int. Data Priv. Law 5, 73–87 (2015)
Emam, K.E., Jonker, E., Arbuckle, L., Malin, B.: A systematic review of re-identification attacks on health data. PLoS One 6 (2011)
European Commission: Proposal for a regulation of the european parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (general data protection regulation). http://ec.europa.eu/justice/data-protection/document/review2012/ com_2012_11_en.pdf (2012). Accessed 22 June 2015
European Commission: Proposal for a regulation of the european parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (general data protection regulation) - preparation of a general approach. http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf (2015). Accessed 22 June 2015
European Parliament: Committee on civil liberties, justice and home affairs draft report on the proposal for a regulation of the european parliament and of the council on the protection of individual with regard to the processing of personal data and on the free movement of such data (general data protection regulation). http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf (2012). Accessed 22 June 2015
European Union: Directive 95/46/ec of the european parliament and of the council of 24 october 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML (1995). Accessed 22 June 2015
European Union: Charter of fundamental rights of the european union. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2010:083:0389:0403:en:PDF (2010). Accessed 22 June 2015
Expert Advisory Group on Data Access: Statement for EAGDA funders on re-identification. http://www.wellcome.ac.uk/stellent/groups/corporatesite/@policy_communications/documents/web_document/wtp055972.pdf (2013). Accessed 22 June 2015
Genome Canada: Data release and resource sharing. http://genomecanada.ca/medias/PDF/EN/DataReleaseandResourceSharingPolicy.pdf (2008). Accessed 22 June 2015
Government of Canada: Tri-agency open access policy on publications. http://www.science.gc.ca/default.asp?lang=En&n=F6765465-1 (2015). Accessed 22 June 2015
Greenleaf, G.: Global data privacy laws: 89 countries, and accelerating, queen mary university of London, school of law legal studies research paper no. 98/2012. http://ssrn.com/abstract=2000034 (2012). Accessed 22 June 2015
Greenleaf, G.: Asian Data Privacy Laws: Trade & Human Rights Perspectives. Oxford University Press, Oxford (2014)
Greenleaf, G.: Global data privacy laws 2015: 109 countries, with european laws now a minority. Priv. Laws Bus. Int. Rep. 133, 18–28 (2015)
Hallinan, D., Friedewald, M.: Open consent, biobanking and data protection law: can open consent be ‘informed’ under the forthcoming data protection regulation? Life Sci. Soc. Policy 11, 1 (2015)
HEW (US Department of Health, Education and Welfare): Records, computers and the rights of citizens: report of the secretary’s advisory committee on automated personal data systems. http://www.justice.gov/sites/default/files/opcl/docs/rec-com-rights.pdf (1973). Accessed 22 June 2015
Homer, N. et al.: Resolving individuals contributing trace amounts of DNA to highly complex mixtures using high-density snp genotyping microarrays. PLoS Genet. 4, e1000167 (2008)
ILRDP Kantor Ltd: Comparative study on different approaches to new privacy challenges, in particular in the light of technological developments. http://ec.europa.eu/justice/policies/privacy/docs/studies/new_privacy_challenges/final_report_en.pdf (2010). Accessed 22 June 2015
Institute of Medicine: Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. National Academies, Washington (2009)
International Conference of Data Protection and Privacy Commissioners: International standards on the protection of personal data and privacy: the madrid resolution. http://www.privacycommission.be/sites/privacycommission/files/documents/international_standards_madrid_2009.pdf (2009). Accessed 22 June 2015
Kenyon, A.T., Richardson, M.: New Dimensions in Privacy: International and Comparative Perspectives. Cambridge University Press, Cambridge (2010)
Knoppers, B.M., Dove, E.S., Litton, J.E., Nietfeld, J.J.: Questioning the limits of genomic privacy. Am. J. Hum. Genet. 91, 577–578 (2012)
Knoppers, B.M., Saginur, M.: The babel of genetic data terminology. Nat. Biotechnol. 23, 925–927 (2005)
Kuner, C.: Transborder Data Flows and Data Privacy Law. Cambridge University Press, Oxford (2013)
Laurie, G., Sethi, N.: Towards principles-based approaches to governance of health-related research using personal data. Eur. J. Risk Regul. 4, 43–57 (2013)
Lowrance, W.W.: Privacy, Confidentiality, and Health Research. Cambridge University Press, Oxford (2012)
Moraia, L.B. et al.: A comparative analysis of the requirements for the use of data in biobanks based in finland, germany, the netherlands, norway and the united kingdom. Med. Law Int. 14, 187–212 (2014)
National Institutes of Health: Policy for genome-wide association studies. http://grants.nih.gov/grants/guide/notice-files/NOT-OD-07-088.html (2007). Accessed 22 June 2015
National Institutes of Health: Modifications to genome-wide association studies (GWAS) data access. https://gds.nih.gov/pdf/Data%20Sharing%20Policy%20Modifications.pdf (2008). Accessed 22 June 2015
National Institutes of Health: NIH genomic data sharing policy. http://gds.nih.gov/PDF/NIH_GDS_Policy.pdf (2014). Accessed 22 June 2015
National Institutes of Health: Supplemental information to the national institutes of health genomic data sharing policy. http://gds.nih.gov/PDF/Supplemental_Info_GDS_Policy.pdf (2014). Accessed 22 June 2015
NIH-DOE Joint Subcommittee: NIH-DOE guidelines for access to mapping and sequencing data and material resources (adopted 7 December). http://www.genome.gov/10000925 (1992). Accessed 22 June 2015
Nissenbaum, H.: Privacy in Context: Technology, Policy, and the Integrity of Social Life. Stanford University Press, Stanford (2010)
Nuffield Council on Bioethics: The collection, linking and use of data in biomedical research and health care: ethical issues. http://nuffieldbioethics.org/wp-content/uploads/Biological_and_health_data_web.pdf (2015). Accessed 22 June 2015
OECD: The OECD privacy framework. http://oecd.org/sti/ieconomy/oecd_privacy_framework.pdf (2013). Accessed 22 June 2015
O’Neill, O.: Some limits of informed consent. J. Med. Ethics 4 (2003)
Phoenix SPI: Survey of canadians on privacy-related issues. final report. https://www.priv.gc.ca/information/por-rop/2013/por_2013_01_e.asp (2013). Accessed 22 June 2015
Power, M.: The Law of Privacy. LexisNexis Canada, Markham (2013)
Smith, R., Shao, J.: Privacy and e-commerce: a consumer-centric perspective. Electron. Commer. Res. 7, 89–116 (2007)
Solove, D.J., Schwartz, P.M.: Information Privacy Law, 5th edn. Wolters Kluwer, New York (2015)
Taylor, M.: Genetic Data and the Law: A Critical Perspective on Privacy Protection. Cambridge University Press, Cambridge (2012)
Tene, O.: Privacy law’s midlife crisis: a critical assessment of the second wave of global privacy laws. Ohio State Law J. 74, 1217–1261 (2013)
Tzanou, M.: Data protection as a fundamental right next to privacy? ‘reconstructing’ a not so new right. Int. Data Priv. Law 3, 88–99 (2013)
United Kingdom: Data protection act 1998. http://legislation.gov.uk/ukpga/1998/29 (1998). Accessed 22 June 2015
United Kingdom: The data protection (processing of sensitive personal data) order 2000. http://www.legislation.gov.uk/uksi/2000/417/schedule/made (2000). Accessed 22 June 2015
United Nations: General assembly resolution 2450 of 19 December 1968. Doc E/CN.4/1025 (1968)
United Nations: Points for possible inclusion in draft international standards for the protection of the rights of the individual against threats arising from the use of computerized personal data systems. Doc E/CN.4/1233 (1976)
United Nations: Guidelines concerning computerized personal data files (UN general assembly resolution 45/95 of 13 December 1990). Doc E/CN.4/1990/72 (1990)
United States: Code of federal regulations. title 45: public welfare. part 160: general administrative requirements. http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title45/45cfr160_main_02.tpl (2014). Accessed 22 June 2015
United States: Code of federal regulations. title 45: public welfare. part 164: security and privacy. http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title45/45cfr164_main_02.tpl (2014). Accessed 22 June 2015
United States Department of Commerce: Safe harbor privacy principles. http://www.export.gov/safeharbor/eu/eg_main_018475.asp (2000). Accessed 22 June 2015
US Privacy Protection Study Commission: Personal privacy in an information society. US Government Printing Office, Washington (1977)
Wallace, S.E., Gaye, A., Shoush, O., Burton, P.R.: Protecting personal data in epidemiological research: DataSHIELD and UK law. Public Health Genomics 17, 149–157 (2014)
Weber, R.H.: Transborder data transfers: concepts, regulatory approaches and new legislative initiatives. Int. Data Priv. Law 3, 117–130 (2013)
Wellcome Trust: Policy on data management and sharing. http://www.wellcome.ac.uk/about-us/policy/policy-and-position-statements/wtx035043.htm (2010). Accessed 22 June 2015
Wellcome Trust: Summary report of qualitative research into public attitudes to personal data and linking personal data. http://www.wellcome.ac.uk/About-us/Publications/Reports/Public-engagement/WTP053206.htm (2013). Accessed 22 June 2015
World Health Organisation: Legal frameworks for ehealth: based on the findings of the second global survey on eHealth. http://whqlibdoc.who.int/publications/2012/9789241503143_eng.pdf (2012). Accessed 22 June 2015
Younger Committee: Report of the committee on privacy. Home Office, Cmnd 5012. HMSO, London (1972)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Dove, E.S., Phillips, M. (2015). Privacy Law, Data Sharing Policies, and Medical Data: A Comparative Perspective. In: Gkoulalas-Divanis, A., Loukides, G. (eds) Medical Data Privacy Handbook. Springer, Cham. https://doi.org/10.1007/978-3-319-23633-9_24
Download citation
DOI: https://doi.org/10.1007/978-3-319-23633-9_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23632-2
Online ISBN: 978-3-319-23633-9
eBook Packages: Computer ScienceComputer Science (R0)