The Law and Ethics of Data Sharing in Health Sciences

This chapter outlines the dynamic context and multiple challenges of data sharing in the contemporary data ecosystem, specifically as it relates to healthcare. Here, we define “data sharing” as the practice of sharing health-related data between a number of data controllers and processors. Data collected in this manner can come from the provision of health, clinical trials, observational studies, public health surveillance programs, and other health data collection methods. Several justifications for such sharing are introduced. Our main contention is that the regulatory environment today is an increasingly complex and rapidly evolving combination of norms and principles. To navigate this environment successfully requires careful analysis and judgment from all stakeholders across diverse fields of technology and the law. The purpose of this volume, therefore, is to offer a series of case studies that integrate theoretical and practical perspectives and illustrate how to effectively navigate this complex and rapidly evolving space.

The Global Alliance for Genomics and Health (GA4GH) is an international not-for-profit organization dedicated to the development of standards and policies to expand the use of genomic data within a human rights framework, improving health for everyone. The GA4GH benefits from the participation of more than 500 leading organizations in healthcare, patient advocacy, research and ethics, government, life science, and information technology. This chapter charts the key accomplishments of the Regulatory and Ethics Work Stream (REWS) of the GA4GH. The REWS is a founding Work Stream of the GA4GH responsible for the landmark Framework for Responsible Sharing of Genomic and Health-Related Data (2014/19). On the organization’s tenth anniversary, the authors highlight what, in their unique perspective as present or former leaders of the REWS, they consider to be its major contributions to interdisciplinary, participative, and international policy developments in genomics. Considerations for future REWS objectives and outputs are presented in closing.

Data is an integral part of healthcare delivery. A growth in digital technologies has produced large swaths of health data that contain individuals’ personal, and often sensitive, information. A key question for policymakers is how to regulate the collection, storage, sharing, and disclosure of this information. In this chapter, the authors evaluate two different types of regulatory enforcement mechanisms: public rights of action (where the government sues) and private rights of action (where private persons sue). They use a recent case to illustrate the advantages and drawbacks of private rights of action in health data privacy cases, and then use this analysis to contrast them with public rights of action. Their analysis suggests that public and private rights of action should be viewed as complementary regulatory tools, rather than competing alternatives. In short, both public and private rights of action have important roles in regulating health data. To ensure private rights are effective regulatory tools, policy makers should pay particular attention to how those rights of action are designed and implemented.

Data sharing is key for artificial intelligence and for future healthcare systems, but the perspectives of patients are seldom included in the larger debates of how, when, and what data to share. This chapter provides an overview of research on patient perspectives on data sharing and associated aspects, including patients’ motivations, concerns, and views on privacy and conditions for sharing. Moreover, these perspectives are put into the evolving context of informed consent and today’s European context of the General Data Protection Regulation (GDPR) and Data Governance Act (DGA). Overall, there seems to be a discrepancy between the patients’ perspective on data sharing and the reality in which their data are to be shared. The current patient views are researched within relatively ‘local’ contexts, where the patient would consent to collecting data for primary use and on patients’ preferences regarding consent and what they see as barriers and motivators for data sharing. However, the reality of data use is moving towards re-use of data for secondary purposes and a context of more altruistic consent such as the DGA. Questions remain regarding how patients perceive sharing and the role of their data in the larger governance of data; seemingly, patient views are lost in the wider debate of innovation and jurisdictional competitiveness. Ensuring that patients’ voices are heard is essential for public acceptance of data sharing, and thus for inclusiveness and equity of results and innovations originating from patients’ shared data.

Advancements in science and technology has created an expectation and demand on research and innovation to address some of the greatest societal challenges, particularly in the health and biomedical fields. There is an inherent promise associated with the potential of breakthrough technologies, particularly when combined with quality health-related data, to deliver significant improved health outcomes globally. However, science and innovation alone are not sufficient to achieve societal transformation towards global health. There is an observed reluctance to operationalize the use of existing data, mainly due to privacy and security concerns, as well as a palpable apprehension around how, for what purpose, and by whom data will be used. Research and innovation need to be supported by behavior and attitude change in order to foster inclusive participation and effective societal uptake of the resulting solutions. This chapter explores how the principles of Responsible Research and Innovation can be applied to provide a legally supported, inclusive, and sustainable approach to operationalizing the use of existing data in support of health-related innovations. By incorporating a deliberative and responsive process to citizen science practices, the root causes underlying this observed reluctance can be identified and addressed. The overall aim is to gain a fundamental understanding of the real and perceived barriers to utilizing data for research and innovation purposes, which can then be used to proffer solutions to create a responsive and inclusive culture to sustainably support the ongoing responsible use of data.

In June 2022, the U.S. Supreme Court issued its opinion in Dobbs v. Jackson Women’s Health Organization, overturning 50 years of precedent by eliminating the federal constitutional right to abortion care established by the Court’s 1973 decision in Roe v. Wade. The Dobbs decision leaves the decision about abortion services in the hands of the states, which created an immediately variegated checkerboard of access to women’s healthcare across the country. This, in turn, laid bare a profusion of privacy issues that emanate from our technologized world. Here, we review these privacy issues, including healthcare data, financial data, website tracking and social media. We then offer potential future legislative and regulatory pathways that balance privacy with law enforcement goals in women’s health and any domain that shares this structural feature.

The secondary use of health data offers great potential for health research. Technological developments, for instance the progress in the field of artificial intelligence, have improved the reusability of datasets. However, the GDPR and ethical guidelines regularly restrict the reuse of personal data when the data subject has not given their informed or explicit consent. In retrospective studies, where researchers use personal data and sensitive data from previous medical examinations, the retrospective collection of the patient's consent can be challenging. This chapter will focus on the potential legal and practical hurdles associated with obtaining consent from the data subject for a new processing purpose. In addition, it will present the ethical considerations associated with consent and retrospective data collection in health and medical research. This chapter will discuss several Horizon 2020 funded research projects in the areas of health and medical research. These research projects will be used as practical examples to demonstrate the issues faced with consent as a legal basis in retrospective research.

Medical devices based on machine learning (ML) promise to have a significant impact and make advances in healthcare. This chapter analyzes to what extent data protection law, de lege lata and de lege ferenda, enables the development of ML-based medical devices. A key aspect of this is the processing of health data, which does not originate with the developers but with the healthcare providers. ML-based medical devices are trained with a large amount of health data. According to the current legal situation under the General Data Protection Regulation (GDPR), secondary use of health data is possible in principle (Article 6 (4) GDPR). However, the consent of the data subjects faces certain difficulties, and as the following analysis shows, the development of an ML-based medical device does not necessarily constitute scientific research within the meaning of the GDPR. Therefore, this chapter argues that a separate legal basis is needed. This must be accompanied by technical-organizational measures that safeguard the rights of the data subject to a large extent and should only be allowed if the general public benefits from the research on and/or deployment of the ML-based medical device. In addition, there is a need for infrastructural measures such as the establishment or expansion of intermediary bodies, given the lack of incentives, personnel capacity, and expertise among healthcare providers to share health data with a broad range of interested parties. Furthermore, to ensure a reliable output from ML-based medical devices, standards for data preparation must be established. Finally, this chapter discusses the proposal of the European Health Data Space (EHDS) and briefly examines whether this is a step in the right direction.

In July 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”) invalidated the EU-US Privacy Shield adequacy decision but found that Standard Contracting Clauses (SCCs) are a valid mechanism to enable GDPR-compliant transfers of personal data from the EU to jurisdictions outside the EU/EEA, as long as various unspecified “supplementary measures” are in place to compensate for any gaps in data protection arising from the third country law or practices. The effect of this decision has been to place regulators, scholars, and data protection professionals under greater pressure to identify and explain these “supplementary measures” to facilitate cross-border transfers of personal data. This chapter critically examines the current framework for cross-border transfers after Schrems II, including the new SCCs adopted by the European Commission, as well as the current European Data Protection Board (EDBP) guidance on “supplementary measures.” We argue that the so-called “supplementary measures” are not “supplementary” and that the CJEU’s characterization of such measures as “supplementary” undermines the original clarity of GDPR with regards to the required standards for the security of processing as well as the available mechanisms for cross-border transfers of personal data. We conclude that despite the legal uncertainty introduced by the CJEU several post-Schrem II developments have been helpful to increase awareness and improve the overall safeguards associated with cross-border transfers of personal data. These include the new SCCs and an increased understanding of the capabilities and limitations of the technical and organizational measures, including encryption, pseudonymization, and multi-party processing. Technical solutions such as multiparty homomorphic encryption (HE) that combine these three technical measures while still allowing for the possibility to query and analyze encrypted data without decrypting it has significant potential to provide effective security measures that facilitate cross-border transfers of personal data in high-risk settings.

Sharing extensive healthcare information is essential for the advancement of medicine and the formulation of effective public health policies. However, it often contains sensitive or personal information, or trade secrets. Certain safety measures are needed to strike a balance between the sharing of data and the protection of such information. A firewall is one of the major safety measures designed to prevent the delivery of protected information by severing harmful connections or limiting the formation of new connections between relevant parties in an information exchange network. Although very simple models suggest firewall vulnerabilities, such models often oversimplify real-world scenarios, neglecting factors like internal connections among nodes and the influence of other information held by nodes. Therefore, we propose several improved models and use them to explore some of the reasons why firewalls fail. Our study finds that firewalls are less effective as the number of network nodes increases, and that both high- and low-degree nodes pose non-negligible risks. The study also raises awareness about the role of internal monitors in preventing leaks. The effectiveness of information leakage control could be increased with the monitor's proximity to the information source. This necessitates a greater focus on internal monitoring, perhaps using information and communication technology.