In one of our early blogposts we presented the results of the early ethical assessment conducted in the context of ASCLEPIOS, and the approach that would be followed throughout the project to ensure that the sensitive data and the rights of the patients are not at any point infringed by the processing activities that take place in the project.
As required by the General Data Protection Regulation (GDPR), any entity acting as a data controller shall, prior to any data processing activity, conduct an assessment of the impact of the operation when the processing is likely to result in a high risk to the rights and freedoms of natural persons. In the ASCLEPIOS project, we systematically assessed whether the data processing activities of the project pose ethics risks and, consequently, require a Data Protection Impact Assessment (DPIA) under Article 35 of the GDPR, following the framework for the implementation of data protection within ASCLEPIOS that was presented in our previous blogpost. In consultation with the ASCLEPIOS data protection officer (DPO), we analysed all data processing activities taking place within ASCLEPIOS using this framework.
For one data processing activity, a DPIA was required to assess the level of risk it might pose to the rights of the patients. We conducted the DPIA, following the process depicted in Figure 1, with the objective of satisfying the minimum features of a DPIA as set out by the GDPR.
Specifically, for this data processing activity, we had to provide:
- a description of the envisaged processing operations and the purposes of the processing
- an assessment of the necessity and proportionality of the processing
- an assessment of the risks to the rights and freedoms of data subjects
- the measures envisaged to:
  - address the risks
  - demonstrate compliance with this Regulation
The DPIA concluded that this data processing activity poses a low risk to the rights and freedoms of patients.