ASCLEPIOS aims to innovatively combine and extend existing encryption approaches to build a secure cloud-based e-health framework. The results of the project will be demonstrated using healthcare use cases by three hospitals in Europe, such as stroke acute care, inpatient and outpatient sleep medicine, and monitoring and benchmarking of antibiotics prescriptions.
The three use cases involve processing of highly sensitive personal data by various actors (patients and their families, healthcare practitioners and their IT support team, cloud infrastructure providers etc.). Consequently, the use cases raise ethical and trust issues regarding data privacy and safety. Since these use cases are the results of existing scientific studies, data collection and ethical approvals have already taken place. Nevertheless, the addition of cloud technology makes it necessary to reconsider potential risks, and proper measures need to be taken in the project. Moreover, the project will also carry out questionnaires to collect requirements and information about data protection awareness, a process that involves humans and raises issues about the protection of personal data.
Based on an early ethical assessment, three specific areas have been identified as potential ethical issues and thus require appropriate measures:
- Processing of personal data for secondary use in the demonstrators
- Involvement of human subjects in assessment and awareness studies
- Potential misuse of research results in cybercrime
All activities in the project involving sensitive personal data processing, either for secondary use or as collection of primary data from individuals, need to be reviewed by the relevant Institutional Review Board (IRB) of the organisation or country. For example, for the sleep research case, ethical approval of data processing will be reviewed by the IRB of the University hospital in Berlin.
IRBs require compliance with the General Data Protection Regulation (GDPR), the relevant national regulations, and international medical ethical guidelines.
Good clinical practice guidelines are followed for clinical studies related to the project. The medical device regulations are followed according to the medical product act, when medical devices or medical software is used as part of the project generated data. The appropriate class of the medical product needs to be documented and tracked. All this needs to be tracked by the Data Protection Officer of the ASCLEPIOS project.
Figure 1 shows how data protection is implemented within the project with consideration of personal data. ‘DPIA’ stands for Data Protection Impact Assessment, a process designed to help projects identify and minimise underlying data protection risks.
Data handling and potential risks will be monitored throughout the project, in order to address any issues raised by new available data. Additionally, the foreseen guidelines will be extended in order to keep up with progress made in the development of the ASCLEPIOS framework and any ethical issues that are raised when the demonstrators are put in action.