Research with sensitive data requires high legal, ethical and security standards


Modern medical science has been able to improve human health tremendously during the last decades. Many diseases are much better understood than before, leading to better treatments and more effective drugs. And the advances are rapidly continuing as we speak, for example towards precision medicine tailored to the patient's individual genomic characteristics.

Biomedicine is just one of the fields in which research including the analysis of personal data allows researchers to make new discoveries. Other such areas include language research, the social sciences, and any other field that studies humans or society.

It is clear that the use of personal data in research must always be based on high legal and ethical standards, as well as high security of the data and analysis environments.


Collecting and managing personal data has received a lot of attention in recent years, not least because of the new EU legislation, the General Data Protection Regulation (GDPR), and its influence on member states' national legislation. The GDPR makes several clarifications on how personal data can be processed, for instance the data subject's right to know about processing and the right to be forgotten. These conditions translate into requirements that sensitive data service providers need to meet.

The term personal data is used for data that relates to an identifiable individual, either directly or indirectly. Thus name, address, personal ID number and passport photo are clearly personal data, but so are location information, health records, genetic information, economic status and so on.

When personal data is used in research, the directly identifying information is typically first removed and replaced with a random identifier, so that the mapping between these new identifiers and real persons is not visible to researchers.

This procedure reduces the risk of accidental identification of people in further processing, although the data is still considered personal data. Such data sets are said to be pseudonymized.
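The pseudonymization step described above, as an added example that is not CSC's code: direct identifiers are stripped, each person receives a random pseudonym, and the mapping is returned separately so it can stay with the data controller. The field names, sample records and the `P-` prefix are assumptions made for illustration; reusing the same key table for a second source shows how two data sets can be linked without exposing identities.

```python
import secrets

# Assumed field names for directly identifying information.
DIRECT_IDENTIFIERS = ("name", "address", "personal_id")

def pseudonymize(records, key_table=None):
    """Return (research_rows, key_table).

    key_table maps personal_id -> random pseudonym and stays with the
    data controller; research_rows is what researchers receive.
    """
    key_table = {} if key_table is None else key_table
    research_rows = []
    for rec in records:
        pid = rec["personal_id"]
        if pid not in key_table:
            # Random value, not a hash of the identifier, so it cannot be
            # recomputed by someone who knows a personal ID.
            key_table[pid] = "P-" + secrets.token_hex(8)
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = key_table[pid]
        research_rows.append(row)
    return research_rows, key_table

def reidentify(pseudonym, key_table):
    """Controller-side reverse lookup; returns None for unknown pseudonyms."""
    for pid, pseudo in key_table.items():
        if pseudo == pseudonym:
            return pid
    return None

# Constructed sample data: two sources describing the same two people.
COHORT = [
    {"personal_id": "ID-0001", "name": "Example Person A", "address": "Street 1", "birth_year": 1970},
    {"personal_id": "ID-0002", "name": "Example Person B", "address": "Street 2", "birth_year": 1985},
]
HEALTH_RECORDS = [
    {"personal_id": "ID-0002", "name": "Example Person B", "diagnosis": "I10"},
    {"personal_id": "ID-0001", "name": "Example Person A", "diagnosis": "E11"},
]

if __name__ == "__main__":
    cohort_rows, keys = pseudonymize(COHORT)
    record_rows, keys = pseudonymize(HEALTH_RECORDS, keys)
    # Researchers can join the sources on the pseudonym alone. Fields such as
    # birth_year still identify indirectly, so the rows remain personal data.
    for row in cohort_rows + record_rows:
        print(row)
```
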
 
At CSC we are developing and providing services for our research customers to manage sensitive data securely and reliably, so that it is accessible only to authorized persons. The purpose is to offer effective and reliable services for research on sensitive data in the same way as CSC has done for other research for decades.

We also want to support the process of making valuable data collections available for research.


Using legal terminology, CSC acts as a data processor whereas the data owner acts as a data controller. In practice this means that the owner defines who can access the data and under what conditions, and CSC provides the tools and environment that are specially designed for secure data processing. CSC's sensitive data services currently combine secure processing in the ePouta cloud, secure data archiving and strict access control.

This platform has been used, for instance, to pilot combining health cohort data with health records as a pre-study for a national genome center in Finland. However, CSC specializes in the secondary use of health data, meaning that the aim is to support research, not clinical care directly. The management of sensitive data in the CSC environment will be discussed further in a webinar by CSC experts on 25 September 2018.
 
Taking biomedical research again as an example, novel research combining genomic data with health information, data from longitudinal studies, register data and so on can be used to study diseases with unprecedented accuracy, leading to quicker diagnoses and personalized medicine.

Such research needs a secure processing environment that has connections to various data sources and that combines usability with high security and tight access control. This is what CSC is currently working on.

The development work is done in close collaboration with key European players in the field, for example within the European ELIXIR research infrastructure and the Nordic NeIC Tryggve collaboration.
 
Regardless of the international collaboration, CSC as a national actor stores sensitive data only inside Finland and will not move it outside the country's borders unless specifically instructed and authorized by the data controller. CSC has no commercial interests in the data stored in CSC's services, since CSC as a public institution is not aiming for financial profit. Instead, CSC's mission is to benefit research and Finnish society.

 


 

Published originally 19.9.2018.


Antti Pursula

The writer is the Project Leader of the Tryggve project.

antti.pursula@csc.fi