Data Protection and Ethics Requirements for Multisite Research with Health Data: A Comparative Examination of Legislative Governance Frameworks and the Role of Data Protection Technologies

Abstract

Our paper compares legislation on data protection and research ethics requirements for health-related data and particularly personalised medicine across seven jurisdictions. Personalised medicine can improve both public and individual health by providing targeted preventative and therapeutic healthcare. For these benefits to be realised, doctors, healthcare providers, and researchers must be encouraged to share patient health data between institutions. Data sharing is an integral part of multisite research, and may require transfer across jurisdictional boundaries. However, whilst data protection, privacy, and research ethics laws protect patient confidentiality, safety, and security, they also may act as impediments to multisite research. This effect is exacerbated when transferring data across jurisdictions due to the divergences in data protection and research ethics laws. Accordingly, we adopt a comparative approach using the concept of data accessibility when examining data protection and research ethics laws in seven jurisdictions. These jurisdictions include Switzerland, Italy, Spain, the United Kingdom (which have implemented the General Data Protection Regulation), the United States, Canada, and Australia. Our paper then identifies the most significant regulatory barriers to the sharing of health-related data for multisite research. According to our research, we identify these barriers as the requirements for consent, the standards for anonymisation or pseudonymisation, and adequacy of protection between jurisdictions. We also identify differences between the European Union and other jurisdictions as a significant barrier for data accessibility in cross jurisdictional multisite research. Our paper then concludes by considering how contractual and organisational solutions can be used to overcome these legislative differences. These solutions include data transfer agreements and organisational collaborations designed to 'front load' the process of ethics approval, so that subsequent research protocols are standardised. We also allude to the potential of technical solutions, such as distributed computing, secure multiparty computation and homomorphic encryption.