BIOLYTICA platform and GDPR compliance: the key role of BIOLYTICA’s pseudonymisation feature

Author: Prof. Dr. Jos Dumortier (ICT Lawyer at time.lex – Honorary Professor)

The BIOLYTICA platform provides a framework for Big Data analytics for healthcare and was designed for researchers and medical practitioners alike. The design of the platform, which started in 2015 and will end in August 2018, coincides with a change in the European rules for data protection. The scientific sector is of course at the heart of this evolution. While the scientific method has always been based on the analysis of data, technical changes enable the analysis of data at a new scale. However, this technological evolution may be a cause for concern for the privacy of individuals and the respect of their rights and freedoms. The new European framework for data protection takes the form of a General Data Protection Regulation (GDPR) and aims to further enable the use of these new techniques while safeguarding the privacy of individuals.

These new rules set new challenges for the processing of personal data, both in terms of cost and feasibility and in terms of legal responsibility. The BIOLYTICA platform provides solutions for users who wish to process data in a safe environment.

Legal requirements for privacy

The GDPR became applicable on the 25th of May 2018, bringing many new obligations for entities processing personal data. Such entities should notably comply with the principles of data protection by design and by default[1]. These two principles ensure that the rights and interests of the data subject are taken into account from the inception of the processing activity, and that they are respected when data is processed. This means that privacy should be ensured at every stage of the processing, from its genesis to its conclusion, and that no additional action of the user should be required during the process. The measures satisfying those two principles should be proportional to the costs and the available technology, but also account for the nature, scope, context and purposes of the processing.

The GDPR also requires that platforms performing analysis on behalf of their users guarantee a certain level of safety by providing adequate support to their users to enable security measures such as pseudonymisation and encryption of personal data[2].

In the case of scientific research[3], the obligations of privacy by design and by default, as well as the implementation of adequate and proportional security measures, are complemented by additional safeguards. A prominent example of such a safeguard is the pseudonymisation of data used for scientific purposes. Pseudonymisation means that data can no longer be attributed to a specific person without using additional information. This is achieved by separating the identifying data, such as a name, an address, time stamps etc., from the data set.

However, when considering scientific research, in particular in the field of health, national legislation should not be forgotten. Inevitably, national legislation differs from one country to another, even though it is based on the same principles. A tool designed for international use should be able to cater to the requirements of different legal systems at the same time and apply standards recognised in different countries. This is why the BIOLYTICA Platform is designed to meet a number of criteria for the security of the data processed and the privacy requirements of all countries in which it is used.

Privacy ingrained in the design of the BIOLYTICA platform

The BIOLYTICA platform pseudonymises the datasets of its users by removing direct identifiers. This service is provided on both the local and the cloud-level infrastructure of BIOLYTICA. This means that before the data is uploaded to the platform to be analysed and stored, it is already de-personalised.

Although the Platform also analyses data that has been pseudonymised at an earlier stage, such data still goes through the privacy and security procedure developed by the AEGLE Consortium to ensure that every dataset uploaded to the BIOLYTICA Platform complies with the principles of data protection by design and by default. The BIOLYTICA anonymiser is embedded in a component of the platform and is not an additional step that users should take to ensure the protection of the data analysed.

Privacy requirements were also satisfied when designing the data storage and data access functionality of the platform. Compliance with the GDPR does not simply require security of data but also easy access by the users to their stored data, as well as ensuring its availability during the agreed time period.

Conclusion:

The BIOLYTICA Platform provides analytics for scientific biomedical research but also health care practice in a manner that is compliant with the rules of data protection while meeting the high ethical standards of both scientific research and health care. Acknowledging the importance of these aspects, while at the same time anticipating global regulatory changes in EU privacy during the lifetime of the project, and the long-standing disparities of legal regimes between different countries, the AEGLE consortium investigated all three matters and produced public, re-usable GDPR guidelines to facilitate and boost healthcare research in Europe. and the key elements to consider in the case of transnational projects have been produced alongside the development of the BIOLYTICA Platform, in order to provide support to research teams using resources from different countries. Reports for every EU country on rules regarding the processing of health data for scientific research purposes can be found on the AEGLE website. Feel free to download the one that applies to your country and spread the word!

[1] Article 25 GDPR

[2] Article 32 GDPR

[3] Article 89 GDPR