Center for Data Protection (CDP)
From a legal point of view, the ACGT project must enforce EC security and privacy policies on clinical trials. The primary aim of the ACGT Data Protection Framework is to create a Data Protection Architecture that allows anonymized data to be processed, thereby helping to extend the scope of the European Data Protection Regulations to clinical trials.
The data protection architecture for data flows within ACGT is set up with the primary aim of working with anonymous data wherever this is possible. Anonymization is the best way to protect patients' privacy.
Apart from this, it has to be taken into account that the proposed ACGT platform has to be compatible with the ICT infrastructure and policies of all participating healthcare organizations. A data protection architecture within ACGT will therefore have to cope with a multiplicity of security and network infrastructures. It is thus of high importance to have minimal impact on the local IT infrastructure of every healthcare organization, for two major reasons: firstly, access from the outside to a hospital's IT infrastructure is most likely heavily restricted, if not forbidden; secondly, and from a legal point of view even more important, ACGT should only be responsible for data protection compliance within the GRID infrastructure. The proposed Data Protection Architecture therefore has to run independently of the local IT infrastructures, as a self-contained data protection framework in compliance with the applicable data protection legislation.
The following figure 1 illustrates the planned solution for the de facto anonymization of genetic data within ACGT.
Genetic data of the patient that is taken by the treating physician in the hospital is analyzed and stored within the hospital. The hospital and its different departments are obliged to work with pseudonymized patient data wherever the physical examinations do not require the identification of the patient.
If a patient agrees to participate in an ACGT trial, the physician transmits his or her data to an ACGT database located within the specific hospital, which is physically as well as organizationally disconnected from the hospital's database. During the transmission to the ACGT database the genetic data is de facto anonymized by a pseudonymization tool that guarantees an equivalently high standard for all genetic data transmitted from the participating hospitals to ACGT, with the effect that all genetic data processed within ACGT is pseudonymized at a state-of-the-art level. ACGT will provide such a pseudonymization tool, but hospitals are not bound to use it; ACGT can only commit the hospitals, by binding contracts, to guarantee state-of-the-art pseudonymization. The link of this pseudonymization is held by a security authority named "Trusted Third Party" (TTP). After this pseudonymization the data is stored in the ACGT database, possibly located in the hospitals or at the Trusted Third Party. At this point the data is de facto anonymous. The de facto anonymous data and the links from the pseudonymization are stored in different databases. ACGT end users only ever work with de facto anonymous genetic data.
Figure 2. Deanonymization procedure
However, if a patient needs to be identified, for instance when an end user (researcher) discovers a new treatment, the cooperation of the Trusted Third Party, as indicated in figure 2 above, is necessary, as only this security authority holds the link for the re-identification. From a practical point of view, the ACGT project founded, in August 2007, a non-profit organization: the Center for Data Protection (CDP). The CDP is the central data controller within the ACGT grid infrastructure.
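The separation described above (a pseudonymization step at export, the link held only by the TTP, pseudonymous and link data in different stores, and re-identification only through the TTP) can be modelled in a few dozen lines. The following Python is an added illustration, not the ACGT project's own tool: the class names, the field list, the choice of a random pseudonym indexed by an HMAC fingerprint, and the sample patient record are all assumptions made for this example. Because the pseudonym is drawn at random and the HMAC key lives only at the TTP, nothing in the ACGT-side record can be turned back into an identity without the TTP's cooperation, which is exactly the property the text calls de facto anonymity.

```python
import hashlib
import hmac
import secrets

# Attributes that must never reach the ACGT database (assumed field names).
IDENTIFYING_FIELDS = frozenset({"name", "date_of_birth", "hospital_patient_id"})


class TrustedThirdParty:
    """Hypothetical model of the TTP: the only place where pseudonym and identity meet."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # never leaves the TTP
        self._index = {}                      # HMAC fingerprint -> pseudonym
        self._links = {}                      # pseudonym -> identifying attributes
        self.audit_log = []                   # every re-identification is recorded

    def pseudonym_for(self, hospital, identity):
        # Keyed fingerprint so that repeated exports of the same patient reuse one
        # pseudonym, while nobody without the key can recompute the fingerprint.
        msg = f"{hospital}|{identity['hospital_patient_id']}".encode()
        fingerprint = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        if fingerprint not in self._index:
            pseudonym = secrets.token_hex(16)   # random, not derived from the identity
            self._index[fingerprint] = pseudonym
            self._links[pseudonym] = dict(identity, hospital=hospital)
        return self._index[fingerprint]

    def reidentify(self, pseudonym, requester, justification):
        # The de-anonymization procedure of figure 2: only the TTP can resolve the link,
        # and every request is logged for later review.
        self.audit_log.append({"pseudonym": pseudonym, "requester": requester,
                               "justification": justification})
        if pseudonym not in self._links:
            raise KeyError("unknown pseudonym")
        return dict(self._links[pseudonym])


class AcgtDatabase:
    """The de facto anonymous store: refuses any record that still carries identifiers."""

    def __init__(self):
        self.records = {}

    def store(self, record):
        leaked = IDENTIFYING_FIELDS.intersection(record)
        if leaked:
            raise ValueError(f"record contains identifying fields: {sorted(leaked)}")
        self.records[record["pseudonym"]] = record


def contains_identifiers(record):
    return bool(IDENTIFYING_FIELDS.intersection(record))


def pseudonymize(record, hospital, ttp):
    """The export-time pseudonymization step: strip identifiers, attach a TTP pseudonym."""
    identity = {k: record[k] for k in IDENTIFYING_FIELDS}
    payload = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    payload["pseudonym"] = ttp.pseudonym_for(hospital, identity)
    return payload


# Constructed sample record, as it might sit in the hospital's own system.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "date_of_birth": "1970-01-01",
    "hospital_patient_id": "H-000123",
    "mutations": ["BRCA1 c.68_69delAG"],
    "tumour_stage": "IIa",
}


def demo():
    """Runs the whole flow and returns the observable results."""
    ttp, db = TrustedThirdParty(), AcgtDatabase()
    first = pseudonymize(SAMPLE_RECORD, "Hospital A", ttp)
    second = pseudonymize(SAMPLE_RECORD, "Hospital A", ttp)   # repeat export
    db.store(first)
    try:
        db.store(SAMPLE_RECORD)          # raw record must be rejected
        raw_rejected = False
    except ValueError:
        raw_rejected = True
    identity = ttp.reidentify(first["pseudonym"], "researcher-1", "new treatment option")
    return {
        "stable_pseudonym": first["pseudonym"] == second["pseudonym"],
        "acgt_record_clean": not contains_identifiers(first),
        "raw_rejected": raw_rejected,
        "reidentified_name": identity["name"],
        "audit_entries": len(ttp.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

The two stores are deliberately separate objects with no reference to each other: the ACGT side can be queried by pseudonym for genetic data, while only a call into the TTP, which leaves an audit entry, can return the patient behind it.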
A patient who is willing to participate in an ACGT trial has to sign an informed consent regarding the processing of his or her data within ACGT, after having received all the information he or she wants from the treating healthcare organization.
Besides this, there will be contracts between the data exporters (e.g. healthcare organizations) and the CDP on the one hand, and between the ACGT end users and the CDP on the other hand, to guarantee compliance of all participants with the Data Protection Framework that has been set up.
Figure 3. Contract with hospital
Each data exporter organization will have a contractual agreement with ACGT concerning the data transfer (see under 4). The production of this contract is part of this deliverable. It will in particular lay down the obligation to de facto anonymize all data transferred to the ACGT database. It also states that, regarding the processing and storage of the patient's data within their own organization, the data exporters are responsible for compliance with both the data protection regulations and the procedures and policies provided by ACGT. Additionally, ACGT will commit the data exporters to guarantee that their employees (physicians, IT staff etc.) adhere to the procedures and policies provided by the framework. They have to make sure that access to the anonymous data is protected by the security mechanisms defined in the ACGT framework. Taking into account the multitude of IT infrastructures and the different national legislation, the execution of these contracts will be of crucial and substantial importance.
Moreover, agreements with the ACGT end users are needed which bind them to the data protection and data security policies of ACGT and make sure that they agree with the general terms of the Framework.
Figure 4. Contract with ACGT end user
These contracts will be concluded with the CDP and will primarily set out rules concerning the use of the data.