By the legal team of ProCAncer-I, The University of Vienna Department of Innovation and Digitalisation in Law (UNIVIE)
Given the innovative nature of the technology being developed in the ProCAncer-I project, complex legal questions have arisen concerning the processing of personal data. The technical process of anonymisation can be a complex one, particularly when considering whether medical images can lead to the re-identification of a data subject. The University of Vienna Department of Innovation and Digitalisation in Law, known as UNIVIE on the ProCAncer-I project, leads WP2 on the legal and ethical aspects of the project. Therefore, UNIVIE is working closely with all partners to assist in ensuring that all personal data is anonymised before being processed in the project, thereby minimising or altogether eliminating risks to the rights and freedoms of the data subject.
The project aims to process data related to prostate imaging. Within the EU data protection regime, the EU General Data Protection Regulation (GDPR) regulates the processing of personal data. Personal data is defined according to Article 4(1) GDPR as “any information relating to an identified or identifiable natural person”, known as the data subject. However, not all personal data is created equally. The GDPR distinguishes between standard personal data such as one’s name, phone number or photograph, and special categories of personal data. Special categories are those which are more sensitive and due to their nature may pose higher risks to the rights and freedoms of the data subjects when processed. As defined in Article 9(1) GDPR, data concerning health is considered to be one of these special categories. Given that medical images showing prostate cancer (PCa) with the attached patient data constitute data concerning health, any such processing is forbidden unless it is permitted in line with one of the exceptions in Article 9(2) GDPR. However, the aim of the ProCAncer-I project is to anonymise all personal data related to PCa before bringing the data to the project to assist in the development of the project. According to Recital 26 of the GDPR, the GDPR does not apply to anonymous data, that is, data that does not relate to an identified or identifiable natural person. However, the task of determining whether data relates to an identified or identifiable natural person is not a simple one. The GDPR asks data controllers to consider the means reasonably likely to be used to re-identify the data subject either by the controller or another person whether directly or indirectly. Consideration should be given to “objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments” (GDPR, Recital 26).
Guidance from the Article 29 Data Protection Working Party (Opinion 05/2014 on Anonymisation Techniques, page 7) says that “anonymisation is a technique applied to personal data in order to achieve irreversible de-identification”, in such a case there is an assumption that the personal data originally collected must have been done so in compliance with data protection law. As such, the partners in the ProCAncer-I project must ensure not only the suitability of the anonymisation techniques, but they must also ensure that the personal data being anonymised was collected in accordance with the GDPR and EU ethics standards. Furthermore, the act of anonymisation itself must be compliant with data protection law because until the personal data is anonymised, it remains subject to the GDPR.