Introduction
In 2017, The Economist proclaimed that the world's most valuable resource is no longer oil, but data (https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data). The article stated that a highly profitable data economy had emerged and warned that legislation would have to be revised and updated to keep up with it.
While there are many criticisms of the data-versus-oil comparison, above all that oil is a finite resource and data is not, the underlying problem of a highly profitable and under-regulated data economy in health care is very real.
The healthcare data economy is growing at a significant pace, especially in the US, the UK, China and several other countries. It is driven by hundreds of start-up companies looking for opportunities to improve medicine and healthcare through innovative data processing and new technologies, including artificial intelligence.
BIS Research has estimated that by 2025 the big data market for medicine and healthcare will exceed $68 billion, compared with about $14 billion in 2017, and that global health data will grow to an unprecedented 2,314 exabytes by 2020 (https://www.prnewswire.com/news-releases/global-big-data-in-healthcare-market-to-reach-6875-billion-by-2025-reports-bis-research-678151823.html).
Access to high-quality health big data is vital for developing artificial intelligence products for medicine. In the overwhelming majority of cases, de-identified data is sufficient to build mathematical models and machine-learning algorithms.
Without this data, no interesting idea can be turned into a product, because high-quality machine learning requires high-quality data in large quantities. At the same time, one sometimes hears that, since only de-identified data is needed to create artificial intelligence, such data falls outside personal data protection legislation.
This is a serious misconception. De-identified data is still personal data; it cannot simply be taken from the information systems of medical organizations and collected. To do this competently and legally, you need to know some important nuances and document the process of collecting and processing such de-identified data correctly. Below we explain in detail how this can be done.
General concepts of personal data and its processing
In 2005, Russia adopted Federal Act No. 160 of December 19, 2005 "On Ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data". The instrument of ratification was deposited on May 15, 2013, and the Convention entered into force with regard to Russia on September 1, 2013 (https://www.garant.ru/products/ipo/prime/doc/70281462/).
Following the ratification of the Convention, Federal Act No. 152 of July 27, 2006 "On Personal Data" was adopted and entered into force on January 26, 2007. It defines the concepts, principles and conditions for processing personal data and reflects the requirements of the Convention, i.e. the fundamental European approaches to the protection and processing of personal data.
Article 3 of the Federal Act No. 152 defines personal data as any information relating directly or indirectly to a specific or identifiable individual (the subject of personal data).
The processing of personal data is any action (operation) or set of actions (operations) performed with personal data, with or without automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (dissemination, provision, access), de-identification, blocking, deletion and/or destruction of personal data.
Automated processing of personal data is the processing of personal data using computer technology.
De-identification of personal data means actions as a result of which it becomes impossible, without using additional information, to determine which specific subject the personal data belongs to.
The personal data processor (in the Act's own terminology, the "operator", a role closer to a GDPR "controller" than a GDPR "processor") is a state or municipal body, a legal entity or an individual that, independently or jointly with others, organizes and/or carries out the processing of personal data and determines the purposes of processing, the composition of the personal data to be processed and the actions (operations) performed with it.
These bodies and persons are processors regardless of whether they are included in the register of operators processing personal data, which is maintained by Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media) (http://www.consultant.ru/document/cons_doc_LAW_186584/).
The dissemination of personal data means actions aimed at disclosing personal data to an indefinite number of persons; the provision of personal data means actions aimed at disclosing personal data to a specific person or a specific group of persons.
The processing of personal data must comply with the principles and rules laid down in Article 5 of Federal Act No. 152 and is allowed only on the grounds specified by law. Article 6 of Federal Act No. 152 lists those grounds; the first and general one is the consent of the subject of personal data to the processing.
Is it necessary to obtain the patient's consent to personal data processing?
Parts 1 and 2 of Article 9 of Federal Act No. 152 establish that the subject of personal data decides whether to provide their personal data and consents to its processing freely, of their own will and in their own interest. Consent to personal data processing must be specific, informed and conscious. It may be given by the subject of personal data or their representative in any form that allows the fact of its receipt to be confirmed, unless otherwise provided by federal law.
The subject of personal data may withdraw consent to the processing of their personal data. If consent is withdrawn, the processor may continue processing without the subject's consent only on the grounds specified in clauses 2-11 of part 1 of Article 6, part 2 of Article 10 and part 2 of Article 11 of Federal Act No. 152.
Part 4 of Article 9 of Federal Act No. 152 sets out the contents of the subject's consent to the processing of their personal data, which, in particular, must include:
- surname, first name, patronymic, address of the subject of personal data, number of the main document proving their identity, information on the date of issue of the specified document and the issuing authority;
- surname, first name, patronymic, address of the representative of the personal data subject, number of the main document proving their identity, information on the date of issue of that document and the issuing authority, and details of the power of attorney or other document confirming the authority of the representative (when consent is obtained from the representative of the personal data subject);
- name or surname, first name, patronymic and address of the processor who receives the consent of the subject of personal data;
- the purpose of personal data processing;
- a list of personal data for the processing of which the consent of the personal data subject is given;
- name or surname, first name, patronymic and address of the person who processes personal data on behalf of the processor, if the processing is entrusted to such a person;
- a list of actions with personal data, for which consent is given, a general description of the methods used by the processor for personal data processing;
- the period during which the consent of the subject of personal data is valid, as well as the method of its withdrawal, unless otherwise established by federal law;
- the signature of the personal data subject.
The burden of proving that the subject's consent to the processing of their personal data was obtained rests with the processor (part 3 of Article 9 of Federal Act No. 152).
By virtue of Article 5 of Federal Act No. 152, the processing of personal data must be limited to the achievement of specific, predetermined and legitimate purposes; processing that is incompatible with the purposes of collection is not allowed. Under clause 1 of part 1 of Article 6, as a general rule the processing of personal data must be carried out with the subject's consent to that processing. Recall that de-identification is itself a form of processing.
Thus, in order to obtain de-identified data, it is imperative to obtain the patient's consent.
How to collect de-identified data correctly?
In order to comply with the requirements of the law while still being able to collect and process de-identified medical data, we suggest that the following requirements be met:
- An appropriate information system must be implemented in a medical organization collecting the required personal medical data.
- When collecting data in such an information system, patients must be explicitly asked for consent to the processing of their personal data.
- The text of the consent must explicitly state that the patient grants the Processor (medical organization) the right to process personal data, including de-identification. For example, we recommend including the following wording in the consent: "I grant the Processor the right to carry out all actions (operations) with my personal data, including collection, systematization, accumulation, storage, updating, modification, use, de-identification, blocking, destruction." Once such consent is signed, the medical organization acquires the right to de-identify patients' medical data without any additional conditions other than those specified by law.
- An appropriate agreement on the collection of de-identified data must be signed between the processor of medical data and the developer of the artificial intelligence system, which must clearly indicate the purposes of collection, processing methods and the composition of the data.
- De-identification of data before sending it to the Developer must be carried out strictly within the information system of the Processor (medical organization). You cannot take identifiable medical data, for example from a medical information system, PACS or laboratory system, and send it "as is" to an AI developer who will then de-identify it; that would be a clear violation of the law. De-identification must be done by the Processor, and only the already de-identified data, obtained through lawful processing with the permission of the data subject (the patient), may be transferred to the information system of the AI Developer, and only on the basis of a signed agreement.
- Data is transferred strictly in de-identified form, in compliance with the requirements of the legislation of the Russian Federation on the protection of personal data.
- The de-identified data obtained is used only on the territory of the Russian Federation.
By virtue of clause 9 of part 1 of Article 6 of Federal Act No. 152, personal data may be processed without the prior consent of the subject for statistical or other research purposes, subject to mandatory de-identification of the personal data. The exception is processing for the purpose of promoting goods, works or services on the market by making direct contact with a potential consumer via communications, and processing for political campaigning; processing for such purposes is allowed only with the prior consent of the subject of personal data.
The agreement on the transfer of de-identified data between the medical organization (Processor) and the Developer of the artificial intelligence system must explicitly list the research purposes for which the de-identified patient data will be used, for example:
- for research purposes, including analysis, generalization, comparison with data of third parties, determination of novelty and originality, creation of databases related to the planning of future research and development activities;
- in order to create structured datasets necessary for machine learning in artificial intelligence systems, as well as for use in expert systems.
If the consent to data processing and the agreement between the Processor and the Developer on the transfer of data for research purposes are drawn up correctly, no additional permission from the patient is required to use their de-identified data for these purposes.
In addition, we note that, in accordance with part 2 of Article 91 of Federal Act No. 323 of November 21, 2011 (as amended on May 29, 2019) "On the Basics of Protecting the Health of Citizens in the Russian Federation" (hereinafter Federal Act No. 323), the processing of personal data in healthcare information systems is carried out in compliance with the requirements established by the legislation of the Russian Federation on personal data and with medical confidentiality.
Under Article 91.1 of Federal Act No. 323, the unified state information system in the field of health care includes information about persons receiving medical care and persons undergoing medical examinations, including social data and information about the medical care provided. This information is stored as specified in Article 94 of Federal Act No. 323 and is de-identified in the manner established by the authorized federal executive body in agreement with the federal executive body exercising control and supervision in the field of mass media.
Thus, de-identification of personal data is, among other things, an unavoidable obligation of a medical organization when working with the Unified State Health Information System, which means that consent to de-identification of data is, in fact, a typical condition in the provision of m