Representation of Personal and Person-Generated Data with HL7 FHIR and HAPI Endpoint Security with TSD: Proof-of-Concept Study (Preprint)

2021 ◽  
Author(s):  
AYAN CHATTERJEE ◽  
Andreas Prinz
Keyword(s):  
Data Protection ◽  
Data Exchange ◽  
Service Providers ◽  
Application Programming Interface ◽  
Information Model ◽  
Behavioral Data ◽  
Health Records ◽  
Standard Format ◽  
General Data Protection Regulation ◽  
Health Level 7

BACKGROUND Interoperability is a challenge in healthcare information systems because of heterogeneity in semantic and technical levels of data. It creates a problem in exchanging data from different sources. Person-Generated Health Data (PGHD) is health-related data created, recorded, or collected by individuals or family members, or caregivers. PGHD can be captured passively and continuously to create a more accurate and comprehensive picture of the individual. PGHD is a category of Personal Health Records (PHR) that helps people to store and manage their health records. The rapid growth of PHRs and standards to exchange PHRs in a secure way have improved different aspects of health practices and personal care. OBJECTIVE This is a two-fold study. First, this study aims to investigate Health Level 7’s (HL7) new standard, Fast Healthcare Interoperable Resources (FHIR), as a standard format to explain information model (personal, physiological, and behavioral data from heterogeneous sources, such as activity sensor, questionnaire, and interview) and clinical terminologies together. Second, we explore the protocol’s advantages in some detail and critically analyze endpoint security of the HL7 application programming interface (HAPI). METHODS To address the interoperability problem, we combine FHIR and internationally acclaimed medical terminologies and use JavaScript object notion (JSON) to represent and exchange PGHD. We develop a secure digital infrastructure with TSD (services for sensitive data) as Infrastructure as a Service (IaaS), where we deploy the HAPI FHIR server as a docker image. We integrate the concepts such as authentication, authorization, and identity brokering to protect HAPI REST interfaces. PGHD inside TSD are protected following the Norwegian Data Protection Policies (NORMEN) and General Data Protection Regulation (GDPR). We use personal, physiological, and behavioral data involved in health monitoring and store them in the TSD database using the HAPI FHIR server. Storage and retrieval of PGHD from TSD are HL7 compliant. RESULTS First, we discuss storing PGHD in TSD and retrieving it from TSD following HL7 protocol using the HAPI FHIR server in JSON format, combining the information model and medical terminologies. Second, it describes how to secure HAPI REST APIs with the TSD platform. CONCLUSIONS FHIR resources can establish a coherent view of PGHD collected from heterogeneous sources by enabling flexible data exchange between stakeholders and service providers. Besides, the study reveals that TSD is a secure platform for the management of PGHD. CLINICALTRIAL NA

scholarly journals OpenEHR and General Data Protection Regulation: Evaluation of Principles and Requirements (Preprint)

2018 ◽  
Author(s):  
Duarte Gonçalves-Ferreira ◽  
Mariana Sousa ◽  
Gustavo M Bacelar-Silva ◽  
Samuel Frade ◽  
Luís Filipe Antunes ◽  
...  
Keyword(s):  
Data Protection ◽  
Personal Data ◽  
Design Principles ◽  
Security And Privacy ◽  
The European Union ◽  
Health Records ◽  
General Data Protection Regulation ◽  
Personal Data Protection ◽  
General Data ◽  
The Common

BACKGROUND Concerns about privacy and personal data protection resulted in reforms of the existing legislation in the European Union (EU). The General Data Protection Regulation (GDPR) aims to reform the existing directive on the topic of personal data protection of EU citizens with a strong emphasis on more control of the citizens over their data and in the establishment of rules for the processing of personal data. OpenEHR is a standard that embodies many principles of interoperable and secure software for electronic health records (EHRs) and has been advocated as the best approach for the development of hospital information systems. OBJECTIVE This study aimed to understand to what extent the openEHR standard can help in the compliance of EHR systems to the GDPR requirements. METHODS A list of requirements for an EHR to support GDPR compliance and also a list of the openEHR design principles were made. The requirements were categorized and compared with the principles by experts on openEHR and GDPR. RESULTS A total of 50 GDPR requirements and 8 openEHR design principles were identified. The openEHR principles conformed to 30% (15/50) of GDPR requirements. All the openEHR principles were aligned with GDPR requirements. CONCLUSIONS This study showed that the openEHR principles conform well to GDPR, underlining the common wisdom that truly realizing security and privacy requires it to be built in from the start. By using an openEHR-based EHR, the institutions are closer to becoming compliant with GDPR while safeguarding the medical data.

scholarly journals BRIDG: a domain information model for translational and clinical protocol-driven research

2017 ◽  
Vol 24 (5) ◽  
pp. 882-890 ◽  
Author(s):  
Lauren B Becnel ◽  
Smita Hastak ◽  
Wendy Ver Hoef ◽  
Robert P Milius ◽  
MaryAnn Slack ◽  
...  
Keyword(s):  
Clinical Data ◽  
Biomedical Research ◽  
Data Exchange ◽  
Information Model ◽  
International Standards ◽  
Data Standards ◽  
Health Level 7 ◽  
Health Level ◽  
Analysis Experiment ◽  
Domain Information

Abstract Background: It is critical to integrate and analyze data from biological, translational, and clinical studies with data from health systems; however, electronic artifacts are stored in thousands of disparate systems that are often unable to readily exchange data. Objective: To facilitate meaningful data exchange, a model that presents a common understanding of biomedical research concepts and their relationships with health care semantics is required. The Biomedical Research Integrated Domain Group (BRIDG) domain information model fulfills this need. Software systems created from BRIDG have shared meaning “baked in,” enabling interoperability among disparate systems. For nearly 10 years, the Clinical Data Standards Interchange Consortium, the National Cancer Institute, the US Food and Drug Administration, and Health Level 7 International have been key stakeholders in developing BRIDG. Methods: BRIDG is an open-source Unified Modeling Language–class model developed through use cases and harmonization with other models. Results: With its 4+ releases, BRIDG includes clinical and now translational research concepts in its Common, Protocol Representation, Study Conduct, Adverse Events, Regulatory, Statistical Analysis, Experiment, Biospecimen, and Molecular Biology subdomains. Interpretation: The model is a Clinical Data Standards Interchange Consortium, Health Level 7 International, and International Standards Organization standard that has been utilized in national and international standards-based software development projects. It will continue to mature and evolve in the areas of clinical imaging, pathology, ontology, and vocabulary support. BRIDG 4.1.1 and prior releases are freely available at https://bridgmodel.nci.nih.gov.

SEVERAL QUESTIONS REGARDING THE RULES FOR THE PROTECTION OF PERSONAL DATA IN KINDERGARTEN

2021 ◽  
Vol 12 (1) ◽  
pp. 261-268
Author(s):  
Angel Manchev ◽  
Keyword(s):  
Data Protection ◽  
Technological Progress ◽  
Data Exchange ◽  
Personal Data ◽  
The European Union ◽  
General Data Protection Regulation ◽  
Personal Data Protection ◽  
The Core ◽  
General Data ◽  
The Republic

The protection of personal data is one of the core values of modern European societies. This protection is provided by the law of the European Union and by the national legislations of the Member States, to which the Republic of Bulgaria also belongs. As of May 25, 2018, the protection of personal data is being expanded and updated in response to technological progress and the increasingly accelerated data exchange. The reason for this is the entry into force of Regulation (EU ) 2016/679 (General Data Protection Regulation, GDPR) and the changes in our national law that it imposes. In the sense of what has been said so far, the issues of personal data protection in children’s institutions are especially relevant, because these organizations actively handle personal data at any level of children, parents, teachers and staff. In this article, we will try to give short answers to some of the most important questions regarding personal data and the rules for their protection, according to European and Bulgarian legislation.

scholarly journals Identity Management and Protection Motivated by the General Data Protection Regulation of the European Union—A Conceptual Framework Based on State-of-the-Art Software Technologies

Technologies ◽  
2018 ◽  
Vol 6 (4) ◽  
pp. 115
Author(s):  
Pascal Birnstill ◽  
Erik Krempel ◽  
Paul Wagner ◽  
Jürgen Beyerer
Keyword(s):  
Data Protection ◽  
Service Providers ◽  
State Of The Art ◽  
Personal Data ◽  
Legal Rights ◽  
Data Provenance ◽  
The European Union ◽  
Usage Control ◽  
General Data Protection Regulation ◽  
General Data

In times of strongly (personal) data-driven economy, the inception of the European General Data Protection Regulation (GDPR) recently reinforced the call for transparency and informational self-determination—not only due to the penalties for data protection violations becoming significantly more severe. This paper recaps the GDPR articles that should be noticed by software designers and developers and explains how, from the perspective of computer scientists, the summarized requirements can be implemented based on state-of-the-art technologies, such as data provenance tracking, distributed usage control, and remote attestation protocols. For this, the challenges for data controllers, i.e., the service providers, as well as for the data subjects, i.e., the users whose personal data are being processed by the services, are worked out. As a result, this paper proposes the ideal functionality of a next-generation privacy dashboard interacting with data provenance and usage control infrastructure implemented at the service providers to operationalize the legal rights of the data subject granted by the GDPR. Finally, it briefly outlines the options for establishing trust in data provenance tracking and usage control infrastructures operated by the service providers themselves.

scholarly journals The General Data Protection Regulation and its Violation of EU Treaties

2018 ◽  
Vol 27 ◽  
pp. 36-40
Author(s):  
Mario Rosentau
Keyword(s):  
Data Protection ◽  
Service Providers ◽  
Fundamental Rights ◽  
European Law ◽  
Member States ◽  
General Data Protection Regulation ◽  
European Constitution ◽  
General Data ◽  
The Eu ◽  
Draft Constitution

While the EU General Data Protection Regulation, which entered force on 25 May, is generally good and necessary in its vigorous protection of the fundamental rights of self‑determination and identity of European people, the article identifies a core issue that has gone unnoticed: the GDPR violates EU treaties. It is, at base, a ‘European law’, yet European laws are banned under the TEU and TFEU. The article examines the background for this conflict. The ambitious plan for ratification of 2003’s draft treaty establishing a constitution for Europe fell at the first hurdle in 2005. The draft Constitution envisaged a legislative innovation: the European law and European framework law, directly applicable in the Member States and superior to them. These legal instruments, envisaged as replacing EU regulations, could readily be cited as a major federalist pillar of the draft. Yet there would be no European laws – they were rejected with the draft constitution in the 2005 referenda, and the current treaties do not foresee any law-like European legislation. The author outlines the GDPR’s nature as a European law thus: the regulation 1) potentially concerns all residents of Europe, albeit by adding to the rights of individuals and protecting their freedoms; 2) addresses virtually all legal entities and undertakings acting, physically or through a network, in the European judicial area; 3) addresses the Member States and the EU itself; 4) and has cross-border applicability and covers the whole EU. Furthermore, its reach extends to service providers outside the EU if their service targets EU data subjects. There are substantial impacts on subjects on whom obligations are substantial. Hence, the author concludes that the GDPR’s scope, depth, and impacts exceed all the limits that the EU treaties permit for regulations. Furthermore, the treaties do not even know the term ‘general regulation’. Since the GDPR possesses the characteristics of a ‘European law’ – and even is ‘seamlessly’ positioned in a place reserved by the draft EU Constitution for the ‘European law on data protection’ – while such laws have been rejected, a key issue is highlighted: how deep an EU-level political integration and relinquishment of the individual European nations’ sovereignty do the Member States actually want? For instance, most analyses of the causes of Brexit cite loss of sovereignty of the UK as one of the main factors in the decision. The author concludes that, since the GDPR is with us to stay, amendment of the EU treaties can no longer be avoided. Noble objectives cannot justify infringements of the present ‘European Constitution’ and the constitutions of the Member States.

Cookie Banners and Privacy Policies: Measuring the Impact of the GDPR on the Web

2021 ◽  
Vol 15 (4) ◽  
pp. 1-42
Author(s):  
Michael Kretschmer ◽  
Jan Pennekamp ◽  
Klaus Wehrle
Keyword(s):  
Data Processing ◽  
Data Protection ◽  
Interface Design ◽  
Service Providers ◽  
Personal Data ◽  
Online Services ◽  
General Data Protection Regulation ◽  
Opt Out ◽  
Public Data ◽  
The Impact

The General Data Protection Regulation (GDPR) is in effect since May of 2018. As one of the most comprehensive pieces of legislation concerning privacy, it sparked a lot of discussion on the effect it would have on users and providers of online services in particular, due to the large amount of personal data processed in this context. Almost three years later, we are interested in revisiting this question to summarize the impact this new regulation has had on actors in the World Wide Web. Using Scopus, we obtain a vast corpus of academic work to survey studies related to changes on websites since and around the time the GDPR went into force. Our findings show that the emphasis on privacy increased w.r.t. online services, but plenty potential for improvements remains. Although online services are on average more transparent regarding data processing practices in their public data policies, a majority of these policies still either lack information required by the GDPR (e.g., contact information for users to file privacy inquiries) or do not provide this information in a user-friendly form. Additionally, we summarize that online services more often provide means for their users to opt out of data processing, but regularly obstruct convenient access to such means through unnecessarily complex and sometimes illegitimate interface design. Our survey further details that this situation contradicts the preferences expressed by users both verbally and through their actions, and researchers have proposed multiple approaches to facilitate GDPR-conform data processing without negatively impacting the user experience. Thus, we compiled reoccurring points of criticism by privacy researchers and data protection authorities into a list of four guidelines for service providers to consider.

Sign in / Sign up

Export Citation Format

Share Document