Large scale use of real world data in vascular research projects has become a central point for discussion among scientific collaborations worldwide. As there is a distinct diversity of patients with various vascular diseases undergoing a broad range of diagnostic and treatment approaches, it remains unclear whether results from randomised controlled trials (RCTs) can always reflect the non-homogeneous treatment reality. In addition, the design of an RCT is not suited for quality improvement. To address the paucity of evidence and to implement quality improvement in vascular maintenance, several national registries and international collaborations such as VASCUNET (including 12 registries in Europe, Australia, and New Zealand) or the International Consortium of Vascular Registries (ICVR) are collecting an increasing amount of data.
Cross border merging and comparison of these data are valuable in terms of rare events (outcomes) or diseases. In the field of rare entities such as genetic aortic diseases, the European Union (EU) Reference Networks on Rare Diseases (ERNs) support cross border exchange and collection of medical data in terms of research and quality improvement.
To date, the scientific discussion mostly considers external and internal validation of registry data.
However, in the light of so called “big data” applications in modern medicine, another topic has recently arisen. Although the term “big data” is diversely used, it is commonly characterised by its big volume, variety, velocity, and variability.
To meet changing requirements in the field of digital health care, the European Commission proposed a comprehensive reform of data protection rules in the EU. After a transition phase, the EU General Data Protection Regulation (EU-GDPR) will come into force from May 25, 2018 and then replace the existing Federal Data Protection Act. All 28 governments of the EU are working to adapt their national data protection legislation to be in line with the EU-GDPR.

New EU data protection legislation
introduced the term “k-anonymity” as a model for protecting privacy in real world data systems, the importance of this aspect has been increasingly noted. A crosslink between growing data sources potentially allows for re-identifying single individuals. The reform of the data protection legal framework aims to consider these aspects and to harmonise data privacy across the EU through a total of 99 articles and 173 recitals. Local Data Protection Authorities will monitor compliance. A fine of up to 20 million Euros or 4% of global annual turnover means a significant increase in the cost of non-compliance. Several aspects must be highlighted: A local data protection officer must be involved before and during processing of personal data on genetics and health. The controller, who determines the purposes and means of the processing of personal data, shall maintain a record of processing activities under their responsibility. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures to ensure the protection of personal data. A mandatory data protection impact assessment (DPIA) must be carried out, describing all potential harms and suitable safeguards especially for information on health or race.

The EU-GDPR facilitates the data processing for scientific research. Article 89 is devoted to this purpose. “Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organizational measures are in place in particular in order to ensure respect for the principle of data minimization. Those measures may include pseudonymization provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.”
If data are transferred to countries that have not been approved by the EU authorities, legal arrangements are necessary.
Clear informed consent is necessary to process data and plain language is recommended to clarify who exactly is collecting what data for what reason and how long it will be stored or forwarded. The EU-GDPR specifies in recital 33: “It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”
The EU-GDPR introduces the requirement for a personal data breach to be notified to the competent national supervisory authority within 72 h and, in certain cases, to the individuals whose personal data have been affected by the breach.
For example, if medical records in a hospital are unavailable for a period of 30 h because of a cyber attack, the hospital is obliged to notify the supervisory authority and the data subject because of the high risk to patients' well being and privacy. In the field of medical research, advances in capabilities of big data analytics and artificial intelligence have made it easier to make automated decisions, but these have associated impacts on individuals' rights and freedoms.
The EU-GDPR introduces new provisions to address risks arising from profiling and automated individual decision making, notably privacy. A DPIA is required in the case of “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.”
“Privacy by design” will become an essential principle and will incentivise business to innovate and develop new projects and methods for the security and protection of personal data.
Nonetheless, several aspects of the EU-GDPR remain controversial. For instance, processing genetic data (e.g. genetic mutations in aortic diseases) necessitates informed consent not only by the patients but also by their relatives. Furthermore, depending on the rarity of the mutation and the volume of data within the registry project, it might be impossible to de-identify the patient. Lastly, because of the growing volume and variety of data, safeguards that are reasonable today might lose validity in the future. Therefore, regular re-evaluation is necessary.