Dear Phil and all, Replies below. Two documents that may be of interest. The project was initially stopped by Parliament and after the PIA two documents were produced: one on ethical standards <http://aquas.gencat.cat/web/.content/minisite/aquas/projectes/visc/garanties_etiques_us_dades_visc_aquas2015.pdf> and one on anonymisation <http://aquas.gencat.cat/web/.content/minisite/aquas/projectes/visc/dades_proces_anonimitzacio_visc_aquas2015.pdf>. They are very ambitious and included opt-out. However, the project has been now rushed by the government regardless of Parliament, and it is going ahead with no info whatsoever. A Privacy Officer was to be appointed and as far as we know the post hasn't even been announced. On Thu, Apr 2, 2015 at 1:46 PM, Phil Booth < [log in to unmask]> wrote: > Dear Gemma, > > > > This is deeply concerning. I’m afraid I don’t read Catalan/Spanish so I > have only been able to read the articles via Google Translate. > > > > Please could you clarify a few things: > > > > 1) If I understand correctly, the government’s plan boils down to > identifiable patient data being passed to a commercial entity, as yet > undetermined, where it will be pseudonymised in some way and then sold on > to third parties. > The procedure is not clear. In theory anonymisation will happen before the data is sold to research centres (first phase), who can then sell it to third parties. > > > · Do patients have a right to opt out? > No info at the moment. But the info available is strange, as it says people will be able to opt out of anonymisation... > · If so, how are they to be informed and how do they exercise it? > No info yet. A 'procedure' is mentioned in the documents, but no further news. > · How will the company that will be receiving the population’s > identifiable medical records be chosen? Who owns it, etc. etc.? (I’m not > clear on the difference between ICS, AQuAS, etc. – though that may not be > relevant.) > ICS is like the NHS. AQuAS is a public agency that will act as data controller. initially the data will only be shared with research centres, who can then resell it. Grey area still. > · Which third parties will be able to buy data? Who will approve > them, and how? > An internal committee and an external board, in theory. But the system has been launched and such entities don't yet exist. > · Will the (pseudonymised)data itself be passed to the third > parties or will they only have access to it, e.g. via a ‘safe setting’? > It will be passed to 3rd parties after it is anonymised. No safe setting. > · What independent oversight mechanisms, audit and transparency > processes are in place? > External evaluation every two years. Privacy Officer. Internal control body. External board. On paper, looks great. But after rushed process and non-existence of any of the things announced, we fear the PIA will just be a paper exercise. We'll monitor process as much as we can. > > > 2) Is the proposal to sell data that has been pseudonymised merely by > means of hashing one (or more) identifiers, i.e. they are doing nothing > about quasi-identifiers, and are ignoring all the evidence on > re-identification of linked individual-level data? > See anonymisation document. It is pretty complete. Hashing of all identifiers + use of broad ranges for location, weight, height, rare conditions... > > > medConfidential has found it helpful to frame secondary uses of patient > data in terms of “consensual, safe and transparent”. From what I’ve read so > far, the Catalan government’s plans meet none of these criteria. > Again, the documents mention the need to justify the scientific and societal value of what will be done with the data. > > > Please feel free to contact me direct or give me a call on +44 7974 230 > 839, if it would be helpful to chat. > Basically, we need to monitor this very strange process. The response to initial criticism was spot on (PIA + guidelines), but we are unaware of any of the provisions mentioned being in place. We will keep you posted and thank you for all the links provided. They are most helpful! > > > Kind regards, > Happy Easter! > > > Phil > > > > *From:* [log in to unmask] [mailto: > [log in to unmask]] *On Behalf Of *Gemma > Galdon Clavell > *Sent:* 02 April 2015 11:16 > *To:* Javier Ruiz > *Cc:* Discussion list on Data Anonymisation; > [log in to unmask]; <[log in to unmask]>; > mydata-open-data > *Subject:* Re: [globalpriv-discussion] Catalonia to sell "anonymised" > medical records > > > > Dear all, > > As you can see below, the Catalan government has agree to sell medical > records. A PIA was conducted by the regional DPA and there should be a CPO, > but the initiative has been launched despite the opposition from Parliament > and info on the implementation of the PIA recommendations is not available. > > I raised some of the issues in El País last year > http://ccaa.elpais.com/ccaa/2014/10/24/catalunya/1414172573_550596.html, > and this led the Parliament to position itself against the initiative. But > the government has decided to move ahead anyway. > > > > Any 'noise' you can make about this issue will be greatly appreciated. > While I think that Big Data carries a lot of potential in the field of > heath, without robust pseudonimity (hashing is clearly not enough), > transparency and guarantees this is and extremely irresponsible move. > > Kind regards, > > > *Gemma G. Clavell*, PhD > > Eticas Research & Consulting > > C/ Ferlandina 49 (08001 Barcelona) / Reloj 2 (28770 Madrid) > > +34 936 005 400 - www.eticasconsulting.com - @eticasconsult > > > > On Thu, Apr 2, 2015 at 12:07 PM, Javier Ruiz <[log in to unmask]> > wrote: > > HI, sorry it is only in Spanish. > > > > Catalonian authorities agree to sell medical records to researchers > despite a vote by the regional Parliament to stop the project. > > > > > http://politica.elpais.com/politica/2015/04/01/actualidad/1427892067_062214.html > > > > Catalonian data protection authorities and academics had raised concerns > about anonymisation in the context of big data. > > > > http://ccaa.elpais.com/ccaa/2014/11/01/catalunya/1414870966_992102.html > > > > > > > **************************************************** This is a message from the SURVEILLANCE listserv for research and teaching in surveillance studies. To unsubscribe, please send the following message to <[log in to unmask]>: UNSUBSCRIBE SURVEILLANCE For further help, please visit: http://www.jiscmail.ac.uk/help ****************************************************