For medical researchers, handling protected health information (PHI) and contending with a patchwork of regulations is already challenging. However, the problem has recently been exacerbated across the pond.
Now that it has officially departed from the EU, the UK is attempting to reinvent EU protections for health data and other protected personal information.
The British government has issued another round of modifications to its proposed replacement for the EU’s General Data Protection Regulation (GDPR), which has regulated the processing and transfer of personal information – including patient data – since coming into force in 2018.
The latest draft of the UK’s Data Protection and Digital Information Bill (DPDIB) exemplifies the difficulty of compliance for medical researchers operating with data sourced from multiple sites or jurisdictions, especially in a post-Brexit regulatory environment.
Medical researchers require access to diverse data from multiple sites and populations in order to ensure that data sets are comprehensive, unbiased, and reflective of broader populations.
But as it stands, many data privacy laws prohibit data from being moved outside the country of origin, preventing medical data from being centralised for research analyses and algorithm training.
The draft UK bill promises to “unlock the power of data” while still “retaining a global gold standard for data protection.” But can the power of data be “unlocked” and “secured” simultaneously? And what does this mean for international research collaborations?
If the DPDIB were to be enacted, the proposed changes would likely streamline medical research projects, at least nationally. The bill would expand the definition of scientific research to make it easier for data to be used and reused. At the same time, there are concerns about the potential for misuse and the loosening of stringent protective requirements.
Some of the notable changes in the bill centre around privacy definitions and anonymisation protocols. As it stands, anonymised data, which cannot be reidentified or attributed to an individual, is not subject to GDPR requirements.
GDPR governs only pseudonymised data – data from which personal identifiers have been removed and replaced with random identifiers – and personally identifiable information (PII).
While prior iterations considered pseudonymised data to be personal data if anyone could identify the individual from the given information, the new bill focuses on whether a living individual is identifiable by the data controller or processor through “reasonable means.”
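The distinction can be made concrete with a short sketch (all field names and records here are hypothetical, purely for illustration): pseudonymisation swaps direct identifiers for random tokens but retains a separate key table that permits reidentification – which is why the data remains “personal data” under GDPR – whereas anonymisation would also destroy that key.

```python
import uuid

# Hypothetical patient records (all values are illustrative)
records = [
    {"name": "Alice Smith", "nhs_number": "943-476-5919", "diagnosis": "T2 diabetes"},
    {"name": "Bob Jones",   "nhs_number": "401-023-2137", "diagnosis": "hypertension"},
]

def pseudonymise(records):
    """Replace direct identifiers with random tokens.

    Returns (pseudonymised_records, key_table). Because the key table
    can reverse the mapping, the output is still personal data under
    GDPR; destroying the key table is a step towards anonymisation.
    """
    key_table = {}
    out = []
    for rec in records:
        token = uuid.uuid4().hex
        key_table[token] = {"name": rec["name"], "nhs_number": rec["nhs_number"]}
        out.append({"subject_id": token, "diagnosis": rec["diagnosis"]})
    return out, key_table

pseudo, key = pseudonymise(records)
```

Whether such data counts as identifiable then turns on who holds the key table and whether reidentification is achievable by “reasonable means” – precisely the question the bill reframes.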
By specifying the definition of personal data, the proposed amendment drifts slightly from GDPR. Still, most experts do not believe it will impact the UK’s ability to maintain data adequacy with the EU.
At the same time, the bill relaxes record-keeping requirements, seeking to reduce the operational burden on private organisations. This amendment has been heavily criticised, however, for weakening protections and opening the door to large-scale access to private personal records.
For multi-site clinical trials, particularly those with hybrid study designs that incorporate real-world data (RWD), it is already incredibly challenging to use data from multiple health institutions, and the challenge is only exacerbated if the sites are operating under different regional or national jurisdictions.
Since these new regulations would apply in the UK only, British research institutions that collaborate in Europe may not opt to amend their existing approach to data protection. Instead, they might simply ensure that they are still compliant with the GDPR and can share and access information from European clinical trials and recruitment.
It is important to note here that GDPR has an extraterritorial scope, meaning it applies to non-EU organisations processing the personal data of individuals within the European Economic Area (EEA). This already creates compliance complexities for international research collaborations involving EEA data subjects.
GDPR then restricts the transfer of personal data outside the EU/EEA to countries that are not deemed to provide an adequate level of data protection. While some countries have received an “adequacy decision” from the European Commission, allowing data transfers without additional safeguards, many countries lack this status.
Consequently, researchers need to establish appropriate safeguards, such as standard contractual clauses or binding corporate rules, to ensure lawful data transfers.
The jury is still out on whether the EU will deem UK protections “adequate” once the Data Protection and Digital Information Bill is passed. If it does not, UK researchers wishing to handle the personal information of EU subjects will face additional hurdles.
With all these complications in mind, let us talk about solutions. One way forward is with federated learning (FL), a method for training artificial intelligence models with data from multiple sources that can prevent reidentification, thus removing many barriers to data sharing.
Federated learning connects healthcare records held at different institutions. By processing data ‘on the edge’ – an approach sometimes called federated computing – copies of an AI model travel to local sites while the data itself remains on its original server, maintaining patient privacy and leaving data sovereignty intact. In short, the model travels to the data rather than the reverse.
This approach eliminates the need to transfer data to a centralised server, enabling the compilation and use of a broader range of data sets while avoiding privacy violations.
Moreover, it limits the number of individuals who have access to the data, because the AI performs its computations on site and reports only the results of the analysis. Federated computing avoids many bureaucratic hurdles because the data itself neither migrates nor is stored centrally.
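As a rough illustration of the idea – not the API of any particular FL framework, and using synthetic data standing in for records at three hypothetical hospital sites – each round of federated averaging sends the current global model to every site, each site refines it against its local data, and only the updated parameters (never the records) travel back for aggregation:

```python
import numpy as np

rng = np.random.default_rng(0)

# Synthetic local data at three hospital "sites"; in a real deployment
# each (X, y) would live on that site's own server and never leave it.
true_w = np.array([2.0, -1.0])
sites = []
for _ in range(3):
    X = rng.normal(size=(100, 2))
    y = X @ true_w + rng.normal(scale=0.1, size=100)
    sites.append((X, y))

def local_update(w, X, y, lr=0.1, epochs=20):
    """Gradient-descent steps on one site's data; only weights leave the site."""
    w = w.copy()
    for _ in range(epochs):
        grad = 2 * X.T @ (X @ w - y) / len(y)
        w -= lr * grad
    return w

# Federated averaging: the model travels to the data, not the reverse
w_global = np.zeros(2)
for _ in range(10):
    local_ws = [local_update(w_global, X, y) for X, y in sites]
    w_global = np.mean(local_ws, axis=0)  # aggregate parameters only
```

The aggregator only ever sees parameter vectors, yet the averaged model ends up close to what training on the pooled data would produce – which is the appeal for multi-jurisdiction research.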
The federated learning approach is ideal for researchers looking to remain compliant across multiple jurisdictions – letting researchers unlock the power of data while still putting patient privacy first.
Life sciences AI developers and researchers worldwide have started to adopt FL as an important tool in preserving patient privacy while also unlocking the value of previously siloed data.
Top global pharmaceutical companies are applying FL across the drug lifecycle – from drug discovery to clinical trial recruitment, evidence-generating studies and post-market surveillance – to access rich clinical data sets in a secure, compliant manner.