Legal report

Below there is a brief overview of the legal aspects of the CovidScipy app. It includes relevant parts of the recent law on data protection and how it affects the app, as well as what measures have to be taken.

Law

Starting May 2018, a new law regarding data protection comes into place. The required legal information which must be displayed to the user is the following:

  • Existence of the file, its use and who can use it.
  • Rights of access, correction, cancellation and opposition.
  • Contact information of the Database delegate.
  • Judicial basis of the treatment.
  • How long is information kept and based on what criteria.
  • Existence of automated decisions or profile elaboration.
  • Transfer of information to other countries.
  • Right to make a claim to the Control Authorities.
  • Origin of the data [data not obtained from patient].
  • Category of the data [data not obtained from patient].

Database delegate: Person in charge of the data that is being kept. Required information must be made available in these time frames:

  • Data obtained from patient: Right after the data is obtained.
  • Data not obtained from patient: Before a month or before first communication with patient or before communicating to other parties.
  • No requirements to ask for information. The completion of this right must be documented.
  • This information can be processed via web forms or email. The information that can be requested includes:

  • Confirm whether or not their personal data is being processed.
  • Provide a copy of the personal data of the patient.
  • Provide information about the processing (such as purposes, categories of personal data, recipients, etc.).
  • Regarding Data elimination, this must be done at the user’s request except when:

  • The personal data is needed to exercise the right of freedom of expression.
  • There is a legal obligation to keep the data.
  • For reasons of public interest (e.g. public health, scientific, statistical or historical research purposes).
  • Another thing to take into account in this new law is that premarked checkboxes are not allowed (e.g. premarked checkbox for receiving advertising). Breaches of security must be informed to users in less than 72 hours.

Display of legal information

Information displayed by levels: first level displays basic information with a short description while the second level displays additional, more detailed information which can be accessed by expanding the first level. This information is split in 5+1 sections:

  • Person in charge.
  • Objective of the treatment.
  • Legal legitimacy.
  • Third parties that may receive the information.
  • Rights of the people involved.
  • Origin of the data [in case they are not obtained from the patient.

Anonymity
The degree of anonymity must be defined for two groups of individuals:

  • Patients: From which the data is acquired. This data is then processed.
  • Users: People/entities that provide the data. These are required to register and must therefore provide personal information.

Patients

The information on the patients consists on the methilation of the DNA of the aforementioned. Name, last name or other identificators are not recorded in the website’s database so this information could be considered anonymus. Still, because genetic information is treated, it is possible data protection legislation applies.

Legislation on data protection does not apply if there is no way the information can be traced back to the patient. Else, the information falls in to the sensitive information category and must therefore satisfy more security checks. Sensitive data can only be processed with the explicit consent of the user or if it falls into these categories:

  • The data is processed for the purposes of preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of EU or national law, or on the basis of a contract as a health professional
  • The data is processed for reasons of public interest in the field of public health on the basis of EU or national law.
  • The data is processed for archiving, scientific or historical research purposes or statistical purposes on the basis of EU or national law.

Users

Users are prompted to put their username, affiliation, email, password etc. This falls into the data protection law as the information is not anonymous. Therefore, a checkbox in which the user agrees with the terms and conditions of the website needs to be checked when registering.

Research or diagnosis tool

An important detail is if the classificator will be used as a research tool or as a diagnosis tool. In case of use as a research tool, an indicator of this condition must be displayed to the user (similar to what is done in the german website) and the hospital is therefore not responsible for the use that is made of said classificator. If, on the other hand, the classificator is used as a diagnosis tool that can influence the treatment that is provided to the patient, it must then be compliant with more legislation and go through more exhaustive validation processes.