GDPR Compliance Challenges for Interoperable Health Information Exchanges (HIEs) and Trustworthy Research Environments (TREs) Dr Ed Conley 1 and Matthias Pocs 2 1 SHiELD Horizon 2020 and Connected Health Cities Projects, AIMES, Liverpool Innovation Park, L7 9NJ, United Kingdom . 2 SHiELD Horizon 2020 Project, Stelar Security Technology Law Research 21035 Hamburg, Germany 18 th International HL7 Interoperability Conference Portsmouth July 12 th 2018
19
Embed
GDPR Compliance Challenges for Interoperable Health ...ihic.info/wp-content/uploads/2018/07/Conley.pdf · Trustworthy Research Environments (TREs) Dr Ed Conley1and Matthias Pocs2
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
GDPR Compliance Challenges for Interoperable Health Information Exchanges (HIEs) and Trustworthy Research Environments (TREs)
Dr Ed Conley1 and Matthias Pocs2
1 SHiELD Horizon 2020 and Connected Health Cities Projects, AIMES, Liverpool Innovation Park, L7 9NJ, United Kingdom.
2 SHiELD Horizon 2020 Project, Stelar Security Technology Law Research 21035 Hamburg, Germany
18th International HL7 Interoperability ConferencePortsmouthJuly 12th 2018
North West Coast CHC Footprint North of England CHC Footprint
Connected Health Cities (CHC)Learning Health through Trustworthy Research Environments
2
OpenNCPCore
Technology Providers Use Case Providers
Shared Infrastructure - Enabling Exchange
Embedded cybersecurity,Privacy, Data
Protection Extensions
DEPLOY SecureDevOps
OpenNCP uses the HL7 International Patient Summary model to exchange information
3
National Contact Point (NCP) RelayUses HL7 IPS to exchange information internally
Mapping between epSOS and C-CDA CCD is completed and will not be updated.
UKPS
ESPS
ITPS
4
Packaging operational systems at run-timeAnalysis à Design à Deploy à Run
LEGALPRIVACY
SecDevOps
Driven by GDPR Principles Privacy-by-Design” and “Data Protection by Default”
For security, privacy and trust, static pre-definition will be
replaced by run-time computed bindings of policies (contextual
rules for processes) continuously calculating risks / trust scores…
8
What damage is GDPR trying to prevent?Controllers must assess the “likelihood and severity of the risk” of any personal data processing operation
relating to any use that “from personal data processing could lead to physical, material or non-material damage”.
DAMAGE EXAMPLES DAMAGE EXAMPLES
9
SHiELD System Vulnerability/Security Modelling
10
Domain Knowledge Interoperability “Interoperability is not just about exchanging data”
Use case and requirements methodology needs to evolve to provide the right knowledge to run processes in human contexts…
This is not a data formats challenge, its about learning how people who use the system think…
Understanding the real stakeholder concerns first through domain knowledge ontologies à each use case can be combined with those created in the past and future
11
Consistent Matching of Information Governance Requirements to Data Processing