
Introduction

Data can be non-personal data generated by a production machine, or personal data: the name, address, location, online identifier, cultural profile, income, and health information of a subject. Within personal data, we find Biomedical Data: all the data and information that belong to a patient. The main kinds are:

  • Medical examination - all data from examinations that depict a medical condition.
  • Inpatient health monitoring - all data generated and stored when we undergo some clinical practice (e.g. an ECG recording).
  • Medical imaging - images with an associated report in which they are interpreted and which states what kind of illnesses the patient may have.
  • Laboratory data - data obtained from analysis in the laboratory.
  • Patient-generated health data - data generated with an application on our smartphone.

All biomedical data must be protected from physical breaches in the facilities that hold them and from flaws in the protection system of those same facilities.

Italy has the electronic health record, a collection of the position, the hospital or the laboratory, in which the patient's data are stored. In recent years cybersecurity has developed because cybercriminals have attacked hospitals all over the world, blocking systems or stealing data for ransom.

MEDJACK (medical device hijacking) targets healthcare systems and devices (blood gas analysers, PACS, infusion/insulin pumps, pacemakers...) because they often run obsolete software (WinXP, ...) and are closed (systems not updated and without antivirus). IT departments cannot manage them and don't have administrator privileges, and the devices often handle data in clear. All these instruments are very delicate objects from the cybersecurity point of view. The malware targets obsolete software, WinXP for example: the obsolete system is considered less important than other systems, and the MEDJACK malware is no longer considered dangerous by protection systems. At this point it performs “lateral movement” and infects weak devices. Once a weak device has been infected, it leaves a backdoor for the cybercriminal into the corporate network of the hospital. In this way, attackers can gain access everywhere, in each hospital, in each country.

Another attack is Orangeworm, whose Kwampirs malware was detected in X-ray and MRI control machines and in computers used for filling in patient consent statements.

The healthcare sector is so heavily targeted by these attacks because personal data are worth a lot of money on the black market, and the most sensitive data are healthcare records.

In general, there are three areas that we must care about:

  • Safety – protecting data or infrastructure from accidents that occur by chance.
  • Privacy – the state of being alone or kept apart from others.
  • Security – protecting data, systems and infrastructure from fraudulent attacks.

The level of security and safety is tied to many technical regulations, including the mandatory Italian regulations:

General Data Protection Regulation (GDPR): it concerns EU citizens wherever they are and must be observed by any entity, company or institution that processes personal data.

Network and Information System Directive: it concerns the systems that handle personal data, from a more technological perspective; it applies to critical infrastructure that cannot be blocked, where data flow continuously.

Minimal measures of ICT security and data treatment: they are a practical reference for evaluating and improving the level of IT security of administrations, in order to counter the most frequent cyber threats. The measures consist of controls of a technological, organizational and procedural nature, useful for Public Administrations to assess their level of IT security. There are other regulations that are optional, so a hospital can choose whether to comply with them.

GDPR: the General Data Protection Regulation (GDPR) is a European regulation, valid in all EU countries, for protecting personal data.

Enforced on 25 May 2018, it aims to harmonize data privacy laws across Europe, and to protect and empower the data privacy of all EU citizens, from both the legal and the technical point of view.

- Art. 5 GDPR – Principles relating to processing of personal data. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. They are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

- Art. 9 GDPR – Processing of special categories of personal data, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person's sex life or sexual orientation, shall be prohibited. This does not apply if the data subject has given explicit consent to the processing of those personal data for some specified purposes.

- Art. 32 GDPR – Security of processing: the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data; the ability to ensure confidentiality (the state of keeping or being kept secret or private), integrity (internal consistency or lack of corruption in electronic data), availability (the quality of being able to be used or obtained) and resilience (resilient to accidents, made with redundancy) of processing systems and services.

GDPR Actors:

  • European Data Protection Board - the board is composed of the head of a supervisory authority of each Member State and of the European Data Protection Supervisor. Its role is to review what is working and what is not working and to give advice and guidance. The Board has a Chair/President. There's consultation between the European Union commission and the Board.
  • Supervisory Authority - an independent

A data protection authority is a public authority established by a Member State to enforce legislation locally. Its role is to ensure that regulations are implemented in each state and it is responsible for imposing and managing administrative fines on controllers and processors. The authority must also coordinate with other supervisory authorities in cases where there are multiple actors in more than one member state involved in a dispute.

A data processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. Processors do not determine the purpose or means of the processing; they simply process the data as requested by the controller. This can also occur when data processing is outsourced to a third party, such as a cloud service provider. In the past, only the data controller would be fined for non-compliance. However, under the new legislation, the processor is also liable.

A data controller is the entity that determines the purposes and means of the processing of personal data.

be able to carry out their tasks independently and without conflicts of interest.

Consent - It is one of the legal bases for processing personal data under the GDPR. Consent must be freely given, specific, informed, and unambiguous. It must be a clear affirmative action by the data subject, indicating their agreement to the processing of their personal data. The data controller must be able to demonstrate that valid consent has been obtained, and the data subject has the right to withdraw their consent at any time.

Personal Data - It is any information relating to an identified or identifiable natural person. This includes name, address, email address, identification number, location data, and online identifiers. The GDPR provides additional protection for certain categories of personal data, such as health data, biometric data, genetic data, and data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and sexual orientation.

Data Breach - It is a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. Under the GDPR, data controllers are required to notify the supervisory authority of a data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

Right to Erasure (Right to be Forgotten) - It is one of the data subject's rights under the GDPR. The data subject has the right to request the erasure of their personal data when it is no longer necessary for the purpose for which it was collected, when the data subject withdraws their consent, when the data subject objects to the processing and there are no overriding legitimate grounds for the processing, when the personal data has been unlawfully processed, or when the erasure is required by law.

These are just a few key concepts of the GDPR. It is important for organizations to understand and comply with the regulation to ensure the protection of personal data and the rights of data subjects.

Report directly to the highest level of management and not carry out other tasks that could result in a conflict of interest.

GDPR - key elements:

  • Breach notification: it is mandatory for any data breach that is likely to "result in a risk for the rights and freedoms of individuals". It must be done within 72 hours after discovering the breach. Data processors must notify data controllers "without undue delay" after directly becoming aware of a data breach.
  • Right to access: obtain from the data controller confirmation as to whether a citizen's personal data are being processed, where and for what purpose. The controller shall provide a copy of the personal data, free of charge, in an electronic format.
  • Right to be Forgotten: the data subject can request the data controller to erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
  • Data portability: the data subject has the right to receive his/her personal data in a 'commonly used and machine-readable format' and has the right to transmit that data to another controller.
  • Privacy by Design and by Default: inclusion of data protection from the onset of the design of systems, rather than as an addition.
  • Data minimization: controllers must hold and process only the data necessary for the completion of their duties. Access to personal data must be limited to those who need it to perform their processing.
  • Security of processing: the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Pseudonymization and anonymization – the two main measures used for data protection are:

- Pseudonymization: a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. Pseudonymized data can still go through re-identification to associate them again with a subject. Some pseudonymization techniques are:

  • Scrambling: mixing or obfuscation of letters; the process may be reversible or not;
  • Encryption (symmetric): reversible for those who know the secret key;
  • Masking: some important/unique part of the data is replaced with random characters or other data;
  • Tokenization: a non-mathematical approach that replaces sensitive data with non-sensitive substitutes, referred to as tokens;
  • Blurring: uses an approximation of data values.
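The following added example (not part of the original notes) applies three of the techniques above, tokenization, masking and blurring, to one record, and shows why the result is pseudonymized rather than anonymous: whoever holds the token table can re-identify the subject. The field names, the `TokenVault` class and the sample records are assumptions constructed for illustration.

```python
import secrets

class TokenVault:
    """Tokenization: random tokens; the mapping is stored apart from the data set."""
    def __init__(self):
        self._by_value = {}   # identifier -> token
        self._by_token = {}   # token -> identifier, the re-identification key

    def tokenize(self, value):
        if value not in self._by_value:
            token = "PSN-" + secrets.token_hex(8)   # no mathematical link to value
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def reidentify(self, token):
        return self._by_token[token]

def mask(value, visible=3):
    """Masking: hide everything except the last `visible` characters."""
    if len(value) <= visible:          # too short to show anything safely
        return "*" * len(value)
    return "*" * (len(value) - visible) + value[-visible:]

def blur_age(age, width=10):
    """Blurring: replace the exact age with a range `width` years wide."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"

def pseudonymize(record, vault):
    return {
        "patient": vault.tokenize(record["tax_code"]),  # same subject, same token
        "phone": mask(record["phone"]),
        "age": blur_age(record["age"]),
        "exam": record["exam"],
        "result": record["result"],
    }

# Constructed sample records (not real patients).
RECORDS = [
    {"tax_code": "AAABBB80A01H501X", "phone": "3331234567", "age": 43, "exam": "ECG", "result": "normal"},
    {"tax_code": "AAABBB80A01H501X", "phone": "3331234567", "age": 43, "exam": "blood gas", "result": "pH 7.41"},
    {"tax_code": "CCCDDD75B02F205Y", "phone": "3409876543", "age": 48, "exam": "ECG", "result": "arrhythmia"},
]

if __name__ == "__main__":
    vault = TokenVault()
    for r in RECORDS:
        print(pseudonymize(r, vault))
```

The two exams of the first subject stay linkable through the shared token, which is what keeps the data useful for clinical analysis and also what keeps it personal data under GDPR.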

- Anonymization: personal data are rendered anonymous in such a way that the data subject is no longer identifiable; the data cannot be re-identified, and GDPR does not apply to anonymous data.

k-Anonymity is a special form of anonymization in which the information of each subject cannot be distinguished from that of at least k-1 other individuals. For example, you have 10 individuals with the same data (all born in August, but we don't know the day). The greater k, the more ambiguous the identification. Let RT(A_1, ..., A_n) be a table and QI is a “quasi identifier” assoc
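As an added example (not part of the original notes), the code below measures k for a small table and generalizes the quasi-identifiers, for instance dropping the day of birth as in the August example, until every row shares its quasi-identifier values with at least k-1 others. The table, the column names and the three-level generalization hierarchy are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample table (not real patients); "diagnosis" is the sensitive attribute.
TABLE = [
    {"birth": "1980-08-03", "zip": "60121", "sex": "F", "diagnosis": "diabetes"},
    {"birth": "1980-08-17", "zip": "60125", "sex": "F", "diagnosis": "asthma"},
    {"birth": "1980-08-29", "zip": "60127", "sex": "F", "diagnosis": "diabetes"},
    {"birth": "1975-03-11", "zip": "60131", "sex": "M", "diagnosis": "hypertension"},
    {"birth": "1975-03-02", "zip": "60135", "sex": "M", "diagnosis": "arrhythmia"},
    {"birth": "1975-11-20", "zip": "60139", "sex": "M", "diagnosis": "asthma"},
]
QI = ("birth", "zip", "sex")   # quasi-identifiers: harmless alone, identifying together

def k_of(table, qi=QI):
    """k = size of the smallest group of rows that share the same QI values."""
    groups = Counter(tuple(row[a] for a in qi) for row in table)
    return min(groups.values()) if groups else 0

def generalize(row, level):
    """Assumed hierarchy: 0 = exact, 1 = month + 3-digit ZIP, 2 = year + ZIP suppressed."""
    out = dict(row)
    if level == 1:
        out["birth"] = row["birth"][:7]      # YYYY-MM, day dropped
        out["zip"] = row["zip"][:3] + "**"
    elif level >= 2:
        out["birth"] = row["birth"][:4]      # YYYY only
        out["zip"] = "*****"
    return out

def anonymize(table, k, qi=QI):
    """Return (level, table) for the lowest generalization level that reaches k."""
    for level in range(3):
        candidate = [generalize(r, level) for r in table]
        if k_of(candidate, qi) >= k:
            return level, candidate
    raise ValueError("k not reachable with this hierarchy: suppress rows or lower k")

if __name__ == "__main__":
    print("k of the raw table:", k_of(TABLE))
    level, released = anonymize(TABLE, k=3)
    print("level", level, "gives k =", k_of(released))
    for row in released:
        print(row)
```

At level 1 the table is still only 1-anonymous, because the single subject born in 1975-11 forms a group of one; a single outlier row decides k for the whole release.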

Details

Academic year 2021-2022
82 pages
Scientific-disciplinary sector (SSD): Industrial and Information Engineering, ING-IND/34 Industrial Bioengineering

The contents of this page are the Publisher maria456789's personal reworking of information learned by attending the Biomedical Data Protection lectures and through independent study of any reference books, in preparation for the final exam or thesis. They are not to be understood as official material of the Università Politecnica delle Marche - Ancona or of Prof. Baldi Marco.