...
Informed consent (IC) is a process by which a patient or research participant is fully informed about the nature, purpose, risks, and potential benefits of a study or treatment. It ensures that individuals agree to participate voluntarily, with a full understanding of what their involvement entails. In the context of health data, informed consent is also vital for GDPR compliance, as processing personal data (especially sensitive health data) often requires explicit consent from the data subject. Obtaining patients’ informed consent for collecting their data for scientific purposes is usually required [De novo]. Furthermore, patient consent may be necessary for, for example, archiving, sharing [uu_consent] and linkage with e.g. external registries.
When sharing or linking health data with external registries (e.g., disease-specific databases, national health registries, or international research databases), the informed consent process must clearly define:
What data will be shared or linked: The type and nature of the health data (e.g., genetic data, medical history, treatment outcomes) that will be shared or linked with external registries.
Who the data will be shared with: This includes identifying the external registries, research institutions, or third parties that will have access to the data.
Purpose of data sharing/linking: The consent form should explicitly state the research purposes for which the data will be shared, such as epidemiological research, clinical studies, or public health monitoring.
Data security and anonymisation/pseudonymisation: Participants should be informed about how their data will be protected, whether the data will be anonymised or pseudonymised, and what security measures are in place during data sharing.
Furthermore, consent information is necessary for the data to be machine-actionable, as without such data a computer cannot know whether it is allowed to use the data [FAIR].
...
A general informed consent form is available on the website of the CCMO, but a local Institutional Ethical Review Board may demand changes after reviewing it. The board assesses whether the IC aligns with ethical standards and legal requirements, and takes considerations such as age into account. This is important because:
It ensures that the consent form is written in a way that participants in that particular region can understand.
The local committee will assess whether the consent form adequately explains the data processing activities, the purpose of data collection, and participants' rights (e.g., the right to withdraw consent).
The committee ensures that the study adheres to local regulations regarding the use of personal and sensitive health data.
It is crucial that essential data sharing aspects are explicitly handled in the informed consent form [De Novo]. The consent information should be made available as metadata.
[uu_consent] https://www.uu.nl/en/research/research-data-management/guides/informed-consent-for-data-sharing
SdR: The step is called Obtain informed consent. Can you “obtain” IC with an opt-out model?
Do we want to mention things like dynamic IC, electronic IC, “Toestemming aan de poort” (consent at the gate)?
Does a PIF also contain information about data collection / how data will be used? Or is the PIF only medical?
Why is this step important
The FAIR principles encourage making data more useful for both immediate research purposes and future secondary purposes, such as replication, validation and meta-analysis, while still protecting participants' privacy and rights. To accommodate the FAIR data principles in the Informed Consent (IC) for health research data, the IC must include specific information that addresses both the immediate use of the data and its potential future uses in a way that aligns with GDPR requirements.
Current Research Purpose: The IC should clearly explain the primary purpose for which the health data is being collected (e.g., a specific clinical study, disease research, or a longitudinal health survey).
Potential Future Use: To align with the FAIR principles, the IC should also mention the possibility that the data may be used for future research purposes, which may not yet be fully known at the time of data collection. However, the scope of future research should be described as broadly but as clearly as possible, respecting GDPR’s transparency principle.
FAIR Data Goals: The IC should include a statement that aligns with the goals of FAIR data, explaining that the data will be made findable, accessible, interoperable, and reusable by other researchers and stakeholders in the scientific community.
Data Registries or Repositories: If applicable, the IC should state that the data will be deposited into data repositories or registries that adhere to FAIR principles, allowing it to be discoverable and reusable by others.
Who Will Access the Data: Provide clarity on who will be allowed to access the data. This includes mentioning both internal and external researchers and potential data-sharing partnerships.
Controlled vs. Open Access: Explain whether the data will be made available via open access (where anyone can access the data) or via controlled access (where only approved researchers or organizations can access it).
Cross-border Data Transfers: If the data may be shared internationally, the IC must comply with GDPR’s rules on cross-border data transfers. Explain if the data will be shared with researchers outside the EU and what safeguards are in place to protect the data in international transfers.
How to
Opt-in, opt-out? What about the PIF?
[Miriem]
As just discussed, it would also be interesting to look at
Which type of consent do I need:
Prospective research: explicit informed consent
Retrospective:
opt-in or opt-out consent: what is the difference and when do you apply which?
Explicit consent when you would also want to reuse the retrospective data or make it available again: explicit consent must have been given for reuse.
Ask the METC which informed consent templates are accepted. An ethics committee may not give advice, but may only assess whether an informed consent meets all legal requirements and obligations.
Ask Privacy (data protection officer or privacy officer) about any changes or additions to the informed consent.
Are there standard sentences or paragraphs that you could add per topic to an ICF template?
Additions about linking data to external registries
Additions about collaborations with external parties, for example for cleaning and analysing the data
[Sander / Miriem]
Question: what specific information should be in your IC to accommodate FAIR data and its further usage? IC information concerning secondary use of data / materials, potential data linkage to external registries (e.g. PALGA, IKNL)?
Step-wise how about something like:
...
Check your institute for an IC template
Miriem: Shouldn't this also refer to the CCMO templates: Subject information, informed consent and informed consent procedure | Onderzoekers | Centrale Commissie Mensgebonden Onderzoek (ccmo.nl)
...
Check whether it allows for “whatever it is we need for making this data FAIR and its sharing”
I know there are factors which depend on the study, like e.g. linkage with PALGA, IKNL, etc.
Does this depend on FAIR Objectives? Does “I want to publish the study in the HRI Catalogue” require something different in an IC than “I want to use a patient’s data for federated querying?”
Miriem: Usually a data sharing agreement has to be set up for health data. The informed consent describes the context of the data collection, and data may be shared within the same context (if consent has been given for data sharing). This means that for every data request it must be checked whether the purposes of the use match the purposes described in the informed consent.
It would still be a good idea to have someone with knowledge of legislation look at this.
Sander: The first, I want to publish the study in the HRI Catalogue, doesn’t require anything special in the IC I think? Only when the data owner actually wants to share your data does the IC become relevant?
Meriem: The metadata about which data have been collected may be shared freely (unless this possibly falls under confidentiality because of possible patents or the like). But here too I would have someone with more knowledge of setting up (DSA) contracts look at it. They may be able to add more about the exceptions.
Sander: Is “sharing” by sending someone the data and “sharing via federated querying” different? If federated querying is anonymous by default, since the data never leaves a center, does IC about sharing the data still matter?
Meriem: I don't know whether federated querying is anonymous by default. I think this data can still be pseudonymised. That is why a good infrastructure still has to be set up in which the protection of personal data can be safeguarded.
Federated querying is a method of querying and accessing distributed datasets without physically centralizing the data. In the healthcare context, federated querying allows researchers, clinicians, or data scientists to access and analyze health data across multiple systems (e.g., hospitals, research institutions) without transferring sensitive patient data to a central location.
When sharing or accessing health data via federated querying, compliance with the GDPR is crucial, particularly because health data is classified as special category data under Article 9 of the GDPR. Health data includes information such as medical history, diagnosis, treatment, and genetic data. Key GDPR principles relevant to federated querying include:
Lawfulness, Fairness, and Transparency
Lawful Basis for Processing: You must have a lawful basis to access or share health data, such as explicit consent from the data subject, or processing for research purposes under Article 9(2)(j).
Transparency: Data subjects must be informed about how their data is used, even if it’s queried remotely. Transparent data-sharing policies and consent mechanisms are essential.
Data Minimization and Purpose Limitation
Minimization: The GDPR requires that only the data necessary for the specific purpose is accessed or processed. In federated querying, this means limiting access to the minimum amount of data required to answer the query.
Purpose Limitation: Health data accessed through federated queries must only be used for the specific purpose (e.g., research) for which it was originally collected, and not for secondary purposes unless additional consent is obtained or a legal basis exists.
Data Security and Confidentiality
Security of Processing: Federated querying must implement robust technical and organizational measures to secure health data. This includes encryption, anonymization, pseudonymization, and access controls to prevent unauthorized access.
Data Localization: Since data remains on local servers, federated systems reduce the risks associated with transferring health data, but the data controllers (entities holding the data) must ensure secure query execution and auditability.
Accountability and Governance
Data Controllers and Processors: Each institution participating in a federated querying system is likely to act as a data controller, responsible for ensuring GDPR compliance. Federated systems often require detailed Data Processing Agreements (DPAs) between the entities to govern how data is accessed and used.
Data Protection Impact Assessments (DPIAs): If federated querying involves high-risk processing of health data, organizations may need to conduct a DPIA to assess risks and ensure GDPR compliance.
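The checks described above (consent available as metadata, purpose limitation, data minimization and auditability) can be enforced at each data station before a federated query touches a record. The following is an added sketch, not part of the original page or of any project named on it; the `Consent` and `Request` fields, the `station_count` function and all sample records are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# All field names below are hypothetical; they mirror the items the page says
# an informed consent (IC) must define, not any real metadata standard.
@dataclass(frozen=True)
class Consent:
    purposes: frozenset                   # research purposes stated in the IC
    data_types: frozenset                 # data categories the participant agreed to
    registries: frozenset = frozenset()   # external registries named for linkage
    outside_eu: bool = False              # cross-border transfer covered by the IC
    withdrawn: bool = False               # participant exercised the right to withdraw

@dataclass(frozen=True)
class Request:
    requester: str
    purpose: str
    data_types: frozenset
    registries: frozenset = frozenset()
    outside_eu: bool = False

def refusal_reason(consent, request):
    """Return why the request is not covered by this consent, or None if it is."""
    if consent is None:
        return "no consent record"        # default deny without consent metadata
    if consent.withdrawn:
        return "consent withdrawn"
    if request.purpose not in consent.purposes:
        return "purpose not covered"      # purpose limitation
    if not request.data_types <= consent.data_types:
        return "data type not covered"
    if not request.registries <= consent.registries:
        return "registry linkage not covered"
    if request.outside_eu and not consent.outside_eu:
        return "transfer outside EU not covered"
    return None

def station_count(records, consents, request, predicate, audit):
    """Answer a federated query with a count; rows never leave the station."""
    count = 0
    for pid, row in records.items():
        reason = refusal_reason(consents.get(pid), request)
        # Auditability: every decision is logged, including refusals.
        audit.append((request.requester, request.purpose, pid, reason or "allowed"))
        if reason is None:
            # Minimization: the predicate sees only the requested data types.
            view = {k: row[k] for k in request.data_types if k in row}
            count += bool(predicate(view))
    return count

# Constructed sample data keyed by pseudonym (no real participants).
ONCOLOGY = frozenset({"oncology research"})
CONSENTS = {
    "P001": Consent(ONCOLOGY, frozenset({"diagnosis", "treatment"}), frozenset({"PALGA"})),
    "P002": Consent(ONCOLOGY, frozenset({"diagnosis"})),
    "P003": Consent(ONCOLOGY, frozenset({"diagnosis"}), withdrawn=True),
}
RECORDS = {
    "P001": {"diagnosis": "C50", "treatment": "surgery", "genetic": "variant-x"},
    "P002": {"diagnosis": "C50", "treatment": "chemotherapy"},
    "P003": {"diagnosis": "C50"},
    "P004": {"diagnosis": "C50"},   # no consent metadata at all
}

def has_c50(view):
    """Constructed query predicate: diagnosis code equals C50."""
    return view.get("diagnosis") == "C50"

if __name__ == "__main__":
    audit = []
    req = Request("researcher-a", "oncology research", frozenset({"diagnosis"}))
    print(station_count(RECORDS, CONSENTS, req, has_c50, audit))
    for entry in audit:
        print(entry)
```

Participants without a consent record are refused by default, so missing metadata can never widen access.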
...
Make sure the necessary lines are in the IC
...
Get the IC approved
[Meriem]
WMO-studies
Step 1
The CCMO has published a standardised Patient Information Form (PIF), which includes informed consent questions. (?) a
[ELSI Servicedesk]
Hi Sander,
...