Cornerstone – Data Protection in ORCHESTRA
Management of patient data
Keeping patient data as secure as possible is a central concern in the implementation of the ORCHESTRA network. Work Package 7, responsible for data management, addresses this task. The interview with Prof. Dr. Fabian Prasser from partner Berlin Institute of Health @Charité provides an insight into the challenges and the implications of the project for future research collaboration – and shows the importance of communication between the different partners.
What is your task in ORCHESTRA?
Fabian Prasser: ORCHESTRA is a large-scale data integration and data sharing project with a specific focus on COVID-19. In our task within Work Package 7 we work on related data protection challenges.
What does this mean precisely? How would you explain your work for ORCHESTRA to friends from a totally different background?
Fabian Prasser: In medical research, protecting the privacy of patients and study participants is a very important task. This means that patients or study participants are typically not identified by their name, for example, or their living address. Instead, individuals are identified by a protected code, a so-called pseudonym. The specific data protection technologies and mechanisms to be implemented are of course regulated to a large extent by European law, such as the General Data Protection Regulation (GDPR). But there are also country specific differences on how these laws are interpreted and implemented. Our main task within ORCHESTRA is to coordinate what the different sites and partners are doing in this regard, and to develop an overall approach that works for ORCHESTRA. We are doing that by creating reports, overviews of best practices and typical implementations in the participating countries and hospitals but also by providing tools that can be used within ORCHESTRA to implement some of the protection mechanisms mentioned.
Interesting. How challenging is it to actually find a common ground that works for each ORCHESTRA partner and works for all the different countries?
Fabian Prasser: This is actually quite challenging, which has to do with two facts – I would say. Fact number one: quite a large number of sites, hospitals from different countries or cohorts participate in Orchestra. So there is a great need for coordination and for coming up with a common approach. Fact number two: data protection is always a challenge. It is not just a technical problem, and it is not only a legal issue – but it rather is a challenge on the intersection of legal requirements and technical implementation options. To bring all this together: the different technical implementations that we have at the different hospitals or different cohorts as well as the different legal views and policies in the different participating countries on how research need to be conducted.
This is, of course, a challenging issue to deal with, right? I would imagine it almost like a puzzle and you are crafting the pieces that will actually link all the participating countries. – How do you identify the detailed requirements in each country?
Fabian Prasser: Yes, this requires a lot of communication. A basic approach is to review general reports on the subject. For example, the European commission has just relatively recently published an extensive report on how the GDPR is interpreted with a specific focus on the processing of health data in the various European countries. Such reports are an important source of information, but of course they are on a relatively abstract level. We also need to engage with representatives of the different cohorts and different hospitals and discuss in detail which protection mechanisms they implement and how. And, of course, we also need to communicate a lot with other partners in Work Package 7, and also with the various work packages within ORCHESTEA that are establishing prospective or retrospective studies. We need to talk to all these people to find ways that will work for them. For this reason, we have established a weekly meeting, which we use to take a very close look and coordinate with the partners, how we would suggest to implement data protection measures within ORCHESTRA.
Interesting – it sounds like you are doing something that has not been done before. Is your job somewhat pioneering work?
Fabian Prasser: I would not exactly call this pioneering work, because Orchestra is of course not the first large-scale European research infrastructure that has been established, but there have already been quite a lot of projects that have worked on creating similar structures. Of course, with a slightly different focus. The particular challenge in this project is that it is happening in the context of the COVID-19 pandemic. This means that there is considerable pressure to generate evidence in a very timely manner. We can’t spend a year or two discussing how to implement ORCHESTRA before we actually implement it. We have to get something up and running very, very quickly. So that is a very special challenge with Orchestra and in this regard, it is pioneering work.
If I understand correctly, there are some solutions you can actually draw from? Please, carve out a little more precisely what it is that is particularly new and hence challenging.
Fabian Prasser: What is particularly interesting from my point of view is the fact that although this requirement to set up such a research network in a way that it is as privacy-preserving as possible and complying with all the legal and regulatory requirements has been addressed multiple times before – there are still no readily available or easily deployable solutions for basic challenges.
May you give us an example to give us a clearer picture?
Fabian Prasser: Let us consider the example of pseudonymisation that I mentioned in the beginning. You actually wish that there were some tooling available – readily available – that you could integrate into the hospitals and that you could use in such large-scale networks. But this is actually not yet the case. This is definitely something that we hope to be able to address with our work, to create something that is viable not only for ORCHESTRA, but also for the community at large.
Yes, I can see that creating an improvement for national and international cooperation in the future is great motivation…
Fabian Prasser: Yes, we see that ORCHESTRA offers us a great opportunity. After the ORCHESTRA project, hopefully its solutions can be used to build such infrastructures faster in the future.
ORCHESTRA seems to provide the potential to create a common ground in many ways – also in data protection. Why reinvent the wheel each time, right?
Fabian Prasser: Exactly.
What are your greatest learnings in the ORCHESTRA project?
Fabian Prasser: That is a good question. The biggest thing I have learned is that coordination and communication requirements regarding data protection technologies are even higher than I would have expected. We are really seeing different approaches throughout Europe. The landscape was even more heterogeneous than I would have expected. Let’s take the example of pseudonymisation that I mentioned in the beginning where you replace the directly identifying data of study participants or patients with a secure code. Where are you storing the pseudonyms? Are you storing them locally or are you storing them in some central form for the project? Is it a project specific platform or national platform? Many paths lead to Rome – but the walk is faster and easier if you find a common route…
Is there a topic we have forgotten to cover that is important to you?
Fabian Prasser: Maybe that ORCHESTRA is a project that aims to produce rapid evidence, while putting a significant focus on protecting the privacy of patients and study participants. And there is really a multi-layered approach. There is a privacy by design methodology that is so deeply baked into the way ORCHESTRA is constructed with the national hubs. It integrates national data and makes it accessible and readily available for analysis across the different participating countries and cohorts. This is being performed in a privacy-preserving way by implementing innovative and modern technologies from the areas of federated learning and federated data analytics.
Thank you very much for the interview!
Prof. Dr. Fabian Prasser, Head of the Medical Informatics Group, Berlin Institute of Health @ Charité – Universitätsmedizin Berlin.
Interview by Marlene Nunnendorf, ORCHESTRA Communication