The success of the HARMONY Data Platform is based on cooperation and trust. Gathering and analyzing data on such a broad, international scale means that we have to ensure all the stakeholders that we handle the uploaded data with extreme caution. Data safety is a promise we make to all the stakeholders in the project.
At the earliest stage, we established guidelines for data safety, reliability, security, privacy, and anonymity, far more restrictive than applicable regulations, including all the requirements related to the General Data Protection Regulation (GDPR).
Next, we moved past considering legislative frameworks and created an internal ethical code that articulated a clear vision of what we wanted to achieve, setting out rules that bound all the stakeholders and were relevant at every stage of the project. All the data processing guidelines also included the principles of fairness, transparency, and accountability.
The HARMONY Anonymization Concept
It has long been argued that anonymization (i.e. redacting data such that the data subject is not or is no longer identifiable) cannot be guaranteed without rendering data useless for medical research. However, anonymization in a legal sense does not require that data be redacted in a way that makes it entirely impossible (for example through legal or technical means) to identify the individual concerned. Rather, de-facto anonymization is sufficient in order to exclude the qualification of the relevant data as “personal data”; i.e. sufficient anonymity is ensured, as identification of the data subject would require an unreasonable amount of effort. In light of this, anonymization can be achieved through a combination of technical methods, such as suppression, generalization, and perturbation to the extent that any such effort does not compromise the scientific goals of the study; these techniques are supplemented by data access restriction and organizational security measures.
It is in this manner that we developed the HARMONY Anonymization Concept, which ensures that the intended import of data into the HARMONY Big Data Platform, as well as the subsequent use of such data as envisaged by the HARMONY Project, comply with ethical guidelines and all applicable data protection laws at the EU level, which include meeting the requirements of the General Data Protection Regulation (GDPR), without impacting the clinical value of the relevant data. The HARMONY Anonymization Concept takes into account all necessary factors to ensure that the case‑by-case assessment of every single database is complete, and that no provisions required by applicable data protection laws are omitted. Furthermore, HARMONY is also committed to regularly revisiting its anonymization protocols in light of new technical developments in order to ensure that the direct or indirect identification of individuals remains “impossible without unreasonable effort”.
Read our article published in February 2019: HARMONY Anonymization Concept Reconciles Data Quality, Safety, and Privacy >