Open Call applicants' Guide to required legal and ethical documents:
The EUCAIM open call was closed on the 10th of June. The aim of the open call was to onboard new cancer image data holders, enhancing the platform’s geographic dimensions, data modalities, and to include reliable AI algorithms trained on the repository’s cancer image data. The successful applicants will join the EUCAIM Consortium around December 2024. For more information on the closed call, click here.
Overall, 69 applications were submitted either as a data holder or data user in response to the EUCAIM call. Currently, the EUCAIM Access Committee is evaluating the applications from a technical point of view. Once the evaluation is ready, the highest scoring applicants will be contacted and moved to the legal assessment phase.
In this article, we explain the legal and ethical documents that will be requested from successful applicants (if not already provided during the application process) and reviewed by EUCAIM’s legal team. Please note that all documents must be translated into English before being submitted to us (in-house translations are welcome).
For Data Holders
Who is a Data holder?
For the purpose of this Call, we consider data holder to be any applicant that proposes the sharing of data sets as such or linked to a use case[1].
[1] The future European Health Data Space Regulation defines:
‘health data holder’ means any natural or legal person, public authority, agency or other body in the healthcare or the care sectors; including reimbursement services when needed as well as any natural or legal person developing products or services intended for the health, healthcare or care sectors; developing or manufacturing wellness applications; performing research in relation to the healthcare or care sectors; or acting as a mortality registry; as well as any Union institution, body, office or agency; who has either:
(a) the right or obligation, in accordance with applicable Union law or national legislation, to process personal electronic health data for the provision of healthcare or care or for public health, reimbursement, research, innovation, policy making, official statistics, patient safety or regulatory purposes, in its capacity as a controller or joint controller; or
(b) the ability to make available, including to register, provide, restrict access or exchange non-personal electronic health data, through control of the technical design of a product and related services.
The legal assessment of data holders is divided into two phases:
Phase 1: Assessment and approval of the application from a legal and ethical point of view.
The following documents may be requested (depending on the type of use case and what has been already provided):
- Report/self-declaration from your Data Protection Officer (DPO) certifying compliance and that the legal conditions for sharing the data with the Consortium are met. For a template, please click here. Restrictions regarding the use of the data must be expressly included:
  - Prohibitions on commercial use of the data.
  - Restrictions due to intellectual property rights.
  - Restrictions on use depending on the conditions of the expression of consent by the data subject.
- Report of the chief security officer and/or ISO 27001 security certification (only if the applicant indicated Tier 3 compliance). The IT team will need a complete description in terms of security, interoperability and cataloguing.
- Certifications and adherence to a code of conduct (GDPR), when declared.
- DPIA of the federated infrastructure (summary or report signed by the DPO) (only in case of Tier 3 compliance).
  - In all other cases, it is appropriate to share this information if the DPIA was carried out in accordance with the requirements of the GDPR or the positive list of cases of the national data protection authority.
  - If the DPIA was not legally required and was not performed, this should be expressly stated in the DPO’s report.
- Ethical approval
  - If ethical approval is not required in your country, this should be stated in the DPO’s report.
  - In the event that national legislation imposes some kind of ethical self-assessment or ethical self-reporting process, a copy of these should be included.
- Legal representation (certification and identification of the persons who can legally bind the entity such as Power of Attorney)
Phase 2: Prior to the transfer of datasets or granting access to them.
On the condition that the above-mentioned documents in phase 1 are reviewed and accepted, we will ask for the following before sharing data:
- Proof of data anonymisation (if anonymisation services are provided by EUCAIM, a data processor contract must be signed).
- Signing of a Data Sharing Agreement (for federated processing scenarios) or a Data Transfer Agreement.
For Data Users
Who is a Data User?
For the purposes of this call, a data user is considered to be any applicant who is participating in this call for the purpose of processing data for legitimate purposes[1].
[1] The future European Health Data Space Regulation defines:
‘health data user’ means a natural or legal person, including Union institutions, bodies or agencies, which has been granted lawful access to electronic health data for secondary use pursuant to a data permit, data request or an access approval by an authorized participant in Health Data @ EU;
IMPORTANT:
- In the event that your proposal for participation may involve the contribution of your own data sets, you must provide the documentary evidence required in the previous section for data holders.
- If you provide your own software, you must comply with the requirements of the software suppliers.
Evidence required:
- Ethical evidence (ethical approval)
  - If ethical approval is not required in your country, this should be stated in the DPO’s report.
  - In the event that national legislation imposes some kind of ethical self-assessment or ethical self-reporting process, a copy of these should be included.
- Legal representation (certification and identification of the persons who can legally bind the entity, such as a Power of Attorney)
- Signature of Terms & Conditions by the legal representative
- Signature of security obligations and non-re-identification commitments for each user of the data access requester.
In case of processing personal data, including pseudonymised data:
- Report/self-declaration from your Data Protection Officer (DPO) certifying that the organisation is GDPR-compliant and that the future EUCAIM users have been duly trained in this topic.
- Impact assessment carried out, if required:
  - AI impact assessment (ALTAI) and AI Fundamental Rights Impact Assessment (FRIA).
  - Data Protection Impact Assessment (DPIA).
For applicants sharing or developing software or any related technology or electronic product
In the case of providing software to EUCAIM, or proposing the development or testing of any type of software, including the verification of algorithms, the following must be provided:
- Ownership (proprietary, licensed) and IP rights declaration, including any restriction on authorising access to or use of the product by data users with an EUCAIM permission.
- In case you request to develop a software tool or any related technology or electronic product:
  - Status of the tool (marketed, research, prototype pending approval (medical device)).
- In case the purpose of the software is the processing of personal data:
  - Report/self-declaration from your Data Protection Officer (DPO) certifying that the organisation is GDPR-compliant and that the future EUCAIM users have been duly trained in this topic.
  - Impact assessment carried out, if required:
    - AI impact assessment (ALTAI) and AI Fundamental Rights Impact Assessment (FRIA).
    - Data Protection Impact Assessment (DPIA).
- Any supporting documentation of the product development conditions:
  - Security risk analysis, including risks related to AI.
  - Security measures applied.
  - Documentation related to the software (requirements, code, etc.).
  - Technical documentation on development conditions required by law (AI Act technical annexes, Data Protection by Design and by Default under the GDPR).
- Legal representation (certification and identification of the persons who can legally bind the entity such as Power of Attorney)
- Signature of Terms & Conditions by the legal representative
- Signature of security obligations and non-re-identification commitments for each user.
Please note that we will contact you in due course should we need any of the listed documents regarding your application. However, we would appreciate it if you could take a proactive approach and already compile some of these documents, so that we can proceed with your application as soon as possible.
FAQ
Rationale for providing evidence on regulatory and ethical compliance.
The purpose of the calls involves at least three scenarios:
- Participants willing to share datasets that are made available to third parties.
- Participants requesting access to datasets for legitimate purposes such as health research.
- Participants who may share software and in particular artificial intelligence tools or systems.
In all three cases, legal requirements apply:
- General Data Protection Regulation and/or national laws.
- National laws on research and/or research ethics.
- National laws applicable to the health/healthcare sector.
- Intellectual property laws.
- National laws or standards relating to the security of processing environments.
- Specific EU legislation (Artificial Intelligence Act, Data Act (data from wellness applications with patient consent), Data Governance Act (data altruism) and the future European Health Data Space Regulation (admissible secondary uses, obligations of data holders, obligations of data users, etc.)).
The accountability principle DOES NOT ONLY APPLY TO DATA PROTECTION ISSUES. All EUCAIM operations governed by law and for which liability may arise must be supported by documentary evidence.
Why is it necessary to identify the legal representative of the participant?
In most legal systems it is logical that binding expressions of will of a legal person should be made by the person duly authorised for this action. For example:
- A data set may have been prepared by a hospital service or research unit.
- A researcher from a university or a hospital wishes to access the datasets.
- A programmer or researcher is interested in verifying his AI tool.
But they are usually all employees with an employment or civil service relationship. For this reason, IF
(a) the dataset was created in breach of the GDPR,
(b) the researcher is using the data in breach of the law, or
(c) the programmer has stolen code from a third party,
LIABILITY FOR DAMAGES AND INFRINGEMENT SHALL BE BORNE BY THE EMPLOYER and subsidiarily by the individual. And if EUCAIM IS NOT INVOLVED IN ENSURING THAT ONLY THOSE WHO CAN BIND THE ENTITY DO SO THROUGH THE PERTINENT DOCUMENT, it can incur at least IN VIGILANDO LIABILITY.
Therefore, only the following may (a) sign a data sharing/transfer agreement, (b) agree to terms and conditions, or (c) authorise the testing and use of software:
- Legal representatives of the entities
- Natural persons when acting in their individual capacity and under their sole responsibility.
- Natural persons when they have been expressly authorised to represent the entity with which they work or collaborate.
It is therefore essential to identify the legal representative of the entity and the legal title of his or her representation.
Why do we need to demonstrate that the entity is GDPR compliant and that the entity can share data?
Properly anonymised datasets are ‘apparently’ not regulated by the GDPR. However, in Opinion 5/2014 on anonymisation the data protection authorities[1] required:
- That the data had been legitimately obtained.
- That there was a coherent relationship with the purpose for which the data was collected.
- Transparency and respect for the data subject’s expectation of Privacy.
- That any other requirement, such as carrying out a Data Protection Impact Assessment (DPIA) or a risk analysis, has been implemented.
Moreover, under Articles 9(2)(j) and 9(4) of the GDPR there may be further obligations under national law. It is therefore essential that the Data Protection Officer certifies that the data set complies with the law, that its origin is legitimate and that sharing with EUCAIM is authorised. In addition, proper anonymisation is needed.
[1] https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf
Why do we need documentation related to ethical approval or an ethical risk assessment?
In many countries the sharing of health datasets or their use for research or secondary uses requires:
- Submitting an ethical protocol
- Obtaining ethical approval from a committee with the competence to do so.
In other countries it is sufficient to:
- Carry out the corresponding risk analysis.
- Have an internal protocol in place to manage the risks detected.
In the field of Artificial Intelligence, the recently published AI Act states that in the case of mere research or experimentation, it is sufficient to ensure compliance with ethical requirements.
EUCAIM therefore REQUIRES ONE OF THE FOLLOWING FORMS OF EVIDENCE:
- Copy of the ethical approval issued by a committee competent to do so.
- Certification that there is no obligation to have ethical approval issued by a committee with competence to do so.
- Protocols and/or risk self-assessments. In the case of artificial intelligence, it must be ensured that the objectives, values and control domains of the ALTAI[1] model are met.
Why is it necessary to provide information attesting to the security standard guaranteed by the participant entity?
EUCAIM is conceived as a data infrastructure that will preferably process data in a secure data space through federated data processing methods. If the entity does not demonstrate that it meets the required maturity conditions, it will only be possible to process data on EUCAIM facilities. In such a case the entity must be able to perform a secure data transfer.
Additional legal requirements for data sets
Data sets to be shared with EUCAIM must be properly catalogued. Until the publication and entry into force of the proposed European Health Data Space Regulation, national restrictions on secondary use of data in accordance with national law must be made public to data access requesters. For example, there could be:
- Prohibitions on commercial use of the data.
- Restrictions due to intellectual property rights.
- Restrictions on use depending on the conditions of the expression of consent by the data subject.
These restrictions must be expressly communicated to EUCAIM.
Additional legal requirements for software/information systems/AI systems reuse
In the case of sharing software resources, information systems or artificial intelligence systems, legal risks and liabilities may arise for the provider, for EUCAIM or for any user. For example:
- It should be stated whether the development is proprietary, open source, or subject to reuse conditions such as a Creative Commons licence or equivalent.
- In the case of experimental software, potential risks arising from its use should be disclosed.
- Transparency about the code should be provided, or where this is not possible, the legal basis or reason for maintaining business secrecy about the code should be stated.
- Sufficient information (AI literacy) should be provided to ensure adequate knowledge about the nature, conditions, mode of use and risks of using an artificial intelligence system.
- If the software is subject to prior authorisation requirements (Medical Device Regulation), supporting documentation should be provided.