Table 4 Identified overarching themes.
Organizational measures | |
Soft law | Transparency [44] |
To be transparent, fair and accountable [45] | |
Limiting data access, e.g., through safe havens, TTPs [14] | |
Limiting data use, e.g., through formal agreements [14] | |
Individuals should be provided with reasons for not honoring data processing objections or requests [20] | |
Individuals should be able to express preferences regarding the processing of their personal health data [20] | |
Informed consent [43] | |
Accurate logging and auditing [25] | |
A comprehensive security policy, organization and infrastructure, including both organizational and state-of-the-art technical security measures [25] | |
Literature | |
Promote transparency and trust [17] | |
Broader openness and accountability [2] | |
Accountability [15] | |
Extensive governance [15] | |
Responsible data governance [16] | |
Increased transparency regarding data protection and governance, as well as regarding research objectives [46] | |
Clear and transparent policies on a multitude of issues [4] | |
Clear and transparent governance procedures that oversee the use of data [4] | |
Patients are made aware of how their data may be used [22] | |
Individual notification [18] | |
Allow individuals and the public to access clear information about the use of their data and their rights concerning this usage [3] | |
Provide individuals with sufficient information and control over their data [3] | |
Have patient representatives involved in crucial decisions about how their data will be used [21] | |
Soliciting the attitudes of the involved parties regarding the associated risks [36] | |
Specific targeted information provision [38] | |
Training of personnel [47] | |
Imposition of duties of confidentiality [47] | |
Offering an opt-out mechanism [18] | |
Introducing opt-out mechanisms before data collection [46] | |
Adhere to relevant legal provisions [24] | |
Inform health professionals about the outcomes of REC approved research [24] | |
Researchers must ensure that their research proposals are trustworthy and reasonable [2] | |
Take into account the pertinent individual or social concerns that may not be explicitly outlined in the legal provisions [36] |
Technical measures | |
Soft law | Data minimization, anonymization and data security [44] |
The use of privacy enhancing technologies [25] | |
A comprehensive security policy, organization and infrastructure, including both organizational and state-of-the-art technical security measures [25] | |
Literature | |
Individual privacy is carefully safeguarded [22] | |
Data are aggregated when used for research and development [22] | |
Proportionate technical measures [3] | |
The use of IT and participant interfaces [3] | |
The data should be key-coded [24] | |
Encryption, pseudonymization, minimization of sensitive data processed [47] | |
Using data that are de-identified to the fullest extent compatible with research aims [23] | |
The use of safe houses, distributed databases and best practice in data management [23] | |
Downstream control over access to data and samples [15] |
Oversight and review mechanisms | |
Soft law | |
Independent ethics committee [29] | |
Research ethics committees or comparable oversight mechanisms [30] | |
Research ethics committee or an appropriate authority [30] | |
An authorized entity such as a research ethics committee [30] | |
Competent bodies or institutions [26] | |
Oversight committees authorizing access to data [14] | |
Research Ethics Committees (RECs) and Data Access Committees [14] | |
Independent, multidisciplinary and pluralist ethics committees [31] | |
An authorized human subject/ethics committee [32] | |
Ethics committees [25] | |
Literature | Oversight by the Research Ethics Committee or Data Protection Officer [16] |
A research ethical assessment of projects [33] | |
Institutional oversight mechanisms [22] | |
Authorization by research ethics committees [34] | |
Authorization body [19] | |
An independent necessity and proportionality test, for instance by an (data access) ethics committee [3] | |
Research ethics committees [23] | |
Ethical review boards [35] | |
Competent oversight bodies such as ethics committees and data access committees [36] | |
Coordinated and well-functioning oversight bodies [37] | |
Both RECs and DACs [37] | |
Independent and interdisciplinary review and oversight [4] | |
Institutional oversight that may include approval by an ethics committee or some other body [4] | |
Approval by an ethics review board [48] |
Public engagement and participation | |
Soft law | Making public the results of such assessments [DPIAs, ed.] [25] |
Literature | |
Genuine engagement with stakeholders and public groups [19] | |
Stimulate participation by relevant stakeholders [3] | |
Continuing public engagement [39] | |
Public education about research [38] | |
Broad notification [18] | |
Community consultation [18] | |
Greater input into research and research policies [18] | |
Public awareness about research approved by ethics committees [24] | |
Inform the public about the outcomes of REC approved research [24] | |
The public needs to be made aware of medical research without consent [49] | |
The circumstances for medical research without consent need to be discussed and consensus formed as to when that should be permitted [49] | |
Public outreach and education explaining the benefits of well-designed EHR-based research performed under stringent privacy protection [23] | |
Provide evidence that the public in general and ethnic minority populations in particular not only have participated in fully informed discussion of the issues, but also that these discussions have led to positive approval of what is proposed [50] |