Skip to main content

Legal and ethical framework for global health information and biospecimen exchange - an international perspective

Abstract

Background

The progress of electronic health technologies and biobanks holds enormous promise for efficient research. Evidence shows that studies based on sharing and secondary use of data/samples have the potential to significantly advance medical knowledge. However, sharing of such resources for international collaboration is hampered by the lack of clarity about ethical and legal requirements for transfer of data and samples across international borders.

Main text

Here, the International Clinical Trial Center Network (ICN) reports the legal and ethical requirements governing data and sample exchange (DSE) across four continents. The most recurring requirement is ethical approval, whereas only in specific conditions approval of national health authorities is required. Informed consent is not required in all sharing situations. However, waiver of informed consent is only allowed in certain countries/regions and under certain circumstances. The current legal and ethical landscape appears to be very complex and under constant evolution. Regulations differ between countries/regions and are often incomplete, leading to uncertainty.

Conclusion

With this work, ICN illuminates the unmet need for a single international collaborative framework to facilitate DSE. Harmonising requirements for global DSE will reduce inefficiency and waste in research. There are many challenges to realising this ambitious vision, including inconsistent terminology and definitions, and heterogeneous and dynamic legal constraints. Here, we identify areas of agreement and significant difference as a necessary first step towards facilitating international collaboration. We propose the establishment of a working group to continue the comparison across jurisdictions, create a standardised glossary and define a set of basic principles and fundamental requirements for DSE.

Peer Review reports

Background

Over recent years, topics like “big data”, “biobanks” and “data sharing” have gained momentum in the health science community. The widespread adoption of electronic health records has raised the interest of researchers in exchanging clinical data for secondary use [1]. Patient data can be merged on a large scale for epidemiological studies or disease monitoring [2, 3]. Besides health information technology, biobanks of human specimens have a growing role in the creation of actionable knowledge in health science [4, 5]. Over the last three decades, these repositories have evolved, and the information associated with biological samples has increased enormously [6]. Multiple international initiatives are currently promoting collaboration between existing biobanks to enable larger research projects [7,8,9,10].

Despite the increasing opportunities for the advancement of biomedical research through DSE and the availability of data/sample to exchange, this promise has not yet been fully realised through an actual increase in data and sample sharing [11]. This mismatch may be explained by the obstacles presented to researchers of having to navigate the regulatory framework governing the sharing of data/samples. International exchange can be particularly challenging due to conflicting regulations and overlapping terminologies [2, 12]. Adding further complexity, regulations continue to evolve. Some tools have been developed to support researchers, but many cover a limited geographical region or are not sufficiently mature or current [2, 13,14,15].

Legal restrictions are not the only barriers to seamless DSE. Among others, further limiting factors may be the reluctance of investigators who are aiming to publish first, as well as the interests of research funders. However, we believe that a clearer regulatory landscape would help to overcome also this hindrance to fully enable robust, ideally patient-controlled DSE [16]. In this article, the International Clinical Trial Center Network (ICN) [17], a network that brings together top-tier experience and knowledge of 19 clinical trial centres from across the globe, draws a simplified picture of the regulatory requirements to exchange health data and biospecimens across four continents and highlights differences that could influence the conduct of international projects. The ICN brings together different non-profit institutions with the common objective to encourage continuous international dialogue, to provide guidance to researchers, and to promote international collaboration. Relevant terms concerning data protection are also compared. This work should help to advance the global exchange of data and samples as well as to support the development of a valuable tool that helps researchers in large-scale international research projects.

Main text

We surveyed members of the ICN between July 2018 and October 2019, collecting detailed information on local guidelines, regulations and restrictions concerning the international exchange of data and samples, centred on 3 out of the 4 key dimensions of health information exchange defined by Holmgren and colleagues [18].

  1. 1.

    What defines the “Rules” of Exchange?

We collected information on policies applying in the context of international DSE and authorities involved in its approval.

  1. 2.

    Who is exchanging? Relationship between exchanging partners

Special requirements/restrictions concerning data/samples receivers (e.g. specific countries or for-profit organizations) were assessed.

  1. 3.

    What is exchanged? Types of information

Here, we focused specifically on the further use for research purposes of already available clinical data/samples rather than the collection of new data/samples, distinguishing between: a) genetic data, non-genetic data and biological samples; b) different data formats; and c) different levels of subject’s privacy protection. The present report is not concerned with data format.

Thirteen centres from eleven countries contributed to data gathering (ISO 3166 code in brackets): Austria (AUT), China (CHN), United Kingdom (GBR), Italy (ITA), Japan (JPN), Singapore (SGP), Sweden (SWE), Switzerland (CHE), Turkey (TUR), Uganda (UGA) and United States of America (USA). Hong Kong (HKG) and Taiwan (TWN) are described as separate regions since they have local regulations governing the international transfer of data/samples that differ from Mainland China. The regulatory requirements collected for the United Kingdom are applicable for England, Northern Ireland, Scotland and Wales. However, different health authorities may be involved in the approval of specific research projects. For each participating ICN country/region, a matrix showing the applicable requirements in specific sharing situations was created. Differences between the regulatory frameworks of represented countries/regions were identified and are reported in this article, together with differences in the terms related to data protection.

The regulatory framework is in continuous evolution

For all participating countries/regions, this article provides a cross-sectional appraisal of the current situation, recognising continuous evolution that requires frequent revision. In some countries/regions, a number of regulatory aspects are not currently precisely defined. At the time of writing, a certain degree of regulatory uncertainty also affects the European Union (EU). On 25th May 2018, the General Data Protection Regulation (GDPR) was enforced within EU. The GDPR creates new exemptions for research and leaves some room to member states to specify their own rules [19]. In response, many EU member states are reviewing national regulations governing data protection in the field of clinical research, addressing areas in which flexibility is permitted by the GDPR.

According to the GDPR, personal data may only be transferred to third countries if an adequate level of data protection within the meaning of Art. Forty-five is guaranteed in the receiving country or if the data transfer is subject to an exception pursuant to Art. 49. Thirteen adequacy decisions have been adopted so far, as reported on the website of the European Commission. Of the countries/regions participating in this project, only Japan, Switzerland, and the USA (limited to the Privacy Shield framework) have been recognized as providing adequate protection.

Data protection terminology is not consistent across countries/regions

In all participating countries/regions, information which may be used to identify a specific person indirectly is also considered personal data. However, in Japan and Singapore, coded information can be regarded as non-personal information where the access to the original personal information is unlikely or prevented. Interestingly, the Japanese definition specifically distinguishes between different personal information recording forms (documents, drawings or electromagnetic records). The latter includes electronic, magnetic and other recording forms not otherwise specified that cannot be recognized directly through the human senses. In Singapore, all data pertaining to an individual, whether true or false, is considered personal data. In Hong Kong, Japan and the United Kingdom, deceased persons do not have personal data. This also applies to China and Taiwan, although not directly specified in the local definition of personal data. According to recital 27 of the GDPR, deceased persons do have personal data. However, the regulation only protects living persons. This leaves member states the possibility to regulate the processing of personal data of deceased persons. Austria and Sweden do not provide for special provisions in this regard. In Italy, the rights described in articles 15 to 22 of the GDPR for deceased persons can be exercised by those who have an interest, or act to protect the data subject or for family reasons deserving protection [20]. In Switzerland, deceased persons’ data fall under the doctor-patient confidentiality agreement, but is not considered personal data. Special regulations apply for research with deceased persons, i.e. surrogate consent can be provided by the ethics committee [21]. In the other countries, the respective data protection regulations apply in respect of deceased individuals, but this is limited to 10 years in Singapore and 50 years in the USA [22, 23].

Only the European countries, Singapore and Taiwan could provide a legal definition for the term “pseudonymization” or “coding”. In these countries/regions, pseudonymized (coded) data can no longer be attributed to a specific subject without the use of additional information. Only Singapore distinguishes between reversible and irreversible coding. In the latter case, original values are properly disposed of and the pseudonymisation is done in a non-repeatable fashion. In Mainland China, the term “de-identification” is used when pseudonyms, encryption, hash functions or other technical methods are used to replace identifiers [24]. In the USA, data are considered de-identified if they have been stripped of common identifiers and there is no reasonable basis to believe that the information can be used to identify an individual [25]. Hong Kong, Taiwan and Uganda do not have a single, pervasive legal definition for data which cannot be traced to a specific person, whereas the European countries, China, Singapore and Turkey prefer the term “anonymized”. However, some definitions differ in how strictly the possibility of re-identification is limited. While GDPR and Swiss law set a relatively low bar for “identifiable”, anonymized data should be impossible to link with an individual according to the Turkish law. In all cases, anonymized data are not considered as personal data, nor are de-identified data in the USA.

The Japanese Data Protection Law distinguishes three categories of information: personal information, anonymously processed information and non-personal information [26]. Under other laws such as the GDPR, anonymously processed information and non-personal information correspond to pseudonymized information and anonymized information, respectively.

The only countries/regions having a legal definition for the term “encrypted” are Singapore, Taiwan and the United Kingdom. In the United Kingdom and Singapore, encrypted data are considered as personal data. In Taiwan, encryption is the process of making personal data irreversibly unidentifiable. In other countries/regions, this would probably be considered as anonymization. Of note, Taiwan does not have a definition for the term “anonymized”.

A list of definitions is provided in the supplementary information (see Additional file 1).

Data privacy level affects transferability

As shown in Table 1, following the respective country-specific regulations it is possible to transfer data/samples with any privacy protection level from Austria, Switzerland, Mainland China, United Kingdom, Hong Kong, Japan, Sweden, Taiwan and USA [19, 21, 27,28,29,30,31,32,33,34,35,36]. In the other countries/regions, including Italy as the only European representative, the transfer of data/samples containing directly identifiable information (i.e. uncoded data/samples) is not permitted [20, 22, 37,38,39,40]. According to the Turkish Data Protection Law, uncoded data/samples can be transferred with participants’ consent [41]. However, regulations on clinical research and personal health data state that personal data must be coded or anonymized for privacy [38, 42, 43].

Table 1 Transferability of data/samples with different level of subject’s privacy protection

Informed consent may not be always required

As shown in Table 2, informed consent is always required to transfer any data/samples for research from Mainland China, Italy and Singapore. This also applies to Japan, although the requirements for biological samples are not fully defined yet. In Turkey, Hong Kong, Taiwan, USA and the European countries except Italy, informed consent is not required to transfer anonymized data. In these same countries, except for Austria, informed consent is not required for the transfer of anonymized biological samples either. However, in Switzerland and Turkey, the patient has to be informed about the planned anonymization of biological samples and has the right to refuse (opt-out consent) [21].

Table 2 Requirements for informed consent (IC) to transfer data/samples abroad

In Uganda, Switzerland and the United Kingdom, waiver of informed consent is permitted by Ethic Committee and applicable regulatory authority in situations where it is problematic or challenging to obtain consent or where the public interest of research outweigh the interests of the subjects [21, 37, 44, 45]. In the United Kingdom, an additional approval from a health authority is required in these cases [44]. In Sweden, research may be carried out without informed consent if weakened state of health prevents the subject from expressing an opinion. There is to be consultation with the patient’s closest relatives and a custodian or other legal representative. However, proxy consent is not required, as only the research subject (if > 18 years old) can give consent in this country [46].

National health authorities are involved less often than ethics committees

A comparison of the required approvals is displayed in Table 3. In countries/regions where informed consent is not required to transfer anonymized data/samples, approval from the ethics committee is not required either, except for Turkey. In this country, ethical approval but no informed consent is required to transfer anonymized data/samples. In the United Kingdom, ethical approval is only required to transfer coded and uncoded data/samples for specific research projects. This also applies to Switzerland where, furthermore, approval is only required if the Swiss institution transferring the data/samples is involved in the project. The creation of databases and biobanks does not require approval in neither of the two countries just mentioned [21, 47]. However, British researchers have the option to seek a five-years lasting generic ethical approval for a range of research within the conditions of the ethical approval [47]. In all other countries, ethical approval is always required to transfer coded and uncoded data/samples.

Table 3 Required approvals to transfer data/samples abroad

In Austria, Hong Kong, Italy, Japan, Singapore and the USA, no national health authority is involved in the international transfer of data/samples for research purposes. In contrast, Uganda, Taiwan and Turkey require the approval of the local health authority (Uganda National Council for Science and Technology, the Ministry of Health and Welfare and Ministry of Health, respectively) in all sharing situations [37, 43, 48]. In the remaining countries/regions, health authorities are only involved in certain types of transfer.

Conclusions

The heterogeneous nature and complexity of several diseases and the deep characterization of individuals have led to the rapid development of personalized medicine. Access to large amount of health data is the next challenge for this medical model [49]. Where the available data in one country may not be sufficient to efficiently develop new pharmacogenetic-based treatment strategies and new algorithms to diagnose patients, DSE represents a huge resource to gain validity of findings and increase the impact of research. However, the lack of a unified ethical and legal environment presents an obstacle for the scientific community [2, 12]. The present work demonstrates that researchers currently operate within a very complex legal and ethical landscape. Regulations differ between countries/regions and are often incomplete, leading to uncertainty. Differences can also be found between regulations within a single country. In Turkey for example, although the data protection law allows the usage of uncoded data with subjects’ consent, sub-regulations restrict the usage of uncoded data relating to health. In addition, the rapid evolution of regulations over time make it impractical for researchers to keep abreast of the latest regulations across all jurisdictions. There is an unmet need for an accessible resource that provides information on country-specific requirements for DSE. Despite this, the complexity of this field means that in many cases, researchers may still require the guidance of experienced professionals [12]. This might be facilitated by International networks of research institutions such as ICN.

The most universal requirement for transferring data or samples across national borders identified in this work is ethical approval, whereas approval of national health authorities is required only in specific settings. Informed consent is not required in all sharing situations. However, waiver of informed consent is only allowed in certain countries/regions and under certain conditions.

When considering individuals’ privacy, the transfer of solely anonymized data may seem to be a practical solution. However, anonymization terminates the ability to link records with new datasets or to re-contact participants. Further, some argue that complete anonymization is impossible as long as the original records still exist [2, 50], leading to concerns over potential data misuse and compromised privacy. This work shows that transfer of anonymized data may also not be subject to less stringent regulation.

The ideal would be a single unified global legal and ethical framework to which all countries/regions could subscribe and that would permit seamless data and sample exchange. Sets of ethical principles for medical research already exist, such as the Declaration of Helsinki, the Declaration of Taipei, the Council for International Organizations of Medical Sciences (CIOMS) international ethical guidelines for biomedical research involving human subjects and the Organization for Economic Co-operation and Development (OECD) Guidelines on human biobanks and genetic research databases. However, these are not legally binding instruments under international law. Discordances can also be found between these internationally recognized guidelines. Given the heterogeneous regulatory and legal landscape reported here, and disagreement even in simple terminology and definitions, much work is needed in order to achieve the above-mentioned goal of a unified framework.

To address the need of global harmonization, we propose a collaborative and interdisciplinary approach trough the establishment of a working group including researchers, patient representatives, information technology experts and legal expertise from different geographical regions. This will require engagement of all relevant stakeholders. The first step will be a further detailed description of the current regulatory landscape, ideally with representation from all regions. This will allow generation of a library of shared and differing terms, identifying areas in greatest need of harmonization. It has become clear through this work that all regions share a desire to adequately protect the rights of the individual in DSE, and that the differences outlined in this manuscript lie in interpretation of data protection and the way in which it is defined. A key step will be agreeing a glossary of standardized terms and definitions. Next, guidance on the principles of responsible data and sample exchange should be agreed and published, allowing governments and regulators to benchmark and harmonize national regulations and laws. Finding the balance between a subject’s right to privacy and the public interest in advancing medical research in a manner that would be widely acceptable will be challenging, as already anticipated by the existing conflicts between current requirements to deposit data in research repositories and the GDPR [51]. The work of other groups such as the Global Initiative for the Ethical Use of Human Specimens (GIFT), who elaborated a set of recommendations for standardizing informed consent, should also be taken into consideration during this phase [52].

We recognise that harmonization of DSE will not in itself solve the limited extent of DSE. Even when DSE is possible, whether sharing takes place depends on many other factors including the attitudes of the investigators, the interests or requirements of research funders and others. However, we believe that a clearer regulatory landscape would help to overcome also this hindrance to fully enable robust, ideally patient-controlled health data/sample usage [16].

Our report is the first to compare the requirements for DSE across multiple jurisdictions spanning four continents and is strengthened by its representativeness. However, there are important limitations, including the lack of representation from South America and Australasia. Furthermore, a comprehensive and in-depth review of all legal considerations for each jurisdiction is beyond the scope of this preliminary survey. Data were provided by relevant ICN members, which represent leading clinical trials centres within the represented jurisdictions. We consulted with legal experts but have not sought input and verification from individual regulators. Additionally, an official English translation of the national regulations does not always exist. There is a need for further detailed work in collaboration with regulators where possible, but we consider the present overview a crucial first step towards identifying obstacles and opportunities from DSE. While we cannot directly mandate change, we hope that this work can form the basis for progress through increasing awareness, standardization and guidelines.

Availability of data and materials

Not applicable.

Abbreviations

AUT:

Austria

CHE:

Switzerland

CHN:

China

CIOMS:

Council for International Organizations of Medical Sciences

DSE:

Data and sample exchange

EU:

European Union

GBR:

United Kingdom of Great Britain and Northern Ireland

GDPR:

General Data Protection Regulation

HKG:

Hong Kong

ICN:

International Clinical Trial Center Network

ITA:

Italy

JPN:

Japan

OECD:

Organization for Economic Co-operation and Development

SGP:

Singapore

SWE:

Sweden

TUR:

Turkey

TWN:

Taiwan

UGA:

Uganda

USA:

United States of America

References

  1. 1.

    Global diffusion of eHealth: making universal health coverage achievable. Report of the third global survey on eHealth. Geneva: World Health Organization; 2016. Licence: CC BY-NC-SA 3.0 IGO.

  2. 2.

    Elger BS, Iavindrasana J, Lo Iacono L, Muller H, Roduit N, Summers P, et al. Strategies for health data exchange for secondary, cross-institutional clinical research. Comput Methods Prog Biomed. 2010;99(3):230–51. https://doi.org/10.1016/j.cmpb.2009.12.001.

    Article  Google Scholar 

  3. 3.

    Tian TY, Zlateva I, Anderson DR. Using electronic health records data to identify patients with chronic pain in a primary care setting. J Am Med Inform Assoc. 2013;20(e2):e275–80. https://doi.org/10.1136/amiajnl-2013-001856.

    Article  Google Scholar 

  4. 4.

    Capocasa M, Anagnostou P, D'Abramo F, Matteucci G, Dominici V, Destro Bisol G, et al. Samples and data accessibility in research biobanks: an explorative survey. PeerJ. 2016;4:e1613. https://doi.org/10.7717/peerj.1613.

    Article  Google Scholar 

  5. 5.

    Kinkorova J. Biobanks in the era of personalized medicine: objectives, challenges, and innovation: overview. EPMA J. 2015;7:4. https://doi.org/10.1186/s13167-016-0053-7.

    Article  Google Scholar 

  6. 6.

    De Souza YG, Greenspan JS. Biobanking past, present and future: responsibilities and benefits. AIDS (London). 2013;27(3):303–12. https://doi.org/10.1097/QAD.0b013e32835c1244.

    Article  Google Scholar 

  7. 7.

    ISBER : https://www.isber.org/ Accessed 14 Mar 2019.

  8. 8.

    BBMRI-ERIC: http://www.bbmri-eric.eu. Accessed 14 Mar 2019.

  9. 9.

    ESBB: https://esbb.org/. Accessed 14 Mar 2019.

  10. 10.

    P3G2: http://www.p3g2.org. Accessed 14 Mar 2019.

  11. 11.

    Mascalzoni D, Dove ES, Rubinstein Y, Dawkins HJ, Kole A, McCormack P, et al. International charter of principles for sharing bio-specimens and data. Eur J Hum Genet. 2015;23(6):721–8. https://doi.org/10.1038/ejhg.2014.197.

    Article  Google Scholar 

  12. 12.

    Sariyar M, Schluender I, Smee C, Suhr S. Sharing and reuse of sensitive data and samples: supporting researchers in identifying ethical and legal requirements. Biopreservation Biobanking. 2015;13(4):263–70. https://doi.org/10.1089/bio.2015.0014.

    Article  Google Scholar 

  13. 13.

    Kuchinke W, Krauth C, Bergmann R, Karakoyun T, Woollard A, Schluender I, et al. Legal assessment tool (LAT): an interactive tool to address privacy and data protection issues for data sharing. BMC Med Inform Decis Making. 2016;16(1):81. https://doi.org/10.1186/s12911-016-0325-0.

    Article  Google Scholar 

  14. 14.

    Woolley JP, Kirby E, Leslie J, Jeanson F, Cabili MN, Rushton G, et al. Responsible sharing of biomedical data and biospecimens via the “automatable discovery and access matrix” (ADA-M). NPJ Genomic Med. 2018;3:17. https://doi.org/10.1038/s41525-018-0057-4.

    Article  Google Scholar 

  15. 15.

    DLA Piper handbook: https://www.dlapiperdataprotection.com/. Accessed 14 Mar 2019.

  16. 16.

    Mikk KA, Sleeper HA, Topol EJ. The Pathway to Patient Data Ownership and Better Health. JAMA. 2017;318(15). https://doi.org/10.1001/jama.2017.12145.

  17. 17.

    ICN: https://www.icn-connect.org/. Accessed 14 Mar 2019.

  18. 18.

    Holmgren AJ, Adler-Milstein J. Health Information Exchange in US Hospitals: The Current Landscape and a Path to Improved Information Sharing. J Hosp Med. 2017;12(3):193–8. https://doi.org/10.12788/jhm.2704.

    Article  Google Scholar 

  19. 19.

    Regulation (EU) 2016/679 of the european parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Mai 2018: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN. Accessed 14 Mar 2019.

  20. 20.

    The Italian Decree no. 101/2018 of 10 August 2018: https://www.garanteprivacy.it/home_en/italian-legislation. Accessed 14 Mar 2019.

  21. 21.

    Swiss Federal Act on Research involving Human Beings (Human Research Act), 30 September 2011 (Status as of 1 January 2014): https://www.admin.ch/opc/en/classified-compilation/20061313/index.html. Accessed 14 Mar 2019.

  22. 22.

    Singaporean Personal Data Protection Act No. 26 of 2012: https://sso.agc.gov.sg/Act/PDPA2012. Accessed 14 Mar 2019.

  23. 23.

    USA, 45 CFR §160.103(2)(iv)): https://www.law.cornell.edu/cfr/text/45/160.103. Accessed 31 Oct 2019.

  24. 24.

    Information Security Technology –Personal information security specification of People's Republic of China, December 2017: https://www.tc260.org.cn/upload/2018-01-24/1516799764389090333.pdf. Accessed 14 Mar 2019.

  25. 25.

    USA, 45 CFR § 164.514: https://www.law.cornell.edu/cfr/text/45/164.514. Accessed 31 Oct 2019.

  26. 26.

    The Japanese Act on the Protection of Personal Information (Act No, 57), May 30, 2003, latest amended in May 30, 2017: https://www.ppc.go.jp/files/pdf/Act_on_the_Protection_of_Personal_Information.pdf. Accessed 14 Mar 2019.

  27. 27.

    Austrian Act on Research Organisation, BGBl. Nr. 341/1981, 25.05.2018: https://www.ris.bka.gv.at/GeltendeFassung.wxe? Abfrage=Bundesnormen&Gesetzesnummer=10009514. Accessed 14 Mar 2019.

  28. 28.

    Austrian Federal Act concerning the Protection of Personal Data, BGBl. I Nr. 165/1999, 25.05.2018: https://www.ris.bka.gv.at/Dokumente/Erv/ERV_1999_1_165/ERV_1999_1_165.pdf. Accessed 14 Mar 2019.

  29. 29.

    General Austrian Civil Code of Law, JGS Nr. 946/1811, version of 14.08.2018: https://www.ris.bka.gv.at/GeltendeFassung.wxe? Abfrage=Bundesnormen&Gesetzesnummer=10001622. Accessed 14 Mar 2019.

  30. 30.

    Swiss Federal Act on Data Protection , 19 June 1992 (Status as of 1 January 2014): https://www.admin.ch/opc/en/classified-compilation/19920153/index.html. Accessed 14 Mar 2019.

  31. 31.

    Japanese Ethical Guidelines for Medical and Health Research Involving Human Subjects, Dec 22, 2104 (latest amended in Feb 28, 2017): http://www.mhlw.go.jp/file/06-Seisakujouhou-10600000-Daijinkanboukouseikagakuka/0000153339.pdf. Accessed 14 Mar 2019.

  32. 32.

    Swedish Biobanks in Medical Care Act (2002:297), 1 January 2003: https://skl.se/. Accessed 14 Mar 2019.

  33. 33.

    Interim Measures for the Administration of Human Genetic Resource Administration of the People's Republic of China, June 1998: http://www.most.gov.cn/bszn/new/rlyc/wjxz/200512/t20051226_55327.htm. China. Accessed 14 Mar 2019.

  34. 34.

    Personal Data (Privacy) Ordinance (CAP 486 of the laws of Hong Kong), Dec 1996, last amendment 2012: https://www.elegislation.gov.hk/hk/cap486 Accessed 14 Mar 2019.

  35. 35.

    Taiwanese Human Subject Research Act, released on 28 Dec. 2011: https://law.moj.gov.tw/Eng/LawClass/LawAll.aspx? PCode=L0020176. Accessed 14 Mar 2019.

  36. 36.

    USA Health Insurance Portability and Accountability Act of 1996: https://www.govinfo.gov/content/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf. Accessed 31 Oct 2019.

  37. 37.

    National guidelines for research involving humans as research participants of Uganda, July 2014: http://www.uncst.go.ug/. Accessed 14 Mar 2019.

  38. 38.

    Turkish Good Clinical Practice Guideline, 13.11.2015: https://www.titck.gov.tr/. Accessed 14 Mar 2019.

  39. 39.

    Singaporean Personal Data Protection Commission Sector Specific Advisory Guidelines for the Healthcare Sector, issued 11 September 2014, revised 28 March 2017: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Sector-Specific%20Advisory/advisoryguidelinesforthehealthcaresector28mar2017.pdf. Accessed 14 Mar 2019.

  40. 40.

    Taiwanese Personal Information Protection Act, released on 30 Dec. 2015: https://law.moj.gov.tw/Eng/LawClass/LawAll.aspx? PCode=I0050021. Accessed 14 Mar 2019.

  41. 41.

    Turkish Law on the Protection of Personal Data No. 6698, 24.03.2016: https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/aea97a33-089b-4e7d-85cb-694adb57bed3.pdf. Accessed 14 Mar 2019.

  42. 42.

    Turkish Guideline for Biological Material Management in Clinical Research, 05.08.2015: https://www.titck.gov.tr/. Accessed 14 Mar 2019.

  43. 43.

    Turkish Regulation on Personal Health Data, 21.06.2019: http://www.resmigazete.gov.tr/eskiler/2019/06/20190621-3.htm Accessed 27 June 2019.

  44. 44.

    MRC. Medical Research Council (MRC) Data Sharing Policy: https://mrc.ukri.org/research/policies-and-guidance-for-researchers/data-sharing/. Accessed 14 Mar 2019.

  45. 45.

    UK National Health Service Legislation 2006: http://www.legislation.gov.uk/ukpga/2006/41/part/13/crossheading/patient-information. Accessed 31 Oct 2019.

  46. 46.

    The Swedish Ethical Review Act (2003:460), 5 June 2003: https://www.epn.se/media/2348/the_ethical_review_act.pdf Accessed 14 Mar 2019.

  47. 47.

    Integrated Research Application System (IRAS): https://www.myresearchproject.org.uk/help/hlpcollatedqsg-sieve.aspx#1309. Accessed 14 Mar 2019.

  48. 48.

    Taiwanese Human Biobank Management Act, issued on 8 Aug. 2012 by Ministry of Health and Welfare: https://law.moj.gov.tw/Eng/LawClass/LawAll.aspx? PCode=L0020164. Accessed 14 Mar 2019.

  49. 49.

    Kalra D. The importance of real-world data to precision medicine. PerMed. 2019;16(2):79–82. https://doi.org/10.2217/pme-2018-0120.

    Article  Google Scholar 

  50. 50.

    Sariyar M, Schlunder I. Reconsidering Anonymization-related concepts and the term “identification” against the backdrop of the European legal framework. Biopreservation Biobanking. 2016;14(5):367–74. https://doi.org/10.1089/bio.2015.0100.

    Article  Google Scholar 

  51. 51.

    Mascalzoni D, Bentzen HB, Budin-Ljosne I, Bygrave LA, Bell J, Dove ES, et al. Are requirements to deposit data in research repositories compatible with the European Union's general data protection regulation? Ann Intern Med. 2019;170(5):332–4. https://doi.org/10.7326/M18-2854.

    Article  Google Scholar 

  52. 52.

    Warner AW, Moore H, Reinhard D, Ball LA, Knoppers BM. Harmonizing global biospecimen consent practices to advance translational research: a call to action. Clin Pharmacol Ther. 2017;101(3):317–9. https://doi.org/10.1002/cpt.461.

    Article  Google Scholar 

Download references

Acknowledgements

The authors thank ICN for encouraging and supporting this project. In particular, the authors would like to thank Maria De Medina Redondo, Yann Reydelet and Anja Eskat from the Clinical Trials Center of the University Hospital Zurich; Harriet Hudd from the Karolinska Trial Alliance; Mohammed Lamorde and Andrew Kambugu from the Infectious Diseases Institute of Kampala; the paralegal officer Surinder Kaur from the Singapore Clinical Research Institute; attorney Jill Niu and the managers Shu-Ting Chuang, Chin-Ting Hsu, Cheng-Li Lin, Chung-Hsuan Yang, Yu-Wen Chen, Feng-Shuo Pai, I-Hsuan Chiang from the China Medical University Hospital Clinical Trial Center and Taiwan Center for Drug Evaluation for supporting the data collection and the realization of this manuscript.

Funding

The authors have nothing to disclose. ICN has no financial interest in this work, and the authors have not received direct or indirect funding for this project.

Author information

Affiliations

Authors

Contributions

LB contributed to project design, project conduct, data curation, data interpretation and manuscript drafting. SŞ contributed to data acquisition, data interpretation and manuscript drafting. TFH contributed to project conception, data acquisition and manuscript drafting. DHYH, MW, CW and HY contributed to project conception, data acquisition and manuscript revision. FJ contributed to project design, data acquisition and manuscript revision. FT contributed to project conception, project design and manuscript revision. LA, APB, MH, CYH, TI, WK, ATP, RL, LS and CVHW contributed to data acquisition and critically revised the manuscript. YU and GS contributed to project conception, supervised the project and critically revised the manuscript. All authors approved the final version submitted.

Corresponding author

Correspondence to Gabriela Senti.

Ethics declarations

Ethics approval and consent to participate

Not applicable.

Consent for publication

Not applicable.

Competing interests

The authors declare that they have no competing interests.

Additional information

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Supplementary information

Additional file 1.

List of definitions: the Excel file “List of definitions_data protection.xlsx” includes legal definitions for the terms “personal data”, “anonymized”, “de-identified”, “pseudonymized” and “encrypted”, as provided by the participating ICN countries/regions.

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The Creative Commons Public Domain Dedication waiver (http://creativecommons.org/publicdomain/zero/1.0/) applies to the data made available in this article, unless otherwise stated.

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Bernasconi, L., Şen, S., Angerame, L. et al. Legal and ethical framework for global health information and biospecimen exchange - an international perspective. BMC Med Ethics 21, 8 (2020). https://doi.org/10.1186/s12910-020-0448-9

Download citation

Keywords

  • Data sharing
  • Biobanking
  • Big data
  • Research policies
  • International exchange