Modelling and enforcing privacy for medical data disclosure across Europe

Abstract

The harmonization of data protection legislation in Europe has been theoretically achieved by means of the EU directive on data protection. In practice the harmonization is not absolute and conflicts and inconsistencies continue to exist in the way Member States are implementing the directive. The integration of different European medical systems by means of grid technologies will continue to be challenging if technology does not intervene to enhance interoperability between national regulatory frameworks on data protection. In this paper we present an approach to automate privacy requirements for the sharing of patient data across Europe on a healthgrid domain and ensure its enforcement internally and within external domains where the data might travel. This approach is based on the semantic modelling of privacy obligations that are of legal, ethical or cultural nature. These requirements are for the sharing of personal data between different European Member States. Our model reflects both similarities and conflicts, if any, between the different Member States. This allows us to reason on the safeguards a data controller should ask from an organization belonging to another Member State before disclosing medical data to them. The system will also generate the relevant set of policies to be enforced at the process level of the grid to ensure privacy compliance before allowing access to the data.