Evaluating the adequacy of foreign laws

European countries shared examples where project approval decisions have been complicated by a lack of information regarding whether the legislation protecting personal health data in the foreign country of the applicant provides an adequate level of protection when compared with the national laws; and where the legislative protections of the country of the applicant have been found to be inadequate.

Finland shared an example where a researcher from Australia requested access to de-identified microdata for a project. The researcher and THL worked together to explain to the Data Protection Authority (DPA) why the detailed data needed to be provided to the Australian researcher. The document went back and forth to the DPA several times before the DPA could be satisfied to release the de-identified data to the researcher. This process took 34 months.

In a second example from Finland, a researcher from the United States was seeking access to de-identified microdata for a project. In this case, the legal framework in the United States was found to be very different from that of Europe. If a US institution is included within a safe harbour agreement, which means that it has been verified to have similar data protections to Europe, then the institution can be treated similarly to a European applicant. However, the experience of THL was that many institutions doing credible scientific research in the United States were not included in the safe harbour agreement. As a result, THL decided not to share data with US institutions outside of the safe harbour agreement. US researchers have been granted access to de-identified data only when they are able to work in Finland and access the data on-site at THL.

In an example from the United Kingdom (Wales) SAIL project, it was possible to grant an applicant from Australia access to de-identified microdata because there was no need to transfer the data to them. Instead, the approved researcher is able to work with the data within a secure remote data access system, just as would any domestic applicant for access to de-identified data.

