Patient privacy

Patient privacy and the GDPR - an interview with Adrian Thorogood


The legal and ethical work steam in EPND is developing a governance framework composed of legal, ethical, and regulatory principles, to guide the responsible discovery and sharing of data and samples. This framework will ensure that EPND users comply with these principles and the associated best practices. 

EPND’s work package 2 is the central hub for all ethical, legal and societal issues (ELSI), including business and regulatory considerations. The EPND platform will enable sharing of biosamples and clinical data from patients and research participants. Therefore, it must respect data protection laws and ethical principles governing health research and biobanking. 

To find out more, we spoke to Adrian Thorogood, a key contributor to the work on legal and ethical aspects in EPND. Together with his colleagues, Adrian led the development of EPND’s Data Protection Impact Assessment (DPIA). The goal of EPND’s DPIA is to identify, assess, and help address risks to the rights and freedoms of data subjects arising from data processing. Importantly, a DPIA is legally required by the EU General Data Protection Regulation (GDPR) for processing of personal data that is likely to pose a high risk to the fundamental rights of natural persons

Adrian completed this work as part of his role as a Research and Development Specialist at the Luxembourg Centre for Systems Biomedicine in the University of Luxembourg. Currently, Adrian works as a Data Governance Manager for the Terry Fox Research Institute, based in Montreal, Canada.  

Hi Adrian! What is your background and position at your institution?

I am a Canadian lawyer and legal researcher who supports cross-border data sharing initiatives in genomics and biomedicine. From 2020-2022 I was based at the University of Luxembourg, Luxembourg Centre for Systems Biomedicine, where I worked on ethical and legal challenges related to EU-wide data sharing platforms.

What is your role in the EPND project?

While working on EPND, I was the academic lead of the Ethical, Legal, Social Issues (ELSI) Work Package. In this role I was fortunate to work closely with my industry co-lead Phil Scordis from UCB, a tireless advocate for getting ELSI right in research consortia, and Davit Chokoshvili from the University of Luxembourg, EPND’s dedicated ELSI Officer. The Work Package brings together industry and academic partners to develop ethical and legal guidelines for the responsible discovery and sharing of dementia research data and biospecimens. It focuses on efforts to identify compliance requirements, conduct risk assessments, and provide support services to partners.

What do you hope to contribute to EPND?

The aim is to develop governance frameworks that lend confidence to EPND partners that their activities comply with legal and ethical requirements, even where resources are shared broadly across borders and sectors.

Could you give us a short summary of the deliverable on Data Protection Impact Assessment (DPIA)?

Our DPIA is a framework that guides EPND partners to mitigate privacy risks when sharing dementia samples and data. It also helps partners to demonstrate compliance and foster trust. More specifically, the DPIA defines the flows of personal data across EPND; supports Cohorts to conduct local risk assessments; and informs the design and operation of EPND’s federated data infrastructure.

Which partners were involved in the development of this deliverable?

Developing this DPIA framework was a collaborative and interdisciplinary effort between legal and ethical experts, biomedical researchers, and technologists across EPND. Workshops were held with EPND technologists to co-develop an innovative, privacy-preserving federated data sharing platform. Surveys were conducted with Cohorts and biobanks to understand and ensure EPND addresses their local concerns and requirements.

How does this deliverable relate to the larger mission of EPND?

EPND aims to support collaboration and resource sharing between academic and industry researchers to accelerate progress in dementia research. Ethical and legal compliance is a mission-critical challenge for this network. The EU General Data Protection Regulation provides a robust and harmonized standard for protecting personal data within the EU, but important legal and interpretive differences still need to be handled across Member States and institutions.

How will the DPIA be implemented in EPND?

Contributing Cohorts and biobanks can integrate the DPIA framework directly into their local risk assessments and can also use it as a reference in conversations with research ethics committees and data protection authorities. The DPIA also identifies a number of privacy and security safeguards that will be implemented by EPND Cohorts, platform providers, and users.

How could the deliverable be useful for the neurodegeneration community and the general public?

This is a first version of the DPIA that will be improved in the next years through patient engagement activities. In fact, DPIA methodologies include consultation with data subjects and communities to develop a shared understanding of privacy risks and appropriate safeguards. Ultimately, as confidence builds in privacy protection, communities can become a key advocate for collaborative, networked research.

What is your favourite aspect of working on EPND?

EPND gave me the opportunity to work with wonderful and motivated professionals across sectors, countries, and disciplines. In a short time, I learned so much about the inter-related challenges and opportunities of biomedical research, IT management and infrastructure, and patient engagement in the EU context.

What is challenging about your work on the project? How do you address this?

The fundamental challenge of such a big and complex pan-European research network is effectively communicating across a matrix organization, where multiple disciplinary work packages interface with potentially hundreds of Cohorts, infrastructure providers and research organizations. We addressed this by targeting our workshops and surveys for maximum efficiency, and by relying on excellent leadership and project management to coordinate cross-network communications.

What in your opinion is the importance of EPND for the wider field of neurodegenerative research?

Everyone acknowledges that increased scale and collaboration are critical for data-intensive biomedical research. Everyone acknowledges that modern data management platforms and analytics can accelerate progress. The underlying standardisation and coordination challenges, however, can be truly daunting. EPND is an incredibly important effort to solve these issues on a foundational level, enabling seamless collaboration between neurodegenerative researchers.