Regulatory frameworks

Abstract

In this chapter, we review ethical and legal regulatory frameworks as relevant to the topic of linking sensitive databases that contain personal information. With reference to the declarations of Helsinki and Taipei, the resulting importance of research ethics committees is explained. Thereafter, we describe formal regulations for linking databases in selected countries. The European Data Protection Regulation (GDPR) and its implementation in different European countries are outlined first (Austria, Germany, UK). We discuss the Caldicott principles, important in the UK but not well known in Europe. We then describe the basic principles of the Common Rule and the Health Insurance Portability and Accountability Act (HIPAA) in the US. For comparison, the legal regulations in Australia and Switzerland are outlined. We then introduce best practice approaches, such as separating microdata and identifiers, using technical and organisational measures to restrict data access, and implementing organisational structures and procedures such as the Five Safes. Finally, we highlight the importance of embedding research involving sensitive databases within organisational and societal settings, both for the evaluation of privacy as well as preconditions for research.

Regulatory frameworks. (2020). In Linking Sensitive Data: Methods and Techniques for Practical Privacy-Preserving Information Sharing (pp. 27–45). Springer International Publishing. https://doi.org/10.1007/978-3-030-59706-1_2
