You are currently viewing a new version of our website. To view the old version click .
MDPIMDPI
Search all articles
Healthcare
Download PDF
  • Article
  • Open Access

8 February 2023

A GDPR-Compliant Dynamic Consent Mobile Application for the Australasian Type-1 Diabetes Data Network

,
,
and
School of Computing and Information Systems, The University of Melbourne, Melbourne, VIC 3010, Australia
*
Author to whom correspondence should be addressed.
The ADDN Study Group: https://www.addn.org.au/governance.
Healthcare2023, 11(4), 496;https://doi.org/10.3390/healthcare11040496
This article belongs to the Special Issue Computer-Based Medical Systems
Version Notes
Order Reprints

Abstract

Australia has a high prevalence of diabetes, with approximately 1.2 million Australians diagnosed with the disease. In 2012, the Australasian Diabetes Data Network (ADDN) was established with funding from the Juvenile Diabetes Research Foundation (JDRF). ADDN is a national diabetes registry which captures longitudinal information about patients with type-1 diabetes (T1D). Currently, the ADDN data are directly contributed from 42 paediatric and 17 adult diabetes centres across Australia and New Zealand, i.e., where the data are pre-existing in hospital systems and not manually entered into ADDN. The historical data in ADDN have been de-identified, and patients are initially afforded the opportunity to opt-out of being involved in the registry; however, moving forward, there is an increased demand from the clinical research community to utilise fully identifying data. This raises additional demands on the registry in terms of security, privacy, and the nature of patient consent. General Data Protection Regulation (GDPR) is an increasingly important mechanism allowing individuals to have the right to know about their health data and what those data are being used for. This paper presents a mobile application being designed to support the ADDN data collection and usage processes and aligning them with GDPR. The app utilises Dynamic Consent—an informed specific consent model, which allows participants to view and modify their research-driven consent decisions through an interactive interface. It focuses specifically on supporting dynamic opt-in consent to both the registry and to associated sub-projects requesting access to and use of the patient data for research purposes.

1. Introduction

In 2022, Optus, the second-largest telecommunication company in Australia, and Medibank, one of the major Australian private health insurance providers, suffered major data breaches [,,]. These resulted in a range of sensitive data being released on the Internet, including Medicare numbers and health claims data. The increasingly frequent occurrence of such data breaches has placed millions of Australians’ personal data at risk. Through such breaches and many others, individuals have become more aware of what data are collected about them, where those data are located and how/why that information is being used.
Since 2020, the Australian government has been actively seeking public opinion on its current Australian privacy legislation—Privacy Act 1988 (The Act) [,,], to bring it in line with international frameworks such as the European Union proposed General Data Protection Regulation (GDPR) []. Amongst other things, the Privacy Legislation Amendment 2022 aims to increase the penalties for serious privacy breaches [,]. GDPR recognises that companies and organisations across Australia and globally need to consider the protection and use of data over its lifetime. This is especially the case with health data. In contrast to the current Privacy Act, GDPR is a more advanced regulation that provides the definition of “personal data” instead of “personal information”, it broadens the scope of data under protection and gives individuals (“data subjects”) more control over their own data. It also outlines several legal bases that businesses and organisations are required to rely on to process personal data, among which the idea of consent is key. GDPR enumerates the conditions for legitimate consent to ensure the unambiguity, granularity and informativeness of consent and the autonomy of individuals when giving consent []. Individuals also have the right to withdraw their consent and hence data at any time with no recourse to themselves or the healthcare they may be receiving.
Personal data are ever-increasingly digitised and subsequently hosted by various organisations (GDPR “data controllers”). In the health context, this data can include personal data related to the individuals health, e.g., through Electronic Health Records (EHRs) []. Medical registries, biobanks, and clinical trials often collect and store health data to serve many diverse research purposes. For many research projects, a one-off opt-in or opt-out static consent model is the primary means of recording an individual’s agreement to engage in research and allow access to the use of their data. This is currently compliant with national legal and ethical requirements in Australia and New Zealand; however, the legal and ethical landscape is changing, especially with the rise and adoption of GDPR. The Australasian Diabetes Data Network (ADDN—www.addn.org.au) is one example of a one-off opt-out consent model. ADDN collates the health data of patients with diabetes from both paediatric and adult centres across Australasia to provide a national registry for approved researchers. Once an individual consents to be involved in ADDN, or more specifically, they do not opt-out of being involved in the registry, their data can be used for many diverse purposes (www.addn.org.au/publications accessed on 20 December 2022). For example, Couper et al. []. used patient Body Mass Index (BMI) data from ADDN to measure the impact on cardiovascular risk factors for youths with type-1 diabetes (T1D). There are also several international studies using ADDN data. For example, Bratina et al. [] examined the prevalence of diabetic retinopathy among youths with type-1 diabetes (T1D) from 11 countries, where the Australian data were extracted from ADDN. The cross-border usage of ADDN data makes complying with international data sharing frameworks increasingly important. However, it is very likely that the patients themselves are unaware of these studies and how their data might be used. Furthermore, once they have not opted-out of the registry, their data are continually updated over time with no need to periodically check that they still consent to have their data stored in the registry.
The ADDN platform has been developed within the context of Australian legislation such as the Privacy Act 1988 (The Act) and its national equivalents (such as the NZ Privacy Act 2020) []. In [], we explored the various technical, legal and ethical issues of ADDN that may be raised in the context of GDPR with a specific focus on fulfilling GDPR consent requirements, and the impact of GDPR on ADDN motivated us to design an application that resonates with the more advanced privacy regulation framework. This paper is an extension of []. Specifically, we present a prototype mobile Health (mHealth) application realising a GDPR dynamic consent model for ADDN that brings patients “into the loop” regarding data in the registry and how those data can be accessed and used. We present the conceptualisation and design of the new ADDN consent process, describing how dynamic GDPR-compliant consent is supported through the mHealth application that addresses the legal and ethical demands on the downstream use of the data by researchers, as well as the patients’ right to know what is happening with their data. We discuss the ramifications this has on the ADDN business as usual processes and how these need to be counter-balanced by the increasing demands of an individual’s right to know what is happening with their data.

2. Background

2.1. The ADDN Project

Australia’s prevalence of type-1 diabetes (T1D) is rated the sixth highest in the world, and the incidence in children aged 0–14 is the seventh highest. In September 2022, there were 134,735 people with type-1 diabetes registered with the National Diabetes Service Scheme (NDSS) []. The Australasian Diabetes Data Network (ADDN) registry is a clinical database comprising data from patients with T1D. It was established in 2012 and funded by the Juvenile Diabetes Research Foundation (JDRF) []. Currently, the data populated within the ADDN registry are uploaded from 42 paediatric and 17 adult diabetes centres across Australia and New Zealand. This comprises extensive data on over 20,000 patients with over 230,000 visits/treatments. ADDN has been established to enable the collection of health information from individual centre databases onto a single unified platform. This allows monitoring long-term outcomes for people with T1D; to facilitate T1D and related research studies, and ultimately to improve the clinical care of T1D patients across Australasia. The ADDN registry is developed, supported, and maintained by the Melbourne eResearch Group (MeG—www.eresearch.unimelb.edu.au) at the University of Melbourne.
Clapin et al. [] describe Phase 1 (2012–2015) of the ADDN registry development. In this phase of ADDN, the focus was primarily on collecting and using data on paediatric patients coordinated with the Australasian Paediatric Endocrine Group (APEG []) and the Australian Diabetes Society (ADS []). ADDN Phase 1 realised a web-based registry with an agreed dataset and data dictionary. This included a core and extended (optional) set of data agreed on by all sites, clinicians, and researchers involved in APEG and ADS. This phase also included an overarching governance structure and guidelines for data access, and for the national reporting of diabetes outcomes in children and adolescents. A selected subset of diabetes centres made their data available through the ADDN registry in Phase 1. The ADDN project established operational practices for the cleaning and processing of the site data for incorporation into a unified, national registry.
Following the success of Phase 1, ADDN Phase 2 (2016–2020) included additional paediatric centres and a multitude of adult diabetes centres. These centres upload data to ADDN twice a year and receive a site-specific benchmarking report as a benefit (see Figure 1b). They are also informed of studies that might be occurring or propose their own studies using the aggregated T1D data. During this phase, ADDN data were made available for an extended set of research projects. These projects went through a light-touch ADDN-specific process for approval. However, communication of this to patients was not made, hence they were unaware of the projects that were proposed and/or taking place using their data.
Figure 1. (a) A representative example of de-identified data based on a subset of the ADDN schema. (b) A screenshot of the HbA1c section of the benchmarking report. “P-“ indicates a paediatric centre.
The technical implementation and governance structure of the Phase 2 ADDN registry focused more on the security of data by de-identifying the data at the source and obtaining opt-out patient consent before populating to ADDN. Figure 1a gives a representative example of de-identified patient data based on the current ADDN schema, where the identifying data of patients have been removed and replaced by unique subject identifiers (USI) generated by the BioGrid data linkage platform (shown as bioGridId), together with a centre-specific LocalId and associated centre name. The date that the person decided not to opt-out of the ADDN registry is recorded as dateOfAddnConsent.
The current Phase 3 of ADDN (2021–2024) focuses on delivering better health outcomes for people with T1D and expanding the registry to many additional centres across Australia and New Zealand, as well as supporting international collaborations. Importantly, the project wishes to support deeper analytics and the linkage of ADDN data with data from external agencies such as the Australian Institute of Health and Welfare [] national death index, the Australian medical benefits scheme [] and the Australian pharmaceutical benefits scheme []. Such linkages necessitate the inclusion and use of more (fully) identifying data, i.e., fully identifying data are to be released from hospitals and included in the ADDN registry. The ethics approval for this has already been granted; however, this raises both technical, legal and broader ethical issues regarding data collection and usage that go beyond any given ethics review committee decision. As such, the impact of GDPR needs to be thoroughly considered, and especially what this means to the ADDN patients themselves.

2.2. GDPR Concepts

2.2.1. Controller, Processor and Data Subjects

Articles 4.7 and 4.8 of GDPR [] define Data Controller as an “entity that determines the ’why’ and the ’how’ of processing personal data”, whilst the definition of Data Processor is “the entity that actually performs the data processing on the controller’s behalf”. ADDN is a multi-party collaboration that has a complex chain of parties performing the duties of both the data controller and data processor. An ADDN governance team consisting of independent (external) investigators, ADDN investigators, JDRF representatives, and patient advisory group representatives determines the primary direction of operations of ADDN. The software developers at the Melbourne eResearch Group (MeG) are in charge of processing the data that comes from hospital systems and aligning it with ADDN governance structures. For example, site data can only be accessed by the sites directly, and only aggregated data can be released to researchers.
It is noted that GDPR defines the concept of a data subject as “any living individual whose personal data is collected, held or processed by a particular organisation.” (Article 4.1 []). Many of the patients in ADDN have since become deceased, so they are not data subjects in the GDPR sense. The personal data about living individuals (data subjects) fall into the scope of GDPR, and are thus under protection. GDPR then gives the definition of what personal data are.

2.2.2. Personal Data, Pseudonymisation and Safeguards

According to Article 4.1 of GDPR [], personal data are considered to be “any information concerning an identified or identifiable natural person”. Though there are no specific examples of personally identifiable information (PII) given by GDPR, we can refer to the instructive list of 18 identifiers (Box 1) introduced by the US Health Insurance Portability and Accountability Act (HIPAA) [].
Box 1. Personally identifiable information defined by HIPAA.
(1)
Name.
(2)
Address (all geographic subdivisions smaller than state, including street address, city county, and zip code).
(3)
All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89).
(4)
Telephone numbers.
(5)
Fax number.
(6)
Email address.
(7)
Social Security Number.
(8)
Medical record number.
(9)
Health plan beneficiary number.
(10)
Account number.
(11)
Certificate or license number.
(12)
Vehicle identifiers and serial numbers, including license plate numbers.
(13)
Device identifiers and serial numbers.
(14)
Web URL.
(15)
Internet Protocol (IP) address.
(16)
Finger or voice print.
(17)
Photographic image—photographic images are not limited to images of the face.
(18)
Any other characteristic that could uniquely identify the individual.
Pseudonymisation is a de-identification procedure by which identifiable information is replaced by a unique key code; for example, by hashing or other suppression and obfuscation technologies []. It is recognised as a safeguard of personal data under GDPR, but pseudonymised data are still personal data if “it can be attributed to a natural person by the use of additional information” (Recital 26 []). GDPR describes appropriate safeguards as technical (e.g., pseudonymisation, encryption) or organizational measures (e.g., ethics committee responsible for governance) that should be used to minimize data leakage and privacy erosion (Recital 156 []). The data controller and processor need to align with such technical and organizational measures when processing personal data (Article 23 []) for public interest or for scientific research (Article 9.2 []) to be labelled as GDPR-compliant.

2.2.3. Legal Bases

Data controllers are required to provide a legal basis to ensure the lawfulness of processing personal data under GDPR. In [], we summarised the five legal bases researchers should rely on when involved in a medical research project, and more specifically, the six legal bases for processing sensitive personal data, i.e., “special categories of personal data”. For medical research where sensitive data are involved, such as ADDN, we rule out irrelevant legal bases, for example, the contractual service, legal obligation or vital interest are obviously not applicable. We concluded that informed consent would eventually become mandatory for processing sensitive health data without a public interest certificate or scientific research exemption in place with appropriate safeguards. The immediate challenge faced by ADDN is the current opt-out consent model is insufficient to comply with the conditions of GDPR consent.
Box 2. Conditions of consent (Article 7).
(1)
Freely given—the data subjects must not be cornered into agreeing, noting that the imbalance between the data subject and controller can often make unencumbered consent difficult, e.g., patients may feel obliged or have concerns that the treatments they receive may be inferior if they do not agree. Furthermore, each usage of personal data should be given separate consent.
(2)
Specific—the consent must be collected for certain agreed activities or purposes unless explicitly identified as “general” research.
(3)
Informed—the data subject must fully understand the consent before making the decision, including an understanding of data processing activities and their purpose and any associated risks or consequences.
(4)
Unambiguous—it should be immediately clear whether the data subject has consented. Consent under GDPR cannot be implied, and explicit opt-in consent is required.
(5)
Withdrawal—individuals can withdraw their consent at any time, and this withdrawal should be made as easy as obtaining the original consent.

2.2.4. GDPR Consent Conditions

Informed opt-in consent is the legal basis upon which ADDN needs to rely upon moving forward to be aligned with GDPR. Consent is only valid when it meets the five conditions summarised in Box 2 above. There has been a long debate that the strict restrictions of GDPR legal bases and consent may be a “threat to hamper medical research” [] since the purpose of medical research is often vague at the time of data collection and hence it would fail the “specific” conditions identified above. GDPR recognises “Consent to Certain Areas of Scientific Research” or “Broad Consent” for scientific use in Recital 33. That is, with appropriate safeguards, data subjects should be allowed to consent to certain areas of research using their data. However, Broad Consent is subject to a range of limitations, e.g., it cannot be used for primary research and is only limited to secondary research []. Additionally, the opponents of Broad Consent argue that it is by its nature uninformative [], and the absence of a “broadness” standard may put personal data at risk of abuse, as the actual “broadness” can vary significantly depending on often subjective research-driven interpretations [].

2.3. Dynamic Consent

2.3.1. mHealth

Mobile health is the terminology used to define the usage of mobile communication devices including mobile phones, tablets and wearable devices, which pertain to the field of clinic research, health services and health monitoring []. The use of mHealth is growing rapidly as communication technologies improve. In 2022, Australia had the second-highest smartphone penetration rate in the world []. Diverse mobile health applications [,,,] have been developed based on the widespread adoption of smartphones.
Most mHealth applications are often concerned with removing temporal, geographic, and organizational barriers to clinical research and health services []. They enable patients, doctors, and researchers to easily access clinical data through mobile devices anytime and anywhere. Previous research projects have explored the benefits patients gained from mHealth applications by being active participants. For example, Qudah et al. [] found mHealth would affect the relationship between patients and health providers positively and could ultimately improve health outcomes. Baysari et al. [] identified that by enhancing the design of mHealth applications, “human factors” would facilitate patient-centred care coordination. Many mainstream apps from technology providers such as Apple have many health-related apps included directly onto the phone as part of the core operating system that track a range of health-related phenomenon, e.g., steps taken each day.

2.3.2. eConsent and Dynamic Consent

Whilst most surveys focus on the user experience and efficacy of mHealth apps, only a few focus on their benefits from the perspective of personal data protection, privacy regulations and ethics. Schairer et al. [] highlight the importance of electronic informed consent (eConsent) in mHealth applications. This mitigates the unforeseen privacy risks that patient data may be exposed to when existing in complex mHealth ecosystems by handling their data in a transparent manner.
The benefits of eConsent can only be realized with proper patient-focused co-design processes, where patients are at the heart of the technology design and evolution. Different models of consent have been put forward to be in line with changing regulations, evolving ethical requirements and diverse research needs, but these are rarely exposed directly to the needs, demands and understanding of patients themselves. Wiertz et al. [] focused on different models of consent and their ethical concerns. They considered Tiered Consent, Meta Consent involving Broad Consent, and specific Dynamic Consent through interactive and personalised interfaces. Dynamic Consent was first implemented in the Ensuring Consent and Revocation (EnCoRe) project []. Dynamic Consent was formally defined by Kaye et al. in []. It was initially designed for biobanks where personal (physical) data were often reused by many research projects and researchers. However, Broad Consent is often not immediately informative in this context to patients, since the complexities of genomic data processing and the ramifications this might have to patients are often complex. With Dynamic Consent, research participants are allowed to dynamically revise their granular consent options to new or existing data access requests over time and constantly communicate with research teams through interactive software interfaces []. The nature of Dynamic Consent enables participant-centred research and resonates with the GDPR consent requirements focused on inclusive design, i.e., instead of being passive research subjects in one-off static consent settings, data subjects are actively involved in the consent process, and can consent or withdraw their consent in a free, unencumbered, and real-time manner to many diverse research projects that the patients are made aware of through a mobile app.

2.3.3. Implementation of Dynamic Consent

Over the past decade, Dynamic Consent has been implemented in various biobank and clinical data network projects. The Cooperative Health Research in South Tyrol (CHRIS) explored Dynamic Consent [,]. They recruited over 13,000 participants who agreed to the storage of their biological (physical) data in a biobank. Michigan’s BioTrust for Health [] piloted a dynamic consent web solution with 187 testers and found a strong preference for active engagement in biobank-related research. Dynamic Consent has also been used in disease registries such as the Rare UK Diseases of bone, joints and blood vessels study (RUDY) [,]. RUDY provides a rare disease research network that aggregates clinical events provided by patients with a range of rare diseases. RUDY uses dynamic consent as part of its broader software solution. Both RUDY and CHRIS adopted dynamic consent at their inception. There has been no system that focused on embedding a dynamic consent process into an existing complex national infrastructure where the consent model was based on a less dynamic and non-granular, one time opt-out consent model.
From a GDPR consent perspective, Dynamic Consent helps to fulfil several key consent requirements. For example, CHRIS offers no financial compensation for participation, thereby ensuring that consent is freely given. RUDY allows participants to select their involvement in different sub-studies and allows them to change their consent at any time. Educational videos and FAQ pages are provided in the BioTrust project. These aim to support informed consent. An explicit “Yes” option is compulsory for participation in CHRIS, i.e., it is based on an unambiguous opt-in decision made by data subjects. However, the withdrawal conditions associated with GDPR consent are often neglected when implementing Dynamic Consent. Taking the CHRIS project as an example, whilst most choices are editable in the online platform, a complete withdrawal from the study is only available by contacting the study centre. This violates the GDPR “withdraw” conditions, as the withdrawal is made more difficult than the original giving consent, which only requires a click of “yes” on the platform.
Additionally, most Dynamic Consent implementations require identifying data for further patient contact. For example, the RUDY and CHRIS projects send letters and/or email notifications to participants to advise them of new requests they may wish to consent to. Dynamic Consent in these projects is built upon a secure web interface. However, without identifying data such as phone numbers or email, notifications cannot be sent to participants. The BioTrust project found that participants had concerns about the identity verification process and would prefer their samples to be de-identified. Mobile app-based push notifications can provide a potential solution to this. That is, a message can be sent by a server such as the ADDN registry to an mHealth app and hence to a participant without the details of the individual patient details leaving the ADDN registry, so long as they have the app installed on their mobile device and suitable activation codes are used to activate and target the mobile app to the specific patient on the registry. Such de-identification is an essential safeguard recognised by GDPR to lower the risk of potential data leakage and privacy erosion.

2.3.4. Challenges of Dynamic Consent

There are various criticisms of Dynamic Consent. Most notably, significant resources and cost are required for its implementation [], this challenge is exacerbated when building a dynamic consent process for large, complex (national) systems. A de-coupled, lightweight, and reusable application would be preferred. Dynamic Consent can also be a burden for research and potentially lower the research value due to lower patient opt-in rates []. It may also cause “consent fatigue”, as participants may stop paying attention and give “superficial consent” if they receive too many consent requests []. Data controllers need to consider such challenges when choosing a consent model for their research project. We discuss this in the context of ADDN in Section 3.5.

4. Conclusions

Our previous paper [] explored the impact of GDPR on the ADDN platform with a focus on the various technical, legal and ethical problems associated with a national registry storing a large amount of health data originating from many health systems. As an extension, this paper focuses on the challenges of improving the consent process to better meet the conditions of GDPR for ADDN, i.e., moving from a one time, opt-out model to an explicit patient-centred opt-in model. We presented a prototype mobile app utilising a GDPR dynamic consent model: ADDN Consent and compared it to existing implementations of dynamic consent. We identified how the app provides a specific mapping of the GDPR conditions as part of an existing large data-sharing framework with associated data collection and patient interaction processes. We discussed the major challenges of the Dynamic Consent model and its suitability in ADDN, and how it can be incorporated into the current routine healthcare processes. A complete workflow of ADDN with a dynamic opt-in consent process along with the potential ramifications was presented. Currently, the prototype consent mobile app is built in the context of the ADDN project, but the application is de-coupled from the project and can be adopted in other clinical or medical research contexts for GDPR compliance with project-specific modifications.
The future work of ADDN Consent is to recruit participants to test the mobile application. Specifically, we plan to test the mobile application in a whole data load workflow to serve as an additional consent data source for the existing routine healthcare processes. We will also collect patient feedback and improve the solution. We also propose to build a real-time statistics dashboard recording the consent process to help save researcher time and facilitate the consent process, e.g., identify which research projects obtain consent and those that do not.
Moving forward, we will explore more GDPR-related functionalities in the app, including the right to be forgotten and the right to data portability, to better empower participants.

Author Contributions

Conceptualization, Z.W., A.S. and R.O.S.; methodology, Z.W., A.S. and R.O.S.; software, Z.W.; validation, Z.W., A.S. and R.O.S.; writing—original draft preparation, Z.W.; writing—review and editing, A.S. and R.O.S.; visualization, Z.W.; supervision, A.S. and R.O.S.; project administration, Z.W., A.S. and R.O.S.; funding acquisition, A.S. and R.O.S. All authors have read and agreed to the published version of the manuscript.

Funding

This research is funded by Juvenile Diabetes Research Foundation (JDRF). Australian Type 1 Diabetes Clinical Research Network-Australasian Diabetes Data Network (ADDN) Strategic Vision and Framework 2021-2024 (ADDN 3.0), JDRF submission number 201308620.

Institutional Review Board Statement

This study received ethical approval from Monash Health. (ERM Reference Number: 57836, Monash Health Ref: RES-20-0000-066L, June 2020).

Data Availability Statement

Not applicable.

Acknowledgments

This research was conducted as part of the Australasian Diabetes Data Network. We are grateful to JDRF Australia, the Australian Research Council and to the children and young people with diabetes and their families who provided the data. This research was supported by JDRF Australia, the recipient of the Australian Research Council Special Research Initiative in Type 1 Juvenile Diabetes.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Optus Notifies Customers of Cyberattack Compromising Customer Information. 2022. Available online: https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack (accessed on 20 December 2022).
  2. Arnold, B.B. Into the Breach—The Optus Data Hack. 2022. Available online: https://lsj.com.au/articles/into-the-breach/ (accessed on 20 December 2022).
  3. Medibank Private Cyber Security Incident-Australian Cyber Security Centre. 2022. Available online: https://www.cyber.gov.au/acsc/view-all-content/alerts/medibank-private-cyber-security-incident (accessed on 20 December 2022).
  4. Privacy Act Review—Discussion Paper. 2021. Available online: https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/ (accessed on 20 December 2022).
  5. Attorney-General’s Department. Review of the Privacy Act 1988 (Cth)—Issues Paper; Attorney-General’s Department’s: Barton, ACT, Australia, 2020.
  6. OAIC. Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022; OAIC: Sydney, NSW, Australia, 2022.
  7. European Union. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA Relevance); European Union: Strasbourg, France, 2016. [Google Scholar]
  8. Dreyfus, M. Tougher Penalties for Serious Data Breaches. 2022. Available online: https://ministers.ag.gov.au/media-centre/tougher-penalties-serious-data-breaches-22-10-2022 (accessed on 20 December 2022).
  9. Bietz, M.J.; Bloss, C.S.; Calvert, S.; Godino, J.G.; Gregory, J.; Claffey, M.P.; Sheehan, J.; Patrick, K. Opportunities and challenges in the use of personal health data for health research. J. Am. Med. Inform. Assoc. 2016, 23, e42–e48. [Google Scholar] [PubMed]
  10. Couper, J.J.; Jones, T.W.; Chee, M.; Barrett, H.L.; Bergman, P.; Cameron, F.; Craig, M.E.; Colman, P.; Davis, E.E.; Donaghue, K.C.; et al. Determinants of Cardiovascular Risk in 7000 Youth with Type 1 Diabetes in the Australasian Diabetes Data Network. J. Clin. Endocrinol. Metab. 2021, 106, 133–142. [Google Scholar] [PubMed]
  11. Bratina, N.; Auzanneau, M.; Birkebæk, N.; de Beaufort, C.; Cherubini, V.; Craig, M.E.; Dabelea, D.; Dovc, K.; Hofer, S.E.; Holl, R.W.; et al. Differences in retinopathy prevalence and associated risk factors across 11 countries in three continents: A cross-sectional study of 156,090 children and adolescents with type 1 diabetes. Pediatr. Diabetes 2022, 23, 1656–1664. [Google Scholar] [PubMed]
  12. OAIC. Privacy Act 1988; OAIC: Sydney, NSW, Australia, 1988.
  13. Wang, Z.; Stell, A.; Sinnott, R.O.; ADDN Study Group. The Impact of General Data Protection Regulation on the Australasian Type-1 Diabetes Platform. In Proceedings of the 2022 IEEE 35th International Symposium on Computer-Based Medical Systems (CBMS), Shanghai, China, 21–23 July 2022. [Google Scholar]
  14. The National Diabetes Services Scheme (NDSS). Available online: https://www.ndss.com.au/about-the-ndss/diabetes-facts-and-figures/ (accessed on 20 December 2022).
  15. Juvenile Diabetes Research Foundation. Available online: https://jdrf.org.au/ (accessed on 20 December 2022).
  16. Clapin, H.; Phelan, H.; Bruns, L., Jr.; Sinnott, R.; Colman, P.; Craig, M.; Jones, T.; Australasian Diabetes Data Network (ADDN) Study Group. Australasian diabetes data network: Building a collaborative resource. J. Diabetes Sci. Technol. 2016, 10, 1015–1026. [Google Scholar] [PubMed]
  17. Australia and New Zealand Society for Paediatric Endocrinology and Diabetes. Available online: https://apeg.org.au/ (accessed on 20 December 2022).
  18. Australian Diabetes Society. Available online: https://diabetessociety.com.au/ (accessed on 20 December 2022).
  19. Australian Institute of Health and Welfare. Available online: https://www.aihw.gov.au/ (accessed on 20 December 2022).
  20. Australian Medical Benefits Scheme. Available online: www.mbsonline.gov.au (accessed on 20 December 2022).
  21. Australian Pharmaceutical Benefits Scheme. Available online: www.pbs.gov.au (accessed on 20 December 2022).
  22. 18 HIPAA Identifiers. Available online: https://www.luc.edu/its/aboutits/itspoliciesguidelines/hipaainformation/18hipaaidentifiers/ (accessed on 20 December 2022).
  23. Cybersecurity, E.U.A. Pseudonymisation Techniques and Best Practices—Recommendations on Shaping Technology According to Data Protection and Privacy Provisions; ENISA: Attiki, Greece, 2019.
  24. Data overprotection. Nature 2015, 522, 391–392. [CrossRef]
  25. Maloy, J.W.; Bass, P.F., 3rd. Understanding Broad Consent. Ochsner J. 2020, 20, 81–86. [Google Scholar] [PubMed]
  26. Whitley, E.A.; Kanellopoulou, N.; Kaye, J. Consent and research governance in biobanks: Evidence from focus groups with medical researchers. Public Health Genom. 2012, 15, 232–242. [Google Scholar]
  27. Wiertz, S.; Boldt, J. Evaluating models of consent in changing health research environments. Med. Health Care Philos. 2022, 25, 269–280. [Google Scholar] [CrossRef] [PubMed]
  28. Singh, K.; Landman, A.B. Mobile Health. In Key Advances in Clinical Informatics: Transforming Health Care through Health Information Technology; Elsevier Inc.: Amsterdam, The Netherlands, 2017; pp. 183–196. [Google Scholar]
  29. Australia: Smartphone Penetration Rate 2017–2025|Statista. Available online: https://www.statista.com/statistics/321477/smartphone-user-penetration-in-australia/ (accessed on 20 December 2022).
  30. iOS-Health-Apple (AU). Available online: https://www.apple.com/au/ios/health/ (accessed on 20 December 2022).
  31. Healow–Apps on Google Play. Available online: https://play.google.com/store/apps/details?id=com.ecw.healow&hl=en_AU&gl=US (accessed on 20 December 2022).
  32. Glucose Buddy Diabetes Tracker on the App Store. Available online: https://apps.apple.com/us/app/glucose-buddy-diabetes-tracker/id294754639 (accessed on 20 December 2022).
  33. Google Health Studies—Apps on Google Play. Available online: https://play.google.com/store/apps/details?id=com.google.android.apps.health.research.studies&hl=en_AU&gl=US (accessed on 20 December 2022).
  34. Silva, B.M.C.; Rodrigues, J.J.; de la Torre Díez, I.; López-Coronado, M.; Saleem, K. Mobile-health: A review of current state in 2015. J. Biomed. Inform. 2015, 56, 265–272. [Google Scholar] [CrossRef] [PubMed]
  35. Qudah, B.; Luetsch, K. The influence of mobile health applications on patient-healthcare provider relationships: A systematic, narrative review. Patient Educ. Couns. 2019, 102, 1080–1089. [Google Scholar] [PubMed]
  36. Baysari, M.T.; Westbrook, J.I. Mobile Applications for Patient-centered Care Coordination: A Review of Human Factors Methods Applied to their Design, Development, and Evaluation. Yearb. Med. Inform. 2015, 24, 47–54. [Google Scholar]
  37. Schairer, C.E.; Rubanovich, C.K.; Bloss, C.S. How Could Commercial Terms of Use and Privacy Policies Undermine Informed Consent in the Age of Mobile Health? AMA J. Ethics 2018, 20, 864–872. [Google Scholar]
  38. Mont, M.C.; Sharma, V.; Pearson, S. EnCoRe: Dynamic Consent, Policy Enforcement and Accountable Information Sharing within and Across Organisations; Technical Report HPL-2012-36; HP Laboratories: Palo Alto, CA, USA, 2012. [Google Scholar]
  39. Teare, H.J.A.; Prictor, M.; Kaye, J. Reflections on dynamic consent in biomedical research: The story so far. Eur. J. Hum. Genet. 2021, 29, 649–656. [Google Scholar] [CrossRef] [PubMed]
  40. Mascalzoni, D.; Melotti, R.; Pattaro, C.; Pramstaller, P.P.; Gögele, M.; De Grandi, A.; Biasiotto, R. Ten years of dynamic consent in the CHRIS study: Informed consent as a dynamic process. Eur. J. Hum. Genet. 2022, 30, 1391–1397. [Google Scholar] [CrossRef] [PubMed]
  41. Pattaro, C.; Gögele, M.; Mascalzoni, D.; Melotti, R.; Schwienbacher, C.; De Grandi, A.; Foco, L.; D’elia, Y.; Linder, B.; Fuchsberger, C.; et al. The Cooperative Health Research in South Tyrol (CHRIS) study: Rationale, objectives, and preliminary results. J. Transl. Med. 2015, 13, 348. [Google Scholar] [CrossRef] [PubMed]
  42. Thiel, D.B.; Platt, J.; Platt, T.; King, S.B.; Fisher, N.; Shelton, R.; Kardia, S.L. Testing an online, dynamic consent portal for large population biobank research. Public Health Genom. 2015, 18, 26–39. [Google Scholar] [CrossRef] [PubMed]
  43. Teare, H.J.A.; Hogg, J.; Kaye, J.; Luqmani, R.; Rush, E.; Turner, A.; Watts, L.; Williams, M.; Javaid, M.K. The RUDY study: Using digital technologies to enable a research partnership. Eur. J. Hum. Genet. 2017, 25, 816–822. [Google Scholar] [PubMed]
  44. Javaid, M.K.; Forestier-Zhang, L.; Watts, L.; Turner, A.; Ponte, C.; Teare, H.; Gray, D.; Gray, N.; Popert, R.; Hogg, J.; et al. The RUDY study platform—A novel approach to patient driven research in rare musculoskeletal diseases. Orphanet. J. Rare Dis. 2016, 11, 150. [Google Scholar] [PubMed]
  45. Steinsbekk, K.S.; Kåre Myskja, B.; Solberg, B. Broad consent versus dynamic consent in biobank research: Is passive participation an ethical problem? Eur. J. Hum. Genet. 2013, 21, 897–902. [Google Scholar] [CrossRef] [PubMed]
  46. Spencer, K.; Sanders, C.; Whitley, E.A.; Lund, D.; Kaye, J.; Dixon, W.G. Patient Perspectives on Sharing Anonymized Personal Health Data Using a Digital System for Dynamic Consent and Research Feedback: A Qualitative Study. J. Med. Internet Res. 2016, 18, e66. [Google Scholar] [PubMed]
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Article Metrics

Citations

Article Access Statistics

Journal Statistics
Multiple requests from the same IP address are counted as one view.
Download PDF
Determinants of Physical Activity among Children with Disabilities
Previous
Effect of Intramuscular Tramadol on the Duration of Clinically Relevant Sciatic Nerve Blockade in Patients Undergoing Calcaneal Fracture Fixation: A Randomized Controlled Trial
Next