Cancer Information and Data Protection

The EU General Data Protection Regulation: 18 Months Later

99 articles, 11 chapters, and an additional 173 texts with explanatory remarks: the European General Data Protection Regulation (GDPR) is challenging to read. The European Union passed the GDPR in 2016 and scheduled its enforcement for May 25, 2018. At the end of 2018, many institutions in the German health sector felt more or less insecure about the new requirements: the German data protection laws had already been quite rigorous. Research organizations and hospitals as well as non-profit organizations and patient initiatives were afraid of costly adjustments.

The German Cancer Information Service was in a quite fortunate situation: Based at the German Cancer Research Center (DKFZ), we could rely on the expertise of DKFZ’s Information Technology Core Facility and its Data Protection Officer. For them, data protection even in large-scale projects like nationwide epidemiological surveys or international genome databases was “daily business”.

Nevertheless, we had to invest time and workforce:

  • Legal subjects: The experts specified the relevant requirements for a cancer information service in Germany.
  • Assessing all workflows: Where, when and how do we process confidential data? Who was involved? Could we identify situations in which such data arise unintentionally?
  • Checking our documentation: We reconsidered the routine record form for calls and emails, and the routine statistics for internet and social media usage. Other items for close review were our questionnaires for quality management surveys and research projects, including the sampling of health-related data. Which data were eligible, and for which purpose? Which categories were expandable?
  • Providing transparency: Was our policy on data protection accurate? Was it provided in an appropriate manner for phone and email users, and was it easy to find and easy to understand on the internet? How do we inform people who order our brochures, subscribe to our newsletters or register for our patient congresses about data protection?

Between September 2017 and May 2018, talking about data protection became daily business for the German Cancer Information Service – and sometimes, also a nightmare.
Some questions asked by the DKFZ Data Protection Officer seemed to be simple, but turned out to be rather sophisticated:
Anonymization, for example, had already been mandatory for many years, achieved by omitting surnames from any documentation. The European regulation, however, defines not only personal data but also personally attributable data. Could we unintentionally identify a certain caller by recording his or her questions regarding a rare medical condition and treatment in a phase I trial with only six patients included?

Other questions addressed the duration of storage and the time of erasure, including suitable pathways for all users of the CIS to give consent, to object, or to request premature removal of their data.

In February, an update of the previous privacy policy was written, edited, discussed, rewritten and discussed again, and at last published on www.krebsinformationsdienst.de.

Today, we feel that the effect justified the effort: We passed all tests, and feedback was positive and approving. Our users do not have to pay for cancer information – neither with money nor with their data.

Contact details for further questions:

Susanne Weg-Remers, German Cancer Information Service, s.weg-remers@dkfz.de