D8.1 – Ethical trial protocols, scenarios and requirements

Author(s): Brian Pickering (ITI), Lisa Catanzaro (FCSR), Rachael Bartholomew (OCC), Luigi Clivati (PDI), Bassem Nasser (ITI)

Responsible Partner: ITI

Version: 1.0

Date: 28/10/2015

Distribution level (CO, PU): PU

D8.1 – Ethical trial protocols, scenarios and requirements Version: 1.0 – FINAL, Date: 28/10/15

[OPERANDO] www.operando.eu Page 2 of 52 Contract No. H2020 - 653704

Project Number: H2020 - 653704

Project Title: OPERANDO

Title of Deliverable: Ethical trial protocols, scenarios and requirements

Due Date of Delivery to the EC: 31/10/2015

Work Package: WP8

Contributor(s):

Brian Pickering (ITI), Lisa Catanzaro (FCSR), Rachael Bartholomew (OCC), Luigi Clivati (PDI), Bassem Nasser (ITI), Matthias Pocs (STL)

Reviewer(s): Leire Orue-Echevarria Arrieta (TCN)

Approved by: All Partners

Document Revision History

Version | Date | Modifications Introduced (Reason) | By
0.1 | 11.08.15 | Draft Table of Contents | Brian Pickering, ITI
0.2 | 21.09.15 | Inclusion of guiding ethic principles | Brian Pickering, ITI
0.3 | 26.09.15 | Inclusion of Application Scenarios | Bassem Nasser, ITI
0.4 | 09.10.15 | FCSR contributions | Lisa Catanzaro, FCSR
0.5 | 09.10.15 | OCC contributions | Rachael Bartholomew, OCC
0.6 | 13.10.15 | Consolidation of inputs (including | Brian Pickering, ITI
0.7 | 14.10.15 | FCSR contributions | Lisa Catanzaro, FCSR
0.8 | 14.10.15 | OCC contributions | Rachael Bartholomew, OCC
0.9 | 15.10.15 | PDI contributions; Consolidate inputs | Luigi Clivati, PDI; Brian Pickering, ITI
0.10 | 18.10.15 | Preparation of internal draft for review | Brian Pickering, ITI
0.11 | 20.10.15 | Inclusion of WPL comments; sent to reviewer | Brian Pickering, ITI
0.12 | 27.10.15 | Reviewer feedback | Leire Orue-Echevarria Arrieta, TCN
1.0 | 28.10.15 | Final version for submission, addressing reviewer comments. | Brian Pickering, ITI


OPERANDO Consortium Partners and Acronyms

OCC Oxford Computer Consultants

AVO Arteevo Technologies

PDI Progetti di Impresa

STL Stelar

RMS RomSoft

TCN Tecnalia

ITI IT Innovation Centre, University of Southampton

UPRC Piraeus University Research Center

FCSR Fondazione Centro San Raffaele

Glossary of Terms and Abbreviations

A&E Accident and Emergency

ASLBG Azienda Sanitaria Locale della Provincia di Bergamo

BMBC Barnsley Metropolitan Borough Council

EHR Electronic Health Record

EMR Electronic Medical Record

G2C Government to Consumer

HGG Ospedale Istituto Giannina Gaslini di Genova

ILAHS Independent Living At Home Service

OSP Online Service Provider

PSP Privacy Service Provider

PSW Prevention and Safety in the Workplace

UAB User Advisory Board

UI User Interface

WLA West London Alliance

Definitions

Anonymization The process whereby “data [is] rendered anonymous in such a way that the data subject is no longer identifiable” [1, Paragraph 26, 2]

Personal data “‘Personal data’ relate to any personal information which can be used to identify [a living person] directly or indirectly, such as [their] name, […] telephone number, […] email address, […] place and date of birth, etc.” [2]. Further, “'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” [1, Article 2 Definitions, paragraph (a)]. See also [3, 4]

Sensitive personal data Current categories of sensitive personal data include: “racial or ethnic origin […] political opinions, religious or philosophical beliefs [and] health-related data” [4]


Table of contents

EXECUTIVE SUMMARY

1 INTRODUCTION
1.1 ABSTRACT
1.2 PURPOSE OF THIS DOCUMENT
1.3 TARGET AUDIENCE

2 APPLICATION SCENARIOS
2.1 BUILDING ON TRADITIONAL SERVICE PROVIDER PLATFORMS
2.2 PUBLIC ADMINISTRATION
2.2.1 Trial scenarios description
2.3 HEALTHCARE TRIALS
2.3.1 Trial scenarios description
2.4 PUBLIC ADMINISTRATION & HEALTHCARE AUTHORITIES
2.4.1 Trial scenarios description
2.5 SUMMARY OF USE CASE REQUIREMENTS
2.6 CROSS-TRIAL FUNCTIONAL REQUIREMENTS
2.7 CROSS-TRIAL SYSTEM REQUIREMENTS

3 ETHICAL OVERSIGHT AND PROCEDURES
3.1 ETHICAL PRINCIPLES
3.2 IDENTIFICATION OF ETHICAL ISSUES
3.2.1 Public Administration
3.2.2 Healthcare Trials
3.2.3 Public Administration & Healthcare Authorities

4 ETHICAL PROTOCOL FOR TRIALS
4.1 RECRUITMENT OF PARTICIPANTS
4.1.1 Public Administration
4.1.2 Healthcare Trials
4.1.3 Public Administration & Healthcare Authorities
4.1.3.1 GASLINI Hospital
4.1.3.2 ASL Bergamo
4.2 SAFEGUARDS
4.2.1 Public Administration
4.2.2 Healthcare Trials
4.2.3 Public Administration & Healthcare Authorities
4.3 DATA COLLECTION AND MANAGEMENT
4.3.1 Public Administration
4.3.2 Healthcare Trials
4.3.3 Public Administration & Healthcare Authorities

5 VERIFICATION AND VALIDATION
5.1 VALIDATING THE OPERANDO PLATFORM
5.2 VALIDATING THE TRIAL PROCESS
5.3 PUBLIC ADMINISTRATION
5.4 HEALTHCARE TRIALS
5.5 PUBLIC ADMINISTRATION & HEALTHCARE AUTHORITIES

6 CONCLUSION

APPENDIX A. EXAMPLE RESEARCH PROTOCOL MATERIALS
6.1 PARTICIPANT INFORMATION
6.1.1 Template
6.2 INFORMED CONSENT
6.2.1 Template
6.3 ETHICS APPROVAL

APPENDIX B. DETAILS OF THE FCSR TRIAL

7 REFERENCES


Executive Summary

The purpose of this document is threefold:

1. To identify ethical risks and mitigation associated with the running of the use case trials planned in OPERANDO. This should be seen against the framework identified for the legal background in Europe and the associated normative ethics (D3.1) and the requirements of the trials from an end-user (D2.1) and service provider (D2.2) perspective.

2. To identify the technical requirements associated with the ethical treatment of participants, data subjects, and the real and simulated data used in the trials.

3. To identify how the trials and the platform may be validated and tested in the context of the use case trials.

Each of the trials is reviewed in terms of the normative legal and ethical requirements outlined for the project, but also in relation to the target domain and any Member State specific requirements.

In consequence, this document is an important milestone in moving towards the successful and ethical execution of the planned OPERANDO trials.


1 Introduction

As an Innovation Action, OPERANDO is focused on building innovative solutions to current problems on the basis of known technology. In this context, a number of trials are planned to explore the benefits of OPERANDO components in a real life environment. Further, since the overall objective is to demonstrate that privacy and security can be provided in a cloud environment, these benefits must include the perceptions and experiences of users, both service providers, but especially service users. OPERANDO WP8 is responsible for the testing and validation of components and procedures developed in other work packages.

This deliverable, D8.1 Ethical trial protocols, scenarios and requirements, is the first report from the work package. Taking the overall legal and ethical landscape presented in D3.1 Guidelines on legal aspects, it reviews the functional and procedural structure of each of the planned trials from a specifically ethical point of view: namely, how might the work carried out during test and validation affect any human participants. This leads in turn to an investigation of three specific areas as they relate to each trial:

1. The recruitment of participants: who can and should be asked to take part in the trials with a view to providing appropriate feedback on issues such as trust and security?

2. Any safeguards which may be introduced to contain any known risks, but also to ensure appropriate protection and support for participants. And finally

3. How data collection and management will be optimised to balance the requirements of the trials and the project itself against the legal and ethical aspects identified.

On this basis, any specific issues and challenges are presented, along with possible mitigation to contain any resulting risks. This is then taken further to map the basic features of each of the three trial types and develop initial trial protocols which can be used to present applications for ethical approval to the necessary authorities.

The trials themselves need to be representative and test OPERANDO function and claims in appropriate real-world settings. Since social and health care, as well as public administration, are areas where data sensitivity is well known, some five trials are envisaged covering these areas. Social- and healthcare trials will occur in Italy, and to some extent the UK, while Public Administration trials will run in both countries. Each shares common issues, as will be seen. However, the Healthcare trials planned for Italy (Ospedale San Raffaele, run by FCSR) will involve real patients and medical staff; the other trials will use simulated but representative data. In consequence, there is a need for greater detail in identifying and describing specific challenges, and appropriate mitigation. This is reflected in the Ethical research protocols, and in an Appendix at the end. Additionally, requirements are identified to be fed back to the technical work packages as identified through the ethical overview of the trials as documented here.

For all of the trials, and the project itself, there is also a need to be able to monitor, report to stakeholders, and adjust plans if appropriate. To this end, OPERANDO has identified the ECOGRAI methodology, an approach to the cyclical review of project progress towards interim and overall objectives, as a suitable approach to objective tracking and progress reporting. A final section below outlines the approach and aligns a general, high-level view of each of the trials with the overall testing and validation objectives of the project. This will provide a basis for the evaluation of the progress and effectiveness of the trials once started.

Finally, this deliverable will be followed with updates later in the project (M12) which, based on the results outlined here, will define specific plans for deployment of the OPERANDO platform at the trial sites and the execution of the trial protocols themselves in moving forward.


1.1 Abstract

This document covers the ethical challenges associated with the OPERANDO trials, identifying mitigation and the plans for their implementation. It identifies associated risks and mitigation, therefore, but also technical requirements on the platform. Finally, it provides an initial set of objectives to review the progress of the platform and the trials intended to validate its acceptability.

1.2 Purpose of this Document

This document therefore has as a primary objective to identify ethical challenges and associated mitigation and technical needs to meet those challenges. This document forms part of a set of documents about the use cases and ethical aspects of the trials including:

D2.1 Consumer User Cases

D2.2 Online Service Provider Use Cases

D3.1 Guidelines on Legal Aspects

D3.6 Ethical Committee Approvals

D3.7 Approval for the Collection of Personal Data

This deliverable therefore covers the ethical issues associated with the trials, rather than the legal aspects or any specific request for ethical approval.

1.3 Target Audience

Primary audience:

Trial Partners in the OPERANDO project, in particular Data Controllers and Data Processors

Members of the Ethics Advisory Committee

Technical Partners in the OPERANDO project, needing to understand the ethical requirements of the trials.

Others:

Researchers in data security and privacy

Companies producing software tools/apps for data security and privacy

Authorities approving use of data security and privacy software tools/apps

2 Application scenarios

In this chapter, we briefly describe the typical interactions between service users, service providers and the platform that connects them both. Part of the innovation in OPERANDO is to build on top of existing work, but to introduce novel mechanisms to allow those platforms to extend their reach and provide additional flexibility. Having identified the specific requirements of the OPERANDO trials in relation to the existing and proposed platform, the chapter concludes with a section summarising requirements and, where necessary, extending the set of potential requirements for assessment and prioritisation elsewhere in the project.

2.1 Building on traditional service provider platforms

Traditionally service users (data subjects or others acting on their behalf) subscribed to services directly with the OSP. During service usage, the OSP may collect and store the data directly (e.g. asking the user to provide the data) or indirectly (e.g. monitoring the usage pattern) according to their advertised privacy policies. The OSP then has legal and contractual obligations when managing the users’ data. Service users therefore look for transparency as well as control of their data.


OSPs may be managed in different ways (e.g. consent to use all data, user’s ignorance of the privacy policy, updating the policy during service usage) in order to derive benefit from the data available, for instance by allowing third parties (e.g. advertising companies) to access and query the data. Commercially, this provides a significant revenue source, but can lead to service user dissatisfaction [5-7]. Service providers therefore need to consider accountability and trust.

Finally, legal/privacy auditors would need some visibility of how the OSP (or any publicly available breaches information) manages service user data in order to decide whether the data processing they provide complies with relevant legislation and advertised policies. Therefore, this stakeholder would need oversight and audit support.

The extant situation is presented by the use cases in Figure 1, including the role of third parties interested in gaining access to personal data for analytical purposes.

Figure 1 Before Operando

In addition to appropriate user interface (UI) based services (logging in and out; searching for data; viewing data; different access channels), OPERANDO mediates the direct interaction between service users and OSPs with a set of privacy enhancing features (Figure 2). In the G2C scenarios, the user subscribes to the PSP privacy services. Their data will be stored at the PSP and they will be able to manage data access by:

1- Understanding the consequences of providing data access to OSPs

2- Specifying privacy preferences in terms of who can access/update what data.

3- Providing access to data in exchange for benefits (e.g. financial benefits)

The service provider will be able to search for users to access their data, if granted access. In addition, they will be provided with control of service management within the boundaries defined by the specific privacy policies used by the service user in relation to their data. Finally, the privacy auditor can then use the compliance check service from Operando to collect access information to the users' data and check it against the advertised OSP policies and regulations.

[Figure 1 diagram (use cases). Actors: Service User, Data subject, Service Operator, Privacy Auditor, Third party. Use cases: Subscribe/unsubscribe to Service, Use service, Allow Use of Personal Data, Store personal data, Operate Service, Manage user subscription, Create and configure a service, Define Privacy Policies, Privacy policy publication, Audit Services, Analyse Data.]

Figure 2 Operando Services

In contrast, Figure 2 shows the service platform use cases with proposed OPERANDO extensions. As previously stated, the PSP offered by OPERANDO changes the relationship between the Client of the service user and the OSP platform. Specifically, OSP:

Provides additional services for the service user in terms of data management, in terms of managing access to their data as well as specifying their privacy policy preferences;

Assumes responsibility from the PSP service provider to manage the storage of and access to the service users' data; but additionally, mediates the relationship to the privacy auditor in the automatic checking of policies as well as the specification of those policies;

Finally, mediates any relationship with a third party wishing to access data, specifically providing anonymization services and privacy management around the service user data stored and managed by the OSP.

The following sections describe how these innovative services relate to the different trial scenarios.

[Figure 2 diagram (use cases). Actors: Service User, Data subject, PSP operator, Service Operator, Privacy Auditor, Third Party. Use cases: Subscribe/unsubscribe to Service, Use service, Allow Use of Personal Data, Define Privacy Regulations, Manage Data Access, Manage User subscription, Automated Compliance checks, Store/Access Personal Data, Privacy for benefit, Analyse Data, Specify Privacy Preferences, Privacy risks analysis, Anonymisation, Define Privacy Policies, Audit Services, Operate Service, Create and configure a service, Privacy policy publication.]

2.2 Public Administration

In the UK, public administration trials will be conducted at two sites: London with the West London Alliance (WLA) and in Barnsley, with the Barnsley Metropolitan Borough Council (BMBC); both are members of the OPERANDO User Advisory Board (UAB). These trials will focus on using OPERANDO in representative scenarios involving vulnerable adults.

Currently, citizens are assumed to consent to sharing sensitive personal data in a system that does not provide flexible support for the protection of privacy (such as a record of accesses, the control of data release and personal policies). On the other hand, local authorities and service providers are required to adhere to data protection laws with little specialist knowledge.

Trials in such organisations will determine the effectiveness of OPERANDO for the controlled release of personal data for the provision of social services and in particular, enabling citizens to manage the complex flow of personal data between organisations. In social care and support scenarios, there is a triad of actors sharing information: the citizens, organisations providing services and the Local Authority.

2.2.1 Trial scenarios description

The trials for the UK sites will involve three roles: OSP (ILAHS monitoring centre and Telecare assistants, Re-ablement support worker, A&E health professional, volunteer), Service User (vulnerable adult), PSP (OPERANDO PSP provider). Each of these roles will be role-played for the trial by OCC and professional social and health care workers.

The Service User will be able to:

Log in to an OPERANDO dashboard

View the dashboard on a desktop

These are covered by standard UI features as mentioned above.

View and update privacy preferences (from a default set)

View requests and grant/deny access to OSP’s requests for data

View and update personal data held (not including updating medical records; this refers to updating personal data in terms of address, phone number)

View a history of access to their personal data (including reasons for access)

These functions are provided as part of the Manage Data Access use case in Figure 2. For this trial, the service user will provide feedback on the usability of the system, their feeling of security and trust in the system, the ease of understanding around privacy preferences and access history, and the relevance of the privacy preferences.

The OSP will be able to:

Request access to a service user’s data

Search for a service user

Receive service user data fields on request if accepted

Use current system to view data

These functions will be covered by the Operate Service and Store/Access Personal Data use cases in Figure 2.

For this trial, via survey and questionnaire, the OSP will give feedback on the ease of requesting a user’s data, and compare using an OPERANDO-enabled system to their current system (this will be an OCC product adapted to use OPERANDO components).


The PSP will be able to:

Set the privacy policy questionnaire

Update OSP on legislation changes, and ensure legal compliance with UK legislation

These are part of the Automated Compliance Checks and Define Privacy Regulations use cases.

Track use of personal data

Minimise personal data stored

These form part of the Store/Access Personal Data use case in Figure 2.

For this trial, OCC will role-play the PSP and consider the feasibility of the OPERANDO platform to provide services to OSPs, the ease of use for the system, and also the ease of modifying OCC products to use the OPERANDO platform.

2.3 Healthcare Trials

The Ospedale San Raffaele (Milan) will provide a site for trialling the OPERANDO platform integrated with a vertical hospital service to manage patients’ diet and monitor their physical activity regimes. Unlike the other trials, the OSR trial will involve real users already using an existing nutritional platform along with the healthcare professionals involved in their care. The ultimate goal for this trial is to establish the perceived trustworthiness and reliability of the OPERANDO framework.

On the one hand, Service users, or patients, will provide nutritional data, information about their physical activity habits as well as standard health and well-being data (e.g. weight, height, BMI, etc.). On the other, healthcare professionals (Service providers) will be able to monitor and control the day-to-day habits of their patients in real time. All the data collected during the FCSR trial will be hosted in Italy at FCSR facilities.

In summary, the trial will enable the testing of the OPERANDO platform, first from the perspective of patient trust, but also in terms of impact on the doctors and other care professionals engaged with those patients.

2.3.1 Trial scenarios description

Stakeholders will benefit from the following services.

The OSP Service Integrator (Eservices4Life) for healthcare trials will create and configure a service that defines privacy policies and includes privacy policy publication. This will be the main point of contact for managing user subscriptions for the patients and health care team. The user will therefore make use of these services:

Search for privacy policies

Edit privacy policies

These are part of the Define Privacy Regulations use case in Figure 2 above.

Configure services

Publish privacy policies

These are part of the Create and configure a service as well as Define Privacy Policies use case in Figure 2 above.

PSP (Privacy Service Provider): the OPERANDO interface to manage data access along with any privacy questionnaire. This will include the tools for the user to specify privacy preferences; to enable user-friendly privacy enforcement including a privacy risk analysis; to allow the user to grant their care team access to their personal data, to view data and make updates to a personalized care plan. The following will be explored in the trial, whereby the user will engage in the following service:


Seamless patient care/user experience that provides safety, trust and user satisfaction

Role-based permissions to access user data to the various care team members.

Grant access to personal data (with/without time settings)

Limit the time during which personal data is stored

These form part of the Allow Use of Personal Data and Manage Data Access use case in Figure 2.

Specify privacy preferences

Enable privacy policy enforcement

Revoke access to personal data

These are part of the general Management of User Preferences, specifically Manage Data Access, Specify Privacy Preferences and Privacy Risk Analysis use cases above.

Track personal data use

View personal data

Update personal data

These are part of the Store/Access Personal Data and Manage Data Access use cases.

Update care plan

Assuming that the “care plan” may be seen as the aggregation of a specific type of personal data, then this will be part of the same use cases (Store/Access Personal Data and Manage Data Access) as well.

The OPERANDO dashboard will implement privacy by design with automated compliance checks that will define privacy regulations. This will allow the enforcement of Italian and European privacy laws, along with best practices and user privacy preferences. This will include international laws and standards and privacy protection in cross border services [1-3, 8, 9]. This may allow users to communicate to the OSP a person’s sensitivity in relation to disclosure of their personal data. The dashboard should therefore allow:

Automated compliance checking

Entry of compliance / privacy regulations

Multiple policy enforcement depending on context

These are part of the Automated Compliance Checks and Define Privacy Regulations use cases. Context checking, as implied in the final requirement here, will need to be considered as a requirement on the implementation of function in support of the use cases in Figure 2.

2.4 Public Administration & Healthcare Authorities

In Italy, public administration & healthcare authority trials will be conducted at: ASL Bergamo (ASLBG) and the Hospital Gaslini (HGG); both are members of the OPERANDO User Advisory Board (UAB). Trials in such entities will determine the effectiveness of OPERANDO for the controlled release of personal and sensitive data, for the provision of statistical analysis and also for enabling citizens to manage access and the sharing of information.

2.4.1 Trial scenarios description

The trials for the ASLBG and HGG sites will use simulated data and will involve the three main roles:

OSP employees (played by personnel of the Healthcare Promotion Unit of ASLBG and ICT department of HGG)

Patient / Service User (played by personnel of ASLBG, HGG and PDI); and

The PSP (OPERANDO PSP provider acted by PDI personnel).

The OSP will be able to:

Request access to a patient / user’s data

Search for a patient


Receive patient data fields on request if accepted

Use the current system to view data.

These functions will be covered by the Operate Service and Store/Access Personal Data use cases in Figure 2.

The Patient will be able to:

Log in to an OPERANDO dashboard

View the dashboard on a desktop

View and update privacy preferences (from a default set)

These should be part of general OPERANDO platform utilities.

View requests and grant/deny access to OSP’s requests for data

View and update personal data held

View a history of access to their personal data (including reasons for access)

These functions are provided as part of the Manage Data Access use case in Figure 2.

The PSP will be able to:

Set the privacy policy questionnaire

Update OSP on legislation changes, and ensure legal compliance with Italian legislation

These are part of the Automated Compliance Checks and Define Privacy Regulations use cases.

Track use of personal data

Minimise personal data stored

These form part of the Store/Access Personal Data use case in Figure 2.

The overall purpose of the trial is to gauge via survey and observation how users interact with the system (usability), and the level of trust and reliance perceived when using the platform.
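The OSP and Patient functions listed above (request access, grant or deny with or without a time setting, revoke, receive data fields if accepted, view a history of access with reasons) can be modelled as follows. This is an added example, not OPERANDO project code; the class names, method names, status values and sample data are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class AccessRequest:
    request_id: int
    osp_user: str
    patient: str
    fields: tuple
    reason: str
    status: str = "pending"             # pending | granted | denied | revoked
    expires: Optional[datetime] = None  # None = granted without a time setting


class DataAccessManager:
    """Hypothetical broker between OSP staff and the patient's stored data."""

    def __init__(self, vault):
        self._vault = vault      # patient id -> {field name: value}
        self._requests = {}      # request id -> AccessRequest
        self._history = []       # one dict per event, oldest first

    def _log(self, now, req, event, fields=()):
        self._history.append({"time": now, "patient": req.patient,
                              "osp_user": req.osp_user, "event": event,
                              "fields": tuple(fields), "reason": req.reason})

    def _owned(self, patient, request_id):
        req = self._requests.get(request_id)
        if req is None or req.patient != patient:
            raise PermissionError("request does not belong to this patient")
        return req

    def request_access(self, osp_user, patient, fields, reason, now):
        """OSP side: ask for named fields; a stated reason is mandatory."""
        if not reason.strip():
            raise ValueError("a reason for access is required")
        if patient not in self._vault:
            raise KeyError(patient)
        req = AccessRequest(len(self._requests) + 1, osp_user, patient,
                            tuple(fields), reason)
        self._requests[req.request_id] = req
        self._log(now, req, "requested", req.fields)
        return req.request_id

    def decide(self, patient, request_id, grant, now, duration=None):
        """Patient side: grant (optionally time-limited) or deny a request."""
        req = self._owned(patient, request_id)
        if req.status != "pending":
            raise ValueError("request already decided")
        req.status = "granted" if grant else "denied"
        if grant and duration is not None:
            req.expires = now + duration
        self._log(now, req, req.status, req.fields)

    def revoke(self, patient, request_id, now):
        """Patient side: withdraw a grant; later reads are refused."""
        req = self._owned(patient, request_id)
        if req.status != "granted":
            raise ValueError("nothing to revoke")
        req.status = "revoked"
        self._log(now, req, "revoked", req.fields)

    def read(self, osp_user, request_id, now):
        """OSP side: receive only the granted fields, only while valid."""
        req = self._requests.get(request_id)
        if req is None or req.osp_user != osp_user:
            raise PermissionError("unknown request for this OSP user")
        live = req.status == "granted" and (req.expires is None or now < req.expires)
        if not live:
            self._log(now, req, "read-refused")   # refusals are recorded too
            raise PermissionError("no valid grant")
        record = self._vault[req.patient]
        released = {f: record[f] for f in req.fields if f in record}
        self._log(now, req, "read", released)     # field names only, no values
        return released

    def history(self, patient):
        """Patient side: every event on their data, with the stated reason."""
        return [e for e in self._history if e["patient"] == patient]


if __name__ == "__main__":
    # Constructed sample data, not taken from the trials.
    t0 = datetime(2015, 10, 28, 9, 0, tzinfo=timezone.utc)
    mgr = DataAccessManager({"patient-01": {"bmi": 27.4, "care_plan": "walk daily"}})
    rid = mgr.request_access("nurse-07", "patient-01", ["bmi"], "care plan review", t0)
    mgr.decide("patient-01", rid, grant=True, now=t0, duration=timedelta(hours=1))
    print(mgr.read("nurse-07", rid, t0 + timedelta(minutes=5)))
    for event in mgr.history("patient-01"):
        print(event["time"].isoformat(), event["event"], event["reason"])
```

The history records which fields were released and why, but never the values, so the access trail does not become a second copy of the personal data.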

2.5 Summary of Use case requirements

In the preceding sections, an overview was provided for each of the trials in terms of the functions required by the main actors in each case. Table 1 below summarises the functional requirements and provides an initial mapping of the requirements against the use cases shown for the proposed OPERANDO extensions in Figure 2 above.

Table 1: Summary of user requirements from an analysis of the trials

REQUIREMENT | OSP | PSP | SERVICE USER | PUBLIC ADMIN | HEALTH CARE | PUBLIC ADMIN & HEALTH CARE AUTHORITIES

Standard UI Functions

Logon on to dashboard x x x

View dashboard x x x

Manage Data Access

View and update privacy preferences x x x x

View access requests x x x


Grant/deny access x x x x

View and update data x x x x

View history of data access x x x x

Operate Service & Store/Access Personal Data

Request access to user data x x x x

Search for service user x x x

View user data fields x x x

Automatic Compliance Check & Define Privacy Regulations

Set privacy policy x x x

Alert OSP to legislation change x x x

Ensure legal compliance x x x x

Store/Access Personal Data

Track use of personal data x x x

Minimise storage of personal data x x x

Update care plan x x

Define Privacy Policies

Search for privacy policies x x

Edit privacy policies x x

Configure services x x

Publish privacy policies x x

With the exception of the Update care plan function from the Healthcare Trials (Section 2.3), all of the functional requirements appear to be part of the use cases defined above. This latter requirement (Update care plan) should be considered and included appropriately in the implementation of the use cases shown.

The requirements in this and subsequent sections should now be made available to the technical work packages.

2.6 Cross-trial Functional Requirements

In support of the execution of the trials in view of the scenarios listed in the previous sections along with the use cases shown, there will be a need specifically for:

activity logging and reporting: during the various test cases within each trial, it will be necessary to be able to validate that an intended activity or action has taken place. There will be some need to hide or otherwise obscure any or all fields within a log record. This should include an adequate description of the activity and any associated content. More details are provided below. PROBLEM: to validate test runs, it should be possible to generate a real-time record of what is being or has been done on the platform. This can also be used in conjunction with user feedback to identify causes of (dis)satisfaction for instance.

support for a “super user” role with access to all data and function: some test scenarios will involve the (controlled) misuse of data or unauthorised access. By definition, this is not supported by OPERANDO and should have been tested prior to release to the trial sites. It will be necessary, therefore, to be able to circumvent such controls and allow a user to effect changes or gain access not otherwise permissible. PROBLEM: for test purposes only, there may be a legitimate reason to circumvent access control procedures to interact with data.

Since the function of the trials is to gauge user satisfaction and confidence round data integrity, it is assumed that there is no requirement to introduce load into the system. Table 2 below summarises these requirements and assigns a priority to each based on the legal and ethical consequences of omission, where E = Essential, H = High, M = Medium and L = Low. An attempt has been made to avoid identifying a specific solution, such that the table therefore includes only a high-level description of a requirement.

REQUIREMENT DESCRIPTION PRIORITY

ACTIVITY LOGGING

Keeping a record of user activities and system events during trials

Generate a log file

Activity during a test run should be logged to an appropriate file. The fields to be available should include:

TIMESTAMP: this should be a unique identifier to include the date and the time, down to an appropriate level of detail to distinguish tests

SYSTEM: this could be <hostname> or similar

SYSTEM_INFO: this should provide any ancillary information such as a session id in the case of a multi-channel system so that individual sessions can be distinguished

USER: the identifier of the user initiating the action

INITIAL STATE: relevant information about the system and settings before the ACTION is initiated

ACTION: the function or equivalent making the log entry

DESCRIPTION: a brief description of what has been done

CONTENT: any data associated with the ACTION which may include INPUTS and OUTPUTS

OUTCOME: the result / state after the ACTION completes

E

The ability to set duration of logging activity

Either via a configuration parameter or dynamically from a command line, being able to switch logging on and off would be helpful

H


The ability to redirect output

As above, though with the added feature of being able to send output to a file, another location (port) or to the screen

M

The ability to configure the contents of the report

It would be nice to be able to decide which fields go into the report and which are left out

M

The ability to hide or obscure fields within the log report

Whilst retaining a given field, it would be helpful to be able to hide the contents in some way, such as overwriting personal identifiers with an obscuring character such as “X” or retrieve from another source (such as the index for linked anonymized data)

E

The ability to control the level of detail

To be able to specify, for instance, a full (“verbose”) report, and one that simply includes descriptors only

M

The ability to control access to the report

Set access permissions on any file produced

E

The ability to print the report

Allow, with suitable permissions, a report to be printed (i.e., to a file, a printer or similar device)

M

The ability to export the report to a standard format

Allow, with suitable permissions, a copy or version of the log report to be exported to a CSV file, for instance, or spreadsheet.

H

‘SUPER USER’ ACCESS

Being able to circumvent specific controls for the purpose of a given test case

The ability to assign access controls to a given user

One of the main motivations behind the trials is to establish user confidence when using the OPERANDO platform. Being able to assume control and modify content and activities would not normally be supported. However, this type of function would allow specific exception testing to be done to provoke user concern.

H

The ability to override user actions

As above

M

The ability to impersonate a specific user

Behaving “as if” is a specialised form of deception. This is not a high priority but should be considered.

L

Table 2: Cross-trial functional requirements

Table 2 above describes various test functions which would be needed to be able to run the trials effectively; logging is very much an essential function, though the ‘super user’ type support is probably optional. The most important factor is that there must be adequate control on content and test subject identity to avoid inadvertent disclosure of personal data.
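The Essential and High priority logging requirements in Table 2 (the nine record fields, obscuring field contents while retaining the field, access permissions on the file, CSV export) can be sketched in Python as follows. This is an added example, not OPERANDO project code; the function names, the policy format, the sample values and the HMAC-based stand-in for the linked-anonymity index are assumptions made for the illustration.

```python
import csv
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Field names from the "Generate a log file" requirement in Table 2.
FIELDS = ["TIMESTAMP", "SYSTEM", "SYSTEM_INFO", "USER", "INITIAL STATE",
          "ACTION", "DESCRIPTION", "CONTENT", "OUTCOME"]


def mask(value):
    """Overwrite every non-space character with 'X'; the field itself stays."""
    return "".join(c if c.isspace() else "X" for c in str(value))


def link_id(value, key):
    """Keyed pseudonym: the same input and key always give the same token.

    Assumption: an HMAC stands in for the page's "index for linked anonymized
    data"; only a holder of `key` can recompute which token belongs to whom.
    """
    digest = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256)
    return "P-" + digest.hexdigest()[:16]


def make_record(system, system_info, user, initial_state, action,
                description, content, outcome, now=None):
    """Build one log record carrying every field in FIELDS."""
    now = now or datetime.now(timezone.utc)
    values = [now.isoformat(timespec="microseconds"), system, system_info,
              user, initial_state, action, description, content, outcome]
    return dict(zip(FIELDS, values))


def render(record, policy, key, fields=FIELDS):
    """Return the report view: chosen fields, obscured as the policy says.

    policy maps a field name to "mask" or "link"; other fields pass through.
    Unknown names or actions raise, so a typo cannot leave an identifier in
    clear text.
    """
    for name, action in policy.items():
        if name not in FIELDS or action not in ("mask", "link"):
            raise ValueError(f"bad policy entry: {name!r} -> {action!r}")
    view = {}
    for name in fields:
        value = record[name]          # KeyError if the record is incomplete
        if policy.get(name) == "mask":
            value = mask(value)
        elif policy.get(name) == "link":
            value = link_id(value, key)
        view[name] = value
    return view


def csv_safe(value):
    """Prefix cells a spreadsheet would otherwise evaluate as a formula."""
    text = str(value)
    return "'" + text if text[:1] in ("=", "+", "-", "@") else text


def export_csv(records, path, policy, key, fields=FIELDS):
    """Write the obscured report to a new file only its owner can access."""
    # O_EXCL refuses to reuse an existing path; mode 0o600 applies from the
    # moment of creation, so the report is never briefly readable by others.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", newline="", encoding="utf-8") as handle:
        writer = csv.DictWriter(handle, fieldnames=list(fields))
        writer.writeheader()
        for record in records:
            view = render(record, policy, key, fields)
            writer.writerow({k: csv_safe(v) for k, v in view.items()})
    return path


if __name__ == "__main__":
    # Constructed sample record and key, not data from the trials.
    sample = make_record("host-a", "session-42", "mario.rossi",
                         "care_team_access=none", "grant_access",
                         "Patient granted access to care team",
                         "Mario Rossi -> dr.bianchi", "care_team_access=read")
    demo_policy = {"USER": "link", "CONTENT": "mask"}
    for name, value in render(sample, demo_policy, b"demo-key").items():
        print(f"{name}: {value}")
```

Passing a shorter `fields` list covers the "configure the contents of the report" requirement, and obscuring is applied when the report is rendered rather than when the record is created.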

2.7 Cross-trial System Requirements

In addition to those actor-centric requirements identified for the three different trial types in the preceding sections and mapped against the proposed use cases for OPERANDO extensions to the service provider platform, the following system requirements should be taken into account.

The OPERANDO Data Vault will enable the cloud-based storage of personal and sensitive data, which may be understood as:

Personal data is any information relating to natural persons who may be identified, even indirectly, by reference to any information held such as name, address, date of birth, etc., or when cross-linked with any related data.

Sensitive personal data is information which falls into specific categories requiring specific handling, such as health, behavioural and preferences information, etc. (see footnote 1).

The Data Vault should therefore allow:

Data to be securely stored

Data to be classified (personal/sensitive)

Data to be handled in accordance with classification

These help define the implementation of the Manage Data Access use case above.

As opposed to confidentiality, whereby data or information is held in confidence and only disclosed under specific conditions and to identified individuals or organizations, anonymization involves specific processing of data to ensure that irrespective of confidentiality and/or disclosure “the data subject is no longer identifiable” [1, Paragraph 26, 2]. OPERANDO anonymization services should provide anonymization which will allow data to be identified as related to a specific individual (linked anonymity). All data will be considered confidential and bound by the restrictions imposed by an ethics approval body as well as by local legislation. The platform should therefore allow:

Anonymization of all personal data

Compliance checking with appropriate laws or regulations

These services relate specifically to utilities and function required for the safe and appropriate storage and handling of personal data by the OPERANDO platform, and relate to all trial areas. They will help define what should be implemented for the Anonymization, Automatic Compliance Checks and Define Privacy Regulations use cases.

3 Ethical Oversight and Procedures

On the basis of the Normative Ethics outlined in D3.1 Guidelines on legal aspects, this Chapter considers the specific implications of the legal framework outlined as it applies specifically to the trials in OPERANDO. For each of the three trials – Public Administration, Healthcare and Public Administration & Healthcare – any specific issues are identified along with the assumed impact and any mitigation strategies that need to be considered.

3.1 Ethical Principles

In the context of privacy by design [9], a set of ethical norms have been identified which relate specifically to the ethical and legal framework within which the trials in OPERANDO should operate [op.cit.9, Section 2: Normative Ethics]. These are summarised here and briefly described in terms of how they relate to the nature of the work undertaken as part of the trials.

i. Fair decision-making [9, Section 2.1]: this relates to a participant’s expectation that they have effective recourse in the case of complaint or concern, including that any false alerts or inappropriate conclusions reached by the system will be resolved. For the OPERANDO trials, this implies a requirement to monitor performance (specifically decision-making and reporting) and transparency towards the participant.

ii. Privacy and data protection [9, Section 2.2]: the most commonly cited legal and ethical right relates to the secure management of personal data, including the right to access, modify and request deletion of such data. Notwithstanding this basic requirement, it is also reasonable for participants to assume that their data will be treated in accordance with the laws of their local country.

Footnote 1: Specific definitions are provided in the various instruments of the European Commission. See above.

iii. Consent & autonomy [9, Section 2.3]: the basis of consent requires that participants understand the implications of what they are about to do (“informed”), that they should take some action to signal such consent (“explicit”), and that they are not coerced and in fact able to make the decision themselves (“freely given”, and legal competence).

iv. Non-discrimination [9, Section 2.4]: the equal and appropriate treatment of all participants requires the careful selection, management and interactions with participants. This will require trials to maintain the necessary controls to ensure that all are treated to the same standards, irrespective of any subjective or other response to individuals.

v. Human dignity [9, Section 2.5]: we all have the right to be who and what we are, and to be respected as such. Given that this is an inviolable human right enshrined in the EU Charter, this is at the foundation of all principles here, and must be respected, including but not confined to non-creep of personal data use or unfounded inferences made.

vi. Health care, public security & online business freedoms [9, Section 2.6]: in addition to other rights and expectations, it is essential that all be given access to appropriate healthcare, as well as respect and protection from anything which may compromise it.

vii. Proportionality & mission creep [9, Section 2.7]: any interaction between parties in the trials is based on trust. Irrespective of any legal requirements, this also includes what happens to data albeit covered by informed consent. Participants have the right to assume that any disruption or other effect on them, as well as the use of their data and any trial results will be controlled to respect the best interests of participants.

Since this deliverable is about the fair and appropriate execution of the identified trials, but also about the associated societal benefits, we need to consider how best to handle these overall principles within the context of the proposed trials.

With regard to human participants in social science experiments and trials, a number of basic principles apply [British Psychological Society (BPS), 10, Chapter 2, American Psychological Association (APA), 11, General Principles]. These may be summarised as follows:

There is a need to respect individual participants and ensure that they are appropriately selected and treated during trials (APA, Principle E “Respect for People’s Rights and Dignity”; also Principle A “Beneficence and Nonmaleficence”; BPS, “Respect for the autonomy, privacy and dignity of individuals and communities”). This all relates to how participants are recruited, their consent requested and managed, and so forth. We will refer to this as Recruitment of participants.

Additionally, there need to be procedures:

o To safeguard data and participants [BPS, 10, "Scientific integrity", "Maximising benefit and minimising harm", APA, 11, Principles B "Fidelity and Responsibility", C "Integrity" and D "Justice"]; and

o To manage (personal) data [BPS, 10, "Respect for the autonomy, privacy and dignity of individuals and communities", "Social responsibility" and "Maximising benefit and minimising harm", APA, 11, all principles].

Using these fundamental principles, it is possible to outline basic guidance for the design and execution of the various trials within OPERANDO.

Table 3 below summarises how the normative ethics summarised above and derived from [9] relate to the specific features of the trials discussed in more detail in Chapter 4.


FAIR DECISION-MAKING | PRIVACY & DATA PROTECTION | CONSENT & AUTONOMY | NON-DISCRIMINATION | HUMAN DIGNITY | HEALTH CARE, PUBLIC SECURITY & ONLINE BUSINESS FREEDOMS | PROPORTIONALITY AND MISSION CREEP

RECRUITMENT OF PARTICIPANTS √ √ √ √ √ (√)

SAFEGUARDS √ √ (√) (√) (√) (√)

DATA COLLECTION & MANAGEMENT √ √ √ √ √ √

Table 3: Relationship between the ethical considerations for trials and the normative ethics discussed in D3.1

For each cell in the table, a tick highlights the direct overlap between the normative ethics and the areas to be covered specifically in the Ethical Research Protocols; a bracketed tick shows a relationship between the normative ethics topic and the Ethical Research Protocols.

In the following sections in this Chapter, we will highlight specific concerns and risks for each of the individual trials. Then in Chapter 4, we will outline specific guidelines based on the basic principles summarised here and how they relate to the trials.

3.2 Identification of Ethical Issues

In light of the discussion in the previous section, it is important to attempt to identify potential ethical issues and risks for each of the trials and trial areas involved in OPERANDO. For each such risk identified, we also need to provide a mitigation strategy. The following table summarises the approach for the trials.

RECRUITMENT OF PARTICIPANTS

RISK DESCRIPTION MITIGATION

What is the issue? e.g., participants may be classed as ‘vulnerable’

Why is this an issue? e.g., special care needs to be taken

What can be done to reduce the risk? e.g., consent will only be requested once participants fully understand what is being done and why; consent will be renewed on a regular basis, with regular check-points with participants.

… … …

Table 4: Template to summarise issues identified for each trial

3.2.1 Public Administration

For WLA and Barnsley trials, any real sensitive personal data to be exchanged and interacted within the OCC platform for OPERANDO will be simulated: no actual personal data will be used for the scenarios. These simulated data will be stored in a cloud operated by OCC in the UK, set up and managed specifically for the trials. By using fictional data, the OPERANDO platform may be tested for feasibility and usability without risk of security breach. That being said, some personal data will be collected for the UK trials, restricted to details of the participants for the trial. These will not however be exchanged with any other party or partner. The data will be treated as described in the sections below.

The trial applications and scenarios chosen will not be specific to individuals or groups with unusual social circumstances, lifestyles or medical status whereby participation in the trial may present a risk of increased vulnerability or stigmatisation. The OPERANDO trials will not involve vulnerable individuals or groups, as employees in the respective authorities will be asked to role-play either service users or service providers. In recruiting experienced professionals from the authorities, there will be no need to provide specific training. However, due to the nature of the scenarios used (using vulnerable adult use cases) levels of stress of the participants in the trials will be monitored throughout via regular feedback.

For the UK trials, it is necessary for all participants to be asked for their ongoing informed consent during the scenarios. This will be captured on certificate of consent forms distributed to the participants, and signed before the start of the trial. These ethical considerations are given in more detail in Deliverable 3.6 – Ethical committee approvals [12].

The following tables summarise the risks and mitigation in respect of the Recruitment of Participants (Table 5), appropriate Safeguards for the trial (Table 6), and Data Collection and Management (Table 7). These provide an overview of issues already identified and what has been planned to alleviate any potential problem.

RECRUITMENT OF PARTICIPANTS

RISK DESCRIPTION MITIGATION

OPERANDO trial participation may be challenging for users who are less technologically able

As a project focused on innovative technology solutions, and a trial aiming to test the feasibility of software, there is a risk that the trial may be difficult for less technically able individuals to participate

Enable a user friendly interface that is intuitive for users from a broad skill set and age range. This will mitigate discrimination against elderly or those who are less technologically trained. Adopt best practices and policies and incorporate ease of use into the trial user feedback

OPERANDO trial participants may be selected from more technologically able groups, which could potentially bias results

As participants for the trial will be employees of authorities, these individuals may be more technically able than the intended end user group for the project.

Ensure recruitment of participants covers as wide a range of abilities as possible to ensure the trial thoroughly validates the ease of use of the system for the end users

Service users included in the trial may be stigmatised

Service users could be stigmatised because they are taking part in the trial for a specific scenario above other groups or individuals

The OPERANDO trials will not involve vulnerable individuals or groups, as employees in the respective authorities will be asked to role-play either service users or service providers.

Service user expectations of a service may be altered by involvement in the trial

Service users could feel that they will receive preferential treatment, or a change to the service they receive through taking part in the OPERANDO trials

The OPERANDO trials will not involve real service users, as employees in the respective authorities will be asked to role-play either service users or service providers.


Table 5: Risks and mitigation associated with Participant Recruitment for Public Administration Trials

SAFEGUARDS

RISK DESCRIPTION MITIGATION

Disclosure of sensitive information may occur during trials

As trial systems in the UK will involve social care systems for vulnerable adults there is a risk that sensitive information about vulnerable individuals may be disclosed

Only fictional data will be used for the scenarios, avoiding the possibility of a security breach involving real sensitive data

Unrealistic data may be used for trial scenarios, affecting trial feedback

As data used for scenarios in the UK will be fictional data, there is a risk that this synthetic data may be unrealistic

OCC will use our expertise as a social care system provider and review the data to be used with the appropriate authority to assess its relevance

Table 6: Safeguards to be in place for Public Administration Trials

DATA COLLECTION AND MANAGEMENT

RISK DESCRIPTION MITIGATION

Data belonging to a patient who has withdrawn consent remains

Upon withdrawal of consent from a participant, we are legally required to remove their data from the trial dataset and cease processing of this data

Implement a mechanism and appropriate procedures for allowing the deletion of data upon participant’s request, or upon withdrawal of consent.

Table 7: Risks and mitigation associated with Data collection and management for Public Administration Trials

3.2.2 Healthcare Trials

This section builds on the previous D3.1 and D3.6 deliverables by discussing relevant ethical principles pertaining specifically to health care trials, to give a full understanding of the guidelines that protect the information privacy of trial participants. These should be considered as sources of requirements for the information system under development. The construction of an ethical framework for OPERANDO will guide stakeholders in addressing ethical issues in personal data management by building on the Fair Information Principles, normative ethics and including principles from the following sources.

The Fundamental Principles of Biomedical Ethics:

Principle of Respect for Persons and Autonomy. All persons have a fundamental right to self-determination. Incorporates at least two ethical convictions: first, that individuals should be treated as autonomous agents, and second, that persons with diminished autonomy are entitled to protection.

Principle of Justice. All persons are of primary concern. The principle requires an account of what fairness among such agents involves. All persons are equal and have a right to be treated accordingly.

Principle of Beneficence. All persons have a duty to advance the good of others where the nature of this good is in keeping with the fundamental and ethically defensible values of the affected party and where advancing their good does not entail disproportionate harm to oneself.


Principle of Non-Maleficence. All persons have a duty to prevent harm to other persons insofar as it lies within their power to do so without undue harm to themselves.

Ethical principles can be applied to the assessment of the risks and benefits of tangible forms of harm such as harm to health, harm to life, or financial harm. In the context of data privacy, secure trusted environments provided by OPERANDO can prevent harm and take ethical responsibility to protect trial participants while securely managing data to support innovative research discoveries.

There are two overall distinct ethical issues arising in OPERANDO:

the need for the ethical treatment of participants in the trials, during their recruitment as well as during the full lifecycle of the trial;

the need to respect and protect the privacy of the trial participants.

The ethical risk framework in the following tables provides a way to ensure ethical implications are adequately examined by stakeholders before the deployment of the system. Specific examples are shown below.

RECRUITMENT OF PARTICIPANTS – FCSR

RISK DESCRIPTION MITIGATION

The San Raffaele Hospital Office of Clinical Research (Ethics Committee) will assure that subjects are selected fairly; however, unjust social patterns may nevertheless appear in the overall distribution of the burdens and benefits of research; therefore the disclosure of information that could lead to discriminatory circumstances could be mitigated.

Access knowledge of information that could inform a health insurance coverage or potential employer and prevent opportunity.

Do not allow access or checking of clinical or BMI information that could be discriminatory. Only authorized users will be allowed to see information.

Will the service or technology be made widely available or will it be restricted to users who are technologically sophisticated?

Adopt best practices and policies and incorporate into the trial user feedback.

Enable a user friendly interface that is intuitive for most users.

Table 8: Risks and mitigation associated with Participant Recruitment for Healthcare

SAFEGUARDS – FCSR

RISK DESCRIPTION MITIGATION

Data could be compromised or inaccurate in database.

Adopt procedures that check for data integrity. Address safety issues in a timely manner that could result from incorrect data.

Collect and check data based on a framework developed with privacy /security principles.

The technology may curtail a person’s right to liberty and security.

Technology and project can inspire public trust and confidence.

Privacy policies and publication sent out in a timely manner.

Table 9: Risks and mitigation associated with Safeguards for Healthcare


DATA COLLECTION AND MANAGEMENT – FCSR

Risk: Sensitive data will be collected as part of the trial.
Description: Additional procedures need to be in place to manage and protect sensitive personal data. Procedures to be adopted that align with Data Minimisation Principle.
Mitigation: All data must be anonymized and de-identified. Data will be gathered, managed and stored per Legislative Decree 196/03. Information systems and software shall be configured by minimising the use of personal data and identification data, in such a way as to rule out their processing if the purposes sought in the individual cases can be achieved by using either anonymous data or suitable arrangements to allow identifying data subjects only in cases of necessity, respectively.

Risk: Undesired addition or modification of the data.
Description: Procedures need to be in place to ensure data integrity.
Mitigation: Provide a trusted access-control schema to control the accesses and ensure the originality of data.

Risk: Data belonging to a patient who has withdrawn consent remains.
Description: Procedures need to be in place to document the deletion of data and withdrawal of subjects.
Mitigation: Implement mechanism for allowing the deletion of data upon patient’s request.

Table 10: Risks and mitigation associated with Data Collection and Management for Healthcare

3.2.3 Public Administration & Healthcare Authorities

Since the PDI trials will not involve the use of real personal data, the ethical implications are not marked in this phase, but in order to better customize the OPERANDO platform for Italian Healthcare Administrations and Local Governments, the trial will be analysed and considered as if it were a real live system and operation.

RECRUITMENT OF PARTICIPANTS – ASL BERGAMO TRIAL

Risk: Participants don’t want to enroll online
Description: Fear of lack of privacy
Mitigation: Accurate and understandable description of the privacy protection system in the website homepage of the service. Assurances during talks with ASL personnel.

Risk: Display online advertisement related to gambling
Description: Counterproductive related to the care of the addiction
Mitigation: Avoid use of keywords that can be detected by malicious software for displaying advertisement

Risk: Participants don’t want to share mail addresses
Description: Fear of misuse
Mitigation: Accurate and understandable description of the mail anonymization protection system. Assurances during talks with ASL personnel.

Table 11: Risks and mitigation associated with the Recruitment of Participants for ASL Bergamo

RECRUITMENT OF PARTICIPANTS – GASLINI HOSPITAL

Risk: Participants don’t want to enroll online
Description: Fear of lack of privacy
Mitigation: Accurate and understandable description of the privacy protection system in the website homepage of the service. Assurances during talks with Hospital personnel.

Risk: Participants don’t want to share mail addresses
Description: Fear of misuse
Mitigation: Accurate and understandable description of the mail anonymization protection system. Assurances during talks with Hospital personnel.

Risk: Participants don’t understand the utility of the system
Description: Patients that are not familiar with digital instruments
Mitigation: The hospital will create an easy and understandable guide/brochure for explaining and advertising the service

Table 12: Risks and mitigation associated with Safeguards for Healthcare

SAFEGUARDS – ASL BERGAMO

Risk: Disclosure of sensitive information
Description: E.g. a patient informs ASL of illegal activities in a public exercise
Mitigation: With the cooperation of patient and ASL personnel the information will be transferred to authorities protecting the identity of the patient.

Risk: Misuse of patient information
Description: E.g. an operator of ASL wants to publish information from a patient
Mitigation: The real identity of the patient is available only to the medical personnel who are in charge of the care path.

Table 13: Risks and mitigation associated with Safeguards for the ASL Bergamo

SAFEGUARDS – GASLINI HOSPITAL

Risk: Misuse of patient information
Description: E.g. an operator of the Hospital wants to access sensitive data
Mitigation: Sensitive data is available only to the medical personnel responsible for the care path or to the personnel authorized explicitly by the patient.

Table 14: Risks and mitigation associated with Safeguards for the Gaslini Hospital

DATA COLLECTION AND MANAGEMENT - ASL BERGAMO & GASLINI HOSPITAL

Risk: Fake sensitive data will be collected as part of the trial
Description: Additional procedures need to be in place to manage and protect sensitive personal data
Mitigation: Everything will be collected and processed by PDI using the real IT system used by ASL/Hospital that has strong protections.

Risk: Security of all kinds of data
Description: Standard procedures to protect IT systems
Mitigation: To avoid errors and unauthorized access a new virtual machine will be created outside the normal permissions of IT personnel of ASL/Hospital

Table 15: Risks and mitigation associated with Data Collection and Management for ASL Bergamo and the Gaslini Hospitals

4 Ethical Protocol for Trials

The motivation for creating a research protocol is to be able to summarise the main details of a given study, including the number and demographics of the participants, the data that will be collected from or in association with them, and the general procedures in preparation for, during and after the study in question. Notwithstanding legal requirements to provide appropriate safeguards for participants as well as any associated data [see 9], there is an increasing realisation that trying to apply general ethical principles to specific environments may be problematic. ICT is different [13], with online engagement and participation creating issues not least around anonymity [14], a need to understand how to manage issues, not restrict all activity [15], and perhaps even a need to spell out more pragmatic guidelines [16]. With all of this in mind, there is a need to be aware of some specific issues.

Against the initial realisation that context is important [13], there are some specifics which are relevant to OPERANDO. Beaulieu and Estalella [14] looked at the implications of ethnographic studies, where the researchers (one of the co-authors) developed an online presence to ensure that there was no deception. Now, if ecologically valid results are sought [see, for instance, 17], there’s no reason why properly managed deception should not be allowed [18]. However, for Estalella, this created two problems: contiguity and traceability [op.cit., 14]. In a nutshell, as the researcher was a participant in the online community he was studying, it was difficult to maintain strict separation between what was being studied and his other interests and research; secondly, in entering interactions with the researchers, individuals could no longer be guaranteed anonymity since association with him could easily lead to inferences about their participation. For the OPERANDO trials there are a number of conclusions, though: first, direct stakeholder involvement in simulation needs to be carefully managed in terms of contiguity: there needs to be clear delineation between the service-provider participant standing in for a service user and the former’s expectations of the latter; second, any service user participants must understand the implications of their participation, such as inferences being made about them.

Much of this will come down to appropriately managed informed consent. Here too there are issues. Moor [13] for instance highlights that automated services should be ‘invisible’, i.e., non-intrusive to the user; this comes at a cost, though, because it opens up the way for potential misuse. There is a compromise between the legitimate goals of the trials and those of the participants [cf. 15]. That being said, and especially in terms of health and social care, it is essential to be aware of the power relations which may appear between the different actors in a given scenario [19, 20]. Specifically, OPERANDO deals with sensitive, and perhaps even vulnerable, actors [19, 21]: their needs and expectations need to be understood and factored into the design. Consent should be based on explicit and detailed participant understanding [15, 22].

Ultimately, though, for any research involving societally significant areas such as health care and by extension social care, there really is a need for collaborative efforts working towards service and system improvement [16, especially point 8]. This includes a moral obligation for participants to assist [23, item (7)]. Compromises may need to be made [15, 16, 20], but not at the expense of the dignity and interests of human participants [21, 22]. Within such a framework of practical and mutual benefit, the OPERANDO trials have identified potential risks and issues, but also appropriate mitigation (Section 3.2). In the following subsections, we will outline general and specific measures to protect and respect participants as well as pursuing the objectives of the trials and the project as a whole.

4.1 Recruitment of Participants

The general principles behind participant recruitment are summarised here, and then applied in the following subsections to each of the individual use case trials.

Participants

We need to identify those who will be targeted as trial participants, how many are needed, broad demographics, and why they are needed.

Ideally, participants should be adults and fully autonomous.

How they will be recruited

It is important that participants are free to make an informed choice about whether or not they wish to participate. They should self-select and not feel under any constraint, such as wanting to curry favour, or believing that they have to participate because of their employment, their position in relation to the person asking, or preferential access to service or information.

Any inducement to participate

Providing incentives for participation is fine, such as a small monetary gift and out-of-pocket expenses, so long as proportionate. However, any such inducement should be equitable (all participants receive the same amount) and is made on the basis that the participant may retain the incentive, even if they decide to withdraw.

What participants will be expected to do

To make an informed decision, and notwithstanding any well-motivated deception (see below), participants should be provided with detailed information about what they will be expected to do, how long it will take, and if there are any expectations on them.

This should also include some description of why they are being asked to behave in a given way, or provide information, or perform a given task.

What data will be collected

Further, to make an informed decision, participants must be told what data will be collected, why, how long it will be kept, and where stored. This should include a brief description of why it is needed and what will be done with it (the processing) and by whom.

Any need / plan for participant debrief

It is a common courtesy to tell participants how and when they might see the results of any study they may have taken part in.

In addition, if deception is necessary (not telling the participant exactly why they are being asked to perform in the way they are), they should be told once their participation has reached an appropriate stage, or at the end of the trial period.

Similarly, if there is likely to be any discomfort or distress associated with the trial itself, there should be an opportunity for participants to discuss any concerns and receive appropriate support.

Any issues

There may be some concerns around recruitment, such as willingness, availability or legal competency. These should have been highlighted above (see Section 3.2), but should be repeated here along with any related procedure to contain any such issues.

The following subsections contain the relevant information for each of the OPERANDO trials.

4.1.1 Public Administration

Participants

Participants will be employees in the respective authorities, and will be professional health and social care providers. In recruiting experienced professionals, they will have very specific and rigorous expectations of what they should be able to do, what the frustrations might be of the specific users, and what the system should and should not allow. As such, they represent an efficient participant group for the public administration trials.

How they will be recruited

They will be recruited by employees of the respective authority at the trial sites (either WLA or BMBC), or by OCC as appropriate, and given information about the project and the trial goals in order to make an informed choice of whether they would like to participate. BMBC and WLA have already signed letters of intent to provide support.

Any inducement to participate

There will be no inducement; only travel expenses, if necessary to attend the trial, may be considered. Any such payment will be equal across all participants. Should they subsequently choose to withdraw, they will be able to keep any monies provided.

What participants will be expected to do

UK trials will not involve vulnerable individuals or groups, as employees in the respective authorities will be asked to role-play either service users or service providers. They will be asked to perform a number of different, role-typical tasks. During these activities, the overall platform will be monitored to establish the validity of the activities attempted as well as the security and integrity of the data used. In addition, participants will be asked to evaluate their experiences in terms of how easy it was to complete the requested tasks, as well as whether they had only the access and control over data that they had assumed.

Examples of role-typical tasks: a role-played ILAHS monitoring centre worker receives a call from a role-played vulnerable adult and responds; a role-played service user accesses the privacy dashboard.

What data will be collected

Data collected before the role-play scenario will be the full name, job description, work experience (relevant experience to social and health care), familiarity with social care systems, familiarity with service users, contact information for use in case of queries (phone number, email address), informed consent.

During the trial, the participant’s system activity will be recorded, such as actions and a video of their use of the system and any spontaneous queries.

After the role-play scenario the participant will be asked for their level of stress, views on ease of use, feeling of trust in the system, whether the system is fit for purpose, and any other views.

All data collected, stored and processed will be treated as strictly confidential, and kept for a specific period of time stated on the consent form. This time period shall be no longer than is necessary to achieve the aims of the trial and validate the project objectives, and after this point, the data will be destroyed as required.

Any need / plan for participant debrief

The participants will be informed about any upcoming deliverables which may include results from the trials performed, and how they will be able to view these.

The participants’ level of stress will be monitored throughout, and support offered as necessary.

4.1.2 Healthcare Trials

There is a need to have a comprehensive secure interface offering a holistic view of personal data while drawing anonymized data directly from a patient’s electronic health record. Therefore, the OPERANDO trial will respect and protect the security and privacy of the personal data of the trial participants while maintaining full ethical treatment of participants throughout the lifecycle of the trial. The OPERANDO trial will facilitate legal compliance and allow applied real-time access control decisions by the user, making it easy for the healthcare users and care team to securely access data. The trial will validate the trustworthiness and reliability of the OPERANDO framework in the privacy data management context. The validation and fine-tuning of OPERANDO will be informed from a dual perspective: 1. the users will provide insight into their perception of privacy and security, and 2. the doctors and care team will provide insight on how privacy and security impact the usability of the platform and their everyday routine. OPERANDO services will be built on top of the existing Food Coach platform, which will be fully validated prior to the start of the trial. A previous study will have examined the acceptability and effectiveness of the Food Coach platform; therefore comparison results with and without OPERANDO can be evaluated.

Participants

The FCSR healthcare trials will focus on personalized services that support healthy living for adults. Trials will not be designed to provide or recommend treatment, so no subjects will be incapacitated by medical conditions. The focus will be on adult users with full decision-making capacity to enable them to manage their own personal data.

How they will be recruited

Identification of appropriate adult cohorts from the OSR medical records and OSR living lab database developed by investigators and study staff. Direct mailing and social media recruitment with the development of a study-specific letter.

Any inducement to participate

The FCSR OPERANDO trial will not offer inducement to human subjects.

What participants will be expected to do

A maximum of 60 patients in two randomized groups will be enrolled in the OPERANDO trial for validation and proof of concept study. One group will test the previously validated food coach platform. The other group will test the Food Coach Platform with the added OPERANDO platform features. Compared to the Food Coach platform group, enrolled patients will be asked to complete a privacy setting questionnaire (details will be published later and as part of the application for ethical approval). They will be asked to engage with the OPERANDO dashboard which updates and tracks the flow of personal data. The study will be constructed in three phases: 1. The initial user requirements and assessment. 2. Additional responses and subsequent testing of the two different platforms. 3. Final evaluation stage of both the OPERANDO and Food coach platforms.

What data will be collected

Data will be collected by the trial systems in operation, along with additional data needed to evaluate those systems in experiments. The patients will input the information regarding their nutritional behaviours and physical activity habits, along with anthropometric and biological data, to receive a calculation of calorie expenditure for the day along with a personalized plan. The healthcare professionals (service providers), through the nutritional platform, will have the possibility to monitor and control in real time the lifestyle habits of their patients, providing them personalized care guidelines. The study will test the usability, technical effectiveness, efficiency and user satisfaction of the platform and mobile app.

Any need / plan for participant debrief

Debriefing will only occur with the collaboration of a staff psychologist. All interview questions will be developed by the staff psychologist. Debriefing to group allocation will be conducted in order to receive final feedback on patient perceptions on privacy and trusted environments for health data. This will be done with a semi-structured interview based on patient reported feedback given regarding system improvement. Questions will collect data about perceived trust, security and also about individuals' personal experience. Free text comments will be analyzed using a framework method for qualitative data. Protocol in terms of timing, length, and training will be developed at the final testing stage of the trial.

Users will be asked to perform a number of typical tasks to explore user privacy perception and satisfaction. A questionnaire will be developed by a licensed psychologist covering the perceived benefits of using the platform and any issues regarding data protection and privacy. The questionnaire will be included in the trial protocol to be approved by the ethics committee. Examples of the tasks to be performed include:

Task #1 Enter your personal privacy settings into the dashboard and save them.
Task #2 Enter your nutritional data for the day and post it to the care team.

Any issues

Since this trial includes real rather than simulated data and scenarios, additional information is provided in Appendix B.

4.1.3 Public Administration & Healthcare Authorities

The Public Administration & Healthcare trials are based on two sites: the GASLINI Hospital and ASL Bergamo, both in Italy. The trials will use simulated data and experienced personnel to role-play the part of end-users. The sections below provide an outline of the two individual trials.

4.1.3.1 GASLINI Hospital

Participants

To avoid the potential for unnecessary distress, users will be recruited and asked to role-play actual patients. Given their experience, they are well-placed to be able to provide realistic and representative responses.

How they will be recruited

As agreed with the Hospital, the manager of the ICT department and a member of the UAB, Mr. Lightwood, will take responsibility for recruiting participants. They will take every care to ensure that participants do not feel under any pressure to take part.

What participants will be expected to do

Data will be collected from the real HGG IT system, using a separate and controlled image hosted in a separate virtual machine. On this basis, participants will act as if they were real patients interacting with the OPERANDO platform to carry out typical tasks (e.g. filling in a questionnaire form, subscribing to the newsletter system, sending a question to the doctor, and so on).

What data will be collected

Participants in the trial who role-play the various actors will provide

Personal data such as an identifier (name) and contact details (telephone number, eMail address)

Demographic information such as sex and age group

The data will be simulated but representative of the real system. These data will include:

Personal data for the role, such as an identifier (name) and contact details (address, etc)

Potentially sensitive information (i.e., EMRs, EHRs, diagnosis, examinations, etc.)

Data will be held in a simplified form

4.1.3.2 ASL Bergamo

The information and procedure for ASL Bergamo is much the same as the above. Where there are differences, these are noted here:

Participants

As above

How they will be recruited

Upon agreement with ASL Bergamo, the manager of the Healthcare Promotion Unit and member of the UAB, Mr. Moretti, will take responsibility for recruiting employees to role play real participants. Care will be taken to ensure that no one feels pressed to take part.

What participants will be expected to do

As above, data will be collected from the real ASLBG IT system, in a separate virtual machine.

What data will be collected

As above, but additionally including:

Potentially sensitive information such as alcohol and other substance use, previous PSW penalties, number of accidents

Geotagged information, such as the location of place where people play gambling games

These trials will require approval since they include human participants (those role-playing patients), though this will not be as stringent as those for the Healthcare trials using real patients.

4.2 Safeguards

In light of any risks and issues previously identified (Section 3.2), there are a number of specific safeguards which need to be put in place in respect of the specific issues associated with each of the trials. These are summarised here.

PARTICIPANTS

Using role play

Theoretically, and ideally, participants in the trials would come from the actual targeted service users. For practical and/or ethical reasons, this may not be possible: for instance, the trial scenario may involve distressing or sensitive situations which may not be containable within the trial setting. For this reason, there may be some cases where the trial scenario is simulated as indicated below.

Providing support

Given the sensitivity and implications of the trial scenarios, involving health and social care, there may be a requirement to provide additional professional support to participants. Any such measures are described below.

3rd party referral

As a consequence of any such stressful outcomes, or during the normal course of a given scenario, and in recognition of our duty of care to the participants, it may be advisable for participants to be referred to competent experts not related to the project at all. Procedures for the circumstances under which this would be done are provided below.

DATA ISSUES

Data controller / processor

It should be clear for each trial whether and if data will be processed locally and solely by the partner responsible for the specific trial. In cases where data will be processed by another partner, this should be identified.

Storage

Similarly, and not least because participants would have a reasonable expectation that their data would be stored and managed in accordance with the laws of their local country, it is important to identify if data will be transferred to another Member State.

DEBRIEFING

When

If a debriefing for whatever reason becomes necessary, each trial should identify the schedule for any such session(s).

How

Further, the trial protocol should include the circumstances under which (environment, medium etc.) any such debriefing will be delivered.

What

Finally, the general contents of any such debriefing should be outlined.

The following subsections contain the relevant details pertaining to each of the OPERANDO trials.

4.2.1 Public Administration

PARTICIPANTS

Using role play

The OPERANDO UK trial sites will track individuals role playing users (staff and service users), delivering and managing social care through systems adapted to use OPERANDO. The systems will be populated with fictional data. The trial participants recruited will be health and social care professionals who are accustomed to these types of scenarios and environments. In addition to this measure, the data collected during the trials will ask the participants to indicate a “level of stress” they feel during the exercise. Support will also be offered to the participants if they should feel this is necessary to manage stress in this situation.

Providing support

The participants’ level of stress will be monitored throughout, and support offered as necessary. However, this distress is minimised by recruiting professional health and social care workers.

3rd party referral

If stressful outcomes occur during a given scenario, participants may withdraw from the study and will be referred to a support service as necessary. This procedure will be defined and specified on the consent forms for the trial.

DATA ISSUES

Data controller / processor

OCC is the data processor and controller for the UK trials.

Storage

OCC will store the data from the trial in the OCC cloud under UK laws and following our ISO27001 standard. Any fictional data used for the scenarios will remain in the trial system.

DEBRIEFING

When

The debriefing would be held following the scenario role-play, if required.

How

The debriefing will occur on an individual participant basis by an OCC employee or a WLA or BMBC employee as appropriate.

What

The participants will be informed about any upcoming deliverables which may include results from the trials performed, and how they will be able to view these.

The participants’ level of stress will be monitored throughout, and support offered as necessary.

4.2.2 Healthcare Trials

Once again, the FCSR-led Healthcare trials involve real service users and so are subject to stricter controls than in role play scenarios. These are outlined below.

PARTICIPANTS

Using role play

This trial will not use role play. Instead, the targeted population will have a mixed level of knowledge coming from a health conscious population and/or those seeking information about diseases, treatment options, physicians, lifestyle, and practices of wellness. There will be some users who are interested in management tools for chronic diseases. Age brackets will include a broad range so as not to discriminate against any group. It should be possible to include users that are inclined towards greater digital health care tool usage, women, heads of households and families and seniors. The trial scenario does not anticipate distressing or sensitive situations so role play is not included in the protocol. If the trial produces a negative outcome or incidental findings are discovered, the information may be given to a patient’s personal physician or other appropriate medical personnel responsible for the patient’s welfare, for treatment purposes. Simulated and/or anonymized patient data may be released to the patient at the end of the trial in order to validate the delivery of anonymized aggregated user data in the OPERANDO personal data vault.

Providing support

By definition, participation in the trial involves close monitoring by the investigator who will identify and mitigate any risks that may arise. Support of the care team will be present at all phases of the trial. Additional support via the psychologist will be provided only as deemed necessary by the care team.

3rd party referral

If stressful outcomes occur during the normal course of a given scenario, participants may withdraw from the study.

DATA ISSUES

Data controller / processor

All the data collected during the FCSR trial will be hosted in Italy, at the FCSR facilities, Ospedale San Raffaele, with its registered office in Milan, Via Olgettina 60 (from here Experimental Center). Patients’ data collected in Ospedale San Raffaele will remain in Ospedale San Raffaele.

Storage

Data will remain in Italy and will not be transferred to another Member State without patient consent.

DEBRIEFING

When

Debriefing will only occur with the collaboration of a staff psychologist. Debriefing to group allocation (use of system with or without OPERANDO) will be conducted in order to receive final feedback on patient’s perception on privacy and trusted environments for health data. This will be done with a semi-structured interview based on patient reported feedback given regarding system improvement. Questions will collect data about perceived trust, security and also about individuals' personal experience. All interview questions will be developed by the staff psychologist. Free text comments will be analyzed using a framework method for qualitative data. Protocol in terms of timing, length, and training will be developed at the final testing stage of the trial.

How

What

4.2.3 Public Administration & Healthcare Authorities

Safeguards for the Public Administration and Healthcare trials are outlined here. In contrast to the Healthcare trials above, these trials are based around role play, and so do not have the same level of risk.

PARTICIPANTS

Using roleplay The Italian trial sites will track individual role-playing users (staff and service users), delivering and managing a one-to-one cure path and a consensus registration through systems adapted to use OPERANDO. The systems will be populated with fictional data.


Providing support Further support, in order to act as other final users, can be provided by PDI personnel. Moreover, the PDI helpdesk will help the players to act as authentically as possible during the roleplay.

DATA ISSUES

Data controller / processor PDI is the only data controller of the Italian trials; no data will be processed elsewhere or by any other partner.

Storage Data will be stored in the cloud systems managed for each authority under Italian laws and following our supplier’s ISO27001 standard. Only PDI will have access to the data.

DEBRIEFING

When Any debriefing that is considered necessary will be held following the scenario role-play.

How The debriefing will occur on an individual participant basis by a different (i.e., someone not involved in the roleplay) PDI employee or an ASLBG or HGG employee as appropriate.

What An interview based on a structured questionnaire will be the feedback mechanism. Questions will collect data about individual experiences: ease of use, problems, and possible enhancements.

4.3 Data Collection and Management

The final consideration in the protocol for a given trial relates to any specific issues relating to how data will be processed, made secure and the circumstances under which they may be accessed, shared and/or made public (if appropriate). A summary and explanation of the general principles are outlined below.

GENERAL PRINCIPLES

Anonymization The process for anonymization (including pseudonymisation) should be described. This should also cover how, if at all, participants and their data might be linked if required.

Obligations or otherwise for data release / publication

In the spirit of open data initiatives2, there may be some expectation that datasets from the project will be made available beyond the life of the project. That being so, how the process of data publication is planned should be documented. Note that this is solely related to any research data which may be collected.

Data curation In addition, there may be an obligation to retain raw or processed data for a period of time. In such cases, how and where the data will be stored should be identified.

Data subject access to data

It is a basic right for all participants to be allowed access to the data they have contributed, including to modify and delete those data. Given devolved data controller responsibilities for the specific trials, the process whereby data subjects (participants) may access their data should be outlined.

2 http://ec.europa.eu/digital-agenda/en/open-data-0; see also https://open-data.europa.eu/en/data/

Processing To make an informed decision on participation, participants need to understand what will be done with their data and why. How data will be processed, the motivation for that processing, and the expected outcomes should be described.

Storage There is an expectation that data will be stored appropriately and securely. Participants should be told something of how data are stored. More importantly, it is reasonable to assume that there is an a priori expectation that data will be stored and managed in accordance with the local laws and regulations of the Member State where they are collected. If data are to be processed or stored in a different Member State, or outside the European Union, this should be documented along with the reasons for doing this.

The following subsections summarise the relevant details on data management pertaining to each of the OPERANDO trials.

4.3.1 Public Administration

Plans to handle data collection and its subsequent storage are outlined here.

Anonymization For the UK trials fictional but representative data will be used to role-play the scenarios, where the only real personal data collected will be the details of the participant, and no sensitive data will be collected. Both these data sets will be treated as confidential. Each trial participant will be given a fictional pseudonym and role-play identity for the trial. The user experiences and responses during the trial will be stored against this pseudonym so it cannot be linked to an individual. The real names linked to pseudonyms will only be available to authorised OCC staff.

Obligations or otherwise for data release / publication

There is no planned release or publication from the UK trials.

Data curation All data collected, stored and processed will be treated as strictly confidential, and kept for a specific period of time stated on the consent form. This time period shall be no longer than is necessary to achieve the aims of the trial and validate the project objectives, and after this point, the data will be destroyed as required.

Data subject access to data

The synthetic data used for scenarios for the UK trials will be stored in the OPERANDO trial system, in the OCC Cloud, and remain in the UK. Access to the data will be granted to trial participants on an ongoing basis under their trial pseudonym. Access to the data would also be given to authorised members of the OPERANDO research team who require access to the data.

Participants in the trial would be able to withdraw their consent to data storage and processing at any point, which would result in the required destruction of the appropriate data.


Processing When giving the participants information about the project and the trials before they accept the invitation to join the trial, information about the use of data and processing will be included, in terms of the aims of the trial in validating the project objectives. In this way, the participants will be able to come to an informed decision before giving their consent to participate.

Storage The Data Controller, OCC, is ISO27001 certified and is familiar with the requirements of this standard. The project is therefore well placed to ensure the environment is secured to ISO 27001 standards. For example, we will secure trial site services by familiar industry best practices for user authentication and authorisation, access control, firewall, SSL connections and by retaining input data validation features from the original application prior to conversion for use in OPERANDO. OCC will store the data from the trial in the OCC cloud under UK laws and any fictional data used for the scenarios will remain in the trial system.

A systematic software patching procedure will be used to maintain all the software in the trial system, ensuring that it is kept up to date and free of well-known vulnerabilities. These information security precautions will reflect the established best practice at least to the level specified in the UK Cyber Essentials security recommendations. Physical protection of the servers against theft will be ensured by the host organisation using cost-effective levels of security, including encryption of devices used for storage and backup of the system data.

Any personal data storage would be compliant with UK legislation.

4.3.2 Healthcare Trials

The Healthcare trials will run at FCSR facilities within OSR, and therefore be aligned directly with OSR practices and procedures.

Anonymization Each patient enrolled in the study will also be assigned a unique patient identification number (code). The investigator will identify data by code: only the research team, duly authorized, will be able to connect this code to a name or Health Services number. The patient names are not included in data sets. All data will be gathered, managed and maintained in electronic form.

Obligations or otherwise for data release / publication

Data may be stored and utilized for scientific research or statistical analysis with the informed consent of the individual concerned, with the exception of statistical surveys or scientific research requested by law. Data may be stored for scientific and statistical research purposes different from the ones for which the informed consent was originally obtained, but only if directly linked to the original purpose of the research. If this is not the case, it is required that a new approval is obtained from the Ethics Committee and also the consent of the interested party.

Data curation If the patient provides optional consent for storing data for future research the data will be destroyed no later than 5 years after the date of final closure of the clinical database or stored indefinitely or until they are exhausted.


Data subject access to data

Participants will have access to their data on an on-going basis. Participants can withdraw the authorization for the storage and utilization of their data at any moment. In this case the data must be destroyed according to the law.

Processing The data will be processed for the period of time explicitly indicated in the informed consent and no longer than is necessary to perform the analysis or to accomplish the aims of the study.

Storage The data will be stored at Ospedale San Raffaele, with registered office in Milan, Via Olgettina 60 (from here Experimental Center) in accordance with the responsibilities foreseen in the laws of Good Clinical Practice (Italian Regulation Legislative Decree 211/2003). The Ethics Committee and the Italian Health Authority and outsiders may learn about data which is part of the OPERANDO clinical trial, including contents of clinical documentation, with the aim of evaluating the correctness and accuracy of the data gathered, adopting in every case, all the safeguards necessary that the privacy of patient identity is guaranteed.

4.3.3 Public Administration & Healthcare Authorities

PDI trials will be hosted by the real IT systems of ASL Bergamo and Gaslini Hospital in order to guarantee the highest level of IT security. To avoid any error or misuse, a new virtual machine will be created on the server managed by PDI.

Anonymization The trials will use databases that maintain a unique identifier for each patient registered in the organization, independently of the different types of contact. This ensures that a patient is logically represented only once and with the same set of data in all systems and organizational levels.

Obligations or otherwise for data release / publication

Data may be stored and utilized for statistical analysis with the informed consent of the individual concerned, with the exception of statistical surveys or scientific research requested by law.

Data curation If the patient provides optional consent for storing data for future research the data will be destroyed no later than 10 years after the date of final closure of the clinical database or stored indefinitely or until they expire.

Data subject access to data

Participants will have access to their data on an on-going basis, until such time as they are no longer available. Participants can withdraw authorization for the storage and utilization of their data at any time. In this case, the data must be destroyed according to the law.

Processing The data will be processed for the period shown explicitly on the informed consent form and no longer than is necessary to perform the analysis or to accomplish the aims of the study, and as agreed with any data subject.

Storage The data will be hosted by the real IT systems of ASL Bergamo and Gaslini Hospital in order to guarantee the highest level of IT security and legal compliance. To avoid any error or misuse, a new virtual machine will be created on the server managed by PDI.

5 Verification and Validation

The OPERANDO project is committed to providing an innovative privacy enforcement platform within the health and social care domain. In doing so, it will allow privacy to be built into any offering in this and any other domain which needs similar functions. In business terms, this will enable cloud-based PaaS models, which because of the sensitivity of the data involved have not been feasible up till now. Investment has therefore been fragmented and the management of ICT systems has diverted resource from the key strategic goal of such providers: the clients.

A key component of this is a demonstration of privacy by design implemented in a user-centric environment which all stakeholders, including clients and service providers, will be able to benefit from. To validate that its objectives are being met, a key project objective is to demonstrate and validate the solution [24, Table 1: Objective 4]. To this end, OPERANDO plans to use the ECOGRAI method to track objectives and report progress [25, 26]. Figure 3 summarises this approach.

Figure 3: the ECOGRAI method in a nutshell

As summarised here, the ECOGRAI method should be applied to the platform itself (see the next section). Part of this validation though is to check that trial execution is contributing towards the achievement of the objectives associated with the successful running of the trials.

5.1 Validating the OPERANDO Platform

Testing that the platform itself is acceptable will involve the validation that requirements are being met so that stakeholders, potential users (OSPs) and their customers (service users) provide positive feedback and confirm acceptance of the platform. This may be summarized in the following high-level objectives:


Identify and engage with stakeholders: the stakeholders provide input to the project to help identify both the commercial and technical requirements that the project should address and thereby highlight appropriate success criteria:

o Identify relevant stakeholders

o Engage with those stakeholders

o Elicit their requirements and expectations

o Negotiate prioritisation

Validate that OSP requirements are met: the service providers (OSPs) represent one of the main stakeholder groups, whose input will help identify what issues they face in support of the service users and the constraints imposed on them. This will lead to the identification and prioritisation of functional requirements:

o Engage with OSPs, identifying suitable test sites and scenarios

o Gather requirements and prioritise

o Arrange and run suitable user acceptance tests

Validate that service users have confidence in the platform: through its partners, OPERANDO should test the platform directly with potential service users. Without their acceptance, the OSPs will not succeed in adopting the platform:

o Identify service user issues

o Validate that these can be addressed by the platform

o Prioritise and implement support

o Run surveys with service users to quantify their acceptance

The main objectives (first order bullets and items in bold) and decision variables (the sub bullets) need to be checked against the objectives and execution of each of the trials: see below. The items in italics identify those specific areas of the overall objectives and associated decision variables for the project in terms of Objective 4: Testing and Validation, which provide the impetus and motivation for running the trials described in this document. In the next iteration of this deliverable (D8.2), an update will be provided on these objectives and decision variables along with status at that time.

5.2 Validating the Trial process

At a high-level, the individual trials will contribute towards the overall objective to demonstrate and validate the OPERANDO platform with the following steps:

Engage OSPs: this is the primary objective here. To validate and appreciate the value of the offering, the partners must:

o Identify suitable candidate OSPs

o Discuss with those candidates their willingness and ability to support the development activities in terms of providing (feedback on) requirements and validating the implementation

o Commit to providing such support

Validate the platform

o Gather requirements, and prioritise

o Plan and execute appropriate User Testing (UT)

o Plan and execute appropriate Functional Verification Testing (FVT)

o Respond to input and change requests, where appropriate and agreed with/from users

Approve the platform in terms of


o Usability

o Functional integrity

o Functional completeness

The main objectives (first order bullets and items in bold) and decision variables (the sub bullets) will be checked against the plans of each of the trials. In the sections below, we outline the general features and objectives of those trials. In the next version of this deliverable (D8.2), we plan to provide confirmation of all objectives and decision variables along with status at that time.

5.3 Public Administration

Engage OSPs: The UK public administration trials will recruit trained social care professionals to role-play service users and service provider roles. We aim to run trials on two sites (Barnsley and London) using participants to role play social care professionals and service users. By recruiting experienced social care professionals, we hope to collect representative data for users of these systems. We will also record the participants’ roles and work experience and knowledge of existing systems in order to record the expertise of each participant in this field.

Validate Platform: The aim of the UK trials is to establish the feasibility of using OPERANDO-enabled social care systems to facilitate secure data storage, control for the users over access to their data to give their consent for the ability to share service user data between organisations. The data used for these trials will be fictional but representative data. We will determine that this trial data is appropriate by using our own experience in the social care sector, and by review of this data with site managers before the trials.

Approve the Platform: One key piece of feedback from the trial will be for the participants to indicate how easy the OPERANDO systems are to use. The users will be asked to compare the trial system to their existing systems, and how both affect their ability to complete tasks and perform their role. In addition to reviewing the usability of the system, the participants will also be asked to validate the scenario used for the trial. This will be captured as a rating as to how typical this scenario would be, and also another rating will indicate how applicable and how useful the system would be when applied to other common scenarios used in their daily work.

5.4 Healthcare Trials

Engage OSPs: (FOOD COACH) The FCSR OPERANDO trial aims to contribute to the entire ecosystem of online privacy stakeholders and to field test and validate the overall OPERANDO objectives. The trial will test the following OPERANDO objectives: enable user friendly privacy enforcement, implement Privacy-by-Design, create viable business and trust models, demonstrate and validate the solution, ensure that the OPERANDO framework is sustainable. End users and healthcare professionals will be enrolled in order to understand how they perceive the privacy offered via OPERANDO, and how that impacts the service usage.

Validate Platform: The FCSR OPERANDO trial will use the same methodology that will previously have been used to validate the Food Coach Platform in order to have a comparison baseline that focuses on the patient care/user experience and evaluates for ethical issues. Evaluation and metrics for the Food Coach system/OPERANDO trial will adhere to the stated goals for overall effectiveness, resources, satisfaction, flexibility, and safety. Evaluation will also align with the promotion of Principles to be: Privacy, Perceived privacy, data minimization and meaningful use, consent and choice, accountability, responsibility, access availability and transparency.

Approve the Platform: Approval will be given assuming: the system meets the specifications for chronic disease prevention and management. In addition, we will need to check that we can quantify patient use and adoption of system (quantitative data). In addition, we will develop ongoing patient and user satisfaction privacy perception surveys (quantitative/qualitative data). Finally, in relation to the technical developments from the project, we will verify that the system has been created and installed per privacy specifications.

5.5 Public Administration & Healthcare Authorities

Engage OSPs: The trials in Italy will be played by experienced employees of the two authorities involved and by professionals from PDI in the roles of PSP. We think that we can collect representative data and real-use experience of the OPERANDO platform and of the ECM-Operando system.

Validate Platform: The goal of the Italian trials is to establish the feasibility of the ECM-Operando enabled platform in order to facilitate: secure data storage, control for the users over access to their data to give their consent for the ability to share data, extraction of anonymized data and implement a user privacy protection system in the public administration services. The data used for these trials will be fictional but representative data. We will determine that this trial data is appropriate by using our own experience in the sector, and by review of this data with authority managers before the trials.

Approve the Platform: The main feedback we need to collect is an indication on how easy to use the OPERANDO system is. The role players will be asked to compare the benefit of using the new platform instead of a traditional system and to compare it with other solutions if possible and appropriate.

6 Conclusion

In light of the legal and normative ethics described in [9] and the associated legal documents of the European Commission [1-4, 8]3, the potential ethical challenges associated with running trials in Health and Social Care as well as Public Administration using both real and simulated data, with real and role-play data subjects, have been analysed. In so doing, this report has identified:

Risks and mitigation associated with participant recruitment, safeguards and data collection and management;

Technical requirements of the platform which are required in order to validate and test the acceptability of the platform.

The ethical analyses provided will now go forward in support of application for ethical approval for each trial. The technical requirements should now be reviewed and analysed by the technical partners, including comparison with the Requirements (D2.6) and Architecture (D2.7) deliverables.

On account of these outcomes, the planning of the trials, along with the evaluation both of the trials and the platform in terms of suitability for the target domain can now proceed with detailed background of what needs to be in place, how the trials should be run, and how to assess the impact of their outcomes.

3 For individual Member States, relevant discussion is provided in the individual project sections above.

Appendix A. Example Research Protocol Materials

In the following subsections, illustrative templates are provided by way of example for the generation of appropriate materials in support of the various trials suitably translated to the local language. These are based on proformas used in the University of Southampton, and are meant to be suggestive only. Individual ethics approval bodies will have their own specific requirements and guidance. Specifics for the Healthcare Trials, for instance, are shown in Appendix B.

6.1 Participant information

The participant information is meant for the participants themselves and should provide all the necessary details for them to decide what the study is about and whether or not they wish to participate. This should include:

The purpose of the study;

Any procedures involved, including the expected time they would need to commit, and an approximate idea of what they are likely to be asked to do;

That their participation is entirely voluntary;

That they may withdraw

o At any time

o Without prejudice

o Without even providing a reason, if they do not wish to

o Including requesting all personal data be removed

How they may access the results or outcomes of the study

How their data will be processed, including

o Where

o For what purpose

o Who will have access to it, and why

Specifically on data:

They should be told if the data will be anonymised, and how this will affect their access to it

How and where their personal data will be stored

That they have a right to access, modify and delete such data at any time and for whatever reason

How sensitive data (if any) will be managed

Who they should contact either to access their data or should they have any concerns.

Participants should understand, if they are to receive any reward for their participation, that they will be able to retain it should they withdraw.

If there are any risks involved with the study, participants should understand:

How risks are minimised

What support they will receive and when

If the study involves deception, participants should be told that there will be a debrief session after the study.

6.1.1 Template

< Provide descriptive information such as date, study title and any approval reference >

Please read the following information carefully and ask any questions you may have: it is very important that you understand what the study is about and why we would appreciate your participation. Once you have read the information and are happy you understand, you will be asked to sign a consent form.

What is the research about? < brief description >

Why have I been chosen? < why the participant is important to the study >

What will happen to me if I take part? < brief description of what is involved in taking part >

Are there any benefits in my taking part? < what, if anything, the participant will contribute or get out of participating >

Are there any risks involved? < delete if necessary; otherwise briefly describe and how such risks are managed >

Will my data be confidential? < describe data management >

What happens if I change my mind? < explain participant’s right to withdraw >

What happens if something goes wrong? < provide contact details; including an independent contact within the project >

6.2 Informed consent

Consent should be based on appropriate and comprehensive detail of the study. Ideally, consent should be reviewed and requested again at periodic intervals to ensure continued understanding and support.

Consent should be given explicitly, i.e., via signature or initials. Verbal consent and / or online tick boxes are only accepted under strict circumstances and where no personal data are to be collected.

If the study includes sensitive data, participants should be provided with information about the provisions of the relevant Data Protection Act4.

6.2.1 Template

< Provide descriptive information such as date, study title and any approval reference >

If you are happy that you understand the study and why we would like you to participate, please initial and sign as appropriate below.

I have read and understood the Participant Information provided <REF> and have had the opportunity to ask any questions □

4 By way of example, in the UK, the Data Protection Act (1998) makes the following statement: “The DPA (1998) makes provision for an appropriate authority, such as the Police, to access data held by the study for the purpose of safeguarding national security; preventing or detecting crime; prosecuting or apprehending offenders; assessing or collecting tax; or protecting the vital interests of the participant or anyone else.”


I agree to take part in this study □

I understand that my participation is entirely voluntary and that I may withdraw at any time, for any reason, and without prejudice □

Data Protection

< Add appropriate statement(s) here, including any provisions of the relevant Data Protection regulation >

Name of participant:

Signature of participant:

Date:

6.3 Ethics approval

Individual review boards will have their own forms to complete. In this section, we summarise the information which should be provided on those forms.

Participants

o Describe the typical participant

o Describe how participants will be approached to take part

o Describe any inclusion / exclusion criteria

o Describe how participants will decide whether or not to take part

Study Protocol

o Describe how the study will be executed

o Describe how this will affect / include the participants

o Describe the data to be collected

o Describe how the data will be collected

Data Processing

o Describe how the data will be processed

o Describe who is responsible for what

o Describe where the data will be processed

o Describe who will have access to the data and why

Appendix B. Details of the FCSR Trial

This section provides additional detail in relation to the Healthcare Trials described above since unlike the other trials it includes real service users and their data.

All trials will seek ethical approval.

Data to be collected.

The following table summarises the data to be collected in this trial.

Table 16: Type of data to be collected in the Healthcare Trial

DATA TYPE | DESCRIPTION
General data | ID, sex
Anthropometric Data | Weight (Kg), age (calculated automatically), height (cm), body circumferences (cm).
Clinical Data | Blood exams, pathologies, allergies, intolerance, some genetic data, Body Mass Index2 (BMI), familiarity with the pathology, e.g., diabetic relatives, past or current assumption of drugs (e.g., anti-hypertensive drugs).
Behaviour and preferences data | Nutritional and lifestyle habits and food preferences, such as daily consumption of fruits and vegetables, level of physical activity (Sedentary: light activities, less than 3 times a week; Moderate activity: between 3 and 5 times per week; Vigorous activity: more than 5 times a week), Sedentary lifestyle; level of physical activity correlated to the working day (light, moderate, vigorous).

An additional aim of the trial is to validate the trustworthiness and reliability of the OPERANDO framework in the privacy data management context; therefore additional data regarding OPERANDO will be collected. Trial participants may be monitored to collect information about how they respond to the prototype system, and they will be asked to give their opinion along with some personal data that may be needed to analyse their experiences and feedback.

Data retention: Records and data must be retained by the Principal Investigator at the OSR site for at least 5 years after completion or discontinuation of the trial, or for the length of time required by relevant national or local health authorities, whichever is longer. After that period of time, the documents may be destroyed, subject to local regulations. No records may be disposed of without the written approval of the Trial Sponsor (FCSR). Written notification must be provided to the Sponsor prior to transferring any records to another party or moving them to another location in compliance with local regulation related to this category of data.

Data may be used for exploratory profiling, identification, and preventive health assessments. Any such profiling will only be carried out as outlined in relevant legislation [9, Section 3.2 Profiling prohibition]. The food coach platform aims to help prevent development of chronic disease and negative health outcomes by providing accurate and timely information to users, patients, and caregivers for supporting healthy diets and behaviours. Chronic disease can result from what individuals do or do not do and from the choices they make regarding lifestyle, physical activity and nutrition. Subsequent research studies and secondary data use may be conducted with patients’ informed consent. If the patient provides optional consent for storing data for future research the data will be destroyed no later than 5 years after the date of final closure of the clinical database or stored indefinitely or until they have exceeded their usefulness or currency.

Issues that will need to be considered.

Ethical Considerations and Issues. The San Raffaele Hospital Office of Clinical Research (Ethics Committee) is the local body responsible for ethical approval. The final trial protocol, the Informed Consent Forms, any information to be given to the patient, and relevant supporting information must be submitted to the Office of Clinical Research by the Principal Investigator and reviewed and approved by the Office of Clinical Research six months before the trial is initiated. In addition, any patient recruitment materials must be approved by the Office of Clinical Research. Status reports and any protocol amendments must be properly filed with the Office of Clinical Research.

The protocol must include: general introduction on the project, rationale, specific objectives of the protocol, experimental design, population, experimental test population dimension and its justification, data collection instruments with some information regarding their validation, data management, data analysis methodologies, ethical aspects and data policy.

Compliance with Laws and Regulations. This clinical trial will be conducted in accordance with the principles laid down by the 18th World Medical Assembly (Helsinki, 1964) and all applicable amendments laid down by the World Medical Assemblies, and the ICH guidelines for Good Clinical Practice. This clinical trial will be conducted in compliance with all international laws and regulations, and the national laws and regulations of the country in which the clinical trial is performed, as well as any applicable guidelines or the laws and regulations for Italy, whichever affords the greater protection to the individual. This trial will comply with the E.U. Clinical Trial Directive (2001/20/EC). The trial leaders will also ensure compliance with all relevant national as well as EU legislation, including that concerning data protection, as referenced in D3.6 Ethics Committee approval, section 4.7 Jurisdiction.

Informed Consent. The San Raffaele Hospital informed consent will be provided to all trial participants at the site.

Confidentiality. The trial sites maintain confidentiality standards by coding each patient enrolled in the study through assignment of a unique patient identification number. This means that patient names are not included in data sets. All data will be stored in the OPERANDO trial system at the FCSR/OSR testbed. Patient clinical, behavioural and preferences data and information obtained by this study is confidential and may be disclosed to third parties only as permitted by the Informed Consent Form (or separate authorization for use and disclosure of personal health information) signed by the patient, unless permitted or required by law. Clinical information may be given to a patient’s personal physician or other appropriate medical personnel responsible for the patient’s welfare, for treatment purposes.

Description of the process for OSR Ethical Approval

The clinical trial documents will be formally reviewed by voting members and a written ethics committee approval/favourable opinion will be granted. The clinical trial protocol as well as the Informed Consent Form are to be submitted to the appropriate Ethics Committee, and it is mandatory to obtain the written and dated approval/favourable opinion, signed by the chairman, together with the composition of the ethics committee(s). The formal documentation to be approved is as follows:

Consent Documents:

Informed Consent Form

Information sheet

Other Study Documents:

Investigator’s brochure

Recruitment materials, including copies of ads, notices, flyers, etc.

Pamphlets and study handouts

Investigator’s CV

Data sheet

Tables, charts, diagrams and overall timeline.

Statement for observational study

Regulations governing the collection, conservation and use of health data.

Cost and financial information

Physician authorization to be enrolled in trial.

Letter of support from the patient care manager, clinical manager or medical doctor.

Conflict of interest form

Additional Information:

Establish study number

Multicentre research approval

EU Commission section of grant, proposal, or progress report

Protocol:

Trial protocol (title and version number) - Sponsor’s and/or multicentre protocol.

Letters of support from collaborating or cooperating sites

Questionnaires and survey instruments (excluding standard questionnaires)

Focus group or interview guides

EU Commission section of grant, proposal, or progress report

Review Submission Checklist

Initial Review June 1, 2015

Introduction of trial to ethical committee

Notes on difficult ethical issues, special considerations for review.

Summary

SUBMIT documents to Office of Clinical Research (Ethics Committee) June 10, 2016.

UPDATE and MEETING Office of Clinical Research (Ethics Committee) June 10-20 2016.

OFFICIAL REVIEW Office of Clinical Research (Ethics Committee) July 7, 2016

7 References

[1] EC, "DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL," 1995.

[2] EC, "Protection of personal data in the European Union," 2010.

[3] WP29, "Opinion 05/2014 on Anonymisation Techniques," 2014.

[4] WP29, "Advice paper on special categories of data ("sensitive data")," 2011.

[5] S. Pearson and A. Charlesworth, "Accountability as a way forward for privacy protection in the cloud," in Cloud computing, ed: Springer, 2009, pp. 131-144.

[6] C. Dwyer, S. Hiltz, and K. Passerini, "Trust and privacy concern within social networking sites: A comparison of Facebook and MySpace," AMCIS 2007 Proceedings, p. 339, 2007.

[7] S. Stieger, C. Burger, M. Bohn, and M. Voracek, "Who commits virtual identity suicide? Differences in privacy concerns, internet addiction, and personality between Facebook users and quitters," Cyberpsychology, Behavior, and Social Networking, vol. 16, pp. 629-634, 2013.

[8] EC, "Data Protection in the European Union," n.d.

[9] M. Pocs, "OPERANDO: D3.1 Guidelines on legal aspects," http://www.operando.eu/servizi/notizie/notizie_homepage.aspx#2015.

[10] BPS, Code of Human Research Ethics. Leicester, UK: The British Psychological Society, 2014.

[11] APA, Ethical Principles of Psychologists and Code of Conduct. Retrieved from: http://www.apa.org/ethics/code/principles.pdf: American Psychological Association, 2010.

[12] B. P. ITI, Bassem Nasser, "D3.6 - Ethics Committee Approvals, OPERANDO deliverable," 2015.

[13] J. H. Moor, "What is computer ethics?*," Metaphilosophy, vol. 16, pp. 266-275, 1985.

[14] A. Beaulieu and A. Estalella, "Rethinking research ethics for mediated settings," Information, Communication & Society, vol. 15, pp. 23-42, 2012.

[15] R. Wiles, G. Crow, V. Charles, and S. Heath. (2007). Informed consent and the research process: Following rules or striking balances? Sociological Research Online 12(2).

[16] W. C. Van Den Hoonaard, "The social and policy contexts of the New Brunswick Declaration on Research Ethics, Integrity, and Governance: A commentary," Journal of Empirical Research on Human Research Ethics, vol. 8, pp. 104-109, 2013.

[17] B. H. Bornstein, "The ecological validity of jury simulations: Is the jury still out?," Law and Human Behavior, vol. 23, p. 75, 1999.

[18] L. Bortolotti and M. Mameli, "Deception in psychology: Moral costs and benefits of unsought self-knowledge," Accountability in Research: Policies and Quality Assurance, vol. 13, pp. 259-275, 2006.

[19] V. Morrow and M. Richards, "The ethics of social research with children: An overview," Children & society, vol. 10, pp. 90-105, 1996.

[20] R. V. Carlson, K. M. Boyd, and D. J. Webb, "The revision of the Declaration of Helsinki: past, present and future," British Journal of Clinical Pharmacology, vol. 57, pp. 695-713, 2004.

[21] M. J. Farah, "Emerging ethical issues in neuroscience," Nature neuroscience, vol. 5, pp. 1123-1129, 2002.

[22] R. Dresser, "Research ethics. Aligning regulations and ethics in human research," Science (New York, NY), vol. 337, pp. 527-528, 2012.

[23] R. R. Faden, N. E. Kass, S. N. Goodman, P. Pronovost, S. Tunis, and T. L. Beauchamp, "An ethics framework for a learning health care system: a departure from traditional research ethics and clinical ethics," Hastings Center Report, vol. 43, pp. S16-S27, 2013.

[24] OPERANDO, "Grant Agreement-653704," 2015.

[25] M. Bitton, "ECOGRAI: Méthode de conception et d'implantation de systèmes de mesure de performances pour organisations industrielles," Bordeaux 1, 1990.

[26] G. Doumeingts, F. Clave, and Y. Ducq, "ECOGRAI—A method to design and to implement Performance Measurement Systems for industrial organizations—Concepts and application to the Maintenance function," in Benchmarking—Theory and Practice, ed: Springer, 1995, pp. 350-368.