Jusletter IT

The creation of a Digital Single Market is one of the priorities of the European Union‘s political action. Indeed, the commitment of creating “A Europe fit for the digital age”, expressed by the European Commission at the beginning of its mandate in the Work Programme 2020¹, is confirmed in the Work Programme 2021² where, also in order to sustain the social and economic recovery from the pandemic currently shattering the global economy, the Commission pledged to propose a roadmap of political actions based on the principles of “right to privacy and connectivity, freedom of speech, free flow of data and cybersecurity”. The aim of the initiatives in this field is to inaugurate a change that could lead to consider the following years as a “digital decade”.

As regards personal data protection, we can argue that GDPR, despite being often perceived by institutions and companies as a further bureaucratic burden reducing productivity and increasing costs, currently represents the pivotal tool to enhance the economic value of data, transforming them into an economic strategic asset. Yet, the application of GDPR has shown some limits and difficulties in the short period passed since its initial enforcement. For example, it provides many obligations that a data controller has to abide by, without considering the entire ecosystem in which the information of the data subject is shared (e.g. big data). A further adaptation of the data protection to new technologies – especially Artificial Intelligence – is urgently required.

Specific issues arise from the processing of data concerning health (Art. 9 GDPR), precisely with the purpose of scientific research (Art. 89 GDPR). In this case, indeed, the protection of personal data overlays with pre-existing bioethical regulation, thus creating many uncertainties, for example as regards the rule of the consensus by the individual who embodies the role both of the data subject and of the patient. Moreover, this kind of data processing is particularly complex, involving many different actors with tasks so strictly integrated that it becomes difficult to detect the precise boundaries between “data controller” (Art. 4(7) GDPR) and “data processor” (Art. 4(8) GDPR). Furthermore, it is also still difficult to apply “soft law” facilitations since code of conducts (Art. 41 GDPR) or certification (Art. 42 GDPR) are uneasy to operate given the plurality and heterogeneity of the entities normally involved (hospitals, research centers, ethics committees, private clinics, suppliers of products or services). Furthermore, research projects more and more often expand to an international dimension, increasing the difficulty of maintaining a high level of protection of personal data. In short, the sector of medical research promises most significant benefits to the community, but also bears many challenges in data protection compliance.

This contribution addresses, under three different profiles, the issue of governance of personal data in medical research within the EU legal framework, analyzing how the current discipline represents an opportunity for all operators and for the healthcare system in general. It is noteworthy, on this regard, to point out that patients have a twofold rule, being on the one hand the source of the data and, on the other hand, the recipients of the benefits that can be drawn from them. To begin with, we describe how data governance effectively becomes a factor of innovation and not an obstacle to research, through the creation of a network of relationships between the actors which is not only structured in a dynamic and flexible way, but properly functional and proactive towards innovation. Secondly, we show how it is possible, in light of the state-of-the-art of legal informatics, to automate GDPR compliance processes not only increasing efficiency and transparency in data processing, but also promoting an effective cultural revolution in terms of accountability. Thirdly, we argue that compliance of the GDPR can trigger virtuous processes of aggregation between different organizations, and how paradoxically it is precisely from the integration of heterogeneous resources that innovation can be nurtured.

The remarks on the dimension of organizational change and institutional innovation addressed in this work are based on the experience (in progress) of UnityFVG (United Universities of FVG Technology Transfer)³ and directly involves two of the co-authors: (i) in the attempt to create an “institutional infrastructure”⁴ and to design a model of governance around the problem of the control of information produced in universities (ii) and the “adoption” of GDPR as “technology in use” for data management in scientific practice.

The theoretical premises of our research project lead to interpret the phenomenon as a case of institutional learning⁵, within the research tradition of the Actor-Network Theory (ANT), or “sociology of translation”⁶. The roots of this theoretical perspective and method are found in the sociology of scientific knowledge⁷, in the Science and Technology Studies (STS⁸) and in ethnographic studies of research laboratories⁹. In particular, the “translation into practice” of the GDPR is a matter of “organizational knowing” in which “a collective endeavour through which heterogeneous materials and entities, such as ideas, concepts, artifacts, texts, persons, norms, and traditions are mobilized, modified, translated, distorted, exposed, used, ignored or hidden in view of some practical accomplishment, such as safety in a construction site”¹⁰.

The overall research project aims to consider the issues of information security, personal data and digital evolution of public administrations (and, therefore, universities) in terms of “institutional infrastructure as the features that bind a field together and govern field interactions”¹¹. The processes of organizational change and institutional innovation are closely related to the “governance of organizational fields” that involves the “translation into practice” of the GDPR, a “technology in use” able to contribute to those “formal mechanisms that maintain the ‘rules of the game’ within a field, [including] field governance arrangements, but also other cultural, structural and relational elements that generate the normative, cognitive and regulative forces that reinforce field governance, and render field logics material and field governance performable”¹².

In this work, we will refer to the concept of “translation” that characterizes ANT as a tradition of research in the sociology of knowledge¹³. In other words, social, institutional and organizational changes are not accomplished with the “enactment of laws” or with the “rhetoric of change” alone¹⁴. Therefore, studying the process of adoption of the GDPR and the problem of data management, for example, in medical scientific practice concerns both “the way medicine enacts the objects of its concern and treatment”¹⁵, and the process of social transformation from a “technology” (the import of the GDPR into scientific practices) and a new vocabulary that competes with the cultural tradition of “other” social worlds. The organizational dimension of the phenomenon co-evolves when in hospitals, research centers, ethics committees, private clinics, suppliers of products and services come into play expressions such as: right to be forgotten, transparency, portability of personal data, “data breach”, impact assessment, “privacy by design/by default”, data protection officer, data processor, self-regulatory codes.

In this path, interpreting what constitutes the GDPR is linked to those particular artifacts that are the archives, “the set of all events which can be recalled across time and space”¹⁶. In a work considered seminal in ANT’s studies, “The Multiple Bodies of the Medical Record: Toward a Sociology of an Artifact”¹⁷, Marc Berg and Geoffry Bowker emphasize the importance of considering how “the modern patient’s body […] is produced through embodied, materially heterogeneous work, and the medical record plays a crucial role in this production. It does not simply represent this body’s history and geography; it is a central element in the material rewriting of these. Simultaneously, the record fulfils a core role in the production of a body politic” (p. 513: italics in original).

This phenomenon is crucial for the different types of privacy (“of the person, of behaviour and action, of communication, of data and image, of thought and feelings, of location and space, of association”¹⁸ that can be linked to different new technologies for the collection of data to be used in scientific practice in the medical field¹⁹: whole body imaging scanners, RFID-enabled travel documents, unmanned aircraft systems, second-generation DNA sequencing, human enhancement technologies, second-generation biometrics. In this regard, Berg and Bowker emphasize “as the record is involved in the performance of the patient’s body, it is also involved in the performance of the clinic in which that body comes to life. Finally, we argue that different records and different practices of reading and writing are intertwined with the production of different patient’s bodies, bodies politic, and bodies of knowledge. As organizational infrastructure, the medical record affords the interplay and coordination of divergent worlds”²⁰.

Within the sociology of translation, the governance of data in scientific (particularly medical) practice becomes a matter of organizational and institutional change. As suggests Czarniawska²¹, “translation is a concept that helps describe the movements of different forms of knowledge and cultural practices, but also forms of technology and artifacts. The key point is that moving anything from one place to another changes not only what is moved, but also the mover – the translator”²².

In the language of the ANT: “if we want to define a reform as a tool [the GDPR] (or an artifact [the ‘archives’ of data in scientific practice]) and understand it in its context of use, and not from the point of view of the person who designed it, this entails questioning how the worldview of those who use it has changed and what is the belief system of those who put it into practice in local contexts of application”²³.

The translation phases and the interpretative contribution of the ANT are based on two main concepts²⁴: “relational materialism” and “performativity”. In the first case, things (people, concepts, actions) have the features that they acquire through the relations in which they are included; in the second case, the attention of the phenomena focuses on “social ordering”, as the relations that they constitute, represent and stage the “actors” characterize the unstable dimension of the process (rather than a “given order”).

The process of adoption of the GDPR in the practice of scientific research follows some typical phases of “translation” processes²⁵. In a research dedicated to the introduction of management control systems in Italian public administrations, Silvia Gherardi and Andrea Lippi²⁶ provide a particularly effective account of the development of the “translation” phases. With the problematization, an actor (for example, the data protection officer, a member of the university’s technology transfer office, a group of scholars in charge of “sensitizing” colleagues on GDPR), triggering a process of circulation of “intermediaries” (anything that circulates between actors, defining the relation between them: scientific articles, legal notes, PowerPoint presentations, software, databases, etc.) establishes or changes existing relations trying to define the nature of the problems, a necessary “obligatory passage point” that allows the different (scattered) actors to identify themselves in the nature of the problem and to converge on it. Through the phase of interessement, problematization and alternative enrolments are excluded: the entities that have crossed the “obligatory passage point” negotiate the terms of their “participation in the network”. The enrolment phase aims to obtain a coordination and alignment between the elements of the network, proceeding for successive attempts regarding the forms of “negotiation”. Finally, with the phase of mobilization, “other actors and networks, appropriately ‘represented’ in the form of ‘intermediaries’, are mobilized to support the maneuvers of the actor on the basis of the interest that comes from the emerging configuration”²⁷. Giving a role and an identity to an “actor” (e.g. a data protection officer) allows him/her to act as an “spokesman” and to be “moved in the form of an intermediary to appear in the negotiating places”: i.e. to operate in a “local translation center” (the institutional dimension of the UnityFVG project) where the meaning of a label (the “GDPR”) is stabilized. Within a network of “knowledge/power relations”, a netted actor takes shape “representing the effect of the association of human and non-human materials in unstable alliances that are stabilized and perceived as a collective actor”²⁸.

In summary, the theoretical premises of this work and the overall research project concern: a) the interpretation of the GDPR as an “expert knowledge”, one of the expressions of “privacy technology”; b) the interpretation of public administration and governance of information security and personal data as a set of situated and emerging practices (how technology and its language have a place in the world); c) the interpretation of institutional learning as (competent) participation in a social practice that produces and spreads knowledge within a distributed knowledge of situated traditions; d) the interpretation of reform as a translation process by an “actor-network”, in which the reticular actor is the result of how “things, people, ideas become connected and assembled”²⁹.

Digital transformation includes legal aspects as well as sociological, economic and organizational aspects addressed in the previous paragraph. In fact, the introduction of new technologies in social organizations requires to adapt existing legal relationships to the additional possibilities offered by technologies. The risk is that of introducing further bureaucratic requirements, increasing costs and inefficiencies and thus neutralizing the advantages deriving from digitalization itself. This problem is even more complex when involving a plurality of entities of different nature (public bodies, companies, private individuals) interacting at an international level, as it happens easily in a globalized scenario. Even from a legal point of view, digitization is not a hard science, nor a magic trick, but an Art.

The crucial point of digitization, and of the governance that defines its strategies, is given by the management of data, in particular of personal data. From a practical point of view this is reflected in the fact that each actor pretends to impose his procedures and its forms on the others, exponentially increasing the bureaucracy. With particular reference to the data concerning research in the health sector, as explained in the introduction, there are specific problems concerning the overlapping of norms of different countries (in the increasingly frequent case of international research) and regulations of other sectors (e.g. bioethics in research and, administrative law in health care and social assistance).

It must be recognized that many solutions are currently offered by the market, and that these solutions are increasingly sophisticated. Indeed, there are platforms that provide services concerning the management of consents by data subjects, the compilation of treatment registers, the Data Protection Impact Assessment, the definition of privacy policies that are suitable to satisfy most of the needs (e.g. cookies). However, these solutions have significant intrinsic limits, as within the organizations they do not easily integrate with platforms provided by other operators for different purposes (e.g. customer care, business analytics) and they are not suitable to interact with similar platforms used by other actors, such as clients or suppliers. In some cases, they even result in distorting competition (e.g. lock-in phenomenon). There are additional difficulties that emerge in the field of medical research, since personal data often come from IT systems of a health and in particular assistance nature, and must be used by analysis platforms that have different operating principles, for example in bioinformatics. In this field, there is a specific problem given by the fact that the purpose of data is to spread knowledge, thus to circulate information, therefore privacy requires to be protected in a peculiar way. In particular, there is a need to ensure transparency in processing to allow for the control of compliance with the methodological standards required by the reference sector, which can be particularly rigorous (e.g. pharmaceutical research).

These difficulties can be addressed by adopting semantic representation technologies, which can be exploited for legal knowledge-based reasoning which can assist organizations in GDPR compliance tasks. Whereby, in fact, the dematerialization of data which results from digitalization is completed by the automation of the workflow required by its processing. In this field, the results achieved in the last ten years are astonishing³⁰. From the first proposals to implement Web Ontology Language (OWL)³¹ to the legal realm with Legal Knowledge Interchange Format (LKIF)³², to the development of a general mark-up language (RuleML)³³, to the frontier of combining legal ontologies with mining legal texts³⁴.

Many proposals have been put forward concerning special legal ontologies for data protection. Notably, SPECIAL (Scalable Policy-aware Linked Data Architecture For Privacy, Transparency and Compliance)³⁵ aims at exploiting Linked Data potentials in order to increase the value of shared data, thus enabling the creation of trust towards their producers. Usable Privacy is aimed at extracting key concepts from privacy policies presented in natural language facilitating user comprehension and interpretation³⁶ while PrivOnto³⁷ is more focused at building a semantic representation for annotated privacy policies. With special regard to the EU legal framework and GDPR, noteworthy are three initiatives, namely GDPRtEXT³⁸, PrOnto³⁹, and the Data Privacy Vocabulary (DPV)⁴⁰ built under the auspices of W3C. It is significant that these tools make it possible to extend Semantic Web technologies to the protection of personal data, incorporating GDPR compliance within the workflow of organizations and greatly increasing the efficiency of processes. The advantage of such technologies with respect to others more specific of the healthcare system, such as HL7⁴¹, is that this latter is too specific of the healthcare system.

The adoption of these technologies has a further advantage, given the possibility of making it easier to adopt privacy by design approaches. In fact, it is precisely by exploiting the automatisms of automatic calculation that it is possible to build platforms that, from the outset, process personal data in compliance with the law. In this regard, it is noteworthy the publication of the updated Guidelines by the EDPB on the 20th of October 2020⁴².

As stated above, the protection of personal data is the perfect environment in which it is possible to observe and study how different actors and realities interact among themselves and how they can evolve and mature from this interplay. The rights to privacy and data protection demand to be constantly balanced with other EU values, rights and public or private interests and this feature is particularly clear in the field of scientific research (European Data Protection Supervisor, 2020)⁴³.

The GDPR adopts a broad conception of research⁴⁴ (Recital 159), so that there is a wide and different range of data, actors, interests, achievements, and issues to consider in data governance. The complexity of providing a fair balance between interests at stake is even more evident in medical research, where the processing involves genetic data and data concerning health, which are under a special data protection regime (Art. 9 GDPR), ethical standards and controls have to be met, and a plurality and heterogeneity of entities are involved such as hospitals, research centres, ethics committees, private clinics, suppliers of products or services and data subjects.

Given the variety of factors to consider in this peculiar field of research, it is not difficult to understand that many and multifaceted issues regarding the governance of personal data arise and have to be solved by actors on a daily basis. These problems may concern the obligation to adopt and constantly update security measures that ensure an adequate level of protection of personal data (Art. 32 GDPR), how to implement them in every action, instrument and step of the processing (Art. 25 GDPR), and also how and when conduct a data protection impact assessment⁴⁵ (Art. 35 GDPR), since the processing of special categories of personal data may pose a high risk to the rights and freedoms of natural persons. The right to information of data subjects poses another data protection issue for actors, since the GDPR requires data controllers to give data subjects transparent information, communication and modalities for the exercise of their rights (Art. 12), so that data subjects can understand the details of the processing and make a responsible choice in order to defend their freedoms. Consequently, operators have to find, use or produce the appropriate instrument, i.e. the privacy policy (Art. 13 and Art. 14 GDPR), to provide any information related to the data processing, choose the best moment to submit it to the data subjects, keep track and constantly adjust and update the flow of information to submit to or acquire from the data subjects, and deal with the requests to exercise their rights. Another problem in such data governance is related to the intersection between data protection and ethical matters that leads to the obligation to ensure the protection of human dignity and integrity as well as the defence of the private aspects of a data subject’s life (European Data Protection Supervisor, 2020)⁴⁶. In addition, since research projects may not be confined to a national scenario, other daily data governance issues may regard cloud computing, data sharing and data transfer with companies, organizations and institutions that operate in a different country or at international level. Indeed, operators are constantly reminded that, even if cloud computing is helpful since it provides ubiquity of data, nonetheless it exposes data subjects’ sensitive data to the risks of the Internet. Additionally, when there is the need to transfer to or share data with actors from other countries, operators must verify if, in the selected country, the level of data protection ensured is adequate, and act responsibly and accordingly to Chapter V of the GDPR. Thus considered, it is not difficult to understand why operators demand and search for a data governance model to follow that can help them with their daily data protection issues.

As stated before, the GDPR is a ‘tool’ in the hands of operators that needs to be put into practice. It does not offer a specific solution to every material issue that arises in the field of scientific and medical research, so that it is the duty of the ‘actors’ to translate and apply its content to their needs. Obviously, the constant research of solutions leads the actors to dialogue and, since the compliance of the GDPR triggers processes of aggregation between different operators, it is precisely in the integration of heterogeneous resources that answers to data governance issues can be found.

It is exactly from this constant and continuous need of interaction and demand to design an effective model of data governance in universities that originates the UnityFVG project – an outline which involves University of Udine, University of Trieste and SISSA (Scuola Internazionale Superiore di Studi Avanzati) - whose main purpose is to arrange joint solutions to plan and coordinate the respective activities of the actors in the fields of educational offer, research and technology transfer⁴⁷. UnityFVG GDPR portal is meant to be a reference gateway for professors, researchers, students, offices and departments, through which satisfy their need for concrete answers to data protection issues, simplify procedures related to data protection, find all the answers about data processing and exercise their rights. It offers support for the making of privacy policies and for the fulfilment of data protection obligations related to research activities and gathers data protection set of rules to help operators with the decision-making process and problem solving of their issues. We can consider UnityFVG as an effective instrument whose strength is not to be pursued in giving common and joint forms to applicants but in the fact that it establishes a network of people that interact through data in order to fulfil their tasks or requirements, translating productively the GDPR into a technology in use for data management.

Organizations, institutions, individuals and artifacts form a network of action committed to “translate into practice” the dictates of GDPR when it enters the world of scientific practices, helping to generate a consistent and legitimate institutional infrastructure.

In the language of the ANT, the GDPR becomes a “black box”, designating not an entity with an unclear functioning, but the moment when “a set of disordered and unreliable allies becomes something organized”⁴⁸, able to act in a unified way: at the moment, the UnityFVG project is a step along the path that allows the problem of data management of scientific research to travel “in time and space”; moreover, through the “translation” of the GDPR, it is possible to include “actors and relations, power structures and also the materiality of fields as embedded in governance and inter-organizational and organizational structures” in the process of organizational change⁴⁹.

In this perspective, the process of organizational design and institutional innovation constitutes a considerable theoretical and operational implication.

This chapter is the result of joint research of the co-authors. Individual contributions can be attributed as follows: Federico Costantini, Introduction and paragraph 3; Francesco Crisci, paragraph 2 and Conclusions; Giada Soncini, paragraph 4.

• Bench-Capon, Trevor/Araszkiewicz, Michał/Ashley, Kevin/Atkinson, Katie/Bex, Floris/Borges, Filipe/Bourcier, Daniele/Bourgine, Paul/Conrad, Jack G./Francesconi, Enrico/Gordon, Thomas F./Governatori, Guido/Leidner, Jochen L./Lewis, David D./Loui, Ronald P./McCarty, L. Thorne/Prakken, Henry/Schilder, Frank/Schweighofer, Erich/Thompson, Paul/Tyrrell, Alex/Verheij, Bart/Walton, Douglas N./Wyner, Adam Z., A history of AI and Law in 50 papers: 25 years of the international conference on AI and Law, Artificial intelligence and law, volume 20, issue 3, 2012, p. 215–319.
   
• Berg, Marc/ Bowker, Geoffrey, The Multiple Bodies of the Medical Record: Toward a Sociology of an Artifact. The Sociological Quarterly, 1997.
   
• Bijker, Wiebe E/Hughes, Thomas P/Pinch, Trevor/Douglas, Deborah G, The social construction of technological systems: New directions in the sociology and history of technology, MIT press, 2012.
   
• Bowker, Geoffrey C., Memory practices in the sciences, Inside technology MIT Press, Cambridge, Mass, 2005.
   
• Bowker, Geoffrey/ Star, Susan Leigh, Sorting Things Out: Classification and Its Consequences, MIT Press, 1999.
   
• Callon, Michel, Some elements of a sociology of translation: domestication of the scallops and the fishermen of St Brieuc Bay, The Sociological Review, volume 32, issue S1, 1984, p. 196–233.
   
• Czarniawska, Barbara, Actor-Network Theory, The SAGE Handbook of Process Organization Studies SAGE, 2016, p. 160–175.
   
• Gad, Christopher/ Jensen, Casper Bruun, On the Consequences of Post-ANT. Science, Technology, & Human Values, 2010.
   
• Gherardi, Silvia/ Lippi, Andrea, Tradurre le riforme in pratica, Raffaello Cortina, 2000.
   
• Gherardi, Silvia/ Nicolini, Davide, To Transfer is to Transform: The Circulation of Safety Knowledge. Organization, 2000.
   
• Gutwirth, Serge/Leens, Ronald/de Hert, Paul/Poullet, Yves, European Data Protection: Coming of Age, Springer International Publishing, 2013.
   
• Hinings, C.R./Logue, Danielle/Zietsma, Charlene, Fields, Institutional Infrastructure and Governance, The SAGE Handbook of Organizational Institutionalism SAGE, 2017, p. 163–189.
   
• Hoekstra, Rinke/Breuker, Joost/Di Bello, Marcello/Boer, Alexander, The LKIF Core Ontology of Basic Legal Concepts, LOAIT, volume 321, 2007, p. 43–63.
   
• Latour, Bruno, Reassembling the social: An introduction to actor-network-theory, Oxford university press, 2005.
   
• Law, John, Power, Action and Belief. A New Sociology of Knowledge, The Sociological Review Volume 32, Issue S1, 32, Routledge, 1986.
   
• McGuinness, Deborah L/ Van Harmelen, Frank, OWL web ontology language overview. W3C recommendation, 2004-03, 2004.
   
• Mol, Annemarie, The Body Multiple. Ontology in Medical Practice, Duke University Press, 2002.
   
• Nimmo, Richie, Actor-Network Theory Research, SAGE, 2016.
   
• Oltramari, Alessandro/Piraviperumal, Dhivya/Schaub, Florian/Wilson, Shomir/Cherivirala, Sushain/Norton, Thomas B/Russell, N.  Cameron/Story, Peter/Reidenberg, Joel/Sadeh, Norman, PrivOnto: A semantic framework for the analysis of privacy policies, Semantic Web, volume 9, 2018, p. 185–203.
   
• Palmirani, Monica/Martoni, Michele/Rossi, Arianna/Bartolini, Cesare/Robaldo, Livio, PrOnto: Privacy Ontology for Legal Reasoning. Proc. Of The Electronic Government and the Information Systems Perspective, Cham, p. 139–152 (2018).
   
• Palmirani, Monica/Martoni, Michele/Rossi, Arianna/Robaldo, Livio, Legal Ontology for Modelling GDPR Concepts and Norms. In: Palmirani Monica (Ed.), Proceedings volume of the 31st International Conference on Legal Knowledge and Information Systems (JURIX 2018), Frontiers in Artificial Intelligence and Applications, 313, Ios Press, Amsterdam, p. 91–100.
   
• Pickering, Andrew, The mangle of practice: time, agency, and science, Univ. of Chicago Press, Chicago, Ill., 1995.
   
• Poplavska, Ellen/Norton, Thomas B./Wilson, Shomir/Sadeh, Norman, From Prescription to Description: Mapping the GDPR to a Privacy Policy Corpus Annotation Scheme (Short paper). In: Villata Serena, Harašta Jakub, Křemen Petr (Eds.), JURIX 2020: The Thirty-third Annual Conference, Brno, Czech Republic, December 9–11, 2020, Frontiers in Artificial Intelligence and Applications, 334, Ios Press, Amsterdam, 2020, p. 243–246.
   
• Star, Susan Leigh/ Griesemer, James R., Institutional ecology,translations‘ and boundary objects: Amateurs and professionals in Berkeley‘s Museum of Vertebrate Zoology, 1907-39, Social studies of science, volume 19, issue 3, 1989, p. 387–420.