How to implement ethics and data protection requirements in an EU-funded research and innovation action
Ethics and data protection requirements need to be addressed at project level. This is often difficult, due to the need to ensure coordination and consistency across all partners. If that coordination is absent or inadequate, the ethics and legal compliance framework for a project will be incoherent, if not detrimental to the project as a whole. The lessons learned in the OActive Action led to the preparation of a short standardised methodological note, summarised below, to address these issues. The note presents the main ethics and data protection challenges and proposes an overview of the actions to take to achieve or support compliance and responsible innovation. Identifying ethics values and compliance objectives The first step in any project is to identify the core ethical requirements for the execution of the project. The purpose is to identify the European ethical values that are at the center of the project: what is the benefit that it aims to achieve, who could be affected positively or negatively, and what are the trade-offs that might occur (including conflicts of ethical values)? The goal is not to resolve problems at this stage, but to draw ethical lines and imperatives. This step is challenging since objectives should always be tailored to the project. The note contains an initial list, identified based on the analysis of relevant EU level legislation, including the EU Charter of Fundamental Rights, the General Data Protection Regulation, and the Clinical Trials Regulation. Non-legislative policy and guidance documents have also been considered, such as the FP7 Data protection and privacy ethical guidelines, the Opinion of the European Group on Ethics in Science and New Technologies on the ethical implications of new health technologies and citizen participation, and the Declaration of Helsinki on ethical principles for medical research involving human subjects. Other relevant texts may need to be identified and consulted during the project’s initiation. The ethics and legal compliance objectives cover transparency, consent, the protection of vulnerable persons, approval of a research ethics committee(s), compliance with patient’s rights, and monitoring of risks. The identified data protection and privacy objectives address the fundamental principles of fair and lawful processing, quality of data, and limitation of storage duration, as well as data confidentiality and integrity. Finally, the communication of results objective addresses requirements specific to dissemination results as required by European funding programs. A 5 steps implementation method The identified high-level ethics objectives represent what should be achieved during the project to protect the research participants and eventually the users of the device(s) in development. These high-level objectives must then be translated in controls, demonstrating how these objectives are achieved. The determination and implementation of these controls take place in several steps, and ideally cover the entire lifecycle of the project. First, the ethics and safety objectives relevant to the research project must be identified. Then the data flow within the project must be mapped, the parties involved identified and responsibilities assigned. Afterwards a risk assessment must be carried out, and ethical and legal compliance measures implemented. Finally, the termination of the project must be considered, and the information assets processed and protected accordingly. For more information on the methodology outlined under the “General ethics, data protection and safety manual for EU funded projects” document in the OActive website: https://www.oactive.eu/downloads/dissemination-material/ *This document was created by Timelex, member of the OActive consortium.