Consent Mechanisms Research Articles

Data protection legislation in Africa and pathways for enhancing compliance in big data health research

BackgroundThe increasing availability of large volumes of personal data from diverse sources such as electronic health records, research programmes, commercial genetic testing, national health surveys and wearable devices presents significant opportunities for advancing public health, disease surveillance, personalized medicine and scientific research and innovation. However, this potential is hampered by a lack of clarity related to the processing and sharing of personal health data, particularly across varying national regulatory frameworks. This often leaves researcher stakeholders uncertain about how to navigate issues around secondary data use, repurposing data for different research objectives and cross-border data sharing.MethodWe analysed 37 data protection legislation across Africa to identify key principles and requirements for processing and sharing of personal health and genetic data in scientific research. On the basis of this analysis, we propose strategies that data science research initiatives in Africa can implement to ensure compliance with data protection laws while effectively reusing and sharing personal data for health research and scientific innovation.ResultsIn many African countries, health and genetic data are categorized as sensitive and subject to stricter protection. Key principles guiding the processing of personal data include confidentiality, non-discrimination, transparency, storage limitation, legitimacy, purpose specification, integrity, fairness, non-excessiveness, accountability and data minimality. The rights of data subjects include the right to be informed, the right of access, the right to rectification, the right to erasure/deletion of data, the right to restrict processing, the right to data portability and the right to seek compensation. Consent and adequacy assessments were the most common legal grounds for cross-border data transfers. However, considerable variation exists in legal requirements for data transfer across countries, potentially creating barriers to collaborative health research across Africa.ConclusionsWe propose several strategies that data science research initiatives can adopt to align with data protection laws. These include developing a standardized module for safe data flows, using trusted data environments to minimize cross-border transfers, implementing dynamic consent mechanisms to comply with consent specificity and data subject rights and establishing codes of conduct to govern the secondary use of personal data for health research and innovation.

“I don't care about cookies!” data disclosure and time-inconsistent users

Time-inconsistent internet users neglect future privacy costs and release too much data to digital firms. We study how regulation that requires user consent for data processing affects firm profits, user surplus, and welfare, depending on the degree of time inconsistency and on firms' business models. If the firm appropriates sufficiently high profits from data, consent mechanisms increase welfare only if their design facilitates consent refusal and time inconsistency is neither too high nor too low. If firms can make it difficult to opt out, it may be better for society to let the former choose the disclosure level. However, consent policies increase user surplus when time inconsistency is high. Voluntary caps on usage can raise profits by making some users disclose more data.

Christian perspectives on the regulation of posthumous medical data donation (PMDD): An empirical study

This article sets out the results of an empirical study exploring the intersection of religious views and perspectives and the regulation of post-mortem data donation (PMDD), particularly focusing on issues of consent and individual control. Through semi-structured interviews with practicing members of the Christian clergy of the United Kingdom, the study investigated the ethical and practical implications of integrating religious viewpoints into secular debates on data protection and privacy, using PMDD as a use case. The findings revealed a consensus among participants that religious perspectives, including Christian perspectives, can enhance the ethical robustness of PMDD regulatory frameworks by promoting values such as dignity, autonomy, and respect for individual preferences. However, the study also identified a possible gap in the systematic consideration of these views within existing regulatory practices pertaining to data protection and privacy. Pursuant to these findings, the article argues for the adoption of an "opt-out" consent mechanism, which balances public health benefits with individual rights, as a pragmatic approach to PMDD regulation. Additionally, the article highlights the potential for religious insights to enrich policy dialogues, ensuring that legal rules relating to data protection and information governance resonate with a broader array of societal values.

Linking survey and Facebook data: mechanisms of consent and linkage

ABSTRACT Using a German online panel, we investigate respondents’ propensity to consent to the linkage of publicly available Facebook data to their survey data and to enable linkage. We analyse the effects of three experimental variations on consent and linkage among Facebook users: (1) the consent question wording, (2) the position of the Facebook consent question in a series of consent questions, and (3) the incentive offered. To describe potential selection bias, we consider respondents’ attitudes and sociodemographic characteristics. We found effects of consent question placement on consent and linkage and effects of higher incentives on linkage, but we found no effects of question wording. Our analysis also showed that linkage was dependent on privacy and data security concerns, trust in the data-collecting actor, respondents’ attitudes toward surveys, and several sociodemographic characteristics.

CHILDRENS PRIVACY RIGHTS BASED ON THE THEORY OF DIGNIFIED JUSTICE IN INDONESIA

Child data protection is a mandate of the constitution of the Republic of Indonesia. The purpose of this study is first, to find out the provisions of childrens personal data protection in Indonesia, Second, critical notes on the regulation towards protection of childrens personal data. Third, the perspective of the theory of dignified justice related to the protection of childrens personal data. The research method used is normative legal research. The results of the study are first, the protection of childrens personal data in Indonesia has been regulated in the constitution, namely Law Number 27 of 2022 concerning the Protection of Personal Data (UU PDP), which is the embodiment of Article 28 G paragraph (1) of the 1945 Constitution of the Republic of Indonesia. Second, the PDP Law regarding the protection of childrens personal data still seems simple as assessed from the legal substance of the parental consent mechanism, verification, audit monitoring and the lack of a risk-based approach. Third, dignified justice aims to humanize humans as creatures of God Almighty, by placing children in their true position in technology and personal data. Dignified justice is carried out through a multi-stakeholder cooperation through the synergy of parents, companies, government, educational institutions, and the press. In the end, the goal is the creation of sustainable protection for childrens privacy data because children are the future assets of a nation.

Personal Information Protection in the Application of Facial Recognition Technology in Public Places - Taking the "First Facial Recognition Case" as an Example

In recent years, the widespread use of facial recognition technology in public places has raised challenges for personal information protection. By analyzing the "First Facial Recognition Case," this article reveals practical challenges under the current legal framework. Significant risks exist in the collection, use, and storage of information, particularly regarding the principles of legality, necessity, and informed consent. The article explores the ambiguity of these principles in legal applications and proposes improvements, including better evaluation of legality and necessity, introducing a tiered consent mechanism, and constructing a dynamic consent mechanism to enhance compliance and protect personal information security.

Enhancing privacy policy comprehension through Privacify: A user-centric approach using advanced language models

As the digital age advances, the collection, usage, and dissemination of personal data have become critical concerns for users, regulators, and the cybersecurity community. Questions surrounding the extent of identifiable data collection, its usage, sharing, selling, and the mechanisms of consent are increasingly central to discussions on user data privacy. These issues highlight the need for effective management and comprehension of privacy policies. To this end, this paper introduces Privacify— a production-ready web application designed to enhance the accessibility and understandability of privacy policies, thus empowering users to make more informed decisions about their data. At its backend, Privacify leverages a combination of text segmentation, summarization using Large Language Model (LLM), and map-reduce technologies to facilitate BASE analysis for single-document insights and WRT and REV for comprehensive cross-document analysis. Designed with a user-centric approach, Privacify features an intuitive interface that presents all relevant user privacy information in easy-to-understand language, complete with a detailed explainability component. This design not only simplifies privacy policies but also aids users in effortlessly navigating complex privacy terms, significantly boosting their ability to protect and manage their personal information. Our evaluation employs robust methodologies, including reliability and accuracy assessments, alongside rigorous functionality verification through ROUGE metrics and human analysis, validating the system’s efficacy and performance. Privacify’s architecture promotes scalability, replicability, and seamless deployment, advancing the domain of user data protection through improved privacy comprehension.

Crumbling Cookie Categories: Deconstructing Common Cookie Categories to Create Categories that People Understand

Users of online services often encounter cookie banners that ask them to consent to different categories of cookies. Frequently, these categories are labelled using the four categories defined by the 2012 Cookie Guide from the UK's International Chamber of Commerce (ICC). However, prior research suggests that users have difficulty understanding what these category labels actually mean. We conducted a four-part study to identify labels that more intuitively convey the four cookie categories. First, we crowd sourced new category labels. We then evaluated users' comprehension and sentiment towards the labels in a series of surveys focused on definitions and hypothetical scenarios. Finally, we selected a new slate of category labels based on the results of the prior surveys, and conducted a between-subjects, online behavioral experiment to compare the new slate with the original labels. We ultimately recommend that the industry adopt the category label ``anonymous analytics cookies'' in lieu of the term ``performance cookies'' and ``extra functionality cookies'' instead of ``functional cookies.'' Adopting our recommended terms would both improve the usability of current cookie consent interfaces and any future privacy consent mechanisms that use the same categorization. We also recommend revisiting the categories themselves as the distinctions between these categories do not seem to be well understood and may not reflect useful distinctions for privacy decision making.

Understanding Public Perception of Internet Security in the European Union

Abstract This paper presents an extensive analysis of Internet security experiences and perceptions among European Union (EU) citizens, as detailed by data within commented graphics highlighting awareness of online privacy practices, security-related aspects and data tracking methods. The paper also examines the implications of the General Data Protection Regulation (GDPR) regarding businesses operating within the EU and the European Economic Area (EEA). Via a thorough investigation of Internet users' awareness of cookies as tracking tools and the prevalence of security-related incidents, the paper provides insights into the evolving landscape of online privacy and security. It elucidates the challenges and opportunities presented by GDPR compliance for businesses, compliance requirements, spanning core principles and broader implications of data processing practices. The findings mark the imperative to align businesses’ operations with GDPR provisions, addressing key aspects such as consent mechanisms, lawful bases and the importance of robust data security measures. The conclusion reveals the significance derived from the intersection of internet security perceptions, GDPR compliance, and business operations within the EU and EEA. Synthesizing empirical data with regulatory analysis, the paper provides a valuable understanding of the challenges and opportunities within the evolving regulatory landscape, thereby equipping businesses with actionable strategies in order to safeguard data privacy rights and uphold regulatory compliance in the digital age.

Empowering Users: Towards User-Centric Consent Mechanisms in Single Sign-On Systems

Empowering Users: Towards User-Centric Consent Mechanisms in Single Sign-On Systems

Counterweight, Carrot, Crucible: Theorizing “Community” in Community Treatment Orders

The idea of community in community mental health has recently been criticized as problematic in that it has been ill defined, under-investigated and under-theorized. In this article we introduce actor-network theory as a useful framework for the analysis of everyday psychiatric and legal interventions and their effects. We focus on the community treatment order (CTO) in Alberta as one such intervention, showing how community positions people diagnosed with mental illness as risky subjects. In examining the CTO as an important actor in the construction of mental illness, we argue that the idea of community acts as a counterweight to balance rights, a carrot in a mechanism of consent, and as a crucible where interpretive work on a subject must be done in chains of examinations. Further, we propose a procedural and relational definition of community to inform scholarly work as well as professional practice.

Empowering Users: Towards User-Centric Consent Mechanisms in Single Sign-On Systems

Empowering Users: Towards User-Centric Consent Mechanisms in Single Sign-On Systems

Balancing AI innovation with data protection: A closer look at the EU AI Act

In this paper the authors explore the intricate relationship between artificial intelligence (AI) innovation and data protection within the framework of the EU AI Act.1 This groundbreaking legislation addresses the challenges posed by the rapid advancement of AI to safeguarding individual privacy rights. The paper analyses the EU AI Act's provisions, including in-scope entities, extraterritorial applicability, AI system classification, permitted usage and breach notification. It delves into the protection of individuals' fundamental rights, transparency and consent mechanisms. Ultimately, the study underscores the EU AI Act's significance in shaping responsible AI development amid evolving data protection concerns.

Enhancing the reuse of health data for research purposes: laws and regulations as pillars of trust

Abstract Background Routinely recorded health data are increasingly used for research purposes and indispensable to stimulating appropriate and sustainable health care. In many countries access to data has proven to be a challenge. Trust by researchers, organisations and the general public is key, and adherence to the rule of law is one of the key elements determining that trust. We investigated the laws and regulations regarding the reuse of health data and how they work out practically for researchers. Methods Our study focuses on France, Finland, Denmark, Germany, England and The Netherlands. We investigated consent mechanisms, the possibilities of record linkage, and how the sharing of data for research purposes was organised, with a combination of desk research and interviews with researchers in these countries. Results All countries investigated except England are subject to the General Data Protection Regulation. However, explicit consent is the default in Germany and the Netherlands, while other countries maintain an opt-out system or even a system of neither consent nor opt-out. A central data access authority is in place in all countries investigated except Germany and the Netherlands. The nature and level of detail of data varies widely. Conclusions GDPR does not dictate a specific modality for the reuse of data. In terms of the reuse of health data, Germany and the Netherlands are lagging. The Netherlands seems to be the only country with continuing discussions about consent modalities. A broader societal debate about the balance between trust and the reuse of health data is needed, also against the background of a European Health Data Space. In the Netherlands, widespread government distrust is one of the challenges. Options to counteract this distrust will be discussed. Key messages • European countries vary in the way routine health data are accessible for research purposes. • This will affect the feasibility of a uniform European Health Data Space.

Lost in Translation: Tangible and Non-Tangible in Conservation

This paper addresses the special issue theme of the response of conservation practice to shifts in heritage theory towards the intangible, through exploring some specific aspects of practice and statutory process in the UK. The paper starts with an overview of conservation in the UK, and the extent to which it does or does not interface with developments in heritage theory. It explores the conventional understanding of significance—here termed ‘subtractive’—which reflects the antiquarian concerns from which conservation developed. It then considers the Ecclesiastical Exemption, a parallel consent mechanism within UK law for Christian places of worship that remain in use, which specifically recognises their need to change over time to ensure their survival. Evidence for a growing appreciation of non-tangible value and community participation in heritage is provided in recent research by The National Churches Trust into the economic and social value of church buildings to local communities across the UK. The paper concludes that a positive response to changes in heritage theory requires conservation to undertake its own theoretical work; this will involve a recognition of living buildings as central rather than peripheral both to conservation and to heritage more broadly, and a move towards a ‘generative’ understanding of significance.

Metrics for Success

Assessing the usability of choice and consent mechanisms.

Engaging Stigmatised Communities in Australia with Digital Health Systems: Towards Data Justice in Public Health

IntroductionIn 2018, following government policy changes to Australia’s national electronic health record system, ‘My Health Record’, consumer advocates—including organisations representing people living with HIV, people who use drugs and sex workers—raised concerns about privacy and data security. Responding to these controversies, this study explores the practical, ethical and political complexities of engaging stigmatised communities with digital health systems.MethodsWe conducted 16 qualitative semi-structured interviews in 2020 with key informants representing communities who experience stigma, discrimination and marginalisation in Australia. These communities included people living with HIV, sex workers, people who inject drugs, gay and bisexual men and transgender and gender diverse people. We conducted a reflexive thematic analysis.ResultsKey informants were sceptical of proposed benefits of electronic health records for their communities, and concerned about privacy risks and the potential for discrimination. Meaningful consultation, consent mechanisms and tackling structural stigma were raised as solutions for engaging communities.ConclusionsAlthough communities could benefit from being included in digital health systems, significant cultural, legal and social reforms from government were believed to be necessary to build trust in digital health systems. We argue that these forms of data justice are necessary for effective future systems.Policy ImplicationsEngaging stigmatised communities—including in relation to gender, sexuality, sex work, drug use, HIV—requires a commitment to data justice. The design and implementation of digital health systems requires investment in ongoing and meaningful consultation with communities and representative organisations.

The impact of donor consent mechanism on organ procurement organization performance in the United States

Lack of donor organ availability represents a major limitation to the success of solid organ transplantation. The Scientific Registry of Transplant Recipients (SRTR) publishes performance reports of organ procurement organizations (OPO) in the United States, but does not stratify by the mechanism of donor consent, namely first-person authorization (organ donor registry) and next-of-kin authorization. This study aimed to report the trends in deceased organ donation in the United States and assess the regional differences in OPO performance after accounting for the different mechanisms of donor consent. The SRTR database was queried for all eligible deaths (2008-2019) which were then stratified based on the mechanism of donor authorization. Multivariable logistic regression was performed to assess the probability of organ donation across OPOs based on specific donor consent mechanisms. Eligible deaths were divided into 3 cohorts based on the probability to donate. Consent rates at the OPO level were calculated for each cohort. Organ donor registration among adult eligible deaths in the U.S. increased over time (2008: 10% vs 2019: 39%, p < 0.001), coincident with a decline in next-of-kin authorization rates (2008: 70% vs 2019: 64%, p < 0.001). At the OPO level, the increased organ donor registration was associated with lower next-of-kin authorization rates. Among eligible deaths with medium- and low-probability of donation, recruitment was highly variable across OPO's, ranging from 36% to 75% in the medium-probability group (median 54%, IQR 50%-59%) and 8% and 73% in the low-probability group (median 30%, IQR 17%-38%). Significant variability exists across OPOs in the consent of potentially persuadable donors after adjusting for population demographic differences and the mechanism of consent. Current metrics may not truly reflect OPO performance as they do not account for consent mechanism. There is further opportunity for improvement in deceased organ donation through targeted initiatives across OPOs, modeled after regions with the best performance.

Developing Data Sharing Models for Health Research with Real-World Data: A Scoping Review of Patient and Public Preferences.

For researchers to realize the benefits of real-world data in healthcare requires broader access to patient data than is currently possible given siloed data systems. To facilitate evidence generation, infrastructure must support integrated data collection and sharing enabled by patient consent. Critical to the success of data sharing is to design secured data sharing platforms around patient preferences and expectations.The objective of this review wasto characterize patient and public preferences for secured data sharing platforms and incentives to share real-world data for health research.We conducted a scoping review of the data sharing and health informatics literature capturing patient and public values for data sharing platforms and incentivization. We searched Embase and Medline (OVID) databases for primary data studies. Two reviewers participated in study selection and data abstraction. Findings were summarized according to preference frequency within each major theme.The final search produced 253 articles. After screening, 12 articles were included for data extraction. Two studies discussed preferences for data sharing platforms, 7 discussed incentives preferences, and 3 addressed both. We identified considerable variation of patient and public preferences according to preferred consent mechanisms and level of control, willingness to trade off risks and benefits, and the type of incentivization appropriate to offer for participation.This preference variation informs the conditions under which individuals may be willing to engage with secured data sharing platforms to support research. Our findings indicate that platforms will need to be flexible to meet the diverse preferences of users and facilitate uptake.

COVID-19 Vaccination in China: Adverse Effects and Its Impact on Health Care Working Decisions on Booster Dose.

Although many research studies have concentrated on people’s willingness to take the COVID-19 vaccine, little attention has been paid to the underlying mechanism of consent. An understanding of potential factors and mechanisms that affect the willingness to receive a vaccination can contribute information critical for containing the pandemic. This study explored the effects of post-vaccination adverse reactions on the willingness to take the booster dose and the role of decision regret. A self-administered online survey was carried out in Taizhou, China. Questionnaires were completed by 1085 healthcare workers (HCWs), 1054 (97.1%) of whom had completed two doses of the COVID-19 vaccine. Mediation analysis methodology was applied in this study. Our study showed that post-vaccination adverse reactions in HCWs could decrease their willingness to take the booster dose. Of note, HCWs who experienced adverse reactions after vaccination would be more likely to regret their previous vaccination decisions, which, in turn, further reduced their willingness to receive a booster shot. Decision regret mediated the relationship between adverse post-vaccination reactions and a willingness to take the booster dose. The findings implied inextricable relationships among post-vaccination adverse reactions, decision regret, and willingness to take the booster dose. It is suggested that notice of these post-vaccination adverse reactions should be further incorporated into vaccine communication campaigns and policy interventions advocating booster doses to improve vaccine uptake intent and increase the willingness to receive booster doses of a COVID-19 vaccine.