Reference no: EM133032199
CST4080 Legal, Ethical and Security Aspects of Data Science - Middlesex University
Assessment Brief - Case study on legal aspects of Data Science
CASE STUDY
Medix Research Ltd (MRL) is a medical research institution in the UK. They provide research services, market and sell various medical products and also treat patients. Some of their medical research includes work in genomics, which is the study of the sequencing and analysis of genomes (which contain DNA and all the genes of an organism). Using data science tools, research scientists at MRL analyse genomic strands to search for irregularities and defects in them. They then try to identify connections between genetics and the health of a person. One of the projects undertaken by MRL is the Cancer Genome Project (CGP), to identify genetic sequence variants and mutations relevant to the development of human cancers. Via the CGP project, MRL processes the personal data of thousands of patients including their age, sex, medical history and tumour pathology. Data science is also used to help in the diagnosis and treatment of patients. Patient data is usually stored in a database accessible by several hundred researchers employed by MRL. Other companies can access data from the CGP via a licence agreement attached at the end of this document.
Question 1: (Data Protection)
(a) At the start of its operations, MRL were advised to conduct a data protection impact assessment. An important aspect of a data protection impact assessment is the identification and assessment of the risks to the rights and freedoms of data subjects. Explain at least three different types of risks related to the processing activities of MRL.
(b) MRL wants to develop a new IT system to be used for their data science activities involving the extensive processing of personal data. They have been advised that any new IT system should comply with data protection by design and default. Citing legal authority, advise MRL on what data protection by design and default means and give examples of the kind of measures that they can take to comply with this obligation.
(c) Citing relevant legal authority, advise MRL on their data protection obligations if they discover a cyber attack that resulted in an extensive data breach affecting thousands of identifiable medical records.
(d) Citing relevant legal authority, advise MRL on their legal obligations if issued with the following from the UK Information Commissioner:
(i) an information notice to provide a true account of any cyber attacks within the last year;
(ii) a request to inspect IT systems used to process personal data in order to discharge an international obligation;
(iii) an information notice to produce communications that they had with their lawyers, in regard to any cyber attack.
Question 2: (Intellectual Property Rights) [24 marks]
In the context of intellectual property law, advise MRL on the legality of undertaking the actions below. In your answers please cite relevant legal authority (legislation or case law).
(i) Six months ago, MRL entered secret talks with a French research institution to collaborate on a project. The French research institution showed MRL their secret blueprint to develop a new gene sequencing machine. Due to disagreements over financial issues MRL decided not to pursue the collaboration, however, they used information from the blueprint to develop their own gene sequencing machine.
(ii) An MRL researcher (David) interested in gene sequencing techniques photocopied an article (six pages) from a book on genetics (that he found in his colleague's office) so that he could read the article when relaxing at home.
(iii) An MRL researcher (Alan) who is a part-time student at a local university has access to a lot of data held in the university library. He downloaded 10GB of data from the university, to perform data mining to complete a commercial project for a client.
(iv) MRL recently produced a new food supplement, that is being marketed in a bottle similar to an existing bottle produced by a competitor. The design of the competitor's bottle is NOT registered as a trade mark, however, the competitor's bottle has been well-known in the UK and popular for over 20 years.
(v) A researcher (Sarah) employed at MRL wrote a report based on various research experiments that she conducted at work over two years. Due to her hard work, she requested that her name should be published as part of the report. MRL published the report but did not include her name.
(vi) MRL recently imported a drug from a company located in a country, where the drug is manufactured without a licence from the UK pharmaceutical company who developed the drug.
Question 3: (Contract/Licensing)
Advise MRL on the legality of the actions taken by RECIPIENTS (A1, A2, A3, A4) who are party to the licence agreement. Always reference specific sections of the licence agreement or legal authority (e.g., legislation or case law) to support your answers.
(a) RECIPIENT A1 is a medical school in London. A1 wants to collaborate on a project with a research institute in Sweden. RECIPIENT A1 has no formal relationship or contract with the institute in Sweden. After a telephone conversation, RECIPIENT A1 gave the institute in Sweden access to the database for the purpose of deciding whether or not to take part in the project.
(b) RECIPIENT A2 is a research hospital with a research department in London. A2 accessed the database to obtain data which was combined with other data to perform analyses. These analyses were used to develop new insights that led to the publication of a report on A2's website. The report generated widespread recognition and was used by the UK government in guiding certain healthcare policies. The report makes no reference to MRL and A2 claims ownership of copyright in the report.
(c) RECIPIENT A3 is an independent research laboratory located in Germany. A3 conducts research for several medical institutions. Recently A3 used data from the database to conduct analyses for a client, which turned out to be incorrect (due to some errors in the database) resulting in the loss of a huge amount of money for the client. The client has contacted A3 to demand compensation in the amount of US$ 2 million. A3 in turn has brought legal action against MRL in the German courts stating that MRL's data was incorrect and that MRL should bear responsibility for the loss.
(d) RECIPIENT A4 is a medical centre in the UK which has a research department but also provides medical services to patients. A4 often uses data from the MRL database to train machine learning algorithms to develop predictive analyses for their patients. The MRL data is combined with other patient data to provide patients with specialised medical diagnosis regarding the risk of developing cancer in the future. As part of a study on survival rates of cancer patients, A4 also performs analyses with MRL data and other databases to determine the names of some of the data subjects in the MRL database. This data is useful in predicting the survival rates for their own patients.
Question 4: (Legal issues AI/Machine Learning)
Machine Learning (ML) algorithms are increasingly being used as part of decision-making processes in both the public and private sectors, with potentially significant consequences for individuals, organisations and societies. The governance of such algorithms (with social impacts) should include principles such as: Fairness, Transparency, Accountability, Explainability and Accuracy. Carry out individual research and for each principle, explain to MRL (i) the meaning of the principle and what it involves/entails and (ii) why it is important to MRL. In your answer cite any relevant legal authorities or sources of information used.
Attachment:- Ethical and Security Aspects of Data Science.rar