The Spanish Data Protection Agency (AEPD) has published the guide "Approach to data spaces from the perspective of the GDPR" (General Data Protection Regulation), in which it analyzes the creation and use of data spaces in relation to personal data protection regulations. The document, in which Professor Ricard Martínez Martínez has collaborated in its preparation and review, aims to facilitate the many initiatives, both national and European, compliance and respect for the rights and freedoms of individuals in relation to the protection of their data.
A data space can be defined as a federated and open infrastructure to enable sovereign access to data, based on governance, policies, rules and standards that define a framework of trust for all stakeholders. Today, technology enables both businesses and public administrations to use personal data on an unprecedented scale, and digital transformation brings new risks and challenges both for those who design and intervene in services and for the citizens whose data is processed.
Therefore, its implementation must be carried out in compliance with the principles set out in the GDPR, which strengthens the control of individuals over their own personal data and reinforces the legal security of companies and public administrations involved in this ecosystem, among others.
The guide addresses both the basic regulatory framework that affects Data Spaces and that which is under development, such as the applicability of data protection from design in data spaces or risk management for the rights and freedoms of natural persons. It is intended for data controllers and processors, delegates and, in general, personnel who process personal data or who authorize, supervise or facilitate such processing.
Doctor Ricard Martínez Martínez, a collaborator in the development of the aforementioned guide, directs the chair of Privacy and Digital Transformation Microsoft-Universitat de València and is part of the team of the research line on computer security, data protection and privacy of the LISITT group. "This research area has collaborated in recent years in projects directly linked to the generation of repositories that are aligned with the European Health Data Space (EHDS)", Martínez points out.
The EHDS is a health-specific ecosystem consisting of common rules, standards and practices, infrastructure and a governance framework that aims to empower individuals to have greater control and digital access to their electronic personal health data, both at national and EU level.
It also aims to support their free movement, so as to foster a genuine single market for electronic health record systems, relevant medical devices and high-risk Artificial Intelligence (AI) systems. Providing a coherent, reliable and efficient framework for the use of health data in research, innovation, policymaking and regulatory activities is another of its aims.
Among the initiatives referred to by Martínez, "BigMedilytics, CHAIMELEON and the recently launched EUCAIM, whose objective is to build a European digital infrastructure of cancer images to improve medical treatment and research, should be highlighted". The experience in these research projects has been successfully transferred to the project "Healthdata29: Legal guide and repository to promote the sharing of health data" awarded in 2021 by the AEPD with the Proactivity and Good Practices Award.
The team of the research line, in turn, has collaborated on projects related to the development of technology based on health data in CRANE, ROSIA and, currently, AI4HealthyAging. It also collaborates as an external advisor in RESILIENT RULES, HEALTHYCLOUD and European federation of Data Driven Innovation Hubs (EUHubs4Data).
In these projects, the LISITT team contributes in the legal and ethical areas, security, anonymization and platform design. Some of the challenges faced by researchers in these areas, notes the privacy expert, are "the challenges of a constantly evolving legal framework that forces to foresee needs to adapt to additional requirements to the General Data Protection Regulation and new approaches to risks in AI design."
"A large part of the EHDS proposal lies in the control of these data spaces, and for them everything related to IT security is essential," says IRTIC member Francisco Soriano. "From the research institute, we are working on all the controls and security measures that need to be taken into account from the National Security Scheme (ENS), at national level, or from ISO27001, at global level," adds the expert.
Therefore, IRTIC is prepared to develop data spaces in any of its dimensions, since it has specialized personnel in areas such as database development, security and anonymization.
In addition, the institute has lines focused on more technical aspects that add to its versatility and wide range of services, such as the management of European projects, secretariats, studies and technical audits on traffic and intelligent technology systems applied to transportation (ITS); systems for monitoring, control and advanced representation of traffic data; location, transaction and mobile communications systems; applications for the dissemination of information through the Internet and wireless networks; and applications for the exchange of information between systems and dynamic navigation; database applications and systems architecture.
