Understanding the ethical and legal considerations of Digital Pathology

Introduction

The past 20 years have witnessed the growing digitalisation of histopathology services as a result of developments in whole slide image (WSI) scanning, storage, and analysis [1]. The implementation of Digital Pathology (DP) has been relatively slow in the United Kingdom (UK), although rapid changes are on the horizon [2, 3]. Currently, there are 41 pathology units in the UK, with approximately 1256 consultants. A UK 2018 survey found that 60% of pathology units have access to a DP scanner [3]. Following recent investment in DP infrastructure, five Artificial Intelligence (AI) Centres of Excellence have been established in the UK, aiming to develop the country's DP and imaging expertise. These are: the Industrial Centre for AI Research in Digital Diagnostics (I-CAIRD) based in Glasgow, the London Medical Imaging and Artificial Intelligence Centre for Value-Based Healthcare, the National Consortium of Intelligent Medical Imaging (NCIMI) in Oxford, the National Pathology Imaging Co-operative (NPIC) based in Leeds, and the Pathology image data Lake for Analytics, Knowledge and Education (PathLAKE) based in Coventry.

The adoption of DP is part of the strategy set out by the NHS Long Term Plan for digitally enabled care and the UK Government's Industrial Life Sciences Strategy [4, 5]. Stakeholders relevant to the digitalisation of pathology in the UK include The National Data Guardian, The Information Commissioner's Office (ICO), Alan Turing Institute, Health Data Research UK, Care Quality Commission, Public Health England, NHS Digital, and NHSX [6-13]. Internationally, the World Health Organisation (WHO), in partnership with the International Telecommunication Union (ITU), has established a Focus Group on Artificial Intelligence for Health (FG-AI4H) with the aim of identifying opportunities for standardisation and applications of AI to health issues on a global scale [14].

DP involves the creation of digital images by using a scanning device to provide high-resolution images that can be viewed on a platform. This provides a stage platform for developing and utilising AI algorithms, for recognising subtle patterns in tissue to assist diagnosis or derive novel insights into disease [15-18]. Generation of data from DP creates challenges for the histopathology community with regard to data management, processing, and security. The UK Government has stated that protecting patient data is a legal requirement of paramount importance [6, 19]. This is echoed globally, with guidelines, policies, and legislations aiming to ensure appropriate application of DP (Table 1).

Table 1. DP – relevant guidelines, position papers, regulations, and legislation relating to the management/use of data generated through WSI (amended from García-Rojo [] and Chong et al [], non-exhaustive list). Country/region Guideline/legislation Comments UK 2018: Royal College of Pathologists – Best practice recommendations for implementing DP Provides ‘an overview of the technology involved in DP and of the currently available evidence on its diagnostic use, together with practical advice for pathologists on implementing DP’ [22] 2018: UK Government – The DPA Stipulates how personal information is used by organisations, businesses, or the government. It is the UK's implementation of the GDPR [23] 2018: UK Government – NHS Data Opt-Out Introduced to enable patients to opt out from the use of their data for research or planning purposes in line with the recommendations of the National Data Guardian [24] 2018: UK Government – Code of Conduct for Data Driven Health and Care Technology A guide to good practice for the use of digital technology in health and care. The guide provides a set of principles that state what is expected from suppliers and users of data-driven technologies [19] 2019: UK Government – NHSX Artificial Intelligence How to Get it Right Provides an overview of the current state of play of data-driven technologies within the health and care system in the UK [6] Ongoing: Office for National Statistics (ONS): Principles for Data Initiatives ONS is the UK's largest independent producer of official statistics, responsible for collecting and publishing statistics related to population and society. The Principles for Data Initiatives is a section of the ONS Data Strategy, which states their fundamental principles and standards to promote public trust in their data handling [25] Ongoing: Common Law Duty of Confidentiality Common law (case law) is law that has developed through the courts making decisions in cases on legal points and creating binding precedents in contrast to statutory law which is determined by acts of parliament. It is the legal obligation for confidentiality; when personal information is shared in confidence, it must not be disclosed without some form of legal authority or justification [26] EU 2021: EU: Medical Devices Regulation Regulation stating that software will be considered a medical device if it forms part, or is an accessory, of a medical device or where it constitutes standalone software, has a medical purpose, and the processing of the data goes beyond mere storage, archiving, communication, or simple search [27] 2018: EU: GDPR Regulation drafted and passed by the EU for the processing of personal information, either within the EU or information related to people in the EU [28] 2016: EU – US Privacy Shield It was a framework for regulating transatlantic exchanges of personal data for commercial purposes between the EU and US. In 2020, a court issued that the framework no longer provided adequate safeguards so is now defunct [29] The United States of America 2021: Healthcare and Public Health Sector Coordinating Council (HSCC) Position Paper The HSCC Joint Cybersecurity Working Group is a standing working group of the HSCC composed of more than 300 industry and government organisations working together to develop strategies to address emerging and ongoing cybersecurity challenges to the health sector. They do state that the federal and state regulations have not kept in step with the rapid and widespread adoption of telehealth technologies across the country. Currently, there is no single federal agency with authority to establish and enforce privacy and security requirements for the entire telehealth ecosystem [30] 2021: College of American Pathologists – Validating Whole Slide Imaging Systems for Diagnostic purposes in Pathology, Guidelines Update Guidelines stating if WSI is used for diagnostic or other related clinical purposes, procedures must be in place that ensure sites using WSI provide reasonable and expected confidentiality and data security, in both data storage and data transmission [31] 2020: US Food and Drug administration (FDA) – Enforcement Policy for remote DP devices during the Coronavirus Disease 2019 Public Health Emergency Previously, FDA-approved WSI devices were not cleared for home use or categorised as waived by FDA, so limited to use in clinical laboratories and their healthcare settings. In March 2020, the Centers for Medicare & Medicaid Services (CMS) issued a memorandum, describing its exercise of enforcement discretion to ensure pathologists may review pathology slides and images remotely [32] 2020: American Telemedicine Association (ATA). Policy Principles Policies highlighting the importance of protection of patient privacy and cybersecurity risks along with the importance of ensuring safe transfer across state lines. Not specific for DP [33] 2019 (initially authorised 2017): US FDA WSI device authorised for marketing in the US with a second system cleared for use in 2019 [34] 2018: ATA Clinical Guidelines for Telepathology Guidelines state that all data transmission used in telepathology should be secured through the use of encryption that meets recognised standards. The ATA also recommends that protected health information and other confidential data only be backed up to or stored on secure data storage locations. Cloud services unable to achieve compliance should not be used for personal health information or confidential data [35] 2015: United States Government: Cybersecurity Information Sharing Act Established a mechanism for cybersecurity information sharing among private sector and federal government entities – provides a set of cybersecurity best practices that should be used in the protection of telehealth and telemedicine systems and services [36] 1996: US Department of Health and Human Services. Health Insurance Portability and Accountability Act (HIPAA) The act mandates data security and privacy controls to keep medical information safe. The Department of Health and Human Services (HHS) publishes the HIPAA privacy rule, the HIPAA security rule, and the HIPAA breach notification rule [37] Canada 2019: Office of the Privacy Commissioner of Canada – The Personal Information Protection and Electronic Documents Act (PIPEDA) The PIPEDA applies to private sector organisations across Canada that collect, use, or disclose personal information in the course of a commercial activity. Personal information relating to hospitals can also be covered by provincial laws [38] 2014: Canadian Association of Pathologists – Guidelines for establishing a telepathology service for anatomical pathology using WSI The objective is to provide Canadian pathologists with baseline information on how to implement and use relevant platforms. Guidelines cover privacy and security, document, and archiving and liability [39] 2005: Canadian Association of Pathologists – Code of ethics for storage and transmission of electronic laboratory data A voluntary code based on the work of the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, created by the international Organization for Economic Cooperation and Development (OECD) [40] Germany 2018: Professional Association of German Pathologists – Digital Pathology in Diagnostics – reporting on digital images Purpose of the guidelines is to direct the framework on how to implement virtual microscopy in routine diagnosis in Germany and includes the topic of data security [41, 42] Australasia 2015: The Royal College of Pathologists of Australasia (RCPA) – Guidelines for Digital Microscopy in Anatomical Pathology and Cytology Guidelines include a module on ‘Privacy, Confidentiality, and Security’, which states that system must comply with national and state privacy regulations and is determined by the Privacy Act 1988 that regulates how personal information is handled and includes 13 Australian Privacy Principles [43] Spain 2021: The Spanish Society of Pathology – White Paper 2021 of the Pathological Anatomy in Spain Guidelines include acknowledgement that ‘The storage system of digital preparations must be based on open solutions and in international standards…. which will facilitate compliance with the Regulation GDPR’ [44] South Korea 2020: Korean Society of Pathologists (KSP) – Recommendations for pathological practice using DP The guidelines include ‘strict technical measures must be in place to ensure information security and protect personal information regardless of the type of terminal being used. Therefore, measures are needed to ensure that transmitted data are not easily released outside the network and that transmitted metadata do not contain personal information to minimise the risk to personal data even if a data leak was to occur’ [21]

Literature discussing the potential benefits of DP/AI rarely mention the ethical and legal considerations of access to, and processing of, patient data [45-51]. Advice/guidance on medical ethics and data governance exists, although the depth to which these topics are explored varies significantly (Table 1). This is complicated by WSI data often being generated primarily for diagnostic purposes but having other uses, i.e. teaching and research. This complex situation is compounded when collaborating with industry partners, and by political uncertainty such as the UK's recent withdrawal from the European Union (EU) and working across jurisdictions. It is unclear whether present frameworks and guidelines are useful to histopathologists or if there is a need for additional pathology-focused guidelines [6, 28, 52-55].

In this paper, we present the results of an electronic survey (e-survey) aiming to evaluate UK histopathologists' current levels of understanding of, and confidence with, the legal and ethical aspects of DP and their perceived training needs. We evaluate whether the rise of DP has created this need with the move from tissue-based work (where there is experience with legislation) to image/data-centred practice with different considerations; although targeted specifically at DP rather than AI, we also discuss relevant overlapping issues.

Materials and methods

We developed an e-survey comprising 22 questions using the online platform ‘SurveyMonkey’ (www.surveymonkey.co.uk). The questionnaire (supplementary material, Appendix S1) was developed with input from the Royal College of Pathologists (RCPath) Digital Pathology Working Group.

Information provided to gain consent included: study purpose, approximate completion time, confirmation of anonymity, and details of principal investigators. ‘SurveyMonkey’ collected the data; their privacy policy was present on their website at the time of completion. Consent was implicit by completion of the survey. No ethics approval was required.

Initially, a pilot e-survey was developed to assess the usability and technical functionality of the e-survey and tested by a pre-selected cohort (three consultant histopathologists and one specialty trainee) as a closed survey. The e-survey was structured with single sequential questions and question formats included: forced-choice, Likert scales, yes/no options, and open-ended/free text questions. The topics were: Demographics, Background, Training, Guidelines and Legislation, Consent, and Data sharing. Participants could review and amend answers prior to submission. Following the pilot e-survey, questions were rephrased to avoid testing specific knowledge and to gauge general understanding.

Following satisfactory completion of the pilot e-survey, the open e-survey web link was circulated via social media (Twitter) and e-mail through the RCPath Digital Pathology Working Group network, RCPath Trainee Committee network, the PathLAKE digital pathology consortium, National Pathology Imaging Co-operative (NPIC), and to membership of The Pathological Society of Great Britain and Northern Ireland and the British Division of the International Academy of Pathology (BDIAP). The survey was voluntary with no incentives offered. The survey link remained active between 14 July 2020 and 6 September 2020 and was closed only after several reminders had been sent out; only a few additional responses were gathered. The responses were automatically collected by the ‘SurveyMonkey’ platform which has mechanisms to prevent duplication by individuals.

Survey responses were analysed using descriptive statistics. Inductive analysis of free text answers (supplementary material, Appendix S1 – Questions 20 and 22) was performed using open coding with a final coding frame developed specifically for this study. Both sections were coded together and went through two independent rounds of open coding to determine the relevant themes. The codes were then cross referenced to determine the following four main meta-categories: Governing Data, Validating Data, Ownership and Third-Party Access, and Inclusivity and Transparency. Ambiguous and uncategorised comments were not reported. This manuscript has been prepared in accordance with the CHERRIES guidelines [56].

Results Response

In total, we received 198 responses including 194 histopathologists. Three advanced biomedical scientists and one clinical scientist also completed the survey, although it was stated that the survey was targeted at histopathologists specifically. As these responses represented only 2% of the overall responses, they were included in the analysis and we postulate that they represent scientists who use DP in their role. There was an overall completion rate of 79% with minor variations in response rates to individual questions having been indicated.

Consultants and specialty doctors with >20 years of clinical experience were the most common responders (35%, 70/198). Most respondents were based in England, working in the NHS tertiary referral centres in NHS posts with no funded academic time (Table 2). The most common experience with DP was ‘External Quality Assurance (EQA)’ (82%, 160/196), followed by ‘Teaching or training’ (72%, 142/196). The most common experience with consultants was ‘EQA’ (93%, 136/146), whereas for trainees it was ‘Teaching or training’ (94%, 44/47) (Table 2). Forty-three percent (85/198) of respondents had been involved in research using digital scanned slides; a further 6% (12/198) were planning to do so in the future. Two percent (4/196) had no experience in any of the stated areas of DP.

Table 2. Summary of respondents – grade, region, current post, and current centre. Question Responses Question 1. Current level of experience Consultant histopathologist with >20 years' experience* 35% (70/198) Consultant histopathologist with 15–20 years' experience* 17% (33/198) Consultant histopathologist with 10–15 years' experience* 13% (25/198) Consultant histopathologist with 5–10 years' experience* 10% (19/198) Trainee histopathologist 24% (47/198) Non-histopathologist 3× advanced biomedical scientists and 1× clinical scientist Question 2. Region England 81% (160/198) Scotland 12% (24/198) Wales 4% (8/198) Northern Ireland 3% (6/198) Question 3. Current post NHS post, no funded academic time 76% (149/195) NHS post, including some funded academic time 11% (22/195) Academic post including some funded NHS time 11% (21/195) Academic post, no funded NHS time 2% (3/195) Question 4. Current centre NHS – district general hospital 30% (59/198) NHS – tertiary referral centre 35% (70/198) NHS centre and university academic department 31% (61/198) University academic department 4% (7/198) Private laboratory 1% (1/198) Question 5. Experience with DP Primary diagnosis Consultant histopathologist with 5 to >20 years' experience* 36% (53/146) Trainee histopathologist 23% (11/47) Non-histopathologist 0% (0/3) Second opinion Consultant histopathologist with 5 to >20 years' experience* 24% (35/146) Trainee histopathologist 9% (4/47) Non-histopathologist 0% (0/3) Multidisciplinary team meeting Consultant histopathologist with 5 to >20 years' experience* 34% (50/146) Trainee histopathologist 13% (6/47) Non-histopathologist 67% (2/3) Research or clinical trials Consultant histopathologist with 5 to >20 years' experience* 38% (55/146) Trainee histopathologist 26% (12/47) Non-histopathologist 67% (2/3) Teaching Consultant histopathologist with 5 to >20 years' experience* 65% (95/146) Trainee histopathologist 94% (44/47) Non-histopathologist 67% (2/3) EQA Consultant histopathologist with 5 to >20 years' experience* 93% (136/146) Trainee histopathologist 49% (23/47) Non-histopathologist 33% (1/3) No experience of specific DP activities Consultant histopathologist with 5 to >20 years' experience* 1% (2/146) Trainee histopathologist 4% (2/47) Non-histopathologist 0% (0/3) Question 12. Involvement in research Overall respondents Yes 43% (85/198) No 51% (101/198) Planning to undertake research 6% (12/198) Grade of those involved in research Consultant histopathologist with >20 years' experience* 35% (30/85) Consultant histopathologist with 15–20 years' experience* 19% (16/85) Consultant histopathologist with 10–15 years' experience* 13% (11/85) Consultant histopathologist with 5–10 years' experience* 8% (7/85) Trainee histopathologist 22% (19/85) Non-histopathologist 2% (2/85) * Or specialty doctor, including training. Training

Eighty-eight percent of respondents (168/190) working in an NHS centre (190/198) reported having been offered NHS mandatory training in information governance, 4% (8/190) had not, and the remaining 7% (14/190) were ‘Not sure’. Nearly a quarter of all respondents (24%, 48/198) had undertaken additional training in information governance. Respondents reported attending a variety of additional online and face-to-face courses over the years (Table 2).

When asked about their need/desire for training, 39% (27/70) of ‘consultants and specialty doctors with over 20 years' experience’ wanted additional training, whereas approximately half of those with 5–20 years' experience (51%, 39/77) and trainees (51%, 24/47) wanted additional training. Those wanting further training called for this to be specific to DP and to be delivered in an online Continuing Professional Development (CPD)-accredited format. Summary of current available training, format, and content proposed by respondents is presented in Table 3.

Table 3. Summary of respondents' comments regarding additional training. Question 7. Current additional training

‘Personal Information Commissioner Officer registration’

‘Education for information commissioner registration and duties under the Data Protection Act 2018’

‘e-learning as General Medical Council (GMC) associate’

‘The Oxford University Information Governance online modules’

‘Part of master's degree’

‘General Data Protection Regulation (GDPR) sessions’

‘Information governance training as part of Good Clinical Practice (GCP) course’

‘Medical Research Council (MRC) module’

‘One day generic General Data Protection Regulation (GDPR) course’

Question 8. Proposed additional training; format and content

(41 respondents provided additional comments)

Format

Online modules + webinar

Standalone webinar

PowerPoint

e-learning modules

Continuing Professional Development (CPD) accreditation

Content

Healthcare-specific GDPR

Specific to DP

Theory of the legal and ethical considerations of DP

Application of legislation

Examples including case reports/exemplars

Use of scanned slide image sharing

Anonymising cases – when and how to

Dos and don'ts of DP

Templates/guidelines

Risks and responsibilities

Relevance to development of AI tools

Implications of reporting patient specimens off site

Use of images in publication and online education

Confidence in applying guidelines/legislation

Table 4 outlines respondents' confidence ratings concerning their understanding of policy/legislations and ethical guidelines. The Data Protection Act 2018 (DPA 2018) had the highest confidence ratings [23]. At the other end of the spectrum, respondents were least confident in their knowledge of the (now defunct) EU – US Privacy Shield, followed by the NHS National Data Opt-out [24, 29]. Regarding ethical guidance, all three groups reported predominantly ‘Not at all confident’ in their understanding of all three guidelines. There seemed to be higher confidence levels for legislation (General Data Protection Regulation [GDPR] and DPA 2018) compared to ethical guidance [6]. Comparing responses of those who had or had not received additional training revealed confidence ratings were higher across respondents who had undergone additional training.

Table 4. Response rates on confidence rating for legal (Question 9) and ethical guidance (Question 10); overall, comparing those with additional training to those without and comparing those involved in research to those not involved in research (excludes those reporting that they are not currently involved in research but are planning to in the future). Not confident at all (%) Slightly confident (%) Somewhat confident (%) Fairly confident (%) Completely confident (%) I am not aware of the policy/legislation (%) Total number of responses Legal policy/legislation GDPR 16 23 27 24 8 1 196 Overall 13 4 28 30 20 4 46 Additional training 17 29 27 22 5 0 150 Without additional training 8 18 27 34 12 1 83 Involved in research 24 25 27 18 6 1 101 Not involved in research DPA 2018 19 22 22 25

Comments (0)

No login
gif