. 2021 Nov 18;8(2):101–115. doi: 10.1002/cjp2.251

Table 1.

DP – relevant guidelines, position papers, regulations, and legislation relating to the management/use of data generated through WSI (amended from García‐Rojo [20] and Chong et al [21], non‐exhaustive list).

| Country/region | Guideline/legislation | Comments |
|---|---|---|
| UK | 2018: Royal College of Pathologists – Best practice recommendations for implementing DP | Provides ‘an overview of the technology involved in DP and of the currently available evidence on its diagnostic use, together with practical advice for pathologists on implementing DP’ [22] |
| UK | 2018: UK Government – The DPA | Stipulates how personal information is used by organisations, businesses, or the government. It is the UK's implementation of the GDPR [23] |
| UK | 2018: UK Government – NHS Data Opt‐Out | Introduced to enable patients to opt out of the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian [24] |
| UK | 2018: UK Government – Code of Conduct for Data Driven Health and Care Technology | A guide to good practice for the use of digital technology in health and care. The guide provides a set of principles that state what is expected from suppliers and users of data‐driven technologies [19] |
| UK | 2019: UK Government – NHSX Artificial Intelligence: How to Get it Right | Provides an overview of the current state of play of data‐driven technologies within the health and care system in the UK [6] |
| UK | Ongoing: Office for National Statistics (ONS) – Principles for Data Initiatives | ONS is the UK's largest independent producer of official statistics, responsible for collecting and publishing statistics related to population and society. The Principles for Data Initiatives is a section of the ONS Data Strategy, which states their fundamental principles and standards to promote public trust in their data handling [25] |
| UK | Ongoing: Common Law Duty of Confidentiality | Common law (case law) is law that has developed through the courts making decisions in cases on legal points and creating binding precedents, in contrast to statutory law, which is determined by acts of parliament. It is the legal obligation for confidentiality: when personal information is shared in confidence, it must not be disclosed without some form of legal authority or justification [26] |
| EU | 2021: EU – Medical Devices Regulation | Regulation stating that software will be considered a medical device if it forms part, or is an accessory, of a medical device, or where it constitutes standalone software, has a medical purpose, and the processing of the data goes beyond mere storage, archiving, communication, or simple search [27] |
| EU | 2018: EU – GDPR | Regulation drafted and passed by the EU for the processing of personal information, either within the EU or information relating to people in the EU [28] |
| EU | 2016: EU–US Privacy Shield | It was a framework for regulating transatlantic exchanges of personal data for commercial purposes between the EU and US. In 2020, a court ruled that the framework no longer provided adequate safeguards, so it is now defunct [29] |
| The United States of America | 2021: Healthcare and Public Health Sector Coordinating Council (HSCC) Position Paper | The HSCC Joint Cybersecurity Working Group is a standing working group of the HSCC composed of more than 300 industry and government organisations working together to develop strategies to address emerging and ongoing cybersecurity challenges to the health sector. They do state that federal and state regulations have not kept in step with the rapid and widespread adoption of telehealth technologies across the country. Currently, there is no single federal agency with authority to establish and enforce privacy and security requirements for the entire telehealth ecosystem [30] |
| The United States of America | 2021: College of American Pathologists – Validating Whole Slide Imaging Systems for Diagnostic Purposes in Pathology, Guidelines Update | Guidelines stating that if WSI is used for diagnostic or other related clinical purposes, procedures must be in place that ensure sites using WSI provide reasonable and expected confidentiality and data security, in both data storage and data transmission [31] |
| The United States of America | 2020: US Food and Drug Administration (FDA) – Enforcement Policy for remote DP devices during the Coronavirus Disease 2019 Public Health Emergency | Previously, FDA‐approved WSI devices were not cleared for home use or categorised as waived by the FDA, so they were limited to use in clinical laboratories and their healthcare settings. In March 2020, the Centers for Medicare & Medicaid Services (CMS) issued a memorandum describing its exercise of enforcement discretion to ensure pathologists may review pathology slides and images remotely [32] |
| The United States of America | 2020: American Telemedicine Association (ATA) – Policy Principles | Policies highlighting the importance of protecting patient privacy and managing cybersecurity risks, along with the importance of ensuring safe transfer across state lines. Not specific to DP [33] |
| The United States of America | 2019 (initially authorised 2017): US FDA | WSI device authorised for marketing in the US, with a second system cleared for use in 2019 [34] |
| The United States of America | 2018: ATA Clinical Guidelines for Telepathology | Guidelines state that all data transmission used in telepathology should be secured through the use of encryption that meets recognised standards. The ATA also recommends that protected health information and other confidential data only be backed up to or stored on secure data storage locations. Cloud services unable to achieve compliance should not be used for personal health information or confidential data [35] |
| The United States of America | 2015: United States Government – Cybersecurity Information Sharing Act | Established a mechanism for cybersecurity information sharing among private sector and federal government entities; provides a set of cybersecurity best practices that should be used in the protection of telehealth and telemedicine systems and services [36] |
| The United States of America | 1996: US Department of Health and Human Services – Health Insurance Portability and Accountability Act (HIPAA) | The act mandates data security and privacy controls to keep medical information safe. The Department of Health and Human Services (HHS) publishes the HIPAA privacy rule, the HIPAA security rule, and the HIPAA breach notification rule [37] |
| Canada | 2019: Office of the Privacy Commissioner of Canada – The Personal Information Protection and Electronic Documents Act (PIPEDA) | PIPEDA applies to private sector organisations across Canada that collect, use, or disclose personal information in the course of a commercial activity. Personal information relating to hospitals can also be covered by provincial laws [38] |
| Canada | 2014: Canadian Association of Pathologists – Guidelines for establishing a telepathology service for anatomical pathology using WSI | The objective is to provide Canadian pathologists with baseline information on how to implement and use relevant platforms. Guidelines cover privacy and security, documentation, archiving, and liability [39] |
| Canada | 2005: Canadian Association of Pathologists – Code of ethics for storage and transmission of electronic laboratory data | A voluntary code based on the work of the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, created by the international Organization for Economic Cooperation and Development (OECD) [40] |
| Germany | 2018: Professional Association of German Pathologists – Digital Pathology in Diagnostics – reporting on digital images | The purpose of the guidelines is to set the framework for implementing virtual microscopy in routine diagnosis in Germany, and they include the topic of data security [41, 42] |
| Australasia | 2015: The Royal College of Pathologists of Australasia (RCPA) – Guidelines for Digital Microscopy in Anatomical Pathology and Cytology | Guidelines include a module on ‘Privacy, Confidentiality, and Security’, which states that systems must comply with national and state privacy regulations, as determined by the Privacy Act 1988, which regulates how personal information is handled and includes 13 Australian Privacy Principles [43] |
| Spain | 2021: The Spanish Society of Pathology – White Paper 2021 of the Pathological Anatomy in Spain | Guidelines include acknowledgement that ‘The storage system of digital preparations must be based on open solutions and in international standards … which will facilitate compliance with the Regulation GDPR’ [44] |
| South Korea | 2020: Korean Society of Pathologists (KSP) – Recommendations for pathological practice using DP | The guidelines include: ‘strict technical measures must be in place to ensure information security and protect personal information regardless of the type of terminal being used. Therefore, measures are needed to ensure that transmitted data are not easily released outside the network and that transmitted metadata do not contain personal information to minimise the risk to personal data even if a data leak was to occur’ [21] |