WO2020212614A1 - Method and system for data generating and transmitting data - Google Patents


Info

Publication number
WO2020212614A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
user
server
computer device
medical
Application number
PCT/EP2020/060931
Other languages
French (fr)
Inventor
Karl ASMAR
Makram SALEH
Nadine NEHME
Mouhamad KAWAS
Original Assignee
Medicus Ai Gmbh
Application filed by Medicus Ai Gmbh
Publication of WO2020212614A1

Classifications

    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16H HEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H50/00 ICT specially adapted for medical diagnosis, medical simulation or medical data mining; ICT specially adapted for detecting, monitoring or modelling epidemics or pandemics
    • G16H50/30 ... for calculating health indices; for individual health risk assessment
    • G16H50/20 ... for computer-aided diagnosis, e.g. based on medical expert systems
    • G16H50/70 ... for mining of medical data, e.g. analysing previous cases of other patients

Definitions

  • the present invention relates to methods for operating end user computer devices, generating, transmitting and storing data, particularly medical data.
  • a method is disclosed that comprises operating an end user computer device.
  • the end user computer device can be a device to be used by one user at a time, and it can comprise a data-processing system.
  • the end user computer device can for example be a laptop computer, a desktop computer, a mobile phone or a smart watch.
  • the method can comprise performing a storing step (SS).
  • the end user computer device can perform the storing step.
  • the end user computer device can comprise a storage component, which storage component can perform the storing step.
  • the storing step can comprise storing user input data.
  • User input data can be data that a user inputted, such as a language preference, a known medical condition, at least one or a plurality of answers to a questionnaire and/or a location.
  • the storing step can comprise storing a user location set.
  • the user location set can comprise at least one or a plurality of location(s) of the user, that is, location(s) where the user is or has been.
  • the location set can be generated by user input.
  • the location set can also be generated by the end user computer device, for example based on a satellite localisation component of the end user computer device, such as a GPS-component, by identities of WLAN-devices whose signals the end user computer device receives, by cell tower data, or by other sensing or estimating components of the end user computer device.
  • the end user computer device can also receive said location data from an external device.
  • the storing step can comprise storing sensed physiological data.
  • the sensed physiological data can be sensed physiological data of the user.
  • the sensed physiological data are intended to refer to data such as a body temperature of the user, a heart rate of the user and/or a blood pressure of the user.
  • the storing step can comprise storing medical user data.
  • the medical user data can be data such as lab reports, information regarding medical conditions, reports by MDs and other medical or clinical data.
  • the medical data can comprise the sensed physiological data.
  • the medical data can comprise a corresponding portion of the user input data.
  • the storing step can comprise storing medical environment data.
  • the medical environment data can refer for example to a spread of disease in an environment of a user, and/or risks for a user in his/her environment, such as risks due to pollution or a risk of being infected with a disease present in an environment.
  • the storing step can comprise storing a third party set.
  • the third party set can comprise an indication of at least one third party.
  • the at least one third party can be a trusted third party, particularly a trusted third party for health issues.
  • the third party(s) can hence for example be at least one disease control center, a university or a health care provider, such as a health care provider providing services to the user.
  • the indication can for example be a public key of such a third party, with which data cryptographically signed by that third party can be verified.
  • the indication can for example also be a uniform resource locator referring to a website or access platform of at least one of the at least one trusted third party, an internet protocol address relating to a data-processing system of at least one of the at least one trusted third party, or the like.
  • the storing step can comprise storing analysis model data.
  • the analysis model data can for example be confirmed, signed or provided by the trusted third party.
  • the analysis model data can be data indicating to a data-processing system the steps of an analysis of data.
  • the analysis model data can comprise at least one of rules, data describing a decision tree, and neural network model data for analysing data.
  • the analysis model can particularly refer to an analysis of medical data or of a medical condition of users.
  • the storing step can comprise storing sample data.
  • the sample data can be data referring to a sample taken from the user, such as a medical sample.
  • the sample data can comprise an identification of a sample, such as a tracking code.
  • the sample data can comprise an indication of whether a sample was generated, processed or transported.
  • the storing step can comprise storing display data.
  • the display data can be data that can be outputted.
  • the display data can be data that the end user computer device can output to the user.
  • the display data can be data for visual output, but they can for example also comprise data for acoustic output.
  • the storing step can comprise storing the data on the data storage component of the end user computer device.
  • the data storage component can comprise persistent memory, such as flash memory or a hard disk.
  • the storing step can comprise storing the user input data in an encrypted form.
  • the storing step can comprise storing the user location set in an encrypted form.
  • the storing step can comprise storing the medical user data in an encrypted form.
  • the storing step can also comprise storing the sample data in an encrypted form.
  • the storing step can also comprise storing a portion of at least or all of these data in an encrypted form.
  • An optional advantage can be that the respective data or the portions thereof are protected against unauthorized access, or that at least, such unauthorized access is rendered more difficult.
  • the analysis model data can be specific to at least one of a geographical area and the indication of the trusted third party(s).
  • the analysis model data stored can hence be corresponding to the location data of the user and/or the indication of the at least one trusted third party.
  • the analysis model data can depend on the geographical area, considering that certain behaviours, exposures, or illnesses vary locally, or that they are managed differently by different third parties, such as different disease control entities.
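The encrypted storage described in the storing step above, as an added example in Go that is not part of the patent: each record is sealed with AES-256-GCM before it reaches the storage component, the record name is bound as associated data, and any modification or relabelling of the stored bytes is detected when the record is read back instead of yielding silently wrong data. The DeviceStore type, the caller supplying the 32-byte key (in practice the platform keystore would hold it) and the sample location record are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// DeviceStore stands in for the data storage component of the end user
// computer device. Every record is encrypted before it is written, so a copy
// of the flash memory yields only ciphertext.
//
// Assumption for this example: the 32-byte key lives in the device's platform
// keystore; here the caller passes it in.
type DeviceStore struct {
	aead    cipher.AEAD
	records map[string][]byte // storage stand-in: record name -> nonce || ciphertext || tag
}

// NewDeviceStore initialises AES-256-GCM with the given 32-byte key.
func NewDeviceStore(key []byte) (*DeviceStore, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &DeviceStore{aead: aead, records: map[string][]byte{}}, nil
}

// Put encrypts plaintext under a fresh random nonce. The record name is bound
// as associated data, so ciphertext copied from one record (say the user
// location set) into another (say the medical user data) fails to open.
func (s *DeviceStore) Put(name string, plaintext []byte) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.records[name] = s.aead.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// Get decrypts and authenticates a record. Any change to the stored bytes, or
// a record stored under a different name, is reported as an error.
func (s *DeviceStore) Get(name string) ([]byte, error) {
	ct, ok := s.records[name]
	if !ok {
		return nil, errors.New("no such record")
	}
	ns := s.aead.NonceSize()
	if len(ct) < ns+s.aead.Overhead() {
		return nil, errors.New("record too short")
	}
	return s.aead.Open(nil, ct[:ns], ct[ns:], []byte(name))
}

// Raw returns what an attacker reading the storage medium would see.
func (s *DeviceStore) Raw(name string) []byte { return s.records[name] }

// Corrupt flips one byte of a stored record, simulating tampering with the medium.
func (s *DeviceStore) Corrupt(name string) {
	if ct := s.records[name]; len(ct) > 0 {
		ct[len(ct)-1] ^= 0x01
	}
}

// Relabel moves a record's bytes under another name, simulating an attacker
// swapping records on the medium.
func (s *DeviceStore) Relabel(from, to string) {
	s.records[to] = s.records[from]
	delete(s.records, from)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	store, err := NewDeviceStore(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample of a user location set.
	_ = store.Put("user_location_set", []byte(`[{"lat":48.21,"lon":16.37}]`))
	fmt.Printf("stored %d bytes of ciphertext\n", len(store.Raw("user_location_set")))
	pt, err := store.Get("user_location_set")
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)
	store.Corrupt("user_location_set")
	_, err = store.Get("user_location_set")
	fmt.Printf("after tampering: err=%v\n", err)
}
```

The point a practitioner should take from the "encrypted form" bullets is that encryption alone only delivers confidentiality; the authentication tag that GCM adds is what turns a tampered or swapped record into an error instead of into wrong input for the analysis step. The key must not sit on the same medium next to the ciphertext, otherwise the protection against unauthorized access is nominal.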
  • the method can comprise performing an analysis step (AS).
  • the analysis step can comprise receiving an analysis-portion of the user input data from a user.
  • the analysis-portion can comprise indications of the user as regards activities, behaviours, medical conditions or the like.
  • the analysis step can comprise receiving at least the analysis-portion from the user by means of a user interface.
  • the end user computer device can comprise the user interface.
  • the analysis step can comprise outputting a portion of the display data to the user.
  • This portion of the display data can prompt the user to input the analysis-portion of the user data. It can for example comprise data instructing the user interface to enable input of the analysis portion of the user input data.
  • the analysis step can comprise a generation of an estimation of a probability of a medical condition of the user.
  • a medical condition can for example be a disease, an infection, an underlying condition or another health problem.
  • the generation of the estimation can be performed based on the analysis model data.
  • the end user computer device can process the analysis model data so as to generate said estimation.
  • Processing the analysis model data can for example be executing an application according to the analysis model data, or processing the analysis model data by an application which generates an estimation based on model(s) described by the analysis model data.
  • the generation of the estimation can comprise processing the analysis-portion of the user input data.
  • the generation of the estimation can comprise providing the analysis-portion as input data to a model or an application according to the analysis model data.
  • the generation of the estimation can comprise processing the user location set.
  • the generation of the estimation can comprise processing the medical environment data.
  • the generation of the estimation can comprise processing the medical user data. For example, symptoms corresponding to a medical condition or conditions that raise a probability of another disease can be used for the generation of the estimation.
  • An optional advantage can be that, with these data, the estimation can be more accurate for the user, and interdependencies can be modelled.
  • the method can comprise performing a contact establishment step (CS).
  • the contact establishment step can be performed based on the generated estimation.
  • based on the generated estimation, it can be decided whether a contact is established at all, or a partner or other party to which the contact is established can be selected.
  • Performing the contact establishment step based on the generated estimation can be optionally advantageous, as it can allow for establishing contact to a suitable contact partner according to an estimated state of the user, or for not establishing a contact if the user seems not to need such a contact. For example, if the user needs medical attention with a certain probability, contact can be established, and if the user does (currently) not need medical attention with a certain probability, no contact is established.
  • the contact establishment step (CS) can comprise establishing a connection, such as a voice communication connection or a data connection.
  • a data connection can be a connection for data transfer, for example for transmission of text messages, image data, sound or the like.
  • a voice communication connection can for example be a connection via a phone network.
  • a data connection can comprise a voice connection.
  • the contact establishment step (CS) can comprise triggering a step of taking a medical sample from the user.
  • a sample can for example be a sample of a body fluid of the user, a sample of a tissue of the user, or a sample of a substance expelled by the user.
  • Triggering such a step can for example be sending instruction data to take such a sample, or sending instruction data to provide material for taking said sample.
  • the contact establishment step (CS) can further comprise receiving a portion of the sample data.
  • the portion of the sample data can comprise an identification of the sample.
  • Receiving the portion of the sample data can be performed for example by accepting an input of an identification number of a sample container or of the sample. Receiving the portion of the sample data can also be performed by reading, such as scanning or receiving via radio waves, an identification of the sample or its container, e.g. by scanning a bar code or a QR code of the container, or by receiving an identification from an NFC/RFID-chip which the container can comprise.
  • the contact establishment step can comprise determining the other party(s), that can be the above-mentioned contact partner, of the connection based on the indication of the at least one trusted third party(s).
  • the indication of the at least one trusted third party can comprise an indication of a contact partner or a set of at least one or a plurality of contact partners.
  • the contact establishment step can also comprise determining the other party(s) of the connection based on the user location set, particularly a current location of the user. For example, a closest contact partner can be selected, the contact partner can be chosen from a list of close contact partners, or the contact partner can be chosen from contact partner(s) corresponding to a region in which the end user computer device or the user is located.
  • the other party(s) of the connection can furthermore be determined based on the generated estimation. As discussed above, for example, based on an estimation of a medical condition, a suitable contact partner can be chosen.
  • for example, a connection to a corresponding contact partner, such as a rescue coordination center, the respective health care provider or a health authority, can be established.
  • Determining the other party(s) of the connection based on the generated estimation may be optionally advantageous, as it may reduce the load that connections to less suitable parties place on the transmission network. Furthermore, it may decrease the time until the user is connected to the most suitable other party.
  • the method may comprise performing a downloading step (DS).
  • the downloading step can comprise receiving an updated portion of the display data.
  • the downloading step can comprise receiving an updated portion of the medical environment data.
  • Receiving updated data in the downloading step can comprise the end user computer device requesting data from another data-processing system, such as a server ("pull").
  • Receiving updated data in the downloading step can also comprise the end user computer device receiving data from the other data-processing system initiated by the other data-processing system ("push").
  • the downloading step can comprise receiving the updated portion of the display data and/or the updated portion of the medical environment data from a third party server.
  • the third party server can be indicated by the indication of the at least one trusted third party.
  • the updated portion of the display data and/or the medical environment data can be cryptographically signed by the trusted third party. This is intended to also refer to other cryptographic methods for preserving the integrity or guaranteeing the authenticity of a message, for example providing a hash of the updated data portion, based on which the end user computer device determines the authenticity of the provided data. Note that a bare hash transmitted together with the data only detects accidental corruption; for it to establish authenticity, the hash itself has to be obtained over an authenticated channel or be signed by the third party.
  • the downloading step can comprise receiving the updated portion of the data in a compressed data format and decompressing the updated portion after receiving it. This can be optionally advantageous, as it may require fewer transmission resources.
  • the downloading step can comprise sending request data.
  • the request data can be sent by the end user computer device.
  • the request data can comprise at least one of a portion of the user input data and a portion of the medical user data.
  • the portion of the user input data that the request data can comprise can be language settings of the user, or an indication of a hearing impairment or a visual impairment of the user.
  • the portion of the medical user data can for example refer to a pre-existing condition of the user.
  • the downloading step can comprise receiving at least a portion of the medical user data from a database server.
  • the downloading step can comprise sending a portion of the sample data or a data element generated thereof to the database server.
  • a data element can for example be an identification of the sample, as discussed above, or a hash of said identification.
  • the downloading step can comprise sending the portion of the sample data or the data element generated thereof to the database server and receiving the portion of the medical user data from the database server after sending said portion.
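The authenticity check for downloaded display data and medical environment data (and equally for analysis model data that the trusted third party signs or confirms), as an added Go example that is not part of the patent: the third party set carries each party's Ed25519 public key as its indication, the third party signs every update over its kind and payload, and the device accepts an update only if it verifies under one of the keys in its set. The hashed sample identification sent to the database server is included as a second function. The SignedUpdate wire format, the kind strings, the URLs and the tracking code are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// TrustedThirdParty is one entry of the third party set: who the party is,
// where the device pulls updates from, and the party's public key (the
// "indication" of the party).
type TrustedThirdParty struct {
	Name      string
	URL       string // assumed field; the page names a URL or IP address as possible indications
	PublicKey ed25519.PublicKey
}

// SignedUpdate is an assumed wire format for an updated portion of the
// display data, the medical environment data or the analysis model data: the
// kind of data, the payload and the third party's detached signature over both.
type SignedUpdate struct {
	Kind      string // e.g. "display_data", "medical_environment_data", "analysis_model_data"
	Payload   []byte
	Signature []byte
}

// signingInput binds the kind to the payload with a separator the kind
// cannot contain, so a valid display-data update cannot be replayed as an
// environment-data update.
func signingInput(kind string, payload []byte) []byte {
	msg := append([]byte(kind), 0)
	return append(msg, payload...)
}

// NewTrustedThirdParty generates a key pair for the party; the private half
// stays on the party's server, the public half goes into the device's set.
func NewTrustedThirdParty(name, url string) (TrustedThirdParty, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return TrustedThirdParty{}, nil, err
	}
	return TrustedThirdParty{Name: name, URL: url, PublicKey: pub}, priv, nil
}

// SignUpdate is the third party's side; it runs on the third party server.
func SignUpdate(priv ed25519.PrivateKey, kind string, payload []byte) SignedUpdate {
	return SignedUpdate{Kind: kind, Payload: payload, Signature: ed25519.Sign(priv, signingInput(kind, payload))}
}

// VerifyUpdate is the device's side of the downloading step. The update is
// accepted only if its signature verifies under a key from the third party
// set; the name of the matching party is returned so the caller can log it.
func VerifyUpdate(set []TrustedThirdParty, u SignedUpdate) (string, error) {
	for _, p := range set {
		if len(p.PublicKey) != ed25519.PublicKeySize {
			continue // malformed entry; ed25519.Verify would panic on it
		}
		if ed25519.Verify(p.PublicKey, signingInput(u.Kind, u.Payload), u.Signature) {
			return p.Name, nil
		}
	}
	return "", errors.New("update is not signed by any trusted third party; discarding")
}

// SampleLookupID is the data element derived from the sample identification
// that the device sends to the database server instead of the raw tracking
// code. Tracking codes are short, so an unkeyed digest can be brute-forced by
// anyone who knows the code format; it hides the code from casual observation,
// nothing more.
func SampleLookupID(trackingCode string) string {
	sum := sha256.Sum256([]byte(trackingCode))
	return hex.EncodeToString(sum[:])
}

func main() {
	cdc, cdcKey, err := NewTrustedThirdParty("disease control center", "https://cdc.example")
	if err != nil {
		panic(err)
	}
	set := []TrustedThirdParty{cdc}
	// Constructed update: the environment-data portion for the user's region.
	upd := SignUpdate(cdcKey, "medical_environment_data", []byte(`{"region":"AT","influenza_risk":"high"}`))
	who, err := VerifyUpdate(set, upd)
	fmt.Printf("signed by %q, err=%v\n", who, err)
	upd.Payload = []byte(`{"region":"AT","influenza_risk":"low"}`) // tampered in transit
	_, err = VerifyUpdate(set, upd)
	fmt.Printf("after tampering: err=%v\n", err)
	fmt.Println("sample lookup id:", SampleLookupID("SMP-2020-000123"))
}
```

Verification happens against the keys the device already holds, not against anything the update itself carries; an update that arrives with its own "public key" attached proves nothing. Rotation of a third party's key is therefore itself an update that must be signed by a key already in the set.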
  • the method can comprise performing an outputting step (OS).
  • the end user computer device can perform the outputting step.
  • the outputting step (OS) can comprise outputting a portion of the output data.
  • the outputting step (OS) can comprise outputting the updated portion of the display data.
  • the method can comprise outputting the received portion of the medical user data.
  • the outputting step can comprise outputting the received portion of the medical user data.
  • the end user computer device can output these data by the user interface.
  • the method can comprise performing a monitoring step (MS).
  • the monitoring step can comprise analysing changes in at least one of the medical user data and the sensed physiological data.
  • the monitoring step can comprise analysing changes in the analysis-portion of the user input data.
  • Analysing the changes in at least one of the medical user data and the sensed physiological data can be based on the analysis model data.
  • the monitoring step can comprise generating the estimation of the probability of a medical condition of the user.
  • the monitoring step can comprise monitoring a condition of the user, or a development of a condition of a user.
  • the monitoring step can comprise monitoring a development of a condition of the user.
  • the contact establishment step can be performed based on the generated estimation of at least one of the monitoring step and the analysis step.
  • the method can comprise performing an uploading step (US).
  • the uploading step (US) can comprise uploading data to an intermediary server system.
  • the intermediary server system can comprise a single computer, a server, a server network, a cloud system or another data-processing system that can perform the functionality of a server.
  • the intermediary server system can also comprise the server from which data can be downloaded in the download step.
  • the server, the intermediary server and/or the intermediary server system can comprise a single server, a server system composed of multiple servers, and/or a program emulating the functionality of a server, running on a cloud computing platform or any system configured to implement the functionality of a server.
  • the server and/or the server system can comprise means of data processing, such as, processor units, hardware accelerators and/or microcontrollers.
  • the server can comprise memory components, such as, main memory (e.g. RAM), cache memory (e.g. SRAM) and/or secondary memory (e.g. HDD, SSD).
  • the server and/or the server system can comprise busses configured to facilitate data exchange between components of the server, such as, the communication between the memory components and the processing components of the server (system).
  • the server and/or the server system can comprise network interface cards that can be configured to connect the server to a network, such as, to the Internet.
  • the server and/or the server system can comprise user interfaces, such as:
  • output user interface such as screens or monitors configured to display visual data and/or speakers configured to communicate audio data
  • input user interface such as a camera, a microphone configured to capture audio data, a keyboard, a trackpad, mouse, touchscreen and/or joystick.
  • the server can also be configured to be controlled from another computer system, such as via a remote-desktop connection, via a secure shell connection (SSH) or the like.
  • the server and/or the server system can be a processing unit configured to carry out instructions of a program.
  • the server and/or the server system can be a system-on-chip comprising processing units, memory components and busses.
  • the server and/or the server system can be a processing unit or a system-on-chip that can be interfaced with a personal computer, a laptop, a pocket computer, a smartphone, a tablet computer and/or user interfaces (such as the above-mentioned user interfaces).
  • the uploading step (US) can comprise uploading data relating to at least one of a usage of the end user computer device and technical details of the end user computer device.
  • Technical details of the end user computer device can for example be a type of the end user computer device, a software version running on the end user computer device, and the like.
  • the method can comprise receiving instruction data from the intermediary server.
  • the end user computer device can receive the instruction data from the intermediary server.
  • the instruction data can comprise an uploading criterion and an indication of data types.
  • the uploading criterion can relate to at least one of the user location set, the user input data and the medical user data on the end user computer device.
  • the uploading step can comprise verifying whether the uploading criterion is matched by the data stored on the end user computer device.
  • the uploading step can further comprise uploading at least one or a plurality of upload data element(s) from at least one of the user location set, the user input data and the medical user data to the intermediary server if the uploading criterion is matched.
  • the uploading criterion is "matched" when, applied to the respective data on the end user computer device, it evaluates to a pre-defined value, such as "true" or 1.1, or to a value within a pre-defined range, such as "number > 1.0".
  • the criterion can have a default value, such as a default value that corresponds to a not-matched value.
  • An optional advantage can be that, if, for any reason, the uploading criterion was not evaluated, the default value corresponds to "not matched", so the probability of accidentally transmitting sensitive data is reduced and fail safety is hence increased.
  • the method can comprise not uploading the upload data element(s) if the uploading criterion is not matched.
  • the method can comprise not uploading an identity of the user to the intermediary server.
  • the method can comprise performing an anonymizing step (AN).
  • the anonymizing step (AN) can be performed by the end user computer device.
  • the anonymizing step (AN) can comprise removing identifying data from the upload data element(s).
  • the anonymizing step (AN) can also comprise inhibiting uploading data element(s) that comprise an identity of the user.
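The uploading criterion with its not-matched default, and the anonymizing step, as an added Go example that is not part of the patent: the instruction data carry a criterion and the permitted data types; the criterion evaluates to not matched whenever it is absent, cannot be evaluated, or is false, and then nothing is uploaded; when it matches, only the listed data types are assembled, with identifiers left out, identifying input fields removed and the location set reduced to regions. The comparison shape of the criterion, the field names, the constructed sample data and the list of identifying keys are assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Location is one entry of the user location set.
type Location struct {
	Region   string
	Lat, Lon float64
}

// LocalData stands in for the data stored on the end user computer device.
type LocalData struct {
	UserID, DisplayName string
	LocationSet         []Location
	UserInput           map[string]string  // e.g. "language": "de", "cough": "yes"
	MedicalUserData     map[string]float64 // e.g. "body_temperature_c": 38.4
}

// Criterion is the uploading criterion carried by the instruction data. Its
// shape is an assumption for this example: one medical field compared against
// a threshold, "matched" when the comparison is true.
type Criterion struct {
	Field, Op string // Op is one of the keys of ops
	Value     float64
}

// Instruction is the instruction data received from the intermediary server.
type Instruction struct {
	Criterion *Criterion // nil when the server sent no criterion
	DataTypes []string   // "user_location_set", "user_input_data", "medical_user_data"
}

var ops = map[string]func(v, t float64) bool{
	">": func(v, t float64) bool { return v > t }, ">=": func(v, t float64) bool { return v >= t },
	"<": func(v, t float64) bool { return v < t }, "<=": func(v, t float64) bool { return v <= t },
	"==": func(v, t float64) bool { return v == t },
}

// identifyingInputKeys are user-input fields treated as identity (assumed list).
var identifyingInputKeys = map[string]bool{"name": true, "email": true, "phone": true, "address": true}

// Matched evaluates the criterion against the local data. It yields the
// default "not matched" whenever the criterion is absent, names a field the
// device does not hold, or uses an unknown operator, so a criterion that
// cannot be evaluated never leads to an upload.
func Matched(c *Criterion, d LocalData) bool {
	if c == nil {
		return false
	}
	v, ok := d.MedicalUserData[c.Field]
	op, known := ops[c.Op]
	return ok && known && op(v, c.Value)
}

// PrepareUpload returns the upload elements (data type -> fields) for the
// intermediary server, or nil when nothing may be sent. The user's identity
// never enters an element: identifiers are not copied, identifying input
// fields are removed and the location set is reduced to the regions visited.
func PrepareUpload(d LocalData, in Instruction) map[string]map[string]any {
	if !Matched(in.Criterion, d) {
		return nil
	}
	out := map[string]map[string]any{}
	for _, t := range in.DataTypes {
		fields := map[string]any{}
		switch t {
		case "user_location_set":
			var regions []string
			for _, l := range d.LocationSet {
				regions = append(regions, l.Region) // coordinates are dropped
			}
			fields["regions"] = regions
		case "user_input_data":
			for k, v := range d.UserInput {
				if !identifyingInputKeys[strings.ToLower(k)] {
					fields[k] = v
				}
			}
		case "medical_user_data":
			for k, v := range d.MedicalUserData {
				fields[k] = v
			}
		default:
			continue // data types the device does not know are never uploaded
		}
		out[t] = fields
	}
	return out
}

func main() {
	d := LocalData{UserID: "u-1", DisplayName: "Jane", // constructed sample data
		LocationSet:     []Location{{"AT", 48.2, 16.4}, {"DE", 52.5, 13.4}},
		UserInput:       map[string]string{"language": "de", "cough": "yes", "email": "jane@example.org"},
		MedicalUserData: map[string]float64{"body_temperature_c": 38.4}}
	types := []string{"user_location_set", "user_input_data", "medical_user_data"}
	fmt.Println("matched:", PrepareUpload(d, Instruction{&Criterion{"body_temperature_c", ">", 38.0}, types}))
	fmt.Println("no criterion:", PrepareUpload(d, Instruction{DataTypes: types}))
}
```

The two decisions worth copying are that an unevaluable criterion is treated as not matched rather than as matched, and that anonymization is done by constructing the upload from an allow-list of fields rather than by deleting known identifiers from a copy of everything; the former makes the device fail closed if the intermediary server sends malformed instruction data, the latter means a new identifying field in the local data does not leak by default.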
  • the method can comprise a data receiving step (DR).
  • the data receiving step (DR) can comprise receiving at least a portion of the medical user data from a measurement data processing system.
  • the measurement data processing system can for example be a data processing system used in a laboratory facility for processing generated and/or measured data.
  • the measurement data processing system can for example comprise a laboratory information system.
  • the measurement data processing system can receive measurement data from a set of measurement equipment.
  • a set of measurement equipment can comprise equipment for bio-medical and/or clinical analyses, as well known in the art.
  • the receiving can for example be via a data connection to said equipment.
  • the receiving can also comprise transmission of the measurement data to the measurement data processing system by an agent.
  • the portion of the medical user data that is received from the measurement data processing system can relate to a sample to which the sample data correspond.
  • the data receiving step (DR) can comprise receiving the sensed physiological data or a portion thereof from at least one sensing component that the end user computer device comprises.
  • the method can comprise operating the end user computer device according to an expert system method. Embodiments of said method will be discussed in the following.
  • the method can comprise operating the end user computer device according to a selective broadcasting method. Embodiments of said method will also be discussed in the following.
  • the method can also comprise performing one or more steps of the selective broadcasting method, or performing the selective broadcasting method.
  • the method can particularly comprise performing at least a part of the steps of the selective broadcasting method, which part of the steps is disclosed to be performed by the end user computer device and/or requires at least one of an action of and an interaction with the end user computer device.
  • parts of the selective broadcasting method may be performed by the end user computer device.
  • the end user computer device can comprise a comparator node.
  • the method can comprise operating the end user computer device according to a selective data transmission method. Embodiments of said method will be discussed later on.
  • the method can also comprise performing one or more steps of the selective data transmission method, or performing the selective data transmission method.
  • the user device(s) used in the selective data transmission method can be (the) end user computer device(s).
  • the method can comprise operating the end user computer device according to a distributed data transmission method. Embodiments of said method will be discussed still later on.
  • the method can also comprise performing one or more steps of the distributed data transmission method, or performing the distributed data transmission method.
  • the user device(s) used in the distributed data transmission method can be end user computer devices.
  • An expert system method for processing data on the end user computer device is disclosed.
  • the method can be a method for processing data on an end user computer device, and the method can perform a functionality of an expert system, such as a medical expert system.
  • the method can comprise processing user data by an application that can be executed by the end user computer device.
  • the end user computer device can be a medical computer device satisfying the aforementioned condition.
  • the method can comprise processing the data by means of the end user computer device.
  • the method can comprise a user data storing step that can comprise storing at least a part of the user data on the end user computer device.
  • the method can comprise storing the user data on the data storage component.
  • the data storing step can comprise storing the data to be stored on the end user computer device, particularly on the data storage component.
  • the data storing step can comprise storing medical data. That is, the data storing step can comprise storing data regarding a user's health condition, his/her DNA, information about diseases, diseases in the family, a nutrition of the user or the like. Particularly, the method can comprise storing the medical data on the data storage component.
  • the user data storing step can comprise a technical user data storing step that comprises storing technical user data in a machine-interpretable form.
  • a machine-interpretable form can be a form that renders data processable by a computer, such as by a formatting convention of data in files, by defining standard units or by applying standards regarding the naming of one, a plurality or all fields that the computer is supposed to interpret.
  • the technical user data can comprise medical user data.
  • the technical user data storing step can comprise storing technical user data that are encoded with at least a homogeneous naming for fields. That is, there can be a common naming of values that correspond to the same variable, such as a blood pressure. Such a naming is for example the LOINC standard. The naming can nevertheless also follow any other standard, as long as it is consistently applied.
  • the technical user data storing step can comprise, for each field, encoding values with the same unit, such as a weight in kg.
  • the technical user data storing step can comprise furthermore storing at least partially automatically generated medical data.
  • These at least partially automatically generated medical data can comprise at least one medical image, such as an image obtained by X-ray radiography, ultrasound imaging, magnetic resonance imaging and/or a computed tomography scan.
  • the image can comprise a visual representation of at least a part of a user's body.
  • the medical data can also comprise at least one result of a laboratory analysis of material originating from or expelled by the human body.
  • material can comprise tissue samples and/or body fluids, such as blood or urine.
  • the laboratory analysis can comprise analysis data from a medical and/or a clinical laboratory.
  • the medical data can also comprise data from a sensing device that senses biometric or medical data of the user.
  • the medical data that are at least partially automatically generated can also be fully automatically generated. These data can also be at least partially automatically transmitted to the user device.
  • processing user data by the application can comprise processing the technical user data.
  • the application can be executed by the end user computer device. That is, the method can comprise processing the technical user data by the application. The method does not need to comprise processing other parts of the user data in such embodiments.
  • processing the technical user data can comprise an information deriving step that can comprise deriving information from the technical user data by the application. The information deriving step can thus comprise generating derived information.
  • the end user computer device can perform the information deriving step.
  • the information deriving step can comprise deriving medical information from the technical user data by the application.
  • the application can comprise a machine learning model.
  • the information deriving step can comprise deriving the information based on the machine learning model.
  • This disclosure considers machine learning models to comprise neural networks.
  • the machine learning model can be a supervised machine learning model, and it can be a classifier.
  • the machine learning model can be, for example, a decision tree, a random forest model or a k-NN model.
  • the machine learning model can optionally advantageously be configured to accept the medical data in the machine interpretable form and to output a diagnosis or another reference to corresponding output data.
  • An optional advantage of such models can be that their training may be less cumbersome than generating a program based on medical rules or medical knowledge that are translated into a computer code.
  • the application can comprise an expert system and the information deriving step can comprise deriving the information based on the expert system.
  • the expert system can comprise a model built for medical questions or medical problems.
  • the expert system can be a medical expert system. That is, the expert system can be configured to solve medical questions.
  • the expert system can comprise medical knowledge.
  • the medical expert system can comprise at least a part of a rule-based inference engine.
  • the medical expert system can also comprise the rule-based inference engine. That is, the medical expert system can also be implemented by a rule-based inference engine with appropriate data, as will be detailed later on.
  • An optional advantage of implementing the medical expert system using a rule-based inference engine is that the inference engine's operation is a deterministic algorithm and that furthermore, for every result, at least one rule indicates the reason for the result. In a context of analysis of medical data, this can be an optional advantage over algorithms where it is harder to deduce the causal relation between input and output.
  • the (medical) expert system can be a part of the application.
  • the expert system can be implemented in software.
  • the expert system can be executed by the end user computer device.
  • the application or a part thereof can derive information from the technical user data using their machine-interpretable form or at least one property of this machine-interpretable form.
  • the part of the application can for example be the machine learning model or the rule-based inference engine.
  • Using said machine-interpretable form comprises using at least one property of the machine-interpretable form, such as one of the detailed properties described above.
  • An optional advantage of using the machine-interpretable form can be that the application of rules by the rule-based inference engine yields correct results with a higher probability, as the risk of a wrong interpretation of input data due to their form is lowered.
  • For a machine-learning model, even though there might be models configured to interpret input in a form that is not machine-interpretable, an at least implicit conversion of the input data into a form that is machine-interpretable or that an algorithm can process may introduce errors.
  • the application can be specified by application data.
  • the application data can specify to a processor or to a computer device which steps to perform when running the application.
  • the method can comprise storing the application data, particularly by means of the data storage component of the end user computer device.
  • the application data can comprise display data.
  • the display data can comprise data that are configured to be outputted to a user. They can for example comprise media data, such as sound data, text data, video data or image data. They can also comprise other data that is configured to be outputted to a user, such as data that is displayed by activating luminous elements corresponding to certain states of operation or to certain results.
  • the application data can comprise knowledge base data.
  • the knowledge base data can comprise at least a part of data that are configured to specify a relation between input data and output data of the application.
  • the knowledge base data can comprise, for example, rules in case of a rule-based inference engine, or a trained model in case that the application comprises the machine learning model.
  • the application data can comprise inference engine data.
  • the inference engine data can comprise at least a part of data that specify an evaluation of the input data using the knowledge base data.
  • data that specify the evaluation can for example be data that specify the evaluation of rules from the knowledge base data.
  • the user data storing step can comprise storing the derived information or indicators thereof. That is, at least a part of the derived information is stored at least indirectly with the user data. This can have an advantage, as this derived information can be user-specific and may therefore need a same treatment, such as an encryption or a backup-routine, as other user data.
  • storing the derived information or the indicators thereof can comprise storing at least one reference to at least one part of the display data. This can be optionally advantageous as it can allow to save data storage capacity on the user device as well as on a backup of the user data.
  • Storing the derived information or the indicators thereof can also comprise copying at least one part of display data.
  • Copying the display data can comprise copying the display data to the user data. This can be optionally advantageous as the corresponding parts of the display data can be outputted without accessing the display data, which may bring advantages for example if the display data are encrypted and accessing them therefore consumes computational capacities or if the derived information is transmitted to another device that cannot access the display data. This option can also be advantageous because of a lower complexity of an implementation of the application, in particular if the display data are encrypted.
  • Storing the derived information or the indicators thereof can also comprise generating data at least based on display data. This can comprise for example generating personalised data. This can also comprise adding user specific data to a template that can be part of the display data. The user specific data can be a part of the user data or of the derived information or the indicators thereof or both.
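The items above describe technical user data with a homogeneous field naming and one unit per field, knowledge base data holding rules, inference engine data evaluating those rules deterministically, and derived information stored with a reference into the display data. The following is an added example (not code from the patent or from Medicus AI) of such a rule-based inference engine. The LOINC-style codes, the unit table, the rule ids, the thresholds and the display references are constructed assumptions for illustration, not medical advice; every result carries the id of the rule that produced it, which is the explainability property the text attributes to a rule-based engine.

```python
"""Deterministic rule-based inference over machine-interpretable user data.

Added example, not code from the patent or from Medicus AI. Field codes,
units, rule ids, thresholds and display references are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Homogeneous naming: one code per variable (LOINC-style codes used as
# illustration) and one fixed dimension unit per field.
FIELD_UNITS = {          # assumed unit convention of the technical user data
    "8480-6": "mm[Hg]",  # systolic blood pressure
    "8462-4": "mm[Hg]",  # diastolic blood pressure
    "29463-7": "kg",     # body weight
    "8302-2": "cm",      # body height
}


@dataclass
class Rule:
    rule_id: str                                  # stored as the reason
    needs: List[str]                              # fields the rule reads
    condition: Callable[[Dict[str, float]], bool]
    conclusion: str                               # derived information
    display_ref: str                              # reference into display data


@dataclass
class Derived:
    conclusion: str
    reason: str        # rule id: "for every result, at least one rule indicates the reason"
    display_ref: str   # stored instead of a copy of the display data


def validate(record: Dict[str, dict]) -> Dict[str, float]:
    """Accept only known field codes carrying the expected unit.

    Refusing a wrong unit here is the point of the machine-interpretable
    form: a rule never has to guess whether a weight is in kg or lb.
    """
    values: Dict[str, float] = {}
    for code, entry in record.items():
        if code not in FIELD_UNITS:
            raise ValueError(f"unknown field {code}")
        if entry["unit"] != FIELD_UNITS[code]:
            raise ValueError(f"{code}: expected {FIELD_UNITS[code]}, got {entry['unit']}")
        values[code] = float(entry["value"])
    return values


def bmi(v: Dict[str, float]) -> float:
    height_m = v["8302-2"] / 100.0
    return v["29463-7"] / (height_m * height_m)


# Knowledge base data: constructed rules, thresholds chosen for illustration only.
KNOWLEDGE_BASE = [
    Rule("R1", ["8480-6", "8462-4"],
         lambda v: v["8480-6"] >= 140 or v["8462-4"] >= 90,
         "elevated_blood_pressure", "display/bp_elevated"),
    Rule("R2", ["29463-7", "8302-2"],
         lambda v: bmi(v) >= 30,
         "bmi_class_obese", "display/bmi_obese"),
]


def infer(record: Dict[str, dict], rules=KNOWLEDGE_BASE) -> List[Derived]:
    """Inference engine: evaluate every rule whose inputs are present.

    The evaluation order is fixed and no randomness is involved, so the
    same record always yields the same derived information.
    """
    values = validate(record)
    derived: List[Derived] = []
    for rule in rules:
        if all(f in values for f in rule.needs) and rule.condition(values):
            derived.append(Derived(rule.conclusion, rule.rule_id, rule.display_ref))
    return derived


if __name__ == "__main__":
    # Constructed sample record in the machine-interpretable form.
    sample = {
        "8480-6": {"value": 150, "unit": "mm[Hg]"},
        "8462-4": {"value": 85, "unit": "mm[Hg]"},
        "29463-7": {"value": 95, "unit": "kg"},
        "8302-2": {"value": 170, "unit": "cm"},
    }
    for d in infer(sample):
        print(d)
```

Rules that need a field the record lacks are skipped rather than evaluated on a default, so partial records never produce a conclusion the data cannot support; the `display_ref` in each result is what the user data storing step keeps instead of a copy of the display data.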
  • the method can comprise a data outputting step.
  • the data outputting step can comprise outputting at least a part of the user data by the end user computer device.
  • the data outputting step can also comprise outputting at least a part of the display data by the end user computer device.
  • the former can be optionally advantageous if the derived information or the indicators thereof are stored at least by copying at least one part of the display data, in particular if the at least one part of the display data is stored with the user data.
  • the former can also be advantageous if the derived information or the indicators thereof are at least stored by generating data at least based on display data, in particular if those are stored with the user data.
  • the latter can be optionally advantageous if storing the derived information or the indicators thereof comprises at least storing at least one reference to at least one part of the display data, as in this case, at least the at least one part of the display data can be foreseen to be outputted.
  • the data outputting step can comprise outputting at least a part of the derived information or the indicators thereof that are stored on the end user computer device.
  • data on the end user computer device can comprise encrypted data. That is, at least a part of the data on the end user computer device can be encrypted.
  • a part of the data stored by the data storage component can be encrypted.
  • the method can comprise encrypting at least a part of the user data.
  • This can comprise encrypting data that are configured to identify a user, such as his e-mail address, name, date of birth or the like.
  • This can also comprise applying a particular encryption that is required by a regulation for a particular type of data only to the corresponding parts of the user data that comprise said particular type of data.
  • An example would be medical data.
  • encrypting at least a part of the user data can comprise encrypting at least a part of the technical user data.
  • the encrypted data can further comprise at least a part of the application data.
  • the encrypted data can also comprise at least a part of the display data.
  • the encrypted data can also comprise the display data. This can be optionally advantageous, as the display data can be the most vulnerable part of the application data from a business perspective, as detailed above.
  • the method can comprise a data adding step.
  • the data adding step can comprise adding data to the user data on the end user computer device.
  • the data adding step can comprise storing further data on the end user computer device, particularly on the data storage component.
  • the method can comprise providing an interface for adding data to the user data by manual input.
  • Said interface can be an interface configured to enable a user to input data, such as a microphone, a keyboard, a touch-sensitive screen or a camera.
  • the data adding step can comprise using an optical input device, such as a camera.
  • the optical input device can be connected at least indirectly to the end user computer device.
  • the optical input device can be remote from the end user computer device, such as a scanner that is connected to the end user computer device, for example via WLAN or via internet.
  • the optical input device, such as the camera can also be connected to the end user computer device directly, such as a webcam that is connected to a desktop computer via USB.
  • the optical input device can also be mounted to the end user computer device, such as a camera in a smartphone.
  • the data adding step can comprise adding text data to the user data.
  • Adding the text data to the user data can comprise using the optical input device, such as the camera for adding at least a part of the text data.
  • the method can comprise applying at least optical character recognition to the data captured by the optical input device, such as images captured with a camera.
  • This can be optionally advantageous in cases where at least a part of data that are added are available as text, in particular as text printed on paper.
  • this can be furthermore optionally advantageous as it renders a human interaction unnecessary and as the human interaction might inflict disadvantages, e.g. introduce errors or be more cumbersome, as a machine-interpretable form is not necessarily optimised for treatment by a human operator.
  • the data adding step can also comprise receiving input data from a data server and adding at least a part of the input data to the user data.
  • This can be optionally advantageous in a case where the input data are already stored in a computer system, such as in case of a health care provider who keeps digital patient records or in case of a medical or clinical laboratory that provides results of at least one or a plurality of analyses in a digital form, as it saves a supplementary interaction step for a user and/or medical personnel.
  • the data adding step can also comprise receiving data from at least one sensing device.
  • the at least one sensing device can be configured to sense data related to a user.
  • an accelerometer sensor can add motion data of the user.
  • a dosimeter could measure a dose of radiation.
  • a location sensing device, such as a GPS receiver with an appropriate calculation unit, could measure a user's position.
  • At least one of the at least one sensing device can also be configured to sense physiological data related to the user, such as a pulse of the user, a blood pressure of the user or another measure for condition of the user.
  • the method can comprise an updating step.
  • the updating step can comprise sending at least a part of update data from the server and receiving at least the part of the update data by the end user computer device.
  • the updating step can be optionally advantageous for changes in the application data from a technical point of view, but also for updates of the knowledge base data in case of new medical findings or rules and for updates of the display data in the respective case or in case of new display data that is for example better accepted by users, e.g. in case of new findings of research or if the users' taste shifts over time or is just better known to the provider of the display data.
  • the updating step can comprise adapting at least a part of the application data on the end user computer device according to the received update data. That is, the update data can comprise data to replace at least one part of the application data.
  • the update data can also comprise data that indicate changes to be performed to at least one part of the application data.
  • the update data can comprise an instruction to receive or download data from another data source to replace at least one part of the application data.
  • the method can also comprise repeating at least a part of the information deriving step after the updating step. This can be optionally advantageous if the display data changed, as the user might get another output for a set of same derived information after the updating step is performed, or if the knowledge base data are modified, as the application might derive different information from a same set of user data after performing the updating step.
  • the method can further comprise sending at least an indicator of the updating step or a result thereof.
  • the method can also comprise sending an indicator of the application data, such as a version of the application data or a hash of the application data or of a part thereof, in particular after performing an updating step.
  • the method can also comprise sending at least an indicator of the end user computer device or of technical features thereof.
  • the sending of at least an indicator can be performed from the end user device to another device such as the server.
  • Sending said data can be optionally advantageous for a provider of the application to adapt the application or to ensure that the application data on the end user computer device are identical to the version of the application data that is foreseen by the provider of the application data.
  • This sending step may also be advantageous to detect a malicious or at least unforeseen modification of the application data.
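The updating step and the indicator of the application data described above (a version or a hash of the application data, sent to the server, used to confirm that the device holds the foreseen version and to detect an unforeseen modification) can be put together as follows. This is an added example, not code from the patent or from Medicus AI; the layout of the application data, the version strings, the update message and the server-side table of foreseen hashes are constructed assumptions.

```python
"""Application-data indicator: version plus hash, checked against the foreseen version.

Added example, not code from the patent or from Medicus AI. The application
data layout, versions, update message and foreseen-version table are constructed.
"""
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed application data on the end user computer device.
APP_DATA_V1 = {
    "version": "1.0",
    "knowledge_base": {"rules": ["R1"]},
    "inference_engine": {"strategy": "forward_chaining"},
    "display": {"bp_elevated": "Your blood pressure reading is elevated."},
}

# Constructed update data: replaces one part of the application data.
UPDATE_TO_V2 = {"version": "1.1", "replace": {"knowledge_base": {"rules": ["R1", "R2"]}}}


def app_data_hash(app_data: dict) -> str:
    """SHA-256 over a canonical serialisation of every part of the application data.

    sort_keys and fixed separators make the bytes independent of dict insertion
    order, so the same content always yields the same indicator.
    """
    canonical = json.dumps(app_data, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def indicator(app_data: dict) -> dict:
    """The indicator the device sends to the server, e.g. after an updating step."""
    return {"version": app_data["version"], "hash": app_data_hash(app_data)}


def apply_update(app_data: dict, update: dict) -> dict:
    """Updating step on the device: replace the named parts, keep the rest.

    Works on a copy so the previous application data can be kept for rollback.
    """
    updated = deepcopy(app_data)
    for part, content in update["replace"].items():
        updated[part] = content
    updated["version"] = update["version"]
    return updated


def check_indicator(ind: dict, foreseen: dict) -> str:
    """Server side: compare the reported indicator with the foreseen hash of that version.

    Returns 'ok', 'unknown_version' (no foreseen hash for the reported version)
    or 'modified' (version known, content differs from what the provider shipped).
    """
    expected = foreseen.get(ind["version"])
    if expected is None:
        return "unknown_version"
    return "ok" if hmac.compare_digest(expected, ind["hash"]) else "modified"


if __name__ == "__main__":
    foreseen = {"1.0": app_data_hash(APP_DATA_V1)}
    print(check_indicator(indicator(APP_DATA_V1), foreseen))
    v2 = apply_update(APP_DATA_V1, UPDATE_TO_V2)
    foreseen["1.1"] = app_data_hash(apply_update(APP_DATA_V1, UPDATE_TO_V2))
    print(check_indicator(indicator(v2), foreseen))
```

The server learns only the version and a digest, not the user data, which matches the stated purpose of the sending step. Because the digest covers the display data as well as the knowledge base, a change to either part (whether a legitimate update that was not recorded as foreseen, or an unforeseen modification) shows up as a mismatch.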
  • the method can comprise sending a part of the user data to another device, such as the server, a third party's server or a device configured to generate a backup of said part of the user data, such as a printer or a data storage device or system.
  • the method can comprise sending a part of the user data to another device only if at least one transfer condition of a transfer condition set is matched.
  • the other device can be a device such as the server, a third party's server or a device configured to generate a backup of said part of the user data, such as a printer or a data storage device or system.
  • the transfer condition set comprises at least one transfer condition, wherein the method can comprise requiring only matching one of the at least one transfer condition. Different transfer conditions can refer to at least one same element.
  • the transfer condition set can comprise at least one transfer condition.
  • At least one of the at least one transfer condition can refer to an anonymisation of at least a part of the user data that is sent.
  • At least one of the at least one transfer condition can also refer to an authorization by the user or an authorized third party.
  • the anonymisation can comprise removing or concealing at least a part of information before or while sending it to the server.
  • the anonymisation can also comprise limiting a precision of at least a part of information that is sent.
  • the anonymisation can also comprise adding random data to the data that is sent or at least a part thereof.
  • the authorized third party may be for example an emergency medical physician, a paramedic, a hospital, a coroner's office or the like.
  • the method can also comprise preventing sending the user data from the end user computer device if none of the transfer conditions of the transfer conditions set are satisfied. This can be optionally advantageous to ensure a confidentiality of data on the end user computer device and in particular of the user data or parts thereof.
  • the method can also comprise preventing sending the user data from the end user computer device. That is, the method can comprise preventing sending the user data from the end user computer device at all. This can be optionally advantageous if the user wants a high level of privacy, if data transmission networks to which the end user computer device is connected or can be connected cannot be trusted or the like.
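The transfer condition set described above, with one condition referring to anonymisation (removing or concealing fields, limiting precision, adding random data) and one referring to authorization by the user or an authorized third party, and with sending prevented when no condition is matched, can be implemented as a gate on the device. This is an added example, not code from the patent or from Medicus AI; the field names, the list of identifying fields, the set of authorized third parties, the precision step and the noise range are constructed assumptions.

```python
"""Transfer-condition gate: user data leave the device only if a condition matches.

Added example, not code from the patent or from Medicus AI. Field names, the
identifying-field set, the authorized-party set, the rounding step and the
noise range are constructed assumptions.
"""
import random
from typing import Callable, Dict, List, Optional, Tuple

IDENTIFYING = {"name", "email", "date_of_birth"}           # assumed identifying fields
AUTHORIZED_PARTIES = frozenset({"emergency_physician", "paramedic"})  # assumed

# Constructed sample user data held on the end user computer device.
SAMPLE_USER = {
    "name": "Constructed Person",
    "email": "constructed@example.invalid",
    "date_of_birth": "1980-06-01",
    "weight_kg": 83.4,
    "systolic_mmhg": 128,
}


def anonymise(user_data: dict, rng: random.Random) -> dict:
    """Apply the three anonymisation options named in the text.

    1. remove/conceal: drop identifying fields, keep only the birth year;
    2. limit precision: round the weight to 5 kg steps;
    3. add random data: perturb the systolic value by a small bounded offset.
    """
    out = {k: v for k, v in user_data.items() if k not in IDENTIFYING}
    if "date_of_birth" in user_data:
        out["birth_year"] = int(user_data["date_of_birth"][:4])
    if "weight_kg" in out:
        out["weight_kg"] = 5 * round(out["weight_kg"] / 5)
    if "systolic_mmhg" in out:
        out["systolic_mmhg"] += rng.randint(-3, 3)
    return out


def authorized(request: dict, user_consented: bool, parties=AUTHORIZED_PARTIES) -> bool:
    """Authorization condition: the user consented, or the requester is an authorized third party."""
    return user_consented or request.get("requester") in parties


def transfer(user_data: dict, request: dict, user_consented: bool,
             rng: Optional[random.Random] = None) -> Tuple[Optional[str], Optional[dict]]:
    """Return (matched_condition, payload); (None, None) means nothing is sent.

    Conditions are tried in order and only one needs to match. Anonymisation is
    tried first so that, when it was requested, the smaller payload wins even if
    the requester would also have been authorized to receive the full data.
    """
    rng = rng or random.Random()
    conditions: List[Tuple[str, Callable[[], Optional[dict]]]] = [
        ("anonymised", lambda: anonymise(user_data, rng) if request.get("anonymise") else None),
        ("authorized", lambda: dict(user_data) if authorized(request, user_consented) else None),
    ]
    for name, produce in conditions:
        payload = produce()
        if payload is not None:
            return name, payload
    return None, None     # no transfer condition matched: data stay on the device


if __name__ == "__main__":
    print(transfer(SAMPLE_USER, {"requester": "research_server", "anonymise": True}, False))
    print(transfer(SAMPLE_USER, {"requester": "research_server"}, False))
    print(transfer(SAMPLE_USER, {"requester": "paramedic"}, False))
```

The `rng` parameter exists so a test can pass a seeded generator; in use the default unseeded generator is what makes the added noise unpredictable to the recipient. Note that the anonymised payload is built from a filtered copy, so the identifying fields are never present in the object that leaves the function.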
  • At least a part of the information deriving step can be performed only on the end user computer device.
  • running the expert system or the rule-based inference engine can be performed only on the end user computer device.
  • the method can also comprise performing the information deriving step only on the end user computer device.
  • the features described in the preceding two paragraphs can be optionally advantageous as the user data do not need to be shared with another entity, such as an analysis server. This can optionally advantageously reduce the number of systems that can be attacked by a malicious third party in order to obtain a part of the user data. It can furthermore optionally advantageously reduce the need for computer system resources on the side of the operating party.
  • a method for selectively broadcasting data is disclosed.
  • the selective broadcasting method can comprise sending a broadcasting message comprising at least recipient criteria and broadcasted content from at least one broadcasting party to a plurality of end user computer devices.
  • the method can comprise receiving such a broadcasting message by means of the end user computer devices.
  • At least some end user computer devices can each comprise a comparator node.
  • the selective broadcasting method can comprise comparing the recipient criteria to a portion of the user data stored on each user device by the comparator node.
  • the selective broadcasting method can further comprise processing the broadcasted content on each end computer user device where the comparator node outputted a successful comparison of the recipient criteria to user data. Outputting a successful comparison can mean communicating such a successful comparison to another portion of the end computer user device, e.g. to its data-processing component.
  • the broadcasting message may comprise a plurality of data and/or instructions that can be interpretable by a machine, such as a processor.
  • the data and/or instructions can be at least partially machine-interpretable.
  • the recipient criteria may comprise certain parameters identifying an intended recipient. For example, an age range, sex, medical condition or the like can be examples of recipient criteria.
  • the broadcasted content may comprise data such as text, images, video, sound or the like.
  • the comparator node may comprise a program or part of a program that can be configured to use computational resources of the end computer user device to perform operations.
  • the comparator node may be implemented in software.
  • the comparator node may be executed by the end computer user device, particularly by its data-processing component.
  • User data may comprise any data related to the user of the end computer user device. Multiple users may also be associated with one end computer user device, where each individual user would then have a unique "user profile" or the like. However, in some embodiments, the end computer user device may be a device for simultaneous use of at most one user.
  • a successful comparison of the recipient criteria to user data may refer to the comparator node verifying whether the recipient criteria are satisfied by user data or at least a portion thereof associated with the user of the user device.
  • this comparison may refer to matching the required parameters (such as e.g. age, sex, medical information) of the recipient criteria to the user data stored on the user device.
  • the present method allows sending targeted messages to only a certain subset of users (whose user data fulfil the recipient criteria).
  • certain such messages may comprise medical suggestions or information targeted to a specific subclass of users, such as users with a certain medical condition.
  • the messages may be sent to all devices and processed directly on the device to verify whether they are relevant to the specific user. This advantageously allows sensitive user data (such as medical history, personal identification, etc.) to remain on the user device, while relevant broadcasting content can still reach the relevant target audience.
  • the end computer user device may comprise data storage, a processing unit configured to execute a program in a suitable form and format and a communication component at least configured to communicate with a remote server.
  • the data storage may be at least partially encrypted.
  • this can allow for secure storage of potentially sensitive data, such as medical data.
  • the user device may comprise a user terminal.
  • the end computer user device may be a portable device, such as a laptop, a tablet computer, a smartphone, a wearable device, or an adapted medical device.
  • the user data may comprise personal data of a user.
  • the user data may comprise technical user data and identifying personal data.
  • the identifying personal data may comprise, for example, an address, phone number, date of birth or user name.
  • the technical user data may comprise at least partially technical medical data.
  • the technical user data may be at least partially encoded by replacing at least parts of the data by machine-interpretable expressions. Parts of user data may be encrypted.
  • the broadcasting message may be formatted in a way that indicates that said message is configured to transport data from at least one of a server and broadcasting parties to at least one user device.
  • the broadcasting message comprises recipient criteria.
  • the recipient criteria may comprise a set of at least one machine-interpretable criterion.
  • the recipient criteria can be configured to determine, based on user data saved on the user device, whether a respective user and/or the user device is an intended receiver of the broadcasted message.
  • the broadcasting message also comprises broadcasted content.
  • the broadcasted content may comprise displayable data and/or data requesting the user device to perform at least a specific action.
  • the broadcasted content may comprise data requesting the user device to perform at least a specific action.
  • Such a requested specific action may be to generate a return message and/or to send such a message.
  • the requested content of the return message may be at least partially medical data.
  • the broadcasting message may comprise information about the broadcasting party that issued it.
  • sending the broadcasting message can comprise receiving a broadcasting message from at least one broadcasting party by a server and the server transmitting the broadcasting message to the plurality of user devices. This can be useful to further protect potentially sensitive data of individuals from third parties.
  • the method can further comprise discarding the broadcasting message on each end computer user device where the comparator node did not achieve a successful comparison of the recipient criteria to user data. In other words, if the user associated with the given user data is not a target recipient for the broadcasting content, the broadcasting content will not be outputted (that is, played, displayed or presented) to this user, even though the broadcasting message arrived at the user device. This prevents users who do not fit the recipient criteria from having to go through broadcasting content that would be of no use to them, and avoids showing them advice that might not be helpful or might even be harmful.
  • the method can further comprise outputting the broadcasted content on each end computer user device where the comparator node achieved a successful comparison of the recipient criteria to user data.
  • Outputting can refer to displaying, playing, or otherwise presenting to the user the content of the broadcast (such as a message related to the user's medical condition).
  • the broadcasted content can comprise advertisement, announcement, or the like that can be pertinent to a particular user based on their user data (for example, a new available treatment or medication or the like).
  • the method can further comprise sending a notification from each end computer user device specifying results of the comparison between the recipient criteria and the user data.
  • the method can further comprise generating statistics on the notifications about at least one of the processing, delivery and at least implicitly on the comparison (or matching) of the broadcasting messages by at least one of the server and the broadcasting party. That is, it may be useful to know how many user devices actually outputted or displayed the broadcasted content to the users. In other words, it may be useful to generate statistics about how many users were targeted by the broadcasted content.
  • sending the broadcasting message can further comprise transmitting the broadcasting message by a connection configured to transfer data from the broadcasting party to the server.
  • sending the broadcasting message can further comprise connecting the end computer user devices and the server at least at some points in a period of time by a connection configured to transfer data from the server to the user devices.
  • the method can further comprise the comparator node performing a predetermined action to be performed by the user device on each user device where the comparator node achieved a successful comparison of the recipient criteria to user data.
  • Such an action can comprise, for example, outputting and/or displaying the broadcasting content, outputting parts of user data, prompting the user to perform an action, showing a notification to the user, or the like.
  • the predetermined action can be at least partially specified by at least parts of the broadcasting message.
  • the method can further comprise the comparator node limiting the possible predetermined actions that are at least partially specified by the broadcasting message.
  • the method can further comprise the server forwarding the received broadcasting message to all the end computer user devices that are connected to the server at least at some points in a period of time.
  • the method can further comprise the server forwarding the received broadcasting message to at least some of the end computer user devices that are connected to the server at least at some points in a period of time, wherein said portion can be at least defined by a characteristic specified by at least one of the server, the broadcasting party sending the broadcasting message to the server and the user devices.
  • the period of time can have a defined starting point.
  • the starting point can be specified by at least one of the server, the broadcasting party, the broadcasting message and a third entity.
  • the period of time can have a defined endpoint.
  • the endpoint can be specified by at least one of the server, the broadcasting party, the broadcasting message and a third entity.
  • the broadcasting message can be distributed to at least one of the user devices during or after an installation, updating or downloading of the comparator node.
  • the message may be transmitted to the user device while the comparator node (which may correspond to a program for interfacing with the server and/or broadcasting parties) is being installed on the device, as opposed to at a later time via a connection.
  • This may be advantageous, as there may be some broadcasting content that should be delivered to the user immediately following installation/updating/downloading of the comparator node (note that the comparator node may also correspond to an "app" on an end computer user device such as a smartphone).
  • the method can further comprise encrypting at least a part of the broadcasting message by at least one of the broadcasting party and the server.
  • the method can further comprise at least partially encrypting the broadcasting message by the broadcasting party before or while sending it to the server, at least partially decrypting the broadcasting message by the server after or while receiving said broadcasting message from the broadcasting party, at least partially encrypting the broadcasting message by the server before or while sending it to the end computer user devices, and at least partially decrypting the broadcasting message by the device after or while receiving said broadcasting message from the server.
  • the broadcasting message may generally be encrypted while in transit between secure environments of the server/broadcasting party/end computer user device to ensure data protection.
  • the method can further comprise the broadcasting party encrypting the broadcasting message at least partially with a key known to at least a portion of the end computer user devices before or while sending it to the server, and wherein at least a portion of the end computer user devices can decrypt said broadcasting message using said key known to at least a portion of the end computer user devices.
  • the selective data transmission method can comprise sending an inquiry message comprising at least request criteria from at least one broadcasting party to a plurality of end computer user devices.
  • Each end computer user device, or at least each of a plurality of end computer user devices can comprise the comparator node.
  • the selective data transmission method can comprise comparing the request criteria to at least a part or all of the user data stored on each end computer user device by the comparator node.
  • the selective data transmission method can also comprise, on each end computer user device where the comparator node achieved a successful comparison of the request criteria to user data, generating at least one return message based on at least parts of user data by the comparator node.
  • the selective data transmission method can further comprise, on each user device where the comparator node achieved a successful comparison of the request criteria to user data, sending the return message from the user device to at least one of the server and the broadcasting party.
  • the inquiry message may comprise a plurality of data and/or instructions that can be interpretable by a machine such as a processor.
  • the inquiry message may comprise a request for particular information (that is, user data) from a third party.
  • the third party may be interested in studying correlations between certain patient parameters or researching how many users exhibit particular parameters (as simple examples, the third party may be interested in average blood pressure of female users aged 25-35, or in comparing incidence of cardiovascular disease and white blood cell count in Caucasian male smokers above age 50). That is, the third party may request only a limited and specific set of parameters or data from user devices via the inquiry message.
  • the request criteria may comprise certain parameters identifying an intended recipient and/or further specifying what type of data should be returned. For example, an age range, sex, medical condition or the like can be examples of request criteria.
  • a third party may be interested in knowing how many users (associated with user devices and corresponding user data) suffer from below average kidney function.
  • the request criteria may then comprise instructions to compare kidney function values present in the user data with a certain threshold (such as a value associated with decreased kidney function), and return either simply a confirmation of the corresponding value forming part of user data below the threshold and/or the value itself.
  • the comparator node may comprise a program or part of a program that can be configured to use computational resources of the user device to perform operations.
  • User data may comprise any data related to the user of the user device. Multiple users may also be associated with one user device, where each individual user would then have a unique "user profile" or the like.
  • user data comprises, at least partially, medical data associated with the user. This can comprise results of various medical tests or procedures, diagnoses, measurements from fitness tracking or medical devices and the like.
  • a successful comparison of the request criteria to user data may refer to the comparator node verifying whether the request criteria are satisfied by user data associated with the user of the end computer user device.
  • this comparison may refer to matching the required parameters (such as e.g. age, sex, medical information) of the request criteria to the user data stored on the user device.
  • the return message based on at least parts of user data may comprise parts of user data itself (such as specific parameters requested by the request criteria), and/or simply a confirmation that upon comparison (that is, matching) between request criteria and user data, a successful comparison was achieved (for example, if the request criteria specified that only values of a certain parameter below a threshold of 10 are requested, and user data has a value of 8 for this parameter, a confirmation of a satisfied request criteria can be returned as part of the return message).
  • the return message can be formatted in a way that indicates to the server or to the broadcasting parties that said message is configured to transport data from an end computer user device to a server and/or to a broadcasting party.
  • the return message can comprise returned user data.
  • the return message can comprise user independent data, such as information about the reason for its emission, such as a reference to the inquiry message that triggered the emission/generation of said return message.
  • the return message can be encrypted.
  • the returned data can be at least partially medical data.
  • the present method may allow a third party to gain access to sensitive user data without compromising the privacy and security of the user.
  • since user data may be sensitive, it may be preferable that it is stored on the user device (that is, under the control of the user), and it may not be optimal to simply send it elsewhere for further research or analysis. Therefore, it is particularly useful to extract only the requested parts of the data (or simply a confirmation that the user data corresponds to the parameters set out by the request criteria), particularly without compromising sensitive user data or disclosing more than requested to the third party.
  • sending the inquiry message can comprise receiving an inquiry message from at least one broadcasting party by a server and the server transmitting the inquiry message to the plurality of user devices.
  • this may prevent third parties having direct access to user devices.
  • the server can then serve as an intermediary that can already filter some inquiry messages or otherwise process them before forwarding them on to the user devices.
  • the method can further comprise discarding the inquiry message on each end computer user device where the comparator node did not achieve a successful comparison of the request criteria to user data. That is, if the user data does not match the request criteria, the inquiry message may be simply discarded, and there may be no generation of the return message (additionally or alternatively, there may be a return message generated to confirm that the comparison between the request criteria and user data was not successful).
  • sending the inquiry message can further comprise transmitting the inquiry message by a connection configured to transfer data from the broadcasting party to the server.
  • sending the inquiry message can further comprise connecting the user devices and the server at least at some points in a period of time by a connection configured to transfer data from the server to the user devices.
  • the sending of the return message can be performed at any point in time after the generating at least one return message. In some such embodiments, the point of time when the sending is performed can depend on a further condition.
  • user data can comprise at least identifying data and technical data.
  • the generating of at least one of said return message can comprise inserting at least a part of the technical data and at least a part of the identifying data to the at least one return message by the comparator node.
  • inserting the technical data and the identifying data can be performed at most to the extent that was requested by the inquiry message that triggered the generation of said return message.
  • the generating of at least one of the return message can comprise furthermore processing the identifying data before inserting it to the return message.
  • the processing of the identifying data can be performed by the comparator node.
  • the method can further comprise the comparator node using a set of rules to invoke certain actions if certain portions of the user data or combinations thereof are requested by the inquiry message.
  • the processing of said inquiry message can comprise anonymising at least parts of the identifying data before inserting it to the return message.
  • the anonymising of at least parts of the identifying data can comprise limiting the precision of at least a portion of said identifying data. For example, this can be done by replacing the date of birth by year of birth, by replacing the address by the ZIP-code, parts thereof, the region in which the address is located or the like.
  • the anonymising of at least parts of the identifying data can comprise replacing at least a portion of the identifying data by pseudonyms or codes. Those pseudonyms or codes can be generated by the comparator node. Additionally or alternatively, they can also be generated by the server if the return message is first sent to the server before being forwarded to the broadcasting parties.
  • the anonymising of at least parts of the identifying data can comprise replacing at least a portion of said identifying data by variables that are deduced from the identifying data, but that do not allow exact determination of the identifying data. For example, the date of birth can be replaced by age.
  • the anonymising of at least parts of the identifying data can comprise treating at least a part of the identifying data with a differential privacy algorithm.
  • Anonymising or otherwise masking user data before it leaves the user device as part of the return message can be very useful to ensure user privacy, as well as security of possibly sensitive data. It is particularly advantageous to perform this anonymising before sharing user data (that is, preferably parts of it) with third parties. It allows such third parties to get access to accurate and useful data for possible further research into treatments, marketing purposes, general research or the like, while not compromising on the users' right to privacy and safe data storage.
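The comparator-node matching and the on-device anonymising of identifying data described above, as an added example (Python, not code from the application or the applicant); the field names, the inquiry message layout, the threshold and the reference date are constructed assumptions:

```python
from datetime import date

# Constructed reference date for the age computation (assumption, not from the page).
TODAY = date(2020, 4, 20)

# Constructed user data held on one end computer user device; the field names
# are hypothetical. Identifying data and technical (medical) data are kept apart.
USER_DATA = {
    "identifying": {
        "name": "Jane Example",
        "date_of_birth": date(1988, 4, 12),
        "address": "12 Sample Street, 1010 Vienna",
        "zip": "1010",
    },
    "technical": {
        "sex": "female",
        "egfr": 55,          # kidney function estimate; 55 lies below a 60 threshold
        "systolic_bp": 124,
    },
}

# Constructed inquiry message: request criteria plus the data to be returned.
INQUIRY = {
    "inquiry_id": "inq-0001",              # placeholder identifier
    "broadcasting_party": "research-partner-A",
    "request_criteria": {
        "sex": "female",
        "age_range": (25, 45),
        "thresholds": {"egfr": ("<", 60)},  # below-average kidney function
    },
    "return_fields": ["egfr"],              # technical data requested back
    "return_identifying": ["date_of_birth", "address"],
    "confirmation_only": False,
}

OPS = {"<": lambda a, b: a < b, ">": lambda a, b: a > b, "==": lambda a, b: a == b}


def age_on(dob, today):
    """Whole years between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def compare(criteria, user_data, today):
    """Comparator node: True only if every request criterion is satisfied locally."""
    ident, tech = user_data["identifying"], user_data["technical"]
    if "sex" in criteria and tech.get("sex") != criteria["sex"]:
        return False
    if "age_range" in criteria:
        lo, hi = criteria["age_range"]
        if not lo <= age_on(ident["date_of_birth"], today) <= hi:
            return False
    for fld, (op, limit) in criteria.get("thresholds", {}).items():
        if fld not in tech or not OPS[op](tech[fld], limit):
            return False
    return True


def anonymise_identifying(ident, requested, today):
    """Limit the precision of identifying data before it leaves the device:
    the date of birth becomes an age, the full address becomes its ZIP code,
    and any other identifying field (e.g. the name) is never inserted."""
    out = {}
    for fld in requested:
        if fld == "date_of_birth":
            out["age"] = age_on(ident["date_of_birth"], today)
        elif fld == "address":
            out["zip"] = ident["zip"]
    return out


def process_inquiry(inquiry, user_data, today=TODAY):
    """Return a return message on a successful comparison; None means the
    inquiry message is discarded and nothing leaves the device."""
    if not compare(inquiry["request_criteria"], user_data, today):
        return None
    msg = {
        "inquiry_id": inquiry["inquiry_id"],       # lets the server route it back
        "broadcasting_party": inquiry["broadcasting_party"],
        "matched": True,                           # confirmation that the criteria are satisfied
    }
    if not inquiry.get("confirmation_only", False):
        tech = user_data["technical"]
        # technical data is inserted at most to the extent requested
        msg["technical"] = {f: tech[f] for f in inquiry["return_fields"] if f in tech}
        msg["identifying"] = anonymise_identifying(
            user_data["identifying"], inquiry["return_identifying"], today)
    return msg


if __name__ == "__main__":
    print(process_inquiry(INQUIRY, USER_DATA))
```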
  • the technical user data that can be sent to at least one of a server and a broadcasting party as part of the return message can be treated with a differential privacy algorithm before being sent to at least one of a server and a broadcasting party respectively.
  • the processing of the inquiry message can comprise sending at least a plurality of the return messages.
  • the inquiry message may comprise a plurality of independent request criteria. An individual return message can be generated for each such independent request criteria.
  • the return message can comprise at least an indicator for at least one of the following: user data matches the request criteria for the first time and an event concerning user data occurs (for instance, adding a certain value or registering a certain event).
  • the sending can furthermore require that at least one of the user data and an event concerning user data respectively also satisfy a time constraint. For example, this can be the user data matching the matching criteria (4) within a given period of time or that the event occurs within a given period of time.
  • the method can further comprise requesting at least implicit general consent, more preferably explicitly indicated consent, more preferably explicitly indicated consent to each single request of the user data, of the user before at least one of generating or triggering sending at least one return message corresponding to the inquiry message is performed by the comparator node.
  • one or a plurality of return messages that are generated on the user device can be sent to a server or a broadcasting party at a point in time when the user device is at least indirectly connected to the server and/or the broadcasting party respectively.
  • the one or a plurality of return messages that are generated on the user device can be sent to the server or the broadcasting party in at least one of a compressed form, batches and an agglomerated form. This can be advantageous to ensure efficient data management and optimisation of data transfer.
  • the sending to the server or the broadcasting party of the one or a plurality of return messages that are generated on the user device can be triggered once during a defined period of time (e.g. once an hour, a day, a week etc.), by a message from a server or a broadcasting party, and/or by a matching of a condition on the user device, such as existence of at least one of a defined number of return messages.
  • the method can further comprise, after the receiving of the return message, forwarding at least parts of the return message that the server received to at least some of the broadcasting parties, preferably forwarding each return message to the broadcasting party that sent the inquiry message that caused the generation of the respective return message.
  • generating the at least one return message can comprise furthermore adding a specification of at least one of the broadcasting party and the inquiry message that caused the generation of the return message.
  • the method can further comprise the server using at least the specification of at least one of the broadcasting party and the inquiry message to forward at least the content of the return message.
  • the method can further comprise the server collecting the return messages corresponding to one inquiry message and making available the return messages or their content, preferably in an agglomerated form, to the broadcasting party that issued said inquiry message.
  • the sending the return messages or their content, preferably in an agglomerated form, can be triggered when a certain condition is met.
  • the condition can comprise, for example, elapsed time, a pre-defined number of received answers, approval by the broadcasting party that sent the inquiry message.
  • the method can further comprise taking measures to mask, remove or conceal elements suitable to identify the user or the user device (such as e.g. IP address) prior to sending the return messages or parts thereof to at least one of the at least one broadcasting parties.
  • the method can further comprise encrypting at least parts of the return message with at least one encryption key by the user device before or while sending it.
  • the method can further comprise decrypting the return message at the respective broadcasting parties.
  • the method can further comprise encrypting at least parts of each return message at the user device before or while sending it to the server.
  • the method can then further comprise decrypting at least parts of each return message at the server after receiving said return message.
  • the method can then also comprise encrypting at least parts of said return message, of a set of return messages or of the agglomerated content of multiple return messages at the server before sending said return message to the receiving broadcasting party.
  • the method can then further comprise decrypting the data sent by the server at least partially at the receiving broadcasting party.
  • the method can further comprise encrypting at least parts of the return message with a key corresponding to the respective broadcasting party that issued the inquiry message that caused the generation of the return message.
  • the encryption can be then set up in a way so that the server cannot access said parts of the return message (e.g. by sharing a secret key between the broadcasting party and the user device). This can be advantageous, for example, when the third party has certain permissions to access sensitive (preferably medical) user data, that the server does not have permission to access.
  • the method can further comprise encrypting at least parts of the return message at the user device using an asymmetric encryption algorithm before or while sending each return message.
  • This can comprise furthermore using at least a public key for the encryption of each return message, wherein said public key corresponds to the respective broadcasting party that is the intended receiver of said return message.
  • the method can further comprise sending and receiving the inquiry message with one or multiple parts of the server that are at least partially different from parts of the server used for sending and receiving at least parts of the return message at the server.
  • the method can further comprise sending inquiry messages by the broadcasting parties from systems that are for at least one broadcasting party at least partially different from systems that are used for receiving the return messages.
  • the last two embodiments can be particularly advantageous if virtual separation between the inquiry message and the return message (possibly comprising sensitive data) is preferred.
  • the distributed data transmission method can comprise a device data storing step that comprises for each of at least one end computer user device, storing the user data relating to the respective user device on said respective end computer user device.
  • the distributed data transmission method can also comprise a device sending step that comprises sending at least one data set from the at least one end computer user device to the server.
  • the distributed data transmission method can further comprise a server receiving step that comprises receiving the at least one data set by the server.
  • the distributed data transmission method can also comprise a server packaging step that comprises combining data elements of the at least one received data set to at least one data container.
  • User data may comprise any data related to the user of the end computer user device. Multiple users may also be associated with one end computer user device, where each individual user would then have a unique "user profile" or the like.
  • user data comprises, at least partially, medical data associated with the user. This can comprise results of various medical tests or procedures, diagnoses, measurements from fitness tracking or medical devices and the like.
  • the present method may advantageously allow to securely share parts of sensitive user data (such as for example medical data) with third parties (e.g. research institutions or the like) without compromising user privacy.
  • the user data may first be anonymised via a certain technique and sent from the end computer user device to the server. There, the data may be stored until parts or all of it are needed by a third party. The data may then be anonymised again, via a different technique, and provided to the third party packaged into a data container.
  • the present method is useful for ensuring that user data is handled with utmost care and user privacy is respected, while the integrity of the data can be preserved so that it can be further analysed and/or studied and/or otherwise used by third parties.
  • the user data can be specific to the respective end computer user device.
  • the device data storing step can comprise storing medical data and wherein the user data can comprise medical data.
  • the device data storing step can comprise storing at least a part of the user data in a machine-interpretable form.
  • storing at least the part of the user data in a machine-interpretable form can comprise at least one of using a homogenous naming for fields and, for each field, encoding values with a same dimension unit.
  • the device data storing step can comprise storing at least partially automatically generated medical data that comprise at least one of at least one medical image, at least one result of a laboratory analysis of material originating from or expelled by the human body, and data from a sensing device that senses biometrical or medical data of the user.
  • Material originating from or expelled by the human body for example can comprise body fluids such as blood or urine, stool or tissue samples.
  • the at least partially automatically generated medical data can be automatically generated.
  • the device sending step can comprise a device processing step that comprises processing the at least one data set on the at least one device.
  • the device sending step can comprise a device data set selection step that can comprise selecting at least one data set from the user data on the at least one user device.
  • the device sending step can be performed by at least one of the at least one user device periodically and/or upon request by the server.
  • the server receiving step can comprise connecting at least one of the at least one user device at least at some points in time to the server.
  • the server receiving step can comprise storing server data on the server, wherein the server data can comprise at least a part of at least one of the at least one data set received by the server.
  • the server packaging step can comprise receiving at least one data request from at least one requesting party.
  • a request can comprise, for example a request for a specific type of medical data and/or a patient profile.
  • the server packaging step can comprise furthermore a server processing step.
  • the server packaging step can comprise furthermore a server data selection step that can comprise selecting the data elements of the at least one received data set to be combined to the at least one data container.
  • the server packaging step can comprise furthermore a server container releasing step that comprises preventing releasing at least one of the at least one data container before at least one container releasing condition is matched.
  • the at least one user device can comprise a plurality of user devices.
  • the user data on the at least one user device can comprise at least one data element.
  • This data element can comprise one or more of the following data: at least one numeric value, single selectable options from at least one list, multiple selectable options from at least one list, at least one time-stamped value, and at least one binary value.
  • the method can further comprise a device processing step that comprises processing at least one data element of at least one data set of the user data on at least one user device by the respective user device. Processing at least one data element may also be processing at least one value of the data element, if the data element comprises a plurality of values, such as a vector.
  • the device processing step can comprise, on at least one end computer user device, at least one of removing information from at least a part of the user data and limiting a precision of at least a part of the user data. This can be achieved by measures such as adding noise, adding errors, changing a data type of a value, or only indicating a range, selected from a pre-defined set of ranges, in which the value lies. That is, the device processing step can anonymise data, or at least limit a traceability of data or inhibit direct linking of parts of data sets obtained by an adverse party, if these data sets all refer to a same user or user device.
  • the device processing step can comprise processing at least one numerical data element.
  • the at least one numerical data element can comprise a data element which comprises at least one numeric value.
  • the device processing step can furthermore comprise combining numerical noise and the numerical data element.
  • combining numerical noise and the at least one numerical data element can comprise adding the numerical noise to at least one of the at least one numeric value of the numerical data element.
  • combining numerical noise and the at least one numerical data element can comprise adding the numerical noise to the numeric value of the respective numeric data element and, for at least one of the at least one numerical data element, limiting the numerical noise so that the respective numeric value does not exceed a pre-defined interval (and/or a pre-defined threshold value).
  • the pre-defined interval or threshold value can be global, such as for the height of a user, wherein a minimum height may be fixed.
  • the interval may be selected per range: for example, for a biomarker that has three ranges, "high", "medium" and "low", if a value of the biomarker was in the high range, the noisy value of the biomarker may be limited to said range.
  • the numerical noise can be generated by a Laplace distribution with an appropriate scaling. This can be particularly advantageous to provide sufficient anonymity to user data, while maintaining its statistical properties.
  • a probability density function of a variable that is added as noise can optionally be given by the following formula with appropriate m and b.
  • the device processing step can comprise processing at least one data element by converting a representation of the data element from a first encoding to a second encoding. That can also comprise changing a part of an encoding, for example an encoding of a quantity of consumed cigarettes per day if a data element comprises a quantity of consumed cigarettes per day and a timestamp.
  • the first and the second encoding can be, at least for some values of the data element, not equivalent and converting a representation of the data element in the second encoding can comprise using an appropriate random function. This can be the case if a range A in a first encoding alpha (for example corresponding to "high") corresponds to two values B and B* in a second encoding beta (for example "critically high" and "over-average").
  • the device processing step can comprise processing at least a timestamped data element.
  • the at least one timestamped data element can comprise a data element which comprises at least one timestamped value.
  • the device processing step can then comprise replacing a timestamp of at least one of the at least one timestamped value.
  • the step of replacing a timestamp of the at least one of the at least one timestamped value can comprise limiting the precision of said timestamp.
  • the step of replacing a timestamp of the at least one of the at least one timestamped value can comprise replacing said timestamp by a temporal distance relative to another point in time, such as a timestamp of another data element.
  • the method can further comprise limiting the precision of said temporal distance relative to another point in time.
  • the device processing step can comprise an operation to anonymize at least a part of the user data on at least one user device.
  • At least one data element of the at least one data element can comprise at least one of the following data: at least one numeric value, single selectable options from at least one list, multiple selectable options from at least one list, at least one time-stamped value, and at least one binary value.
  • the server processing step can comprise processing at least one data element of at least one data set of the server data on the server.
  • the server processing step can comprise at least one of removing information from at least a part of the user data and limiting a precision of at least a part of the respective data element. This can be achieved by measures such as adding noise, adding errors, changing a data type of a value, or only indicating a range, selected from a pre-defined set of ranges, in which the value lies. That is, the server processing step can anonymise data, or at least limit a traceability of data or inhibit direct linking of parts of data sets obtained by an adverse party.
  • the server processing step can comprise processing at least one numerical data element.
  • the at least one numerical data element can be a data element which comprises at least one numeric value.
  • the server processing step can furthermore comprise combining numerical noise and the numerical data element.
  • combining numerical noise and the at least one numerical data element can comprise adding the numerical noise to at least one of the at least one numeric value of the numerical data element.
  • combining numerical noise and the at least one numerical data element can comprise adding the numerical noise to the numeric value of the respective numeric data element and for at least one of the at least one numerical data element, limiting the numerical noise so that the respective numeric value does not exceed a pre-defined interval.
  • the numerical noise can be generated by a Laplace distribution with an appropriate scaling. This can be particularly advantageous to provide sufficient anonymity to user data, while maintaining its statistical properties.
  • a probability density function of a variable that is added as noise can optionally be given by the following formula with appropriate m and b.
  • the server processing step can comprise processing at least one data element by converting a representation of the data element from a first encoding to a second encoding. That can also comprise changing a part of an encoding, for example an encoding of a quantity of consumed cigarettes per day if a data element comprises a quantity of consumed cigarettes per day and a timestamp.
  • the first and the second encoding can be, at least for some values of the data element, not equivalent and converting a representation of the data element in the second encoding can comprise using an appropriate random function. This can be the case if a range A in a first encoding alpha (for example corresponding to "high") corresponds to two values B and B* in a second encoding beta (for example "critically high" and "over-average").
  • the server processing step comprises processing at least a timestamped data element.
  • the at least one timestamped data element can be a data element which comprises at least one timestamped value.
  • the server processing step can comprise replacing a timestamp of at least one of the at least one timestamped value.
  • the step of replacing a timestamp of the at least one of the at least one timestamped value can comprise limiting the precision of said timestamp. In some other embodiments, the step of replacing a timestamp of the at least one of the at least one timestamped value can comprise replacing said timestamp by a temporal distance relative to another point in time, such as a timestamp of another data element.
  • the method can further comprise limiting the precision of said temporal distance relative to another point in time.
  • the server processing step can comprise an operation to anonymize at least a part of the server data.
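The device processing step and the server processing step above apply the same anonymising operations; this added example (Python, not the application's own code) implements the three of them that are described: Laplace noise limited to the range the value already lies in, conversion between non-equivalent encodings using a random function, and replacement of a timestamp by a coarsened temporal distance. The biomarker ranges, the scale b and the beta encoding are constructed assumptions; the Laplace density used is the standard one, since the page does not reproduce the formula.

```python
import math
import random
from datetime import date

# Constructed biomarker ranges (hypothetical units): the first encoding "alpha".
BIOMARKER_RANGES = {"low": (0.0, 3.9), "medium": (3.9, 5.2), "high": (5.2, 12.0)}

# Constructed second encoding "beta": "high" in alpha has no single equivalent
# in beta, so the conversion needs a random function.
ALPHA_TO_BETA = {
    "low": ["low"],
    "medium": ["medium"],
    "high": ["critically high", "over-average"],
}


def laplace_sample(u, m=0.0, b=1.0):
    """Inverse-CDF draw from Laplace(m, b) with density exp(-|x-m|/b)/(2b),
    from a uniform u in (0, 1). A larger scale b means more noise."""
    u = min(max(u, 1e-12), 1.0 - 1e-12)   # keep log() finite at the ends
    if u < 0.5:
        return m + b * math.log(2.0 * u)
    return m - b * math.log(2.0 * (1.0 - u))


def containing_range(value, ranges=BIOMARKER_RANGES):
    """Name and bounds of the pre-defined range the value falls in."""
    for name, (lo, hi) in ranges.items():
        if lo <= value < hi:
            return name, (lo, hi)
    raise ValueError("value outside all pre-defined ranges")


def anonymise_biomarker(value, b, seed):
    """Add Laplace noise, then limit the noisy value to the range the true
    value was already in, so the coarse category ("high" etc.) is preserved."""
    rng = random.Random(seed)
    _, (lo, hi) = containing_range(value)
    noisy = value + laplace_sample(rng.random(), 0.0, b)
    return min(max(noisy, lo), hi)


def convert_encoding(alpha_value, seed):
    """Convert encoding alpha to beta; choose randomly where alpha maps to
    several beta values."""
    return random.Random(seed).choice(ALPHA_TO_BETA[alpha_value])


def temporal_distance_days(timestamp, reference, precision_days):
    """Replace a timestamp (ISO date) by its distance in days from another
    point in time, with the precision limited to multiples of precision_days."""
    delta = (date.fromisoformat(timestamp) - date.fromisoformat(reference)).days
    return int(round(delta / precision_days)) * precision_days


def limit_timestamp_precision(timestamp):
    """Limit an ISO date to year and month."""
    return timestamp[:7]


def noise_mean(n, b, seed):
    """Empirical mean of n Laplace(0, b) draws; it stays close to 0, which is
    why averages over many users keep their statistical properties."""
    rng = random.Random(seed)
    return sum(laplace_sample(rng.random(), 0.0, b) for _ in range(n)) / n


if __name__ == "__main__":
    print(anonymise_biomarker(6.0, b=1.0, seed=1))
    print(convert_encoding("high", seed=1))
    print(temporal_distance_days("2020-03-15", "2020-01-01", precision_days=7))
```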
  • the at least one data set in the device data set selection step can be selected only from a pre-defined part of user data on the user device. This part can for example exclude identifying data, such as contact data, a user's address or at least a part thereof and/or his payment data.
  • the server data selection step can comprise receiving at least one data request.
  • the data request can be received from third parties, such as research partners.
  • the at least one data request comprises a data request condition and a first list of fields.
  • the data request condition is a condition that specifies criteria for users that are relevant for the third party or the research partner. Technically, it is a condition that needs to be matched for data to be selected.
  • the first list of fields lists a minimum of data elements necessary for the purpose of the third party, such as a research purpose for a third party.
  • the at least one data request can be a plurality of data requests.
  • each of the at least one data container is specific to a respective data request. That is, each data container comprises the data corresponding to the respective data request.
  • the server data can comprise at least one data element group, wherein the at least one data element group comprises at least one data element and the at least one data element comprises a common group key that corresponds to the at least one data element group.
  • the common group key can also be linked to a data element by the data set to which the group key and the data element belong.
  • Each data element group can be understood as collection of data that have such a common group key element, so that the common group key defines a data profile.
  • the common group key can comprise a user device indicator. That is, the data element groups can be understood as anonymised profiles of users that collect the anonymised data that is sent by the users.
  • the user device indicator may also be the same for a plurality of devices if the user device receives a corresponding instruction, e.g. if a user changes his user device.
  • the at least one data element group can be a plurality of data element groups.
  • the server data selection step comprises evaluating for each data request at least one server selection condition by the server, wherein each server selection condition corresponds to one data request condition.
  • each server selection condition can comprise the corresponding data request condition. That is, the server can add at least one criterion to the data request condition, e.g. in order to protect the privacy of the users, as will be detailed below.
  • each server selection condition can comprise a condition regarding whether a data element group comprises at least some or all data elements indicated by the corresponding data request's first list of fields. This can be optionally advantageous to limit data element groups that match the server condition to data element groups that can be selected to respond to the data request.
  • each server selection condition can comprise a condition regarding a proportion of data elements indicated by the corresponding data request's first list of fields and a data element group's data elements.
  • a proportion can be a proportion such as a ratio of a number of requested fields or data elements to a number of fields or data elements of the data element group.
  • the data selection step can comprise adding a selection flag to each data element that is selected during processing of a data request.
  • each server selection condition can comprise a condition referring to an amount of data elements of a data element group that are indicated by the corresponding data request's first list of fields and to which a selection flag was added.
  • a condition could for example be a maximum number of selection flags that may have been added to the data elements that are indicated by the first list of fields and that might therefore be used to match user profiles if an adverse party gains access to more than one data container.
  • each server selection condition can comprise a condition referring to the proportion of data elements of a data element group that are indicated by the corresponding data request's first list of fields and to which a selection flag was added, relative to all data elements of that data element group that are indicated by the corresponding data request's first list of fields.
  • the advantage of the preceding paragraph can apply accordingly.
  • An example for said part of each server selection condition can be that the proportion of data elements that were previously shared with a research partner and all the data elements of the data element group is below 50%.
  • each server selection condition can comprise a condition regarding a maximum number of data element groups that are selected for the data request corresponding to the server selection condition.
  • the server data selection step can comprise for each data request, evaluating the server selection condition data element group-wise until a finishing condition is matched. That is, the server checks for each data element group whether it matches the respective server condition and selects it accordingly.
  • An optional advantage can be a limited processing time, as not all of the data element groups need to be checked. Furthermore, it can be easier to limit the selection to a part of the data element groups.
  • the server data selection step can comprise for each data request selecting data elements from the at least one data element group based on the data request and a result of evaluating the server selection condition for the respective data element group. That is, a result of verifying the server selection condition can be used as selection criterion for data element groups, as implied above.
  • selecting data elements from the at least one data element group based on the data request and a result of evaluating the server selection condition for the respective data element group can comprise selecting the data elements from the at least one data element group that are indicated by the first list of fields if the server selection condition was matched for the respective data element group.
  • the at least one data request can comprise a second list of fields.
  • selecting data elements from the at least one data element group based on the data request and a result of evaluating the server selection condition for the respective data element group can comprise selecting data elements from the at least one data element group that are indicated by the second list of fields if the server selection condition was matched for the respective data element group.
  • selecting data elements from the at least one data element group based on the data request and a result of evaluating the server selection condition for the respective data element group can comprise furthermore selecting data elements from the at least one data element group that are indicated by the second list of fields if the server selection condition was matched for the respective data element group, until the part of the server condition regarding the proportion of data elements indicated by the corresponding data request's first list of fields and a data element group's data elements is not matched anymore. That is, if the first list of fields specifies x data elements to be sent and by the aforementioned criterion regarding the proportion of data elements, y data elements may be selected, then for y>x, up to y-x data elements are selected according to the second list of fields.
  • an optional advantage can be that data element groups are considered that only comprise all data elements from the first list of fields and none or not all of the data elements from the second list of fields. So, this option allows the specification of optional data elements that are selected from the data element group, but does at the same time not limit the quantity of data element groups that match the server selection condition.
  • the at least one data request can comprise at least one further list of fields, such as a third list of fields.
  • selecting data elements from the at least one data element group based on the data request and a result of evaluating the server selection condition for the respective data element group can comprise furthermore selecting data elements from the at least one data element group that are indicated by the further list of fields, such as the third list of fields, when there are no data elements left that are indicated by the first and the second list of fields, if the server selection condition was matched for the respective data element group, until the part of the server condition regarding the proportion of data elements indicated by the corresponding data request's first list of fields and a data element group's data elements is not matched anymore.
  • This can have the same advantages as specified in the preceding paragraph.
  • the server data selection step can comprise finishing selecting data elements from a data element group when a condition referring to a proportion of data elements that are selected and a data element group's data elements is matched, such as the condition discussed above. That is, the data elements can be selected from the second and subsequently from the third list of fields as long as the proportion of selected data elements to available data elements of a respective data element group fulfils a condition, such as not exceeding a ratio of 50%.
  • the at least one container releasing condition can be verified for each of the at least one data container separately.
  • the at least one container releasing condition can comprise a minimum number of different data element groups from which data elements were selected for the respective data container.
  • the server container releasing step can comprise preventing releasing each of the at least one data container before the at least one container releasing condition is matched for the respective data container. That is, sharing a data container that comprises data elements from too few data element groups can be prevented.
  • This can be optionally advantageous in a case where the absolute number of data element groups satisfying the data request condition or the server selection condition respectively is small.
  • a shared part of the user's data would be exposed, and it would be possible to match said part of the user's data to the user if the data request condition is sufficiently specific and another party obtains knowledge about the specificity by other means.
  • an insurance company insuring patients with a very rare disease could thus obtain information on their customers. Avoiding such a scenario may be an advantage of the option discussed in this paragraph.
  • the server packaging step can comprise furthermore a server container releasing step that comprises preventing releasing each of the at least one data container respectively before at least one container releasing condition that is specific to the respective data container is matched. That is, the container releasing conditions can be adapted to the container and thus to the data request condition of the respective data request, for example depending on how specific the data request condition is.
  • At least one of the at least one container releasing condition can comprise a minimum number of different data element groups from which data elements were selected for the respective data container. That is, again for the example with data element groups having a user device indicator as key element, that data from a minimum number of users must be selected.
  • At least one of the at least one container releasing condition can comprise a condition regarding a uniqueness of data elements from data element groups that were selected for the respective data container.
  • the uniqueness can also be measured with a vectoral proximity measure or by fuzzy measures and does not need to be strict.
  • Many unique data elements can be an indicator for a high variety of data, which can be an optional advantage in particular for third parties or research partners that want to research a phenomenon without limiting themselves to special cases or for example if the data are used for data mining.
  • the method can further comprise steps of any of the expert system method, the selective broadcasting method and the selective data transmission method.
  • the system comprises the end user computer device.
  • the end user computer device is configured for carrying out the method according to any of the above-mentioned embodiments.
  • the end user computer device can comprise an analysis step module.
  • the analysis step module can be configured for performing the analysis step of the method.
  • the end user computer device can comprise a contact establishment module.
  • the contact establishment module can be configured for performing the contact establishment step of the method.
  • the end user computer device can comprise an outputting step module.
  • the outputting step module can be configured for performing the outputting step of the method.
  • the end user computer device can comprise a user interface.
  • the outputting step module can be configured for controlling the user interface.
  • the end user computer device can comprise a downloading step module.
  • the downloading step module can be configured for performing the downloading step of the method.
  • the end user computer device can comprise a communication component.
  • the downloading step module can be configured for data exchange by means of the communication component.
  • the end user computer device can comprise a monitoring step module.
  • the monitoring step module can be configured for performing the monitoring step of the method.
  • the end user computer device can comprise an uploading step module.
  • the uploading step module can be configured for performing the uploading step of the method.
  • the end user computer device can comprise the communication component.
  • the uploading step module can be configured for data exchange by means of the communication component.
  • the end user computer device can comprise an anonymizing step module.
  • the anonymizing step module can be configured for performing the anonymizing step of the method.
  • the end user computer device can comprise a data receiving module.
  • the data receiving module can be configured for performing the data receiving step of the method.
  • the system can comprise a data storage component.
  • the data storage component can be configured for performing the storing step of the method.
  • the system can further comprise a server.
  • the server can be configured to carry out at least a part of the method.
  • the end user computer device can further comprise a comparator node.
  • each module and/or the comparator node can be a separate data-processing unit, such as an adapted microcontroller, processor, FPGA or the like, for example in combination with a suitable memory element.
  • one or all modules and/or the comparator node can also be implemented in software, which software may then be executed by the end user computer device.
  • M1 A method comprising operating an end user computer device.
  • method comprises performing a storing step (SS).
  • the storing step comprises storing user input data.
  • the storing step comprises storing a user location set, which user location set comprises at least one or a plurality of user location(s).
  • the storing step comprises storing sensed physiological data.
  • the storing step comprises storing medical user data.
  • the storing step comprises storing medical environment data.
  • the storing step comprises storing a third party set, comprising an indication of at least one trusted third party(s).
  • the storing step comprises storing analysis model data.
  • the storing step comprises storing sample data.
  • M11 The method according to any of the preceding embodiments with the features of M2, wherein the storing step comprises storing display data.
  • the storing step comprises storing at least one of
  • analysis model data are specific to at least one of a geographical area and the indication of the trusted third party(s).
  • the method comprises performing an analysis step (AS).
  • analysis step comprises receiving at least the analysis-portion from a user by means of a user interface of the end user computer device.
  • analysis step comprises outputting a portion of the display data to the user.
  • portion of the display data prompts the user to input the analysis-portion.
  • analysis step comprises a generation of an estimation of a probability of a medical condition of the user.
  • the generation of the estimation comprises processing the user location set.
  • the generation of the estimation comprises processing the medical environment data.
  • the generation of the estimation comprises processing the medical user data.
  • the method comprises performing a contact establishment step (CS).
  • CS contact establishment step
  • the contact establishment step (CS) comprises establishing a connection, such as a voice communication connection or a data connection.
  • contact establishment step (CS) further comprises triggering a step of taking a medical sample from the user, such as a sample of body fluid or a sample of tissue of the user.
  • the contact establishment step (CS) further comprises receiving a portion of the sample data, wherein the portion preferably comprises an identification of the sample.
  • the contact establishment step comprises determining the other party(s) of the connection based on at least one of
  • the user location set particularly a current location of the user.
  • the method comprises performing a downloading step (DS).
  • downloading step comprises receiving the updated portion of the display data and/or the medical environment data from a third party server, wherein the third party server is indicated by the indication of the at least one trusted third party.
  • M35 The method according to the preceding embodiment, wherein the updated portion of the display data and/or the medical environment data is cryptographically signed by the trusted third party.
  • M36 The method according to any of the preceding embodiments with the features of M33, wherein the downloading step comprises receiving the updated portion in a compressed data format and decompressing the updated portion after receiving it.
  • the downloading step comprises sending request data, and wherein the request data comprise at least one of a portion of the user input data and a portion of the medical user data.
  • the downloading step comprises receiving at least a portion of the medical user data from a database server.
  • the downloading step comprises sending a portion of the sample data or a data element generated thereof to the database server.
  • downloading step comprises sending the portion of the sample data or the data element generated thereof to the database server and receiving the portion of the medical user data from the database server after sending said portion.
  • the method comprises performing an outputting step (OS).
  • the method comprises performing a monitoring step (MS).
  • monitoring step comprises analysing changes in at least one of the medical user data and the sensed physiological data.
  • monitoring step comprises analysing changes in the analysis-portion.
  • analysing the changes is based on the analysis model data.
  • M49 The method according to any of the preceding embodiments with the features of M45, wherein the monitoring step comprises generating the estimation of a probability of a medical condition of the user.
  • the method comprises performing an uploading step (US).
  • the uploading step (US) comprises uploading data to an intermediary server system.
  • the uploading step (US) comprises uploading data relating to at least one of a usage of the end user computer device and technical details of the end user computer device.
  • the method comprises receiving instruction data from the intermediary server,
  • instruction data comprise an uploading criterion and an indication of data types.
  • the uploading criterion relates to at least one of the user location set, the user input data and the medical user data on the end user computer device.
  • uploading step comprises
  • the method comprises not uploading the upload data element(s) if the uploading criterion is not matched.
  • the method comprises not uploading an identity of the user to the intermediary server.
  • the method comprises performing an anonymizing step (AN),
  • the anonymizing step (AN) comprises removing identifying data from the upload data element(s) and/or inhibiting uploading data element(s) that comprise an identity of the user.
  • the method comprises a data receiving step (DR).
  • DR data receiving step
  • the data receiving step (DR) comprises receiving at least a portion of the medical user data from a measurement data processing system.
  • the measurement data processing system receives measurement data from a set of measurement equipment.
  • M64 The method according to any of the two preceding embodiments and with the features of M10, wherein the portion of the medical user data that are received from the measurement data processing system relate to a sample to which the sample data correspond.
  • M65 The method according to any of the preceding embodiments with the features of M61, wherein the data receiving step (DR) comprises receiving sensed physiological data from at least one of
  • sensing component which sensing component the end user computer device comprises.
  • the method comprises operating the end user computer device according to any of the expert system method embodiments.
  • the method comprises operating the end user computer device according to any of the selective broadcasting method embodiments.
  • the method comprises performing at least a part of the steps of the method according to the selective broadcasting method embodiments, which part of the steps is performed by an end user computer device and/or requires at least one of an action of and an interaction with the end user computer device.
  • the end user computer device comprises a comparator node according to the selective broadcasting method embodiments.
  • the method comprises performing at least one or more steps of the selective broadcasting method according to any of the selective broadcasting method embodiments.
  • the method comprises performing the selective broadcasting method according to any of the selective broadcasting method embodiments.
  • the method comprises operating the end user computer device according to any of the selective data transmission method embodiments.
  • the method comprises performing one or more steps of the selective data transmission method according to any of the selective data transmission method embodiments.
  • M74 The method according to any of the preceding embodiments, wherein the method comprises performing the selective data transmission method according to any of the selective data transmission method embodiments.
  • the method comprises operating the end user computer device according to any of the distributed data transmission method embodiments.
  • N1 A method for processing data on an end user computer device
  • a user data storing step that comprises storing at least a part of the user data on the end user computer device.
  • the user data storing step comprises storing medical data.
  • the user data storing step comprises a technical user data storing step that comprises storing technical user data in a machine-interpretable form.
  • technical user data comprise medical user data.
  • the technical user data storing step comprises storing technical user data that are encoded with at least a homogeneous naming for fields.
  • the technical user data storing step comprises
  • processing user data by the application that is executed by the end user computer device comprises
  • processing the technical user data comprises
  • an information deriving step that comprises deriving information from the technical user data by the application and thus generating derived information.
  • the information deriving step comprises deriving medical information from the technical user data by the application.
  • the application comprises a machine learning model and the information deriving step comprises deriving the information based on the machine learning model.
  • the application comprises an expert system and the information deriving step comprises deriving the information based on the expert system.
  • the expert system is a medical expert system.
  • the medical expert system comprises at least a part of a rule-based inference engine.
  • the application or a part thereof derives information from the technical user data using their machine-interpretable form or at least one property of this machine-interpretable form.
  • N18a The method according to any of the preceding method embodiments, wherein the method comprises storing the application data on the end user computer device.
  • application data comprise display data
  • the application data comprise knowledge base data that comprise at least a part of data that are configured to specify a relation between input data and output data of the application.
  • the application data comprise inference engine data that comprise at least a part of data that specify an evaluation of the input data using the knowledge base data.
  • the user data storing step comprises storing the derived information or indicators thereof.
  • storing the derived information or the indicators thereof comprises at least one of
  • display data are preferably according to any of the preceding embodiments that comprise display data.
  • the method comprises a data outputting step that comprises outputting at least a part of the user data and/or of the display data by the end user computer device.
  • outputting at least a part of user data by the end user computer device comprises outputting at least a part of the derived information or the indicators thereof that are stored on the end user computer device.
  • data on the end user computer device comprises encrypted data
  • encrypting at least a part of the user data comprises encrypting at least a part of the technical user data.
  • the encrypted data comprise at least a part of the application data.
  • N30 The method according to the preceding embodiment and with the features of M19, wherein the encrypted data comprise at least a part of the display data.
  • the encrypted data comprise the display data.
  • the method comprises a data adding step that comprises adding data to the user data on the end user computer device.
  • the method comprises providing an interface for adding data to the user data by manual input.
  • the data adding step comprises using a camera that is connected at least indirectly to the end user computer device.
  • the data adding step comprises adding text data to the user data and wherein using the camera comprises using the camera for adding at least a part of the text data.
  • adding the text data to the user data comprises furthermore applying at least optical character recognition to data captured by the camera.
  • the data adding step comprises receiving input data from a data server and adding at least a part of the input data to the user data.
  • N38 The method according to any of the preceding method embodiments with the features of N32, wherein the data adding step comprises receiving data from at least one sensing device that is configured to sense data related to a user.
  • At least one of the at least one sensing device that is configured to sense data related to the user is configured to sense physiological data related to the user.
  • the method comprises an updating step that comprises sending at least a part of update data from the server and receiving at least the part of the update data by the end user computer device.
  • the updating step comprises adapting at least a part of the application data on the end user computer device according to the received update data.
  • the method comprises furthermore repeating at least a part of the information deriving step after the updating step.
  • the method comprises sending at least an indicator of at least one of (a) the updating step or a result thereof, (b) the application data and (c) the end user computer device or of technical features thereof from the end user device to another device.
  • the transfer condition set comprises at least one transfer condition and wherein at least one of the at least one transfer condition comprises
  • the method comprises preventing sending the user data from the end user computer device if none of the transfer conditions of the transfer condition set is satisfied.
  • the method comprises preventing sending the user data from the end user computer device.
  • selective broadcasting method embodiments will be discussed. These embodiments are abbreviated by the letter “O” followed by a number. Whenever reference is herein made to “selective broadcasting method embodiments”, these embodiments are meant.
  • a method for broadcasting data comprising
  • the server transmitting the broadcasting message to the plurality of user devices.
  • the method according to the preceding method embodiment further comprising generating statistics on the notifications about at least one of the processing, delivery and at least implicitly on the successful comparison of the broadcasting messages by at least one of the server and the broadcasting party.
  • sending the broadcasting message further comprises transmitting the broadcasting message by a connection configured to transfer data from the broadcasting party to the server.
  • sending the broadcasting message further comprises connecting the user devices and the server at least at some points in a period of time by a connection configured to transfer data from the server to the user devices.
  • invention O2 further comprising the server forwarding the received broadcasting message to at least some of the user devices that are connected to the server at least at some points in a period of time, wherein said portion is at least defined by a characteristic specified by at least one of the server, the broadcasting party sending the broadcasting message to the server and the user devices.
  • a method for selectively transmitting data comprising
  • the comparator node generating at least one return message based on at least parts of user data
  • the server transmitting the inquiry message to the plurality of end computer user devices. P3.
  • the method according to any of the preceding method embodiments further comprising discarding the inquiry message on each device where the comparator node did not achieve a successful comparison of the request criteria to user data.
  • sending the inquiry message further comprises transmitting the inquiry message by a connection configured to transfer data from the broadcasting party to the server.
  • sending the inquiry message further comprises connecting the end computer user devices and the server at least at some points in a period of time by a connection configured to transfer data from the server to the end computer user devices.
  • generating the at least one return message(s) comprises furthermore adding a specification of at least one of the broadcasting party and the inquiry message that caused the generation of the return message(s).
  • P31 The method according to any of the three preceding embodiments further comprising the server collecting the return messages corresponding to one inquiry message and making available the return messages or their content, preferably in an agglomerated form, to the broadcasting party that issued said inquiry message.
  • P32 The method according to the preceding embodiment, wherein sending the return messages or their content, preferably in an agglomerated form, is triggered when a certain condition is met.
  • encrypting at least parts of the return message using an asymmetric encryption algorithm comprises furthermore using at least a public key for the encryption of each return message, wherein said public key corresponds to the respective broadcasting party that is the intended receiver of said return message.
  • distributed data transmission method embodiments will be discussed. These embodiments are abbreviated by the letter “Q” followed by a number. Whenever reference is herein made to “distributed data transmission method embodiments”, these embodiments are meant.
  • Q1 A method for sending combined parts of distributed data from user devices to at least one recipient, comprising
  • a device data storing step (DD) that comprises for each of at least one user device, storing user data relating to the respective user device on said respective user device,
  • a device sending step that comprises sending at least one data set from the at least one user device to a server
  • SR server receiving step
  • a server packaging step that comprises combining data elements of the at least one received data set to at least one data container.
  • the user data are specific to the respective user device.
  • the device data storing step (DD) comprises storing medical data and wherein the user data comprise medical data.
  • the device data storing step (DD) comprises storing at least a part of the user data in a machine-interpretable form.
  • storing at least the part of the user data in a machine-interpretable form comprises at least one of
  • the device data storing step (DD) comprises storing at least partially automatically generated medical data that comprise at least one of
  • the device sending step (DS) comprises a device processing step (DPS) that comprises processing the at least one data set on the at least one device.
  • DPS device processing step
  • the device sending step (DS) comprises a device data set selection step (DDS) that comprises selecting at least one data set from the user data on the at least one user device.
  • DDS device data set selection step
  • the device sending step (DS) is performed by at least one of the at least one user device periodically and/or upon request by the server.
  • server receiving step (SR) comprises connecting at least one of the at least one user device at least at some points in time to the server.
  • server receiving step (SR) comprises storing server data on the server
  • server data comprise at least a part of at least one of the at least one data set received by the server.
  • server packaging step (SP) comprises receiving at least one data request from at least one requesting party.
  • server packaging step (SP) comprises furthermore a server processing step (SPS).
  • server packaging step comprises furthermore a server data selection step (SDS) that comprises selecting the data elements of the at least one received data set to be combined to the at least one data container.
  • SDS server data selection step
  • server packaging step comprises furthermore a server container releasing step (SCR) that comprises preventing releasing at least one of the at least one data container before at least one container releasing condition is matched.
  • SCR server container releasing step
  • the user data on the at least one user device comprise at least one data element, wherein at least one data element of the at least one data element comprises at least one of the following data:
  • the method comprises a device processing step (DPS) that comprises processing at least one data element of at least one data set of the user data on at least one user device by the respective user device.
  • the device processing step comprises on at least one user device at least one of removing information from at least a part of the user data and limiting a precision of at least a part of the user data.
  • the at least one numerical data element is a data element which comprises at least one numeric value
  • combining numerical noise and the at least one numerical data element comprises adding the numerical noise to at least one of the at least one numeric value of the numerical data element.
  • combining numerical noise and the at least one numerical data element comprises adding the numerical noise to the numeric value of the respective numeric data element and for at least one of the at least one numerical data element, limiting the numerical noise so that the respective numeric value does not exceed a pre-defined interval.
  • first and the second encoding are at least for some values of the data element not equivalent and converting a representation of the data element in the second encoding comprises using an appropriate random function.
  • the at least one timestamped data element is a data element which comprises at least one timestamped value
  • step of replacing a timestamp of the at least one of the at least one timestamped value comprises limiting the precision of said timestamp.
  • step of replacing a timestamp of the at least one of the at least one timestamped value comprises replacing said timestamp by a temporal distance relative to another point in time, such as a timestamp of another data element.
  • server data on the server comprise at least one data element, wherein at least one data element of the at least one data element comprises at least one of the following data:
  • server processing step comprises processing at least one data element of at least one data set of the server data on the server.
  • server processing step comprises at least one of removing information from at least a part of the server data and limiting a precision of at least a part of the server data.
  • server processing step comprises processing at least one numerical data element
  • the at least one numerical data element is a data element which comprises at least one numeric value
  • server processing step comprises furthermore combining numerical noise and the numerical data element.
  • combining numerical noise and the at least one numerical data element comprises adding the numerical noise to at least one of the at least one numeric value of the numerical data element.
  • combining numerical noise and the at least one numerical data element comprises adding the numerical noise to the numeric value of the respective numeric data element and for at least one of the at least one numerical data element, limiting the numerical noise so that the respective numeric value does not exceed a pre-defined interval.
  • server processing step comprises processing at least one data element by converting a representation of the data element from a first encoding to a second encoding.
  • first and the second encoding are at least for some values of the data element not equivalent and converting a representation of the data element in the second encoding comprises using an appropriate random function.
  • server processing step (SPS) comprises processing at least one timestamped data element.
  • the at least one timestamped data element is a data element which comprises at least one timestamped value
  • server processing step comprises replacing a timestamp of at least one of the at least one timestamped value.
  • step of replacing a timestamp of the at least one of the at least one timestamped value comprises limiting the precision of said timestamp.
  • step of replacing a timestamp of the at least one of the at least one timestamped value comprises replacing said timestamp by a temporal distance relative to another point in time, such as a timestamp of another data element.
  • server processing step comprises an operation to anonymize at least a part of the server data.
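The device processing step and the server processing step embodiments above name the same three operations: combining bounded numerical noise with a numeric value, limiting timestamp precision or replacing a timestamp by a temporal distance, and converting a data element to a non-equivalent encoding by means of a random function. The following Python is an added example, not code from the patent or the applicant, that applies all three to one constructed data set; the temperature interval, noise scale and keep probability are assumed values, and randomized response is the random function assumed for the encoding conversion.

```python
# Added example (not part of the patent text): the processing operations named
# in the device processing step (DPS) and server processing step (SPS)
# embodiments, applied to one constructed data set. Interval, noise scale and
# keep probability are assumptions chosen for the example.
import random
from datetime import datetime, timedelta
from typing import Any


def add_bounded_noise(value: float, scale: float,
                      interval: tuple[float, float], rng: random.Random) -> float:
    """Combine numerical noise with a numeric value, limited to a pre-defined interval.

    The noise is Laplace(0, scale), generated as the difference of two
    exponential variates; the result is then clamped so the noisy value
    cannot leave [lo, hi] (this is what 'limiting the numerical noise' does here).
    """
    lo, hi = interval
    noise = rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)
    return min(hi, max(lo, value + noise))


def limit_timestamp_precision(ts: datetime, precision: str) -> datetime:
    """Replace a timestamp by a coarser one (start of the hour or of the day)."""
    if precision == "hour":
        return ts.replace(minute=0, second=0, microsecond=0)
    if precision == "day":
        return ts.replace(hour=0, minute=0, second=0, microsecond=0)
    raise ValueError(f"unsupported precision: {precision}")


def relative_timestamp(ts: datetime, reference: datetime,
                       unit: timedelta = timedelta(hours=1)) -> int:
    """Replace a timestamp by its temporal distance to another point in time, in whole units."""
    return int((ts - reference) / unit)


def randomized_response(value: bool, keep_prob: float, rng: random.Random) -> bool:
    """Convert a boolean from its exact encoding to a non-equivalent, randomized one.

    With probability keep_prob the true value is kept, otherwise a fair coin
    decides; an individual answer is therefore deniable, while population
    proportions remain recoverable from many answers.
    """
    if rng.random() < keep_prob:
        return value
    return rng.random() < 0.5


def process_data_set(data_set: dict[str, Any], rng: random.Random,
                     temp_interval: tuple[float, float] = (34.0, 42.0),
                     noise_scale: float = 0.2, keep_prob: float = 0.75) -> dict[str, Any]:
    """Apply the processing step to one data set before it leaves the device."""
    measured_at = limit_timestamp_precision(data_set["measured_at"], "hour")
    return {
        "temperature": add_bounded_noise(data_set["temperature"], noise_scale,
                                         temp_interval, rng),
        "measured_at": measured_at,
        # the onset timestamp itself is dropped; only its distance to the
        # (coarsened) measurement time survives
        "symptom_onset_hours": relative_timestamp(data_set["symptom_onset"], measured_at),
        "smoker": randomized_response(data_set["smoker"], keep_prob, rng),
    }


# Constructed sample data set (not real measurements).
SAMPLE_DATA_SET = {
    "temperature": 38.4,
    "measured_at": datetime(2020, 4, 17, 13, 45, 30),
    "symptom_onset": datetime(2020, 4, 15, 13, 0, 0),
    "smoker": True,
}

if __name__ == "__main__":
    print(process_data_set(SAMPLE_DATA_SET, random.Random(42)))
```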
  • server data selection step (SDS) comprises receiving at least one data request.
  • the at least one data request comprises a data request condition and a first list of fields.
  • the at least one data request is a plurality of data requests.
  • each of the at least one data container is specific to a respective data request.
  • server data comprise at least one data element group
  • the at least one data element group comprises at least one data element and the at least one data element comprises a common group key that corresponds to the at least one data element group.
  • the common group key comprises a user device indicator (UDI).
  • UDI user device indicator
  • server data selection step (SDS) comprises evaluating for each data request at least one server selection condition by the server
  • each server selection condition corresponds to one data request condition.
  • each server selection condition comprises the corresponding data request condition.
  • each server selection condition comprises a condition regarding whether a data element group comprises at least some or all data elements indicated by the corresponding data request's first list of fields.
  • each server selection condition comprises a condition regarding a proportion of data elements indicated by the corresponding data request's first list of fields and a data element group's data elements.
  • the data selection step comprises adding a selection flag to each data element that is selected during the processing of a data request.
  • each server selection condition comprises a condition referring to an amount of data elements of a data element group that are indicated by the corresponding data request's first list of fields and to which a selection flag was added.
  • each server selection condition comprises a condition referring to a proportion of data elements of a data element group that are indicated by the corresponding data request's first list of fields and to which a selection flag was added to the data elements of a data element group that are indicated by the corresponding data request's first list of fields.
  • each server selection condition comprises a condition regarding a maximum number of data element groups that are selected for the data request corresponding to the server selection condition.
  • server data selection step (SDS) comprises for each data request, evaluating the server selection condition data element group-wise until a finishing condition is matched.
  • server data selection step comprises for each data request selecting data elements from the at least one data element group based on the data request and a result of evaluating the server selection condition for the respective data element group.
  • the at least one data request comprises at least one further list of fields, such as a third list of fields,
  • server data selection step comprises
  • the at least one container releasing condition is verified for each of the at least one data container separately and wherein the at least one container releasing condition comprises a minimum number of different data element groups from which data elements were selected for the respective data container.
  • server container releasing step comprises preventing releasing each of the at least one data container before the at least one container releasing condition is matched for the respective data container.
  • server packaging step comprises furthermore a server container releasing step (SCR) that comprises preventing releasing each of the at least one data container respectively before at least one container releasing condition that is specific to the respective data container is matched.
  • At least one of the at least one container releasing condition comprises a minimum number of different data element groups from which data elements were selected for the respective data container.
  • At least one of the at least one container releasing condition comprises a condition regarding a uniqueness of data elements from data element groups that were selected for the respective data container.
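The server data selection step and the server container releasing step described above amount to a threshold release: data elements are selected group-wise per data request, selected elements receive a selection flag, and a container is withheld until enough distinct data element groups have contributed. The following Python is an added example, not the patent's or the applicant's code, of one such pipeline; the concrete selection condition (all requested fields present, request condition true, fewer than half of the requested fields already flagged) and the release conditions (minimum number of distinct groups, one record per group) are assumptions, as are the constructed server data.

```python
# Added example (not part of the patent text): a minimal server data selection
# step (SDS) and server container releasing step (SCR). The concrete selection
# condition and release conditions are assumptions chosen for the example.
from dataclasses import dataclass, field
from typing import Any, Callable, Optional


@dataclass
class DataElementGroup:
    udi: str                                        # user device indicator: the common group key
    elements: dict[str, Any]                        # field name -> data element
    flags: set[str] = field(default_factory=set)    # fields that already carry a selection flag


@dataclass
class DataRequest:
    request_id: str
    condition: Callable[[dict[str, Any]], bool]     # data request condition
    fields: list[str]                               # first list of fields
    max_groups: int                                 # finishing condition for the group-wise evaluation
    min_groups: int                                 # container releasing condition


def server_selection_condition(req: DataRequest, group: DataElementGroup) -> bool:
    """Evaluate the server selection condition for one data element group."""
    if not all(f in group.elements for f in req.fields):
        return False
    if not req.condition(group.elements):
        return False
    # Re-use limit: a group whose requested elements were mostly released
    # already is not selected again, so one device is harder to link across containers.
    flagged = sum(1 for f in req.fields if f in group.flags)
    return flagged / len(req.fields) < 0.5


def server_data_selection(req: DataRequest,
                          server_data: list[DataElementGroup]) -> list[tuple[str, dict[str, Any]]]:
    """Walk the groups until the finishing condition is matched; returns (udi, record) pairs."""
    container: list[tuple[str, dict[str, Any]]] = []
    for group in server_data:
        if len(container) >= req.max_groups:        # finishing condition
            break
        if server_selection_condition(req, group):
            record = {f: group.elements[f] for f in req.fields}
            container.append((group.udi, record))
            group.flags.update(req.fields)          # add the selection flag
    return container


def release_container(req: DataRequest,
                      container: list[tuple[str, dict[str, Any]]]) -> Optional[list[dict[str, Any]]]:
    """Release the container only when its releasing conditions are matched; None otherwise."""
    distinct_groups = {udi for udi, _ in container}
    if len(distinct_groups) < req.min_groups:
        return None                                 # too few contributors: withhold
    if len(distinct_groups) != len(container):
        return None                                 # uniqueness: one record per group
    return [record for _, record in container]      # the group key never leaves the server


def build_sample_server_data() -> list[DataElementGroup]:
    """Constructed server data (not real users)."""
    return [
        DataElementGroup("d1", {"age_bucket": "40-49", "temperature": 37.2, "region": "AT-9"}),
        DataElementGroup("d2", {"age_bucket": "50-59", "temperature": 38.1, "region": "AT-9"}),
        DataElementGroup("d3", {"age_bucket": "20-29", "temperature": 36.8, "region": "AT-2"}),
        DataElementGroup("d4", {"age_bucket": "60-69", "temperature": 39.0}),
        DataElementGroup("d5", {"age_bucket": "40-49", "region": "AT-9"}),
    ]


if __name__ == "__main__":
    data = build_sample_server_data()
    req = DataRequest("A", lambda e: e.get("region") == "AT-9",
                      ["age_bucket", "temperature"], max_groups=10, min_groups=2)
    print(release_container(req, server_data_selection(req, data)))
```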
  • the method further comprises the steps of any of the preceding embodiments which are not carried out by the end user computer device.
  • a system comprising an end user computer device, wherein the end user computer device is configured for carrying out the method according to any of the method embodiments.
  • analysis step module is configured for performing the analysis step of the method according to any of the method embodiments with the features of M15.
  • the outputting step module is configured for performing the outputting step of the method according to any of the method embodiments with the features of M41.
  • the end user computer device comprises a user interface and wherein the outputting step module is configured for controlling the user interface.
  • the end user computer device comprises a downloading step module.
  • the downloading step module is configured for performing the downloading step of the method according to any of the method embodiments with the features of M32.
  • the end user computer device comprises a communication component and wherein the downloading step module is configured for data exchange by means of the communication component.
  • the end user computer device comprises a monitoring step module.
  • monitoring step module is configured for performing the monitoring step of the method according to any of the method embodiments with the features of M45.
  • the end user computer device comprises an uploading step module.
  • the uploading step module is configured for performing the uploading step of the method according to any of the method embodiments with the features of M51.
  • the end user computer device comprises the communication component and wherein the uploading step module is configured for data exchange by means of the communication component.
  • the end user computer device comprises an anonymizing step module.
  • the anonymizing step module is configured for performing the anonymizing step of the method according to any of the method embodiments with the features of M59.
  • the end user computer device comprises a data receiving module.
  • the data receiving module is configured for performing the data receiving step of the method according to any of the method embodiments with the features of M61.
  • system further comprises a server, wherein the server is configured to carry out at least a part of the method.
  • Fig. 1 schematically depicts a system configured to carry out a method according to embodiments of the present invention
  • Fig. 2 schematically depicts an interaction of a system configured to carry out a method according to embodiments of the present invention.
  • Fig. 1 schematically depicts a system comprising an end user computer device 100 configured to carry out a method according to embodiments of the present invention.
  • the end user computer device 100 may comprise a plurality of modular components, which may also be referred to as modules, and conceptually identified by reference numerals 10, 20, 30, 40, 50, 60 and 70.
  • the end user computer device 100 can comprise means of data processing, such as, processor units, hardware accelerators and/or microcontrollers.
  • the end user computer device can comprise memory components, such as, main memory (e.g. RAM), cache memory (e.g. SRAM) and/or secondary memory (e.g. HDD, SSD).
  • the end user computer device 100 can comprise busses configured to facilitate data exchange between components of the end user computer device, such as, the communication between the memory components and the processing components.
  • the end user computer device 100 can comprise network interface cards that can be configured to connect the data processing device to a network, such as, to the Internet.
  • the end user computer device 100 can comprise user interfaces, such as: output user interface, such as screens or monitors configured to display visual data and/or speakers configured to communicate audio data (e.g. playing audio data to the user), input user interface, such as a camera configured to capture visual data (e.g. capturing images and/or videos of the user), a microphone configured to capture audio data (e.g. recording audio from the user), a keyboard and/or a touchscreen.
  • the end user computer device can be a processing unit configured to carry out instructions of a program.
  • the end user computer device can be a system-on-chip comprising processing units, memory components and busses.
  • the end user computer device can be a personal computer, a laptop, a pocket computer, a smartphone or a tablet computer.
  • the end user computer device can be a processing unit or a system-on-chip that can be interfaced with a personal computer, a laptop, a pocket computer, a smartphone, a tablet computer and/or user interfaces (such as the above-mentioned user interfaces).
  • the module 10 may be configured to perform an analysis step (AS), and therefore may also be referred to as analysis step module 10.
  • AS analysis step
  • the module 20 may be configured to perform a contact establishment step (CS), and therefore may also be referred to as contact establishment step module 20.
  • CS contact establishment step
  • the module 30 may be configured to perform an outputting step (OS), and therefore may also be referred to as outputting step module 30.
  • OS outputting step
  • the module 40 may be configured to perform a downloading step (DS), and therefore may also be referred to as a downloading step module 40.
  • DS downloading step
  • the module 50 may be configured to perform a monitoring step (MS), and therefore may also be referred to as monitoring step module 50.
  • the module 60 may be configured to perform an uploading step (US), and therefore may also be referred to as uploading step module 60.
  • the module 60 may also be configured to perform an anonymizing step (AN), and therefore may further be referred to as anonymizing step module 60.
  • the uploading step module may comprise the anonymizing step module.
  • the module 70 may be configured to perform a data receiving step (DR), therefore it may also be referred to as data receiving step module 70.
  • DR data receiving step
  • the module 10 may be configured to perform, for instance, a triage comprising a risk stratification questionnaire in order to triage patients that may need to be tested for a given disease or for an agent causing the disease, e.g. SARS-CoV-2.
  • the module 10 may further be configured to assess patients' risk profile based on the questionnaire, which may, inter alia, comprise symptoms, recent travel history, job such as type of job, and social life such as social life habits and their frequency.
  • the module 20 may be configured to perform, for instance, a logistical support step. For instance, if patients require medical attention, the module 20 may be configured to, for example, connect them to a medical service provider, e.g. a medical doctor of the relevant specialty for their given risk profiles. The module 20 may establish the connection between the patient and the medical doctor, for example, through a telemedicine consultation and/or a call such as a phone call. Additionally or alternatively, the module 20 may grant the user access to a plurality of data tailored according to the risk profile of the user; for example, the module 20 may grant the user access to data comprising the closest testing facility for a medical test, e.g.
  • the module 20 may further be configured to prompt the user to place an order. Additionally or alternatively, the module 20 may also grant the user access to a coding tool such as a QR code, which may allow the module 20 to grant the user access to all test results, e.g. laboratory test results, directly on an app component as described below. It should be understood that the information may also be supplied to the user by other means such as, for example, electronic means, e.g. e-mail and/or SMS. In one embodiment, the module 30 may also be configured to perform a plurality of steps, for instance, outputting data relating to a test result.
  • the results may be input to the module 30, which may be configured to interpret the results and further to generate or output explanatory data.
  • the module 40 may be configured to process, generate and grant access to additional relevant information to the user based on the risk profile of the user, wherein the additional relevant information may comprise, for example, national safety guidelines, curated sources and recommendations such as behavioral tips and clinic visits.
  • the module 50 may be configured to monitor the user. For instance, for patients that tested positive, the module 50 may be configured to track relevant parameters of the user such as, for example, blood pressure, heart rate and temperature. In one embodiment, the relevant parameters may be monitored by means of a device connected to the mobile app 110. In one embodiment, the monitoring may be automated. Therefore, the module 50 may be configured to assist in the monitoring of patients, for example by the medical care providers, to enable early detection of, for instance, increased risks and/or to minimize potential complications. Additionally or alternatively, the module 50 may also be configured to trigger and grant access to the user to additional information data, such as an alert prompting the user to seek emergency assistance. In one embodiment, the module 50 may further be configured to supply data, such as medical emergency data, to authorities, such as an emergency authority or medical authorities.
  • the module 70 may be configured to execute analytics and broadcasting.
  • the module 70 may be configured to, for example, track the user's movement and health status, e.g. infection status, which may be particularly advantageous for reconstructing infection chains and for generating warnings to which further relevant users, such as users that have been in contact with (potentially) infected users, can be granted access; this may further help contain and/or minimize the spreading of infections, such as the spreading of a virus, e.g. SARS-CoV-2.
  • the module 70 may be configured to grant access to further authorized users, such as relevant institutions and healthcare providers to target specific groups in a fully anonymized manner.
  • Fig. 2 depicts an overall view of the interaction of the system 100 with other systems to perform a method according to embodiments of the present invention.
  • the system 100 may comprise at least one user app and therefore may also be referred to as user app system 100, user app 100 or user apps 100.
  • the system 100 may be configured to exchange information with a plurality of systems, such as for example, with a back-end system 200, a public source system 300 and a research partners system 400.
  • the user app system 100 may comprise mobile app 110 comprising a user data component 112 and an anonymous analytics component 114. In another embodiment, the user app system 100 may comprise a web app 120 comprising an anonymous analytics component 122.
  • the user app system 100 may also comprise both the mobile app 110 and the web app 120.
  • the anonymous analytics component 114 may comprise a different anonymous analytics component than the anonymous analytics component 122.
  • the anonymous analytics component 114 and anonymous analytics component 122 may comprise the same anonymous analytics component.
  • the back-end system 200 may comprise a content back-end component 210 and an analytics dashboard component 220.
  • the content back-end component 210 may comprise a medical knowledge base module 212, a local info database module 214 and a curated content module 216
  • the analytics dashboard component may comprise an anonymous analytics component 222.
  • the public sources system 300 may comprise a mapping service component 302 and a resources and statistics component 304.
  • the research partner system 400 may comprise an anonymized data component 402.
  • the mobile app 110 may be configured to establish an indirect communication with the anonymized data component 402 of the research partner system 400, wherein the mobile app 110 may supply user data for research.
  • the mobile app 110 may be further configured to perform an anonymizing step by means of the anonymous analytics component 114 before supplying the user data to the anonymized data component 402 of the research partner system 400.
  • the data transfer between the mobile app 110 and the anonymized data component 402 of the research partner system 400 may be bidirectional, i.e. the mobile app 110 may supply the anonymized data component 402 with a plurality of anonymized user data, and may also receive a plurality of processed data comprising a plurality of results, such as, for example, predictions, based on the supplied anonymized user data.
  • the anonymous analytics component 112 may be configured to process the results supplied by the anonymized data component 402 of the research partner system 400, and further may be able to identify relevant information to be displayed to a given user of the mobile app 110.
  • the mobile app 110 may be configured to receive an input from the content back-end component 210 of the back-end system 200. Such an input may, for instance, comprise a plurality of data supplied by at least one of the medical knowledge base module 212, the local info database module 214 and the curated content module 216. Subsequently, the mobile app 110 may be configured to process the data supplied by the content back-end component 210 and grant access to these data to the user data to perform an anonymization of the received data, for instance, before granting access to the user data.
  • anonymous analytics components 114 and 122 may be configured to establish a communication with the analytical dashboard component 220, wherein the anonymous analytics components 114 and 122 may supply anonymized user data.
  • the analytical dashboard component 220 may be configured to grant access to the anonymized data to a plurality of authorized users.
  • the mobile app 110 may also be configured to establish a communication with the mapping service component 302 of the public source system 300, for instance, to receive input data.
  • the resources and statistics component 304 of the public source system 300 may supply information to the curated content module 216 of the content back-end component 210 of the back-end system 200, wherein the curated content module 216 may be configured to process the information to generate a curated content dataset.
  • the communication established between the mapping service component 302 and the mobile app 110, the mobile app 110 and analytics dashboard component 220, the content back-end component 210 and the mobile app 110, and the web app 120 and the analytics dashboard component 302 may comprise a restricted application programming interface (API).
  • API restricted application programming interface
  • the communication established between the resources and statistics component 304 and the curated content module 216, and between the mobile app 110 and the anonymized data component 402, may comprise an indirect communication. While in the above, a preferred embodiment has been described with reference to the accompanying drawings, the skilled person will understand that this embodiment was provided for illustrative purposes only and should by no means be construed to limit the scope of the present invention, which is defined by the claims.
  • step (X) preceding step (Z) encompasses the situation that step (X) is performed directly before step (Z), but also the situation that (X) is performed before one or more steps (Y1), ..., followed by step (Z).


Abstract

Disclosed is a method, comprising operating an end user computer device, performing a storing step (SS). The storing step comprises storing user input data, at least one of a user location set and a third party set, analysis model data, and display data on a data storage component of the end user computer device. The method further comprises performing an analysis step (AS), wherein the analysis step comprises a generation of an estimation of a probability of a medical condition of the user, wherein the generation of the estimation is performed based on the analysis model data, and wherein the generation of the estimation comprises processing the user location set. The method further comprises performing a contact establishment step (CS), which comprises establishing a connection, and wherein the contact establishment step is performed based on the generated estimation. Furthermore, a system comprising an end user computer device is disclosed. The end user computer device is configured for carrying out the disclosed method. The end user computer device furthermore comprises a data storage component, a communication component and an analysis step module, wherein the analysis step module is configured for performing the analysis step.

Description

Method and system for data generating and transmitting data
The present invention relates to methods for operating end user computer devices, generating, transmitting and storing data, particularly medical data.
In a first embodiment, a method comprising operating an end user computer device is disclosed. The end user computer device can be a device to be used by one user at a time, and it can comprise a data-processing system. The end user computer device can for example be a laptop computer, a desktop computer, a mobile phone or a smart watch.
The method can comprise performing a storing step (SS). The end user computer device can perform the storing step. The end user computer device can comprise a storage component, which storage component can perform the storing step.
The storing step can comprise storing user input data. User input data can be data that a user has input, such as a language preference, a known medical condition, at least one or a plurality of answers to a questionnaire and/or a location.
The storing step can comprise storing a user location set. The user location set can comprise at least one or a plurality of location(s) of the user, that is, location(s) where the user is or has been.
The location set can be generated by user input.
The location set can also be generated by the end user computer device, for example based on a satellite localisation component of the end user computer device, such as a GPS component, by identities of WLAN devices whose signals the end user computer device receives, by cell tower data, or by other sensing or estimating components of the end user computer device. The end user computer device can also receive said location data from an external device.
The storing step can comprise storing sensed physiological data. The sensed physiological data can be sensed physiological data of the user. The sensed physiological data are intended to refer to data such as a body temperature of the user, a heart rate of the user and/or a blood pressure of the user.
The storing step can comprise storing medical user data. The medical user data can be data such as lab reports, information regarding medical conditions, reports by MDs and other medical or clinical data. The medical data can comprise the sensed physiological data.
The medical data can comprise a corresponding portion of the user input data.
The storing step can comprise storing medical environment data. The medical environment data can refer for example to a spread of disease in an environment of a user, and/or risks for a user in his/her environment, such as risks due to pollution or a risk of being infected with a disease present in an environment.
The storing step can comprise storing a third party set. The third party set can comprise an indication of at least one third party. The at least one third party can be a trusted third party, particularly a trusted third party for health issues. The third party or parties can hence for example be at least one disease control center, a university or a health care provider, such as a health care provider providing services to the user.
The indication can for example be a public key of such a third party, which can be suitable for cryptographically signing data. In less complex cases the indicator can for example also be a uniform resource locator referring to a website or access platform of at least one of the at least one trusted third party, an internet protocol address relating to a data-processing system of at least one of the at least one trusted third party, or the like.
The storing step can comprise storing analysis model data. The analysis model data can for example be confirmed, signed or provided by the trusted third party.
The analysis model data can be data that indicate to a data-processing system the steps of an analysis of data. For example, the analysis model data can comprise at least one of rules, data relating to a decision tree and neural network model data for an analysis of data.
The analysis model can be particularly referring to an analysis of medical data or a medical condition of users.
The storing step can comprise storing sample data. The sample data can be data referring to a sample taken from the user, such as a medical sample. The sample data can comprise an identification of a sample, such as a tracking code. The sample data can comprise an indication of whether a sample was generated, processed or transported.
The storing step can comprise storing display data. The display data can be data that can be outputted. The display data can be data that the end user computer device can output to the user. The display data can be data for visual output, but they can for example also comprise data for acoustic output.
The storing step can comprise storing the data on the data storage component of the end user computer device. The data storage component can comprise persistent memory, such as flash memory or a hard disk.
The storing step can comprise storing the user input data in an encrypted form. The storing step can comprise storing the user location set in an encrypted form. The storing step can comprise storing the medical user data in an encrypted form. The storing step can also comprise storing the sample data in an encrypted form. The storing step can also comprise storing a portion of at least or all of these data in an encrypted form.
An optional advantage can be that the respective data or the portions thereof are protected against unauthorized access, or that at least such unauthorized access is rendered more difficult. This protection holds only as far as the encryption key is itself protected, for example by holding it in a key store of the end user computer device that releases it only after the user has authenticated, rather than storing it alongside the encrypted data.
The analysis model data can be specific to at least one of a geographical area and the indication of the trusted third party(s). The analysis model data stored can hence correspond to the location data of the user and/or the indication of the at least one trusted third party.
The analysis model data can depend on the geographical area, considering that certain behaviours, exposures, or illnesses vary locally, or that they are managed differently by different third parties, such as different disease control entities.
The method can comprise performing an analysis step (AS).
The analysis step can comprise receiving an analysis-portion of the user input data from a user. The analysis-portion can comprise indications of the user as regards activities, behaviours, medical conditions or the like.
The analysis step can comprise receiving at least the analysis-portion from the user by means of a user interface. The end user computer device can comprise the user interface.
The analysis step can comprise outputting a portion of the display data to the user.
This portion of the display data can prompt the user to input the analysis-portion of the user data. It can for example comprise data instructing the user interface to enable input of the analysis portion of the user input data.
The analysis step can comprise a generation of an estimation of a probability of a medical condition of the user. Such a medical condition can for example be a disease, an infection, an underlying condition or another health problem.
The generation of the estimation can be performed based on the analysis model data. In other words, the end user computer device can process the analysis model data so as to generate said estimation. Processing the analysis model data can for example be executing an application according to the analysis model data, or processing the analysis model data by an application which generates an estimation based on model(s) described by the analysis model data.
The generation of the estimation can comprise processing the analysis-portion of the user input data. For example, the generation of the estimation can comprise providing the analysis-portion as input data to a model or an application according to the analysis model data.
The generation of the estimation can comprise processing the user location set.
The generation of the estimation can comprise processing the medical environment data.
These two features can be optionally advantageous if health effects depend on a location of the user, such as environmental influences or a locally varying risk of an infection with a disease.
The generation of the estimation can comprise processing the medical user data. For example, symptoms corresponding to a medical condition or conditions that raise a probability of another disease can be used for the generation of the estimation.
An optional advantage can be that, with these data, the estimation can be more accurate for the user, and interdependencies can be modelled.
The method can comprise performing a contact establishment step (CS).
The contact establishment step can be performed based on the generated estimation.
Merely for example, based on the generated estimation, a contact can be established at all, or based on the generated estimation, a partner or other party, to which the contact is established, can be selected.
Performing the contact establishment step based on the generated estimation can be optionally advantageous, as it can allow for establishing contact to a suitable contact partner according to an estimated state of the user, or for not establishing a contact if the user seems not to need such a contact. For example, if the user needs medical attention with a certain probability, contact can be established, and if the user does not (currently) need medical attention with a certain probability, no contact is established.
The contact establishment step (CS) can comprise establishing a connection, such as a voice communication connection or a data connection. A data connection can be a connection for data transfer, for example for transmission of text messages, image data, sound or the like. A voice communication connection can for example be a connection via a phone network. However, a data connection can comprise a voice connection.
The contact establishment step (CS) can comprise triggering a step of taking a medical sample from the user. Such a sample can for example be a sample of a body fluid of the user, a sample of a tissue of the user, or a sample of a substance expelled by the user. Triggering such a step can for example be sending instruction data to take such a sample, or sending instruction data to provide material for taking said sample. The contact establishment step (CS) can further comprise receiving a portion of the sample data. The portion of the sample data can comprise an identification of the sample.
Receiving the portion of the sample data can be performed for example by accepting an input of an identification number of a sample container or of the sample. Receiving the portion of the sample data can also be performed by reading, such as scanning or receiving via radio waves, an identification of the sample or its container, e.g. by scanning a bar code or a QR code of the container, or by receiving an identification from an NFC/RFID-chip which the container can comprise.
The contact establishment step can comprise determining the other party(s), that can be the above-mentioned contact partner, of the connection based on the indication of the at least one trusted third party(s). For example, the indication of the at least one trusted third party can comprise an indication of a contact partner or a set of at least one or a plurality of contact partners.
The contact establishment step can also comprise determining the other party(s) of the connection based on the user location set, particularly a current location of the user. For example, a closest contact partner can be selected, the contact partner can be chosen from a list of close contact partners, or the contact partner can be chosen from contact partner(s) corresponding to a region in which the end user computer device or the user is located.
The other party(s) of the connection can furthermore be determined based on the generated estimation. As discussed above, for example, based on an estimation of a medical condition, a suitable contact partner can be chosen.
For example, if the user seems to suffer from a severe medical condition requiring attention by an emergency response team, connection to a corresponding contact party, e.g. a rescue coordination center, can be established. Continuing the example, if the estimated probability of the user being infected with a contagious illness requiring quarantine surpasses a threshold, a connection to the respective health care provider or health authority can be established.
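The decision procedure described in the preceding paragraphs, as an added example that is not part of the patent: it combines the generated estimation (which contact, if any), the third party set (which partners exist) and the current element of the user location set (which partner is closest, preferring the user's region). The partner names, coordinates, the shape of the estimation dictionary and the three numeric thresholds are assumptions made for the example; the text only speaks of "a threshold". Estimation values are checked to lie in [0, 1] before they drive a safety-relevant decision.

```python
import math
from typing import Optional, Tuple

# Constructed third party set: indications of trusted contact partners with a
# kind, a region and coordinates. Names and positions are made up for the example.
THIRD_PARTY_SET = [
    {"name": "Rescue Coordination Center", "kind": "emergency",        "region": "AT", "lat": 48.21, "lon": 16.37},
    {"name": "Regional Health Authority",  "kind": "health_authority", "region": "AT", "lat": 48.30, "lon": 14.29},
    {"name": "Clinic North",               "kind": "provider",         "region": "AT", "lat": 48.25, "lon": 16.40},
    {"name": "Clinic South",               "kind": "provider",         "region": "AT", "lat": 47.07, "lon": 15.44},
    {"name": "Clinic Abroad",              "kind": "provider",         "region": "DE", "lat": 48.14, "lon": 11.58},
]

# Assumed thresholds; the text only speaks of 'a threshold'.
EMERGENCY_THRESHOLD = 0.8
QUARANTINE_THRESHOLD = 0.5
ATTENTION_THRESHOLD = 0.3


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two WGS84 points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def nearest_partner(kind: str, location: dict, third_parties=THIRD_PARTY_SET) -> Optional[dict]:
    """Pick the closest partner of the given kind, preferring the user's region
    and falling back to the closest partner anywhere."""
    candidates = [p for p in third_parties if p["kind"] == kind]
    if not candidates:
        return None
    in_region = [p for p in candidates if p["region"] == location["region"]]
    pool = in_region or candidates
    return min(pool, key=lambda p: haversine_km(location["lat"], location["lon"], p["lat"], p["lon"]))


def select_contact(estimation: dict, location: dict,
                   third_parties=THIRD_PARTY_SET) -> Tuple[Optional[str], Optional[dict]]:
    """Contact establishment step (CS): decide whether to contact anyone and whom.

    estimation: probabilities from the analysis step, e.g.
        {"severe": 0.1, "contagious": 0.6, "needs_attention": 0.7}
    location:   the current element of the user location set.
    Returns (connection kind, partner) or (None, None) when no contact is needed.
    The most serious outcome is checked first so that a high 'severe' score is
    never masked by a lower-priority branch.
    """
    for value in estimation.values():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"estimation value out of range: {value}")
    if estimation.get("severe", 0.0) >= EMERGENCY_THRESHOLD:
        return "voice", nearest_partner("emergency", location, third_parties)
    if estimation.get("contagious", 0.0) >= QUARANTINE_THRESHOLD:
        return "data", nearest_partner("health_authority", location, third_parties)
    if estimation.get("needs_attention", 0.0) >= ATTENTION_THRESHOLD:
        return "data", nearest_partner("provider", location, third_parties)
    return None, None
```

The branches are ordered from most to least serious on purpose: a user whose estimation exceeds both the emergency and the quarantine threshold is routed to the emergency partner, not to the health authority.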
Determining the other party(s) of the connection based on the generated estimation may be optionally advantageous, as it may decrease a load of a transmission network, since fewer connections to less suitable other party(s) are established. Furthermore, it may decrease the time until the user is connected to the most suitable other party.
The method may comprise performing a downloading step (DS).
The downloading step can comprise receiving an updated portion of the display data.
The downloading step can comprise receiving an updated portion of the medical environment data.
Receiving updated data in the downloading step can comprise the end user computer device requesting data from another data-processing system, such as a server ("pull").
Receiving updated data in the downloading step can also comprise the end user computer device receiving data from the other data-processing system initiated by the other data-processing system ("push").
The downloading step can comprise receiving the updated portion of the display data and/or the updated version of the medical environment data from a third party server. The third party server can be indicated by the indication of the at least one trusted third party.
The updated portion of the display data and/or the medical environment data can be cryptographically signed by the trusted third party. This is intended to also refer to other cryptographic methods for preserving an integrity or guaranteeing an authenticity of a message, for example providing a hash of the updated data portion, based on which the end user computer device determines an authenticity of the provided data. A bare hash, however, only detects accidental corruption: whoever can alter the data portion can alter the accompanying hash as well, so the hash protects against manipulation only if the hash value itself reaches the end user computer device in an authenticated way, for example signed by the trusted third party or obtained over an authenticated connection to it.
This can be optionally advantageous, as it can reduce a risk of unauthorized manipulation of the data.
The downloading step can comprise receiving the updated portion of the data in a compressed data format and decompressing the updated portion after receiving it. This can be optionally advantageous, as it may require less transmission resources. The authenticity check is best applied to the received compressed data before decompression, so that unauthenticated data are never decompressed, and the decompression can be bounded in output size.
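The verification of a downloaded update as discussed in the preceding paragraphs, written out as an added example that is not part of the patent. It shows the order a practitioner wants: authenticate the compressed bytes first, then decompress under a size bound, then decode. Because the Python standard library has no public-key signatures, the example uses HMAC-SHA256 with a shared key as a stand-in for the trusted third party's signature; a deployment would instead verify an Ed25519 or ECDSA signature with the public key stored in the third party set. The key, the 1 MiB bound and the payload format are assumptions of the example. A second function shows why a bare hash, as also mentioned in the text, does not stop manipulation.

```python
import hashlib
import hmac
import json
import zlib
from typing import Optional

# Assumption: a key shared between the trusted third party and the device stands in
# for the third party's signing key. HMAC-SHA256 is used only because the standard
# library has no public-key signatures; a deployment would verify an Ed25519 or
# ECDSA signature with the public key stored in the third party set instead.
THIRD_PARTY_KEY = b"constructed-demo-key-not-a-real-secret"

MAX_DECOMPRESSED = 1 << 20   # reject updates that inflate beyond 1 MiB (assumed bound)


def publish_update(payload: dict, key: bytes = THIRD_PARTY_KEY) -> dict:
    """Third-party side: serialise, compress and authenticate an update.

    The tag covers the compressed bytes, so the device can check it before
    it decompresses anything.
    """
    raw = json.dumps(payload, sort_keys=True).encode()
    blob = zlib.compress(raw)
    tag = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return {"blob": blob, "tag": tag}


def verify_and_unpack(update: dict, key: bytes = THIRD_PARTY_KEY) -> Optional[dict]:
    """Device side: authenticate first, then decompress under a size bound.

    Returns the decoded update, or None if it is rejected for any reason.
    """
    blob, tag = update["blob"], update["tag"]
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):      # constant-time comparison
        return None
    # Bounded decompression: the limit caps memory use even if the producer
    # (or its key) is compromised and sends a deliberately inflating blob.
    d = zlib.decompressobj()
    raw = d.decompress(blob, MAX_DECOMPRESSED)
    if d.unconsumed_tail or not d.eof:
        return None
    return json.loads(raw)


def plain_hash_check(blob: bytes, published_hash: str) -> bool:
    """The weaker variant the text also mentions: compare against a bare hash.

    This detects corruption but not manipulation, because whoever can alter
    the blob can alter the published hash alongside it. It only adds security
    if published_hash itself reaches the device over an authenticated path.
    """
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), published_hash)


def tamper(update: dict) -> dict:
    """Simulate an on-path attacker: flip one byte of the blob and publish a
    bare hash that matches the altered blob. The MAC tag is left unchanged
    because the attacker does not hold the key."""
    blob = update["blob"]
    altered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    return {"blob": altered, "tag": update["tag"],
            "hash": hashlib.sha256(altered).hexdigest()}
```

The size bound matters even for authentic data: a trusted third party whose key has been stolen can still send a small blob that inflates to gigabytes, and `decompressobj` with a `max_length` stops that at the limit instead of exhausting the device's memory.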
The downloading step can comprise sending request data. The request data can be sent by the end user computer device. The request data can comprise at least one of a portion of the user input data and a portion of the medical user data.
For example, the portion of the user input data that the request data can comprise can be language settings of the user, or an indication of a hearing impairment or a visual impairment of the user.
The portion of the medical user data can for example refer to a pre-existing condition of the user.
This can be optionally advantageous, as upon receiving said request data, data corresponding to the preference and/or condition of the user can be sent. Thus, optionally, different user groups can be provided with different data according to their circumstances. Furthermore, optionally, a load on a transmission network can be reduced, since it may not be necessary to transmit all versions of data to all users. Since the request data leave the end user computer device, the portion of the medical user data included should be limited to what is needed to select the data to be sent, and the request should be transmitted over an authenticated and encrypted connection.
The downloading step can comprise receiving at least a portion of the medical user data from a database server.
The downloading step can comprise sending a portion of the sample data or a data element generated therefrom to the database server. Such a data element can for example be an identification of the sample, as discussed above, or a hash of said identification. Since a sample identification such as a tracking code typically has little entropy, a plain hash of it can be inverted by hashing all plausible codes; if the database server is not meant to learn the identification, a keyed hash or a random token assigned to the sample is needed instead.
The downloading step can comprise sending the portion of the sample data or the data element generated thereof to the database server and receiving the portion of the medical user data from the database server after sending said portion.
The method can comprise performing an outputting step (OS). The end user computer device can perform the outputting step.
The outputting step (OS) can comprise outputting a portion of the output data.
The outputting step (OS) can comprise outputting the updated portion of the display data.
The method can comprise outputting the received portion of the medical user data. The outputting step can comprise outputting the received portion of the medical user data.
The end user computer device can output these data by the user interface.
The method can comprise performing a monitoring step (MS).
The monitoring step can comprise analysing changes in at least one of the medical user data and the sensed physiological data.
The monitoring step can comprise analysing changes in the analysis-portion of the user input data.
Analysing the changes in at least one of the medical user data and the sensed physiological data can be based on the analysis model data.
The monitoring step can comprise generating the estimation of the probability of a medical condition of the user.
In other words: The monitoring step can comprise monitoring a condition of the user, or a development of a condition of a user. For example, when a user is infected with an illness, the monitoring step can comprise monitoring a development of a condition of the user. The contact establishment step can be performed based on the generated estimation of at least one of the monitoring step and the analysis step. Respective advantages and options as discussed in the context of the analysis step can apply.
The method can comprise performing an uploading step (US).
The uploading step (US) can comprise uploading data to an intermediary server system.
The intermediary server system can comprise a single computer, a server, a server network, a cloud system or another data-processing system that can perform the functionality of a server.
The intermediary server system can also comprise the server from which data can be downloaded in the download step.
The server, the intermediary server and/or the intermediary server system can comprise a single server, a server system composed of multiple servers, and/or a program emulating the functionality of a server, running on a cloud computing platform or any system configured to implement the functionality of a server.
The server and/or the server system can comprise means of data processing, such as processor units, hardware accelerators and/or microcontrollers. The server can comprise memory components, such as main memory (e.g. RAM), cache memory (e.g. SRAM) and/or secondary memory (e.g. HDD, SSD). The server and/or the server system can comprise busses configured to facilitate data exchange between components of the server, such as the communication between the memory components and the processing components of the server (system). The server and/or the server system can comprise network interface cards that can be configured to connect the server to a network, such as to the Internet. The server and/or the server system can comprise user interfaces, such as:
• output user interface, such as screens or monitors configured to display visual data and/or speakers configured to communicate audio data,
• input user interface, such as a camera, a microphone configured to capture audio data, a keyboard, a trackpad, mouse, touchscreen and/or joystick.
The server can also be configured to be controlled from another computer system, such as via a remote-desktop connection, via a secure shell (SSH) connection or the like.
To put it simply, the server and/or the server system can be a processing unit configured to carry out instructions of a program. The server and/or the server system can be a system-on-chip comprising processing units, memory components and busses. The server and/or the server system can be a processing unit or a system-on-chip that can be interfaced with a personal computer, a laptop, a pocket computer, a smartphone, a tablet computer and/or user interfaces (such as the above-mentioned user interfaces).
The uploading step (US) can comprise uploading data relating to at least one of a usage of the end user computer device and technical details of the end user computer device.
Technical details of the end user computer device can for example be a type of the end user computer device, a software version running on the end user computer device, and the like.
The method can comprise receiving instruction data from the intermediary server. The end user computer device can receive the instruction data from the intermediary server.
The instruction data can comprise an uploading criterion and an indication of data types.
The uploading criterion can relate to at least one of the user location set, the user input data and the medical user data on the end user computer device.
The uploading step can comprise verifying whether the uploading criterion is matched by the data stored on the end user computer device.
The uploading step can further comprise uploading at least one or a plurality of upload data element(s) from at least one of the user location set, the user input data and the medical user data to the intermediary server if the uploading criterion is matched.
The uploading criterion is "matched" when, applied to the respective data on the end user computer device, it evaluates to a pre-defined value, such as "true" or 1.1, or to a value in a pre-defined range of values, such as "number > 1.0". Since the criterion is received from the intermediary server, the end user computer device should evaluate it as data with a fixed, limited set of comparison operations rather than execute it as code.
The criterion can have a default value, such as a default value that corresponds to a not-matched value. An optional advantage can be that, if, for any reason, the uploading criterion was not evaluated, the probability of accidentally transmitting sensitive data can be reduced and a fail safety can hence be increased.
The method can comprise not uploading the upload data element(s) if the uploading criterion is not matched.
The method can comprise not uploading an identity of the user to the intermediary server.
The method can comprise performing an anonymizing step (AN).
The anonymizing step (AN) can be performed by the end user computer device. The anonymizing step (AN) can comprise removing identifying data from the upload data element(s). The anonymizing step (AN) can also comprise inhibiting uploading data element(s) that comprise an identity of the user.
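The uploading step (US) and anonymizing step (AN) described in the preceding paragraphs, as an added example that is not part of the patent. The instruction data carry an uploading criterion and a list of data types; the criterion is evaluated as data against the local store with a fixed set of operators (never passed to `eval()`), any evaluation failure or missing criterion falls back to "not matched", and identifying fields are stripped from whatever is uploaded. The local data, the field names, the set of identifying fields and the criterion format (`field`/`op`/`value` leaves combined with `all`/`any`) are assumptions of the example.

```python
from typing import Any, Optional

# Constructed local data of an end user computer device (not real data).
DEVICE_DATA = {
    "user_input": {
        "name": "A. Person",
        "email": "a.person@example.org",
        "age_band": "40-49",
        "symptoms": ["fever", "cough"],
    },
    "user_location_set": [{"region": "AT-9", "ts": "2020-03-20T09:00:00Z"}],
    "medical_user_data": {
        "patient_id": "P-0001",
        "conditions": ["asthma"],
        "test_result": "positive",
    },
}

# Fields treated as identifying the user; stripped in the anonymizing step (AN).
IDENTIFYING_FIELDS = {"name", "email", "patient_id"}

# The only comparisons a criterion may use. Anything else is rejected.
OPERATORS = {
    "eq": lambda a, b: a == b,
    "in": lambda a, b: a in b,
    "contains": lambda a, b: b in a,
    "gt": lambda a, b: a > b,
}


def _lookup(data: dict, path: str) -> Any:
    """Resolve a dotted field path; KeyError if any part is missing."""
    cur = data
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            raise KeyError(path)
        cur = cur[part]
    return cur


def evaluate(criterion: dict, data: dict) -> bool:
    """Evaluate a server-supplied uploading criterion against local data.

    The criterion is data (nested dicts), never code: the device does not
    eval() anything the intermediary server sent. Unknown operators, missing
    fields and type mismatches raise, and is_matched() maps that to
    'not matched'.
    """
    if "all" in criterion:
        conds = criterion["all"]
        return bool(conds) and all(evaluate(c, data) for c in conds)
    if "any" in criterion:
        return any(evaluate(c, data) for c in criterion["any"])
    op = OPERATORS[criterion["op"]]                  # KeyError for unknown operator
    return bool(op(_lookup(data, criterion["field"]), criterion["value"]))


def is_matched(criterion: Optional[dict], data: dict) -> bool:
    """Fail-safe wrapper: the default, and any evaluation error, is 'not matched'."""
    if not isinstance(criterion, dict):
        return False
    try:
        return evaluate(criterion, data) is True
    except (KeyError, TypeError, ValueError, RecursionError):
        return False


def anonymize(element: Any) -> Any:
    """Anonymizing step (AN): drop identifying fields at any nesting depth."""
    if isinstance(element, dict):
        return {k: anonymize(v) for k, v in element.items() if k not in IDENTIFYING_FIELDS}
    if isinstance(element, list):
        return [anonymize(v) for v in element]
    return element


def select_upload(instruction: dict, data: dict = DEVICE_DATA) -> Optional[dict]:
    """Uploading step (US): return the anonymised upload data elements for the
    requested data types, or None when the criterion is not matched."""
    if not is_matched(instruction.get("criterion"), data):
        return None
    requested = instruction.get("data_types", [])
    return {t: anonymize(data[t]) for t in requested if t in data}
```

Every failure path (operator not in the allow-list, field absent, comparison between incompatible types, criterion missing, empty `all` list) ends in `None`, i.e. nothing leaves the device, which is the fail-safe default the text asks for.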
The method can comprise a data receiving step (DR).
The data receiving step (DR) can comprise receiving at least a portion of the medical user data from a measurement data processing system. The measurement data processing system can for example be a data processing system used in a laboratory facility for processing generated and/or measured data. The measurement data processing system can for example comprise a laboratory information system.
The measurement data processing system can receive measurement data from a set of measurement equipment. Such a set of measurement equipment can comprise equipment for bio-medical and/or clinical analyses, as well-known in the art. The receiving can for example be via a data connection to said equipment. The receiving can also comprise transmission of the measurement data to the measurement data processing system by an agent.
The portion of the medical user data that are received from the measurement data processing system relate to a sample to which the sample data correspond.
The data receiving step (DR) can comprise receiving the sensed physiological data or a portion thereof from at least one of
(a) a sensing device that is connected to the end user computer device, and
(b) a sensing component, which sensing component the end user computer device comprises.
The method can comprise operating the end user computer device according to an expert system method. Embodiments of said method will be discussed in the following.
The method can comprise operating the end user computer device according to a selective broadcasting method. Embodiments of said method will also be discussed in the following. The method can also comprise performing one or more steps of the selective broadcasting method, or performing the selective broadcasting method.
The method can particularly comprise performing at least a part of the steps of the selective broadcasting method, which part of the steps is disclosed to be performed by the end user computer device and/or requires at least one of an action of and an interaction with the end user computer device. In other words, parts of the selective broadcasting method may be performed by the end user computer device.
The end user computer device can comprise a comparator node. The method can comprise operating the end user computer device according to a selective data transmission method. Embodiments of said method will be discussed later on. The method can also comprise performing one or more steps of the selective data transmission method, or performing the selective data transmission method.
The user device(s) used in the selective data transmission method can be (the) end user computer device(s).
The method can comprise operating the end user computer device according to a distributed data transmission method. Embodiments of said method will be discussed still later on. The method can also comprise performing one or more steps of the distributed data transmission method, or performing the distributed data transmission method.
The user device(s) used in the distributed data transmission method can be end user computer devices.
In the following, the expert system method will be discussed. Above definitions can apply, they can however also differ. The same applies to definitions in the context of the expert system method.
An expert system method for processing data on the end user computer device is disclosed. The method can be a method for processing data on an end user computer device, and the method can perform a functionality of an expert system, such as a medical expert system. The method can comprise processing user data by an application that can be executed by the end user computer device. The end user computer device can be a medical computer device satisfying the aforementioned condition.
The method can comprise processing the data by means of the end user computer device.
The method can comprise a user data storing step that can comprise storing at least a part of the user data on the end user computer device. Particularly, the method can comprise storing the user data on the data storage component. In other words, the data storing step can comprise storing the data to be stored on the end user computer device, particularly on the data storage component.
The data storing step can comprise storing medical data. That is, the data storing step can comprise storing data regarding a user's health condition, his/her DNA, information about diseases, diseases in the family, a nutrition of the user or the like. Particularly, the method can comprise storing the medical data on the data storage component. The user data storing step can comprise a technical user data storing step that comprises storing technical user data in a machine-interpretable form. A machine-interpretable form can be a form that renders data processable by a computer, such as by a formatting convention of data in files, by defining standard units or by applying standards regarding a naming of one, a plurality or all fields that the computer is supposed to interpret.
In some embodiments, the technical user data can comprise medical user data.
In some embodiments, the technical user data storing step can comprise storing technical user data that are encoded with at least a homogenous naming for fields. That is, there can be a common naming of values that correspond to the same variable, such as a blood pressure. Such a naming is for example the LOINC standard. The naming can nevertheless also follow any other standard, as long as it is consistently applied.
In some embodiments, the technical user data storing step can comprise for each field encoding values with a same dimension unit, such as a weight in kg.
The technical user data storing step can comprise furthermore storing at least partially automatically generated medical data. These at least partially automatically generated medical data can comprise at least one medical image, such as an image obtained by X-ray radiography, ultrasound imaging, magnetic resonance imaging and/or a computed tomography scan. The image can comprise a visual representation of at least a part of a user's body.
The medical data can also comprise at least one result of a laboratory analysis of material originating from or expelled by the human body. Such material can comprise tissue samples and/or body fluids, such as blood or urine. The laboratory analysis can comprise analysis data from a medical and/or a clinical laboratory.
The medical data can also comprise data from a sensing device that senses biometrical or medical data of the user.
The medical data that are at least partially automatically generated can also be fully automatically generated. These data can also be at least partially automatically transmitted to the user device.
In some embodiments, processing user data by the application can comprise processing the technical user data. Note that, as discussed above, the application can be executed by the end user computer device. That is, the method can comprise processing the technical user data by the application. The method does not need to comprise processing other parts of the user data in such embodiments. In some embodiments, processing the technical user data can comprise an information deriving step that can comprise deriving information from the technical user data by the application. The information deriving step can thus comprise generating derived information. The end user computer device can perform the information deriving step.
The information deriving step can comprise deriving medical information from the technical user data by the application.
In some embodiments, the application can comprise a machine learning model. In such embodiments, the information deriving step can comprise deriving the information based on the machine learning model. This disclosure considers machine learning models to comprise neural networks. The machine learning model can be a supervised machine learning model, and it can be a classifier. The machine learning model can for example be a decision tree, a random forest model or a k-NN model. The machine learning model can optionally advantageously be configured to accept the medical data in the machine-interpretable form and to output a diagnosis or another reference to corresponding output data. An optional advantage of such models can be that their training may be less cumbersome than generating a program based on medical rules or medical knowledge that are translated into computer code.
In some embodiments, the application can comprise an expert system and the information deriving step can comprise deriving the information based on the expert system. The expert system can comprise a model built for medical questions or medical problems.
The expert system can be a medical expert system. That is, the expert system can be configured to solve medical questions. The expert system can comprise medical knowledge.
In some embodiments, the medical expert system can comprise at least a part of a rule-based inference engine. The medical expert system can also comprise the rule-based inference engine. That is, the medical expert system can also be implemented by a rule-based inference engine with appropriate data, as will be detailed later on. An optional advantage of implementing the medical expert system using a rule-based inference engine is that the inference engine's operation is a deterministic algorithm and that furthermore, for every result, at least one rule indicates the reason for the result. In a context of analysis of medical data, this can be an optional advantage over algorithms where it is harder to deduce the causal relation between input and output. The (medical) expert system can be a part of the application. The expert system can be implemented in software. The expert system can be executed by the end user computer device.
In some embodiments, the application or a part thereof can derive information from the technical user data using their machine-interpretable form or at least one property of this machine-interpretable form. The part of the application can for example be the machine learning model or the rule-based inference engine. Using said machine-interpretable form comprises using at least one property of the machine-interpretable form, such as one of the detailed properties described above. An optional advantage of using the machine-interpretable form can be that the application of rules by the rule-based inference engine yields correct results with a higher probability, as a risk of wrong interpretation of input data due to their form is lowered. For the case of a machine-learning model, even though there might be models configured to interpret input in a form that is not machine-interpretable, an at least implicit conversion of input data into a form that is machine-interpretable or that an algorithm can process may introduce errors.
In some embodiments, the application can be specified by application data. As an example, the application data can specify to a processor or to a computer device which steps to perform when running the application.
The method can comprise storing the application data, particularly by means of the data storage component of the end user computer device.
The application data can comprise display data. The display data can comprise data that are configured to be outputted to a user. They can for example comprise media data, such as sound data, text data, video data or image data. They can also comprise other data that is configured to be outputted to a user, such as data that is displayed by activating luminous elements corresponding to certain states of operation or to certain results.
In some embodiments, the application data can comprise knowledge base data. The knowledge base data can comprise at least a part of data that are configured to specify a relation between input data and output data of the application. The knowledge base data can comprise, for example, rules in case of a rule-based inference engine, or a trained model in case that the application comprises the machine learning model. In case that the application comprises the machine learning model, the knowledge base data can also be a derivative of the machine learning model after training, such as a decision boundary instead of a k-nearest-neighbours model for classification purposes with k = 1.
In some embodiments, the application data can comprise inference engine data. The inference engine data can comprise at least a part of data that specify an evaluation of the input data using the knowledge base data. Such data that specify the evaluation can for example be data that specify the evaluation of rules from the knowledge base data.
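A minimal rule-based inference engine of the kind the preceding paragraphs describe, as an added example that is not part of the patent: the knowledge base data are rules over fields with one fixed naming and one unit per field (the machine-interpretable form discussed above), the inference engine data are the small set of comparison operations, the engine is deterministic forward chaining, and every derived result carries the name of the rule that produced it, so a conclusion can be traced back to its reasons. The field codes are constructed LOINC-style labels used as an assumption rather than looked up from the real table; the rules, thresholds and unit conversions are likewise assumptions for the example, not medical advice.

```python
from dataclasses import dataclass

# Knowledge base data. Field names follow one fixed vocabulary (the codes below
# are constructed LOINC-style labels used as an assumption, not looked up from
# the real table) and one unit per field: body temperature in degC, heart rate
# in /min.
@dataclass(frozen=True)
class Rule:
    name: str
    conditions: tuple    # (field, operator, value) triples; all must hold
    conclusion: str      # fact asserted as True when the rule fires

KNOWLEDGE_BASE = (
    Rule("r_fever",    (("8310-5", ">=", 38.0),),                               "fever"),
    Rule("r_tachy",    (("8867-4", ">", 100),),                                 "tachycardia"),
    Rule("r_flu_like", (("fever", "is", True), ("cough", "is", True)),          "flu_like"),
    Rule("r_escalate", (("flu_like", "is", True), ("tachycardia", "is", True)), "needs_attention"),
)

# Inference engine data: how a condition is evaluated against a fact.
OPS = {
    ">=": lambda a, b: a >= b,
    ">":  lambda a, b: a > b,
    "==": lambda a, b: a == b,
    "is": lambda a, b: a is b,
}


def normalise(record: dict) -> dict:
    """Bring raw input into the machine-interpretable form the rules expect:
    one unit per field. Values with an unknown unit are rejected rather than
    guessed, since a silently misread unit would make a rule fire wrongly."""
    out = {}
    for key, val in record.items():
        if isinstance(val, dict) and "unit" in val:
            if val["unit"] == "degF":
                out[key] = round((val["value"] - 32) * 5 / 9, 1)
            elif val["unit"] in ("degC", "/min"):
                out[key] = val["value"]
            else:
                raise ValueError(f"unknown unit {val['unit']!r} for field {key}")
        else:
            out[key] = val
    return out


def infer(facts: dict, rules=KNOWLEDGE_BASE):
    """Forward-chaining inference engine. Deterministic: rules are tried in
    knowledge-base order until a pass adds no new fact. Returns the facts and,
    for each derived fact, the name of the rule that produced it."""
    facts = dict(facts)
    reasons = {}
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if rule.conclusion in facts:
                continue
            if all(f in facts and OPS[op](facts[f], v) for f, op, v in rule.conditions):
                facts[rule.conclusion] = True
                reasons[rule.conclusion] = rule.name
                changed = True
    return facts, reasons


def explain(conclusion: str, reasons: dict, rules=KNOWLEDGE_BASE) -> list:
    """Walk back from a conclusion through the rules that produced it, giving
    the reason chain the text describes."""
    by_name = {r.name: r for r in rules}
    chain, stack = [], [conclusion]
    while stack:
        fact = stack.pop()
        if fact in reasons:
            rule = by_name[reasons[fact]]
            chain.append(rule.name)
            stack.extend(f for f, _, _ in rule.conditions)
    return chain
```

Running `infer` twice on the same normalised record yields identical facts and reasons, which is the determinism the text claims for this design; `explain` returns the rules behind a result in the order they are reached while walking back from the conclusion.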
In some embodiments, the user data storing step can comprise storing the derived information or indicators thereof. That is, at least a part of the derived information is stored at least indirectly with the user data. This can have an advantage, as this derived information can be user-specific and may therefore need a same treatment, such as an encryption or a backup-routine, as other user data.
In some embodiments, storing the derived information or the indicators thereof can comprise storing at least one reference to at least one part of the display data. This can be optionally advantageous as it can allow to save data storage capacity on the user device as well as on a backup of the user data.
Storing the derived information or the indicators thereof can also comprise copying at least one part of display data. Copying the display data can comprise copying the display data to the user data. This can be optionally advantageous as the corresponding parts of the display data can be outputted without accessing the display data, which may bring advantages for example if the display data are encrypted and accessing them therefore consumes computational capacities or if the derived information is transmitted to another device that cannot access the display data. This option can also be advantageous because of a lower complexity of an implementation of the application, in particular if the display data are encrypted.
Storing the derived information or the indicators thereof can also comprise generating data at least based on display data. This can comprise for example generating personalised data. This can also comprise adding user specific data to a template that can be part of the display data. The user specific data can be a part of the user data or of the derived information or the indicators thereof or both.
The method can comprise a data outputting step. The data outputting step can comprise outputting at least a part of the user data by the end user computer device. The data outputting step can also comprise outputting at least a part of the display data by the end user computer device. The former can be optionally advantageous if the derived information or the indicators thereof are stored at least by copying at least one part of the display data, in particular if the at least one part of the display data is stored with the user data. The former can also be advantageous if the derived information or the indicators thereof are at least stored by generating data at least based on display data, in particular if those are stored with the user data. The latter can be optionally advantageous if storing the derived information or the indicators thereof comprises at least storing at least one reference to at least one part of the display data, as in this case at least the at least one part of the display data can be foreseen to be outputted.
In some embodiments, the data outputting step can comprise outputting at least a part of the derived information or the indicators thereof that are stored on the end user computer device.
In some embodiments, data on the end user computer device can comprise encrypted data. That is, at least a part of the data on the end user computer device can be encrypted.
Particularly, a part of the data stored by the data storage component can be encrypted.
This can optionally be advantageous if at least a part of the data on the device are considered to be confidential or if they should be protected for another reason. This can in particular apply to the application data, the display data, the user data or parts of any of the aforementioned, as detailed above.
In some embodiments, the method can comprise encrypting at least a part of the user data. This can comprise encrypting data that are configured to identify a user, such as his e-mail address, name, date of birth or the like. This can also comprise applying a particular encryption that is required by a regulation for a particular type of data only to the corresponding parts of the user data that comprise said particular type of data. An example would be medical data.
In some embodiments, encrypting at least a part of the user data can comprise encrypting at least a part of the technical user data. The reasoning in the preceding paragraph applies respectively.
The encrypted data can further comprise at least a part of the application data.
The encrypted data can also comprise at least a part of the display data. The encrypted data can also comprise the display data. This can be optionally advantageous, as the display data can be the most vulnerable part of the application data from a business perspective, as detailed above.
The method can comprise a data adding step. The data adding step can comprise adding data to the user data on the end user computer device. In other words, the data adding step can comprise storing further data on the end user computer device, particularly on the data storage component.
The method can comprise providing an interface for adding data to the user data by manual input. Said interface can be an interface configured to enable a user to input data, such as a microphone, a keyboard, a touch-sensitive screen or a camera.
In some embodiments, the data adding step can comprise using an optical input device, such as a camera. The optical input device can be connected at least indirectly to the end user computer device. The optical input device can be remote from the end user computer device, such as a scanner that is connected to the end user computer device, for example via WLAN or via internet. The optical input device, such as the camera, can also be connected to the end user computer device directly, such as a webcam that is connected to a desktop computer via USB. The optical input device can also be mounted to the end user computer device, such as a camera in a smartphone.
In some embodiments, the data adding step can comprise adding text data to the user data. Adding the text data to the user data can comprise using the optical input device, such as the camera for adding at least a part of the text data.
In some embodiments, the method can comprise applying at least optical character recognition to the data captured by the optical input device, such as images captured with a camera. This can be optionally advantageous in cases where at least a part of data that are added are available as text, in particular as text printed on paper. In cases where the text is already at least partially in the machine-interpretable form, this can be furthermore optionally advantageous as it renders a human interaction unnecessary and as the human interaction might inflict disadvantages, e.g. introduce errors or be more cumbersome, as a machine-interpretable form is not necessarily optimised for treatment by a human operator.
In some embodiments, the data adding step can also comprise receiving input data from a data server and adding at least a part of the input data to the user data. This can be optionally advantageous in a case where the input data are already stored in a computer system, such as in case of a health care provider who keeps digital patient records or in case of a medical or clinical laboratory that provides results of at least one or a plurality of analyses in a digital form, as it saves a supplementary interaction step for a user and/or medical personnel.
In some embodiments, the data adding step can also comprise receiving data from at least one sensing device. The at least one sensing device can be configured to sense data related to a user. For example, an accelerometer sensor can add motion data of the user, a dosimeter could measure a dose of radiation, and a location sensing device such as a GPS receiver with an appropriate calculation unit could measure a user's position.
At least one of the at least one sensing device can also be configured to sense physiological data related to the user, such as a pulse of the user, a blood pressure of the user or another measure for condition of the user.
In some embodiments, the method can comprise an updating step.
The updating step can comprise sending at least a part of update data from the server and receiving at least the part of the update data by the end user computer device. The updating step can be optionally advantageous for changes in the application data from a technical point of view, but also for updates of the knowledge base data in case of new medical findings or rules and for updates of the display data in the respective case or in case of new display data that is for example better accepted by users, e.g. in case of new findings of research or if the users' taste shifts over time or is just better known to the provider of the display data.
In some embodiments, the updating step can comprise adapting at least a part of the application data on the end user computer device according to the received update data. That is, the update data can comprise data to replace at least one part of the application data. The update data can also comprise data that indicate changes to be performed to at least one part of the application data. Furthermore, the update data can comprise an instruction to receive or download data from another data source to replace at least one part of the application data.
In some embodiments, the method can also comprise repeating at least a part of the information deriving step after the updating step. This can be optionally advantageous if the display data changed, as the user might get another output for a set of same derived information after the updating step is performed, or if the knowledge base data are modified, as the application might derive different information from a same set of user data after performing the updating step.
In some embodiments, the method can further comprise sending at least an indicator of the updating step or a result thereof. The method can also comprise sending an indicator of the application data, such as a version of the application data or a hash of the application data or of a part thereof, in particular after performing an updating step. The method can also comprise sending at least an indicator of the end user computer device or of technical features thereof. The sending of at least an indicator can be performed from the end user device to another device such as the server. Sending said data can be optionally advantageous for a provider of the application to adapt the application or to ensure an identity of the application data on the end user computer device with a version of the application data that is foreseen by the provider of the application data. This sending step may also be advantageous to detect a malicious or at least unforeseen modification of the application data.
In some embodiments, the method can comprise sending a part of the user data to another device, such as the server, a third party's server or a device configured to generate a backup of said part of the user data, such as a printer or a data storage device or system.
In some embodiments, the method can comprise sending a part of the user data to another device only if at least one transfer condition of a transfer condition set is matched. The other device can be a device such as the server, a third party's server or a device configured to generate a backup of said part of the user data, such as a printer or a data storage device or system. The transfer condition set comprises at least one transfer condition, wherein the method can comprise requiring only matching one of the at least one transfer condition. Different transfer conditions can refer to at least one same element.
The transfer condition set can comprise at least one transfer condition. At least one of the at least one transfer condition can refer to an anonymisation of at least a part of the user data that is sent. At least one of the at least one transfer condition can also refer to an authorization by the user or an authorized third party. The anonymisation can comprise removing or concealing at least a part of information before or while sending it to the server. The anonymisation can also comprise limiting a precision of at least a part of information that is sent. The anonymisation can also comprise adding random data to the data that is sent or at least a part thereof. The authorized third party may be for example an emergency medical physician, a paramedic, a hospital, a coroner's office or the like.
In some embodiments, the method can also comprise preventing sending the user data from the end user computer device if none of the transfer conditions of the transfer condition set are satisfied. This can be optionally advantageous to ensure a confidentiality of data on the end user computer device and in particular of the user data or parts thereof.
In some embodiments, the method can also comprise preventing sending the user data from the end user computer device. That is, the method can comprise preventing sending the user data from the end user computer device at all. This can be optionally advantageous if the user wants a high level of privacy, if data transmission networks to which the end user computer device is connected or can be connected cannot be trusted or the like.
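The transfer condition set of the preceding paragraphs, as an added example that is not the patent's own code: user data leaves the device only when a condition is matched, the anonymisation condition removes identifiers, limits precision and adds random noise before release, the authorisation condition releases data only to the parties the text names, and an empty condition set prevents sending altogether. The user record, field names, noise bound and the set of authorised parties are assumptions.

```python
"""Transfer-condition gate: user data leaves the device only when at least one
transfer condition is matched. Added example, not the patent's own code."""
import copy
import random
from typing import Callable, Optional

# A transfer condition takes the user data and a release context and returns the
# payload it allows out of the device, or None when the condition is not matched.
TransferCondition = Callable[[dict, dict], Optional[dict]]

# Constructed sample user data: identifying fields plus technical user data.
SAMPLE_USER = {
    "name": "Jane Example",
    "email": "jane@example.invalid",
    "date_of_birth": "1984-03-17",
    "postcode": "1010",
    "technical": {"systolic_mmhg": 131, "heart_rate_bpm": 72},
}

IDENTIFYING_FIELDS = ("name", "email")
# Parties whose authorisation releases un-anonymised data ("user" stands for the
# user's own consent; the exact set is an assumption of this example).
AUTHORISED_PARTIES = {"user", "emergency_physician", "paramedic", "hospital", "coroners_office"}


def anonymise(user: dict, rng: random.Random, noise: int = 3) -> dict:
    """Remove identifiers, limit precision and add bounded random noise."""
    out = copy.deepcopy(user)
    for field in IDENTIFYING_FIELDS:
        out.pop(field, None)                         # removing identifying data
    out["date_of_birth"] = out["date_of_birth"][:4]  # year only: limited precision
    out["postcode"] = out["postcode"][:2]            # coarse region only
    out["technical"] = {                             # random perturbation of measurements
        k: v + rng.randint(-noise, noise) for k, v in out["technical"].items()
    }
    return out


def condition_anonymised(user: dict, ctx: dict) -> Optional[dict]:
    """Matched when the release context accepts an anonymised copy."""
    if not ctx.get("accept_anonymised"):
        return None
    return anonymise(user, random.Random(ctx.get("seed")))


def condition_authorised(user: dict, ctx: dict) -> Optional[dict]:
    """Matched when the user or an authorised third party approved the transfer."""
    if ctx.get("authorised_by") in AUTHORISED_PARTIES:
        return copy.deepcopy(user)
    return None


DEFAULT_CONDITIONS = (condition_authorised, condition_anonymised)
NEVER_SEND = ()   # empty condition set: nothing can match, so nothing is ever sent


def prepare_transfer(user: dict, ctx: dict, conditions=DEFAULT_CONDITIONS) -> Optional[dict]:
    """Return the payload released by the first matched condition, or None
    (sending is prevented) when no condition of the set is matched."""
    for condition in conditions:
        payload = condition(user, ctx)
        if payload is not None:
            return payload
    return None


if __name__ == "__main__":
    print(prepare_transfer(SAMPLE_USER, {"accept_anonymised": True, "seed": 7}))
    print(prepare_transfer(SAMPLE_USER, {"authorised_by": "advertiser"}))  # None
```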
In some embodiments, at least a part of the information deriving step is performed only on the end user computer device. For example, running the expert system or the rule-based inference engine can be performed only on the end user computer device.
The method can also comprise performing the information deriving step only on the end user computer device.
The features described in the preceding two paragraphs can be optionally advantageous as the user data do not need to be shared with another entity, such as an analysis server. This can optionally advantageously reduce the number of systems that can be attacked by a malicious third party in order to obtain a part of the user data. It can furthermore optionally advantageously reduce the need for computer system resources on the side of the operating party.
In the following, the selective broadcasting method will be discussed. The above definitions can apply; they can, however, also differ. The same applies to definitions in the context of the selective broadcasting method.
A method for selectively broadcasting data is disclosed.
The selective broadcasting method can comprise sending a broadcasting message comprising at least recipient criteria and broadcasted content from at least one broadcasting party to a plurality of end user computer devices. The method can comprise receiving such a broadcasting message by means of the end user computer devices. At least some end user computer devices can each comprise a comparator node. The selective broadcasting method can comprise comparing the recipient criteria to a portion of the user data stored on each user device by the comparator node. The selective broadcasting method can further comprise processing the broadcasted content on each end computer user device where the comparator node outputted a successful comparison of the recipient criteria to user data. Outputting a successful comparison can mean communicating such a successful comparison to another portion of the end computer user device, e.g. to its data-processing component.
The broadcasting message may comprise a plurality of data and/or instructions that can be interpretable by a machine, such as a processor. In other words, the data and/or instructions can be at least partially machine-interpretable.
The recipient criteria may comprise certain parameters identifying an intended recipient. For example, an age range, sex, medical condition or the like can be examples of recipient criteria.
The broadcasted content may comprise data such as text, images, video, sound or the like.
The comparator node may comprise a program or part of a program that can be configured to use computational resources of the end computer user device to perform operations. In other words, the comparator node may be implemented in software. The comparator node may be executed by the end computer user device, particularly by its data-processing component.
User data may comprise any data related to the user of the end computer user device. Multiple users may also be associated with one end computer user device, where each individual user would then have a unique "user profile" or the like. However, in some embodiments, the end computer user device may be a device for simultaneous use of at most one user.
A successful comparison of the recipient criteria to user data may refer to the comparator node verifying whether the recipient criteria are satisfied by user data or at least a portion thereof associated with the user of the user device. In other words, this comparison may refer to matching the required parameters (such as e.g. age, sex, medical information) of the recipient criteria to the user data stored on the user device.
Advantageously, the present method allows sending targeted messages to only a certain subset of users (whose user data fulfils the recipient criteria). For example, certain such messages (or broadcasted content) may comprise medical suggestions or information targeted to a specific subclass of users, such as users with a certain medical condition. Instead of collecting all user data and using it to send targeted messages to specific user devices, the messages may be sent to all devices, and processed directly on the device to verify whether they are relevant to the specific user. This advantageously allows sensitive user data (such as medical history, personal identification etc.) to remain on the user device, while relevant broadcasting content can still reach the relevant target audience.
The end computer user device may comprise data storage, a processing unit configured to execute a program in a suitable form and format and a communication component at least configured to communicate with a remote server. The data storage may be at least partially encrypted. Advantageously, this can allow for secure storage of potentially sensitive data, such as medical data. The user device may comprise a user terminal.
The end computer user device may be a portable device, such as a laptop, a tablet computer, a smartphone, a wearable device, or an adapted medical device.
The user data may comprise personal data of a user. The user data may comprise technical user data and identifying personal data. The identifying personal data may comprise, for example, an address, phone number, date of birth or user name. The technical user data may comprise at least partially technical medical data. The technical user data may be at least partially encoded by replacing at least parts of the data by machine-interpretable expressions. Parts of user data may be encrypted.
The broadcasting message may be formatted in a way that indicates that said message is configured to transport data from at least one of a server and broadcasting parties to at least one user device. The broadcasting message comprises recipient criteria. The recipient criteria may comprise a set of at least one machine-interpretable criterion. The recipient criteria can be configured to determine, based on user data saved on the user device, whether a respective user and/or the user device is an intended receiver of the broadcasted message.
The broadcasting message also comprises broadcasted content. The broadcasted content may comprise displayable data and/or data requesting the user device to perform at least a specific action. The broadcasted content may comprise data requesting the user device to perform at least a specific action. Such a requested specific action may be to generate a return message and/or to send such a message. The requested content of the return message may be at least partially medical data.
Parts or all of the broadcasting message may be encrypted. The broadcasting message may comprise information about the broadcasting party that issued it.
In some embodiments, sending the broadcasting message can comprise receiving a broadcasting message from at least one broadcasting party by a server and the server transmitting the broadcasting message to the plurality of user devices. This can be useful to further protect potentially sensitive data of individuals from third parties. In some embodiments, the method can further comprise discarding the broadcasting message on each end computer user device where the comparator node did not achieve a successful comparison of the recipient criteria to user data. In other words, if the user associated with the given user data is not a target recipient for the broadcasting content, the broadcasting content will not be outputted (that is, played, displayed or presented) to this user, even though the broadcasting message arrived at the user device. This prevents users who do not fit the recipient criteria from having to go through broadcasting content that would be of no use to them, and prevents showing them advice that might not be helpful or might even be harmful.
In some embodiments, the method can further comprise outputting the broadcasted content on each end computer user device where the comparator node achieved a successful comparison of the recipient criteria to user data. Outputting can refer to displaying, playing, or otherwise presenting to the user the content of the broadcast (such as a message related to the user's medical condition). The broadcasted content can comprise advertisement, announcement, or the like that can be pertinent to a particular user based on their user data (for example, a new available treatment or medication or the like).
In some embodiments, the method can further comprise sending a notification from each end computer user device specifying results of the comparison between the recipient criteria and the user data. In such embodiments, the method can further comprise generating statistics on the notifications about at least one of the processing, delivery and at least implicitly on the comparison (or matching) of the broadcasting messages by at least one of the server and the broadcasting party. That is, it may be useful to know how many user devices actually outputted or displayed the broadcasted content to the users. In other words, it may be useful to generate statistics about how many users were targeted by the broadcasted content.
In some embodiments, sending the broadcasting message can further comprise transmitting the broadcasting message by a connection configured to transfer data from the broadcasting party to the server.
In some embodiments, sending the broadcasting message can further comprise connecting the end computer user devices and the server at least at some points in a period of time by a connection configured to transfer data from the server to the user devices.
In some embodiments, the method can further comprise the comparator node performing a predetermined action to be performed by the user device on each user device where the comparator node achieved a successful comparison of the recipient criteria to user data. Such an action can comprise, for example, outputting and/or displaying the broadcasting content, outputting parts of user data, prompting the user to perform an action, showing a notification to the user, or the like.
In some embodiments, the predetermined action can be at least partially specified by at least parts of the broadcasting message. In such embodiments, the method can further comprise the comparator node limiting the possible predetermined actions that are at least partially specified by the broadcasting message.
In some embodiments, the method can further comprise the server forwarding the received broadcasting message to all the end computer user devices that are connected to the server at least at some points in a period of time.
In some embodiments, the method can further comprise the server forwarding the received broadcasting message to at least some of the end computer user devices that are connected to the server at least at some points in a period of time, wherein said portion can be at least defined by a characteristic specified by at least one of the server, the broadcasting party sending the broadcasting message to the server and the user devices. In some such embodiments, the period of time can have a defined starting point.
In some embodiments, the starting point can be specified by at least one of the server, the broadcasting party, the broadcasting message and a third entity.
In some such embodiments, the period of time can have a defined endpoint. The endpoint can be specified by at least one of the server, the broadcasting party, the broadcasting message and a third entity.
In some embodiments, the broadcasting message can be distributed to at least one of the user devices during or after an installation, updating or downloading of the comparator node. In other words, the message may be transmitted to the user device while the comparator node (which may correspond to a program for interfacing with the server and/or broadcasting parties) is being installed on the device, as opposed to at a later time via a connection. This may be advantageous, as there may be some broadcasting content that should be delivered to the user immediately following installation/updating/downloading of the comparator node (note that the comparator node may also correspond to an "app" on an end computer user device such as a smartphone).
In some embodiments, the method can further comprise encrypting at least a part of the broadcasting message by at least one of the broadcasting party and the server. In some such embodiments, the method can further comprise at least partially encrypting the broadcasting message by the broadcasting party before or while sending it to the server, at least partially decrypting the broadcasting message by the server after or while receiving said broadcasting message from the broadcasting party, at least partially encrypting the broadcasting message by the server before or while sending it to the end computer user devices, and at least partially decrypting the broadcasting message by the device after or while receiving said broadcasting message from the server. In other words, the broadcasting message may generally be encrypted while in transit between secure environments of the server/broadcasting party/end computer user device to ensure data protection.
In some embodiments, the method can further comprise the broadcasting party encrypting the broadcasting message at least partially with a key known to at least a portion of the end computer user devices before or while sending it to the server, and wherein at least a portion of the end computer user devices can decrypt said broadcasting message using said key known to at least a portion of the end computer user devices.
In the following, the selective data transmission method will be discussed. The above definitions can apply; they can, however, also differ. The same applies to definitions in the context of the selective data transmission method.
The selective data transmission method can comprise sending an inquiry message comprising at least request criteria from at least one broadcasting party to a plurality of end computer user devices. Each end computer user device, or at least each of a plurality of end computer user devices can comprise the comparator node.
The selective data transmission method can comprise comparing the request criteria to at least a part or all of the user data stored on each end computer user device by the comparator node.
The selective data transmission method can also comprise, on each end computer user device where the comparator node achieved a successful comparison of the request criteria to user data, generating at least one return message based on at least parts of user data by the comparator node.
The selective data transmission method can further comprise, on each user device where the comparator node achieved a successful comparison of the request criteria to user data, sending the return message from the user device to at least one of the server and the broadcasting party.
The inquiry message may comprise a plurality of data and/or instructions that can be interpretable by a machine such as a processor. Put simply, the inquiry message may comprise a request for particular information (that is, user data) from a third party. In the case of medical applications (that is, when user data comprises medical data), the third party may be interested in studying correlations between certain patient parameters or researching how many users exhibit particular parameters (as simple examples, the third party may be interested in average blood pressure of female users aged 25-35, or in comparing incidence of cardiovascular disease and white blood cell count in Caucasian male smokers above age 50). That is, the third party may request only a limited and specific set of parameters or data from user devices via the inquiry message.
The request criteria may comprise certain parameters identifying an intended recipient and/or further specifying what type of data should be returned. For example, an age range, sex, medical condition or the like can be examples of request criteria. In a simple example, a third party may be interested in knowing how many users (associated with user devices and corresponding user data) suffer from below average kidney function. The request criteria may then comprise instructions to compare kidney function values present in the user data with a certain threshold (such as a value associated with decreased kidney function), and return either simply a confirmation of the corresponding value forming part of user data below the threshold and/or the value itself.
The comparator node may comprise a program or part of a program that can be configured to use computational resources of the user device to perform operations.
User data may comprise any data related to the user of the user device. Multiple users may also be associated with one user device, where each individual user would then have a unique "user profile" or the like. In a preferred embodiment, user data comprises, at least partially, medical data associated with the user. This can comprise results of various medical tests or procedures, diagnoses, measurements from fitness tracking or medical devices and the like.
A successful comparison of the request criteria to user data may refer to the comparator node verifying whether the request criteria are satisfied by user data associated with the user of the end computer user device. In other words, this comparison may refer to matching the required parameters (such as e.g. age, sex, medical information) of the request criteria to the user data stored on the user device.
The return message based on at least parts of user data may comprise parts of user data itself (such as specific parameters requested by the request criteria), and/or simply a confirmation that upon comparison (that is, matching) between request criteria and user data, a successful comparison was achieved (for example, if the request criteria specified that only values of a certain parameter below a threshold of 10 are requested, and user data has a value of 8 for this parameter, a confirmation of a satisfied request criteria can be returned as part of the return message).
The return message can be formatted in a way that indicates to the server or to the broadcasting parties that said message is configured to transport data from an end computer user device to a server and/or to a broadcasting party. The return message can comprise returned user data. The return message can comprise user independent data, such as information about the reason for its emission, such as a reference to the inquiry message that triggered the emission/generation of said return message. The return message can be encrypted. The returned data can be at least partially medical data.
Advantageously, the present method may allow a third party to gain access to sensitive user data without compromising the privacy and security of the user. Particularly in the case of medical data, it may be preferable that it is stored on the user device (that is, under the control of the user), and it may not be optimal to simply send it somewhere for further research or analysis. Therefore, it is particularly useful to extract only the requested parts of the data (or simply a confirmation that the user data corresponds to the parameters set out by the request criteria), particularly without compromising sensitive user data or disclosing more than requested to the third party.
In some embodiments, sending the inquiry message can comprise receiving an inquiry message from at least one broadcasting party by a server and the server transmitting the inquiry message to the plurality of user devices. Advantageously, this may prevent third parties having direct access to user devices. The server can then serve as an intermediary that can already filter some inquiry messages or otherwise process them before forwarding them on to the user devices.
In some embodiments, the method can further comprise discarding the inquiry message on each end computer user device where the comparator node did not achieve a successful comparison of the request criteria to user data. That is, if the user data does not match the request criteria, the inquiry message may be simply discarded, and there may be no generation of the return message (additionally or alternatively, there may be a return message generated to confirm that the comparison between the request criteria and user data was not successful).
In some embodiments, sending the inquiry message can further comprise transmitting the inquiry message by a connection configured to transfer data from the broadcasting party to the server.
In some embodiments, sending the inquiry message can further comprise connecting the user devices and the server at least at some points in a period of time by a connection configured to transfer data from the server to the user devices.
In some embodiments, the sending of the return message can be performed at any point in time after the generating at least one return message. In some such embodiments, the point of time when the sending is performed can depend on a further condition.
In some embodiments, user data can comprise at least identifying data and technical data. In some such embodiments, the generating of at least one of said return message can comprise inserting at least a part of the technical data and at least a part of the identifying data to the at least one return message by the comparator node. In some such embodiments, inserting the technical data and the identifying data can be performed at most to the extent that was requested by the inquiry message that triggered the generation of said return message.
In some embodiments, the generating of at least one of the return message can comprise furthermore processing the identifying data before inserting it to the return message. In some such embodiments, the processing of the identifying data can be performed by the comparator node. In some such embodiments, the method can further comprise the comparator node using a set of rules to invoke certain actions if certain portions of the user data or combinations thereof are requested by the inquiry message.
In some such embodiments, the processing of said inquiry message can comprise anonymising at least parts of the identifying data before inserting it to the return message. In some such embodiments, the anonymising of at least parts of the identifying data can comprise limiting the precision of at least a portion of said identifying data. For example, this can be done by replacing the date of birth by year of birth, by replacing the address by the ZIP-code, parts thereof, the region in which the address is located or the like. The anonymising of at least parts of the identifying data can comprise replacing at least a portion of the identifying data by pseudonyms or codes. Those pseudonyms or codes can be generated by the comparator node. Additionally or alternatively, they can also be generated by the server if the return message is first sent to the server before being forwarded to the broadcasting parties.
In some embodiments, the anonymising of at least parts of the identifying data can comprise replacing at least a portion of said identifying data by variables that are deduced from the identifying data, but that do not allow exact determination of the identifying data. For example, the date of birth can be replaced by age. In some such embodiments, the anonymising of at least parts of the identifying data can comprise treating at least a part of the identifying data with a differential privacy algorithm.
Anonymising or otherwise masking user data before it leaves the user device as part of the return message can be very useful to ensure user privacy, as well as security of possibly sensitive data. It is particularly advantageous to perform this anonymising before sharing user data (that is, preferably parts of it) with third parties. It allows such third parties to get access to accurate and useful data for possible further research into treatments, marketing purposes, general research or the like, while not compromising on the users' right to privacy and safe data storage.
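The comparator node described above, as an added example that is not part of the patent: it evaluates the request criteria of an inquiry message against user data held only on the device, discards the inquiry when no match is achieved, and otherwise builds a return message that references the triggering inquiry and inserts at most what was requested, with identifying data reduced in precision (date of birth to year or age, address to a ZIP prefix) and raw identifying fields refused. The field names, the `(field, operator, value)` criterion format, the disclosure rule table and the sample profile are assumptions made for this illustration.

```python
"""Comparator node on an end computer user device (illustrative, not the
patent's own code). Field names, the criterion tuple format, the disclosure
rules and the sample profile are assumptions made for this example."""
from datetime import date
from typing import Optional

# Constructed sample user profile; in practice it never leaves the device.
USER_DATA = {
    "date_of_birth": "1984-03-17",
    "sex": "F",
    "address": {"street": "Example Street 12", "zip": "10115", "city": "Berlin"},
    "hba1c": 8.0,        # percent, laboratory result
    "resting_hr": 61,    # bpm, fitness tracker
}
TODAY = date(2020, 4, 17)   # fixed reference date so the example is reproducible

OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def _age(born: date, today: date) -> int:
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


# What may be inserted into a return message, and how identifying data is
# reduced in precision first (assumed rule set; the text leaves it open).
DISCLOSURE_RULES = {
    # requested name: (source field in user data, transform(value, today))
    "year_of_birth": ("date_of_birth", lambda v, t: date.fromisoformat(v).year),
    "age":           ("date_of_birth", lambda v, t: _age(date.fromisoformat(v), t)),
    "zip_region":    ("address",       lambda v, t: v["zip"][:3]),
    "sex":           ("sex",           lambda v, t: v),
    "hba1c":         ("hba1c",         lambda v, t: v),
    "resting_hr":    ("resting_hr",    lambda v, t: v),
}


def criteria_satisfied(criteria: list, user_data: dict) -> bool:
    """Every (field, op, value) criterion must hold; an absent field never matches."""
    return all(
        field in user_data and OPS[op](user_data[field], value)
        for field, op, value in criteria
    )


def process_inquiry(inquiry: dict, user_data: dict, today: date = TODAY) -> Optional[dict]:
    """Return a return message, or None when the inquiry is simply discarded."""
    if not criteria_satisfied(inquiry["criteria"], user_data):
        return None                        # no return message is generated
    disclosed, refused = {}, []
    for name in inquiry.get("requested_fields", []):
        rule = DISCLOSURE_RULES.get(name)
        if rule is None:
            refused.append(name)           # raw identifying data or unknown field
            continue
        source, transform = rule
        if source in user_data:
            disclosed[name] = transform(user_data[source], today)
    return {
        "type": "return_message",
        "inquiry_id": inquiry["inquiry_id"],            # reference to the triggering inquiry
        "broadcasting_party": inquiry["broadcasting_party"],
        "matched": True,                                 # confirmation of a successful comparison
        "data": disclosed,                               # at most what was requested
        "refused": refused,
    }
```

A request for `date_of_birth` is listed under `refused` rather than silently dropped, so the broadcasting party can see that the device applied a rule; an inquiry with no `requested_fields` yields a confirmation-only return message.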
In some embodiments, the technical user data that can be sent to at least one of a server and a broadcasting party as part of the return message can be treated with a differential privacy algorithm before being sent to at least one of a server and a broadcasting party respectively. In some embodiments, the processing of the inquiry message can comprise sending at least a plurality of the return messages. For example, the inquiry message may comprise a plurality of independent request criteria. An individual return message can be generated for each such independent request criteria.
In some embodiments, the return message can comprise at least an indicator for at least one of the following : user data matches the request criteria for the first time and an event concerning user data occurs (for instance, adding a certain value or registering a certain event).
In some embodiments, the sending can furthermore require that at least one of the user data and an event concerning user data respectively also satisfy a time constraint. For example, this can be the user data matching the matching criteria (4) within a given period of time or that the event occurs within a given period of time.
In some embodiments, the method can further comprise requesting at least implicit general consent, more preferably explicitly indicated consent, more preferably explicitly indicated consent to each single request of the user data, of the user before at least one of generating or triggering sending at least one return message corresponding to the inquiry message is performed by the comparator node.
In some embodiments, one or a plurality of return messages that are generated on the user device can be sent to a server or a broadcasting party at a point in time when the user device is at least indirectly connected to the server and/or the broadcasting party respectively. In some such embodiments, the one or a plurality of return messages that are generated on the user device can be sent to the server or the broadcasting party in at least one of a compressed form, batches and an agglomerated form. This can be advantageous to ensure efficient data management and optimisation of data transfer. In some such embodiments, the sending to the server or the broadcasting party of the one or a plurality of return messages that are generated on the user device can be triggered once during a defined period of time (e.g. once an hour, a day, a week etc.), by a message from a server or a broadcasting party, and/or by a matching of a condition on the user device, such as the existence of at least a defined number of return messages.
In some embodiments where the return message can be sent to the server, the method can further comprise, after the receiving of the return message, forwarding at least parts of the return message that the server received to at least some of the broadcasting parties, preferably forwarding each return message to the broadcasting party that sent the inquiry message that caused the generation of the respective return message. In some such embodiments, generating the at least one return message can comprise furthermore adding a specification of at least one of the broadcasting party and the inquiry message that caused the generation of the return message.
In some such embodiments, the method can further comprise the server using at least the specification of at least one of the broadcasting party and the inquiry message to forward at least the content of the return message.
In some such embodiments, the method can further comprise the server collecting the return messages corresponding to one inquiry message and making available the return messages or their content, preferably in an agglomerated form, to the broadcasting party that issued said inquiry message. The sending the return messages or their content, preferably in an agglomerated form, can be triggered when a certain condition is met. The condition can comprise, for example, elapsed time, a pre-defined number of received answers, approval by the broadcasting party that sent the inquiry message.
In some such embodiments, the method can further comprise taking measures to mask, remove or conceal elements suitable to identify the user or the user device (such as e.g. IP address) prior to sending the return messages or parts thereof to at least one of the at least one broadcasting parties.
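The server-side handling described in the preceding paragraphs, as an added example that is not the patent's own code: the server records which broadcasting party issued each inquiry, forwards only the criteria to the devices, strips device-identifying elements (source IP address, device indicator) from incoming return messages, replaces the device indicator by a keyed pseudonym scoped to the inquiry so that two containers cannot be joined on it, and releases an agglomerated container only once a release condition (answer count, elapsed time or approval) holds. The message layout, the policy fields and the HMAC-based pseudonym are assumptions made for this illustration.

```python
"""Server as intermediary between user devices and broadcasting parties
(illustrative, not the patent's own code). Message layout, policy fields and
the HMAC pseudonym scheme are assumptions made for this example."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ReleasePolicy:
    min_answers: int = 3         # pre-defined number of received answers
    max_wait_s: float = 3600.0   # elapsed time since the inquiry was forwarded


class InquiryServer:
    def __init__(self, pseudonym_secret: bytes, policy: ReleasePolicy):
        self._secret = pseudonym_secret
        self.policy = policy
        self._issuer = {}      # inquiry_id -> broadcasting party that sent it
        self._opened = {}      # inquiry_id -> time the inquiry was forwarded
        self._inbox = {}       # inquiry_id -> masked return messages
        self._approved = set()

    def forward_inquiry(self, inquiry: dict, now: float) -> dict:
        """Register the inquiry and return what the user devices get to see."""
        iid = inquiry["inquiry_id"]
        self._issuer[iid] = inquiry["broadcasting_party"]
        self._opened[iid] = now
        self._inbox[iid] = []
        # devices learn the criteria, not the identity of the issuer
        return {"inquiry_id": iid, "criteria": inquiry["criteria"],
                "requested_fields": inquiry.get("requested_fields", [])}

    def pseudonym(self, inquiry_id: str, device_id: str) -> str:
        """Keyed pseudonym that differs per inquiry, so containers cannot be joined on it."""
        tag = hmac.new(self._secret, f"{inquiry_id}|{device_id}".encode(), hashlib.sha256)
        return tag.hexdigest()[:16]

    def receive_return(self, msg: dict, source_ip: str) -> bool:
        """Store a masked copy; the source IP is used for nothing and never stored."""
        iid = msg.get("inquiry_id")
        if iid not in self._issuer:
            return False                   # unsolicited or already released: drop
        self._inbox[iid].append({
            "pseudonym": self.pseudonym(iid, msg["device_id"]),
            "data": dict(msg["data"]),     # only the returned data elements survive
        })
        return True

    def approve(self, inquiry_id: str) -> None:
        self._approved.add(inquiry_id)

    def release(self, inquiry_id: str, now: float) -> Optional[Tuple[str, dict]]:
        """(broadcasting_party, container) once any release condition holds, else None."""
        if inquiry_id not in self._issuer:
            return None
        answers = self._inbox[inquiry_id]
        elapsed = now - self._opened[inquiry_id]
        ready = (len(answers) >= self.policy.min_answers
                 or elapsed >= self.policy.max_wait_s
                 or inquiry_id in self._approved)
        if not ready:
            return None
        container = {"inquiry_id": inquiry_id, "answers": len(answers),
                     "records": list(answers)}       # agglomerated form
        party = self._issuer.pop(inquiry_id)
        self._inbox.pop(inquiry_id)
        self._opened.pop(inquiry_id)
        self._approved.discard(inquiry_id)
        return party, container
```

The pseudonym is keyed with a server-held secret rather than a plain hash, so a broadcasting party that knows a device indicator cannot recompute it; the secret should be rotated per policy and never shared with the broadcasting parties.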
In some embodiments, the method can further comprise encrypting at least parts of the return message with at least one encryption key by the user device before or while sending it. In some such embodiments where the return message is sent to the broadcasting parties the method can further comprise decrypting the return message at the respective broadcasting parties.
In some embodiments where the return message is sent to the server, the method can further comprise encrypting at least parts of each the return message at the user device before or while sending it to the server. The method can then further comprise decrypting at least parts of each return message at the server after receiving said return message. The method can then also comprise encrypting at least parts of said return message, of a set of return messages or of the agglomerated content of multiple return messages at the server before sending said return message to the receiving broadcasting party. The method can then further comprise decrypting the data sent by the server at least partially at the receiving broadcasting party.
In some embodiments where the return message is sent to the server, the method can further comprise encrypting at least parts of the return message with a key corresponding to the respective broadcasting party that issued the inquiry message that caused the generation of the return message. The encryption can be then set up in a way so that the server cannot access said parts of the return message (e.g. by sharing a secret key between the broadcasting party and the user device). This can be advantageous, for example, when the third party has certain permissions to access sensitive (preferably medical) user data, that the server does not have permission to access.
In some embodiments, the method can further comprise encrypting at least parts of the return message at the user device using an asymmetric encryption algorithm before or while sending each return message. This can comprise furthermore using at least a public key for the encryption of each return message, wherein said public key corresponds to the respective broadcasting party that is the intended receiver of said return message.
In some embodiments where the return message is sent to the server, the method can further comprise sending and receiving the inquiry message with one or multiple parts of the server that are at least partially different from parts of the server used for sending and receiving at least parts of the return message at the server.
In some embodiments, the method can further comprise sending inquiry messages by the broadcasting parties from systems that are for at least one broadcasting party at least partially different from systems that are used for receiving the return messages.
The last two embodiments can be particularly advantageous if virtual separation between the inquiry message and the return message (possibly comprising sensitive data) is preferred. There can be subservers/subroutines that are isolated from each other (such as virtual isolated environments) handling the inquiry message and the return message, either on the server, at the broadcasting parties and/or both.
In the following, the distributed data transmission method will be discussed. Above definitions can apply, they can however also differ. The same applies to definitions in the context of the distributed data transmission method.
The distributed data transmission method can comprise a device data storing step that comprises for each of at least one end computer user device, storing the user data relating to the respective user device on said respective end computer user device. The distributed data transmission method can also comprise a device sending step that comprises sending at least one data set from the at least one end computer user device to the server. The distributed data transmission method can further comprise a server receiving step that comprises receiving the at least one data set by the server. The distributed data transmission method can also comprise a server packaging step that comprises combining data elements of the at least one received data set to at least one data container.
User data may comprise any data related to the user of the end computer user device. Multiple users may also be associated with one end computer user device, where each individual user would then have a unique "user profile" or the like. In a preferred embodiment, user data comprises, at least partially, medical data associated with the user. This can comprise results of various medical tests or procedures, diagnoses, measurements from fitness tracking or medical devices and the like.
The present method may advantageously allow parts of sensitive user data (such as, for example, medical data) to be shared securely with third parties (e.g. research institutions or the like) without compromising user privacy. The user data may first be anonymised via a certain technique and sent from the end computer user device to the server. There, the data may be stored until parts or all of it are needed by a third party. The data may then be anonymised again, via a different technique, and provided to the third party packaged into a data container. The present method is useful for ensuring that user data is handled with utmost care and user privacy is respected, while the integrity of the data can be preserved so that it can be further analysed and/or studied and/or otherwise used by third parties.
In some embodiments, for at least one of end computer user devices, the user data can be specific to the respective end computer user device.
In some embodiments, the device data storing step can comprise storing medical data and wherein the user data can comprise medical data. In some such embodiments, the device data storing step can comprise storing at least a part of the user data in a machine-interpretable form. In some such embodiments, storing at least the part of the user data in a machine-interpretable form can comprise at least one of using a homogenous naming for fields and, for each field, encoding values with a same dimension unit.
In some embodiments, the device data storing step can comprise storing at least partially automatically generated medical data that comprise at least one of at least one medical image, at least one result of a laboratory analysis of material originating from or expelled by the human body, and data from a sensing device that senses biometrical or medical data of the user. Material originating from or expelled by the human body for example can comprise body fluids such as blood or urine, stool or tissue samples.
In some such embodiments, the at least partially automatically generated medical data can be automatically generated.
In some embodiments, the device sending step can comprise a device processing step that comprises processing the at least one data set on the at least one device.
In some embodiments, the device sending step can comprise a device data set selection step that can comprise selecting at least one data set from the user data on the at least one user device.
In some embodiments, the device sending step can be performed by at least one of the at least one user device periodically and/or upon request by the server. In some embodiments, the server receiving step can comprise connecting at least one of the at least one user device at least at some points in time to the server.
In some embodiments, the server receiving step can comprise storing server data on the server, wherein the server data can comprise at least a part of at least one of the at least one data set received by the server.
In some embodiments, the server packaging step can comprise receiving at least one data request from at least one requesting party. Such a request can comprise, for example, a request for a specific type of medical data and/or a patient profile.
In some embodiments, the server packaging step can comprise furthermore a server processing step.
In some embodiments, the server packaging step can comprise furthermore a server data selection step that can comprise selecting the data elements of the at least one received data set to be combined to the at least one data container.
In some embodiments, the server packaging step can comprise furthermore a server container releasing step that comprises preventing releasing at least one of the at least one data container before at least one container releasing condition is matched.
In some embodiments, the at least one user device can comprise a plurality of user devices.
In some embodiments, the user data on the at least one user device can comprise at least one data element. This data element can comprise one or more of the following data : at least one numeric value, single selectable options from at least one list, multiple selectable options from at least one list, at least one time-stamped value, and at least one binary value.
In some embodiments, the method can further comprise a device processing step that comprises processing at least one data element of at least one data set of the user data on at least one user device by the respective user device. Processing at least one data element may also be processing at least one value of the data element, if the data element comprises a plurality of values, such as a vector.
In some such embodiments, the device processing step can comprise, on at least one end computer user device, at least one of removing information from at least a part of the user data and limiting a precision of at least a part of the user data. This can be achieved by measures such as adding noise, adding errors, changing a data type of a value, or indicating only the range, selected from a pre-defined set of ranges, in which the value lies. That is, the device processing step can anonymise data, or at least limit the traceability of data or inhibit direct linking of parts of data sets obtained by an adverse party, if these data sets all refer to a same user or user device.
In some such embodiments, the device processing step can comprise processing at least one numerical data element. The at least one numerical data element can comprise a data element which comprises at least one numeric value. The device processing step can furthermore comprise combining numerical noise and the numerical data element.
In some embodiments, combining numerical noise and the at least one numerical data element can comprise adding the numerical noise to at least one of the at least one numeric value of the numerical data element.
In some embodiments, combining numerical noise and the at least one numerical data element can comprise adding the numerical noise to the numeric value of the respective numeric data element and, for at least one of the at least one numerical data element, limiting the numerical noise so that the respective numeric value does not exceed a pre-defined interval (and/or a pre-defined threshold value). The pre-defined interval or threshold value can be global, such as for the height of a user, wherein a minimum height may be fixed. For other values, there may be a plurality of intervals, and depending on the original value, the interval may be selected; for example, for a biomarker that has three ranges, "high", "medium" and "low", if a value of the biomarker was in the high range, the perturbed value may be limited to said range. An optional advantage of this technique can be that results of a subsequent analysis are not perturbed.
In some such embodiments, the numerical noise can be generated by a Laplace- distribution with an appropriate scaling. This can be particularly advantageous to provide sufficient anonymity to user data, while maintaining its statistical properties. A probability density function of a variable that is added as noise can optionally be given by the following formula with appropriate m and b.
f(x) = \frac{1}{2b} \exp\left( -\frac{|x - m|}{b} \right)
In some embodiments, the device processing step can comprise processing at least one data element by converting a representation of the data element from a first encoding to a second encoding. That can also comprise changing a part of an encoding, for example an encoding of a quantity of consumed cigarettes per day if a data element comprises a quantity of consumed cigarettes per day and a timestamp.
In some such embodiments, the first and the second encoding can be, at least for some values of the data element, not equivalent and converting a representation of the data element in the second encoding can comprise using an appropriate random function. This can be the case if a range A in a first encoding alpha (for example corresponding to "high") corresponds to two values B and B* in a second encoding beta (for example "critically high" and "over-average").
In some embodiments, the device processing step can comprise processing at least a timestamped data element. The at least one timestamped data element can comprise a data element which comprises at least one timestamped value. The device processing step can then comprise replacing a timestamp of at least one of the at least one timestamped value.
In some such embodiments, the step of replacing a timestamp of the at least one of the at least one timestamped value can comprise limiting the precision of said timestamp.
In some embodiments, the step of replacing a timestamp of the at least one of the at least one timestamped value can comprise replacing said timestamp by a temporal distance relative to another point in time, such as a timestamp of another data element.
In some embodiments, the method can further comprise limiting the precision of said temporal distance relative to another point in time.
In some embodiments, the device processing step can comprise an operation to anonymize at least a part of the user data on at least one user device.
In some embodiments where the server data on the server comprise at least one data element, at least one data element of the at least one data element can comprise at least one of the following data : at least one numeric value, single selectable options from at least one list, multiple selectable options from at least one list, at least one time-stamped value, and at least one binary value.
In some embodiments, the server processing step can comprise processing at least one data element of at least one data set of the server data on the server. In some such embodiments, the server processing step can comprise at least one of removing information from at least a part of the user data and limiting a precision of at least a part of the respective data element. This can be achieved by measures such as adding noise, adding errors, changing a data type of a value, or indicating only the range, selected from a pre-defined set of ranges, in which the value lies. That is, the server processing step can anonymise data, or at least limit the traceability of data or inhibit direct linking of parts of data sets obtained by an adverse party.
In some such embodiments, the server processing step can comprise processing at least one numerical data element. The at least one numerical data element can be a data element which comprises at least one numeric value. The server processing step can furthermore comprise combining numerical noise and the numerical data element.
In some such embodiments, combining numerical noise and the at least one numerical data element can comprise adding the numerical noise to at least one of the at least one numeric value of the numerical data element.
In some other embodiments, combining numerical noise and the at least one numerical data element can comprise adding the numerical noise to the numeric value of the respective numeric data element and for at least one of the at least one numerical data element, limiting the numerical noise so that the respective numeric value does not exceed a pre-defined interval.
In some such embodiments, the numerical noise can be generated by a Laplace- distribution with an appropriate scaling. This can be particularly advantageous to provide sufficient anonymity to user data, while maintaining its statistical properties. A probability density function of a variable that is added as noise can optionally be given by the following formula with appropriate m and b.
f(x) = \frac{1}{2b} \exp\left( -\frac{|x - m|}{b} \right)
In some embodiments, the server processing step can comprise processing at least one data element by converting a representation of the data element from a first encoding to a second encoding. That can also comprise changing a part of an encoding, for example an encoding of a quantity of consumed cigarettes per day if a data element comprises a quantity of consumed cigarettes per day and a timestamp.
In some such embodiments, the first and the second encoding can be, at least for some values of the data element, not equivalent and converting a representation of the data element in the second encoding can comprise using an appropriate random function. This can be the case if a range A in a first encoding alpha (for example corresponding to "high") corresponds to two values B and B* in a second encoding beta (for example "critically high" and "over-average").
In some embodiments where the server processing step comprises processing at least a timestamped data element, the at least one timestamped data element can be a data element which comprises at least one timestamped value. The server processing step can comprise replacing a timestamp of at least one of the at least one timestamped value.
In some such embodiments, the step of replacing a timestamp of the at least one of the at least one timestamped value can comprise limiting the precision of said timestamp. In some other embodiments, the step of replacing a timestamp of the at least one of the at least one timestamped value can comprise replacing said timestamp by a temporal distance relative to another point in time, such as a timestamp of another data element.
In some such embodiments, the method can further comprise limiting the precision of said temporal distance relative to another point in time.
In some embodiments, the server processing step can comprise an operation to anonymize at least a part of the server data.
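The operations that the device processing step and the server processing step share (the two passages above describe the same techniques applied at different places), as one added example that is not the patent's own code: Laplace noise on a numeric value, clamped so the perturbed value stays in the global interval or in the range of a pre-defined range set that the original value belongs to; conversion from a first to a second encoding with a random choice where one source code maps to several target codes; and replacement of absolute timestamps by a coarse temporal distance to a reference point. The Laplace draw inverts the distribution's CDF so no numeric library is needed. The sample record, the range boundaries, the scale parameters and the recoding table are assumptions made for this illustration.

```python
"""Anonymising processing step on individual data elements (illustrative,
not the patent's own code). Sample record, range boundaries, scale
parameters and the recoding table are assumptions made for this example."""
import math
import random
from datetime import datetime, timedelta
from typing import Optional, Sequence, Tuple

Interval = Tuple[float, float]


def new_rng(seed: int) -> random.Random:
    """Seeded generator so the example is reproducible; real deployments should
    draw noise from random.SystemRandom() instead."""
    return random.Random(seed)


def laplace_sample(rng: random.Random, m: float, b: float) -> float:
    """One draw from Laplace(m, b) by inverting its CDF."""
    u = rng.random() - 0.5                        # uniform in [-0.5, 0.5)
    u = max(-0.4999999, min(0.4999999, u))        # keep the log argument positive
    return m - b * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def noisy_numeric(value: float, b: float, rng: random.Random,
                  interval: Optional[Interval] = None,
                  ranges: Optional[Sequence[Interval]] = None) -> float:
    """Add Laplace(0, b) noise and limit it so the result does not leave the
    global interval, or the range of `ranges` that the original value lies in."""
    noisy = value + laplace_sample(rng, 0.0, b)
    if ranges is not None:
        for lo, hi in ranges:                     # first matching range wins
            if lo <= value <= hi:
                return min(hi, max(lo, noisy))
        raise ValueError(f"{value} lies in none of the pre-defined ranges")
    if interval is not None:
        lo, hi = interval
        return min(hi, max(lo, noisy))
    return noisy


def recode(value, mapping: dict, rng: random.Random):
    """Convert from a first encoding to a second; where one source value maps
    to several target values, the random function picks one of them."""
    target = mapping[value]
    return rng.choice(target) if isinstance(target, (list, tuple)) else target


def relative_timestamp(ts: datetime, reference: datetime, precision: timedelta) -> int:
    """Replace an absolute timestamp by its distance to `reference`, expressed
    in whole units of `precision` (the distance itself is precision-limited)."""
    return round((ts - reference) / precision)


# Constructed parameters for the sample record.
HBA1C_RANGES = [(0.0, 5.7), (5.7, 6.5), (6.5, 15.0)]        # "low", "medium", "high"
HEIGHT_CM = (100.0, 250.0)                                  # global interval
SMOKING_RECODE = {"none": "none", "moderate": "moderate",
                  "high": ["over-average", "critically high"]}   # one-to-many case
WEEK, DAY = timedelta(days=7), timedelta(days=1)
FIRST_VISIT, SECOND_VISIT = datetime(2020, 3, 6), datetime(2020, 4, 17)

SAMPLE_RECORD = {   # constructed data set of one user
    "height_cm": 171.0,
    "smoking": "high",
    "measurements": [
        {"ts": FIRST_VISIT, "hba1c": 8.0},
        {"ts": SECOND_VISIT, "hba1c": 7.4},
    ],
}


def anonymise_record(record: dict, rng: random.Random) -> dict:
    """Apply the processing step to one data set; absolute dates are dropped."""
    first = min(m["ts"] for m in record["measurements"])
    return {
        "height_cm": noisy_numeric(record["height_cm"], 2.0, rng, interval=HEIGHT_CM),
        "smoking": recode(record["smoking"], SMOKING_RECODE, rng),
        "measurements": [
            {"hba1c": noisy_numeric(m["hba1c"], 0.3, rng, ranges=HBA1C_RANGES),
             "week": relative_timestamp(m["ts"], first, WEEK)}   # weeks since first visit
            for m in record["measurements"]
        ],
    }
```

Clamping the noisy value to the range of the original value is what keeps a "high" biomarker from being reported as "medium" after perturbation; the price is that values near a range boundary are slightly biased towards the interior, which a subsequent analysis should be aware of.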
In some embodiments, the at least one data set in the device data set selection step can be selected only from a pre-defined part of user data on the user device. This part can for example exclude identifying data, such as contact data, a user's address or at least a part thereof and/or his payment data.
In some embodiments, the server data selection step can comprise receiving at least one data request. The data request can be received from third parties, such as research partners.
In some such embodiments, the at least one data request comprises a data request condition and a first list of fields. The data request condition is a condition that specifies criteria for users that are relevant for the third party or the research partner. Technically, it is a condition that needs to be matched for data to be selected. The first list of fields lists a minimum of data elements necessary for the purpose of the third party, such as a research purpose for a third party.
In some embodiments, the at least one data request can be a plurality of data requests.
In some such embodiments, each of the at least one data container is specific to a respective data request. That is, each data container comprises the data corresponding to the respective data request.
In some embodiments, the server data can comprise at least one data element group, wherein the at least one data element group comprises at least one data element and the at least one data element comprises a common group key that corresponds to the at least one data element group. The common group key can also be linked to a data element by the data set to which the group key and the data element belong. Each data element group can be understood as collection of data that have such a common group key element, so that the common group key defines a data profile.
In some embodiments, the common group key can comprise a user device indicator. That is, the data element groups can be understood as anonymised profiles of users that collect the anonymised data that is sent by the users. The user device indicator may also be the same for a plurality of devices if the user device receives a corresponding instruction, e.g. if a user changes his user device. In some such embodiments, the at least one data element group can be a plurality of data element groups.
In some such embodiments, the server data selection step comprises evaluating for each data request at least one server selection condition by the server, wherein each server selection condition corresponds to one data request condition.
In such embodiments, each server selection condition can comprise the corresponding data request condition. That is, the server can add at least one criterion to the data request condition, e.g. in order to protect the privacy of the users, as will be detailed below.
In some such embodiments, each server selection condition can comprise a condition regarding whether a data element group comprises at least some or all data elements indicated by the corresponding data request's first list of fields. This can be optionally advantageous to limit data element groups that match the server condition to data element groups that can be selected to respond to the data request.
In some such embodiments, each server selection condition can comprise a condition regarding a proportion of data elements indicated by the corresponding data request's first list of fields and a data element group's data elements. Such a proportion can be, for example, a ratio of the number of requested fields or data elements to the number of fields or data elements of the data element group. An optional advantage of this feature can be that, consequently, one data container contains only a limited amount of data regarding a user, so that the user data stored on the server cannot be disclosed by just a single data request.
In some such embodiments, the data selection step can comprise adding a selection flag to each data element that is selected during processing of a data request.
In some such embodiments, each server selection condition can comprise a condition referring to an amount of data elements of a data element group that are indicated by the corresponding data request's first list of fields and to which a selection flag was added. Such a condition could for example be a maximum number of selection flags that may have been added to the data elements that are indicated by the first list of fields and that might therefore be used to match user profiles if an adverse party gains access to more than one data container.
In some such embodiments, each server selection condition can comprise a condition referring to a proportion of the data elements of a data element group that are indicated by the corresponding data request's first list of fields and to which a selection flag was added, relative to all data elements of the data element group that are indicated by the corresponding data request's first list of fields. The advantage of the preceding paragraph can apply accordingly. An example for said part of each server selection condition can be that the proportion of data elements that were previously shared with a research partner to all the data elements of the data element group is below 50%.
In some such embodiments, each server selection condition can comprise a condition regarding a maximum number of data element groups that are selected for the data request corresponding to the server selection condition.
In some such embodiments, the server data selection step can comprise for each data request, evaluating the server selection condition data element group-wise until a finishing condition is matched. That is, the server checks for each data element group whether it matches the respective server condition and selects it accordingly. An optional advantage can be a limited processing time, as not all of the data element groups need to be checked. Furthermore, it can be easier to limit the selection to a part of the data element groups.
In some such embodiments, the server data selection step can comprise for each data request selecting data elements from the at least one data element group based on the data request and a result of evaluating the server selection condition for the respective data element group. That is, a result of verifying the server selection condition can be used as selection criterion for data element groups, as implied above.
In such embodiments, selecting data elements from the at least one data element group based on the data request and a result of evaluating the server selection condition for the respective data element group can comprise selecting the data elements from the at least one data element group that are indicated by the first list of fields if the server selection condition was matched for the respective data element group. An advantage of this can be that there is a clear criterion for the selection of data elements from data element groups for answering a data request.
In such embodiments, the at least one data request can comprise a second list of fields.
Furthermore, selecting data elements from the at least one data element group based on the data request and a result of evaluating the server selection condition for the respective data element group can comprise selecting data elements from the at least one data element group that are indicated by the second list of fields if the server selection condition was matched for the respective data element group.
Alternatively, selecting data elements from the at least one data element group based on the data request and a result of evaluating the server selection condition for the respective data element group can comprise furthermore selecting data elements from the at least one data element group that are indicated by the second list of fields if the server selection condition was matched for the respective data element group, until the part of the server condition regarding the proportion of data elements indicated by the corresponding data request's first list of fields and a data element group's data elements is not matched anymore. That is, if the first list of fields specifies x data elements to be sent and by the aforementioned criterion regarding the proportion of data elements, y data elements may be selected, then for y>x, up to y-x data elements are selected according to the second list of fields. Furthermore, an optional advantage can be that data element groups are considered that only comprise all data elements from the first list of fields and none or not all of the data elements from the second list of fields. So, this option allows the specification of optional data elements that are selected from the data element group, but does at the same time not limit the quantity of data element groups that match the server selection condition.
In such embodiments, the at least one data request can comprise at least one further list of fields, such as a third list of fields. Furthermore, selecting data elements from the at least one data element group based on the data request and a result of evaluating the server selection condition for the respective data element group can comprise furthermore selecting data elements from the at least one data element group that are indicated by the further list of fields, such as the third list of fields, when there are no data elements left that are indicated by the first and the second list of fields, if the server selection condition was matched for the respective data element group, until the part of the server condition regarding the proportion of data elements indicated by the corresponding data request's first list of fields and a data element group's data elements is not matched anymore. This can have the same advantages as specified in the preceding paragraph.
In some such embodiments, the server data selection step can comprise finishing selecting data elements from a data element group when a condition referring to a proportion of data elements that are selected and a data element group's data elements is matched, such as the condition discussed above. That is, the data elements can be selected from the second and subsequently from the third list of fields as long as the proportion of selected data elements to available data elements of a respective data element group fulfils a condition, such as not exceeding a ratio of 50%.
In some embodiments, the at least one container releasing condition can be verified for each of the at least one data container separately. In such embodiments, the at least one container releasing condition can comprise a minimum number of different data element groups from which data elements were selected for the respective data container.
In such embodiments, the server container releasing step can comprise preventing releasing each of the at least one data container before the at least one container releasing condition is matched for the respective data container. That is, sharing a data container comprising data elements from too few data element groups can be prevented. This can be optionally advantageous in a case where the absolute number of data element groups satisfying the data request condition or the server selection condition respectively is small. As an example, in an extreme case with only one data element group that matches the data request condition, in a case where a data element group corresponds to data of a user, a shared part of the user's data would be exposed and it would be possible to match said part of the user's data to the user if the data request condition is sufficiently specific and another party obtains knowledge about the specificity by other means. For example, an insurance company insuring patients with a very rare disease could thus obtain information on their customers. Avoiding such a scenario may be an advantage of the option discussed in this paragraph.
In some such embodiments, the server packaging step can comprise furthermore a server container releasing step that comprises preventing releasing each of the at least one data container respectively before at least one container releasing condition that is specific to the respective data container is matched. That is, the container releasing conditions can be adapted to the container and thus to the data request condition of the respective data request, for example depending on how specific the data request condition is.
In such embodiments, at least one of the at least one container releasing condition can comprise a minimum number of different data element groups from which data elements were selected for the respective data container. That is, again for the example of data element groups having a user device indicator as key element, data from a minimum number of users must be selected. The optional advantages of the penultimate paragraph apply respectively.
In some such embodiments, at least one of the at least one container releasing condition can comprise a condition regarding a uniqueness of data elements from data element groups that were selected for the respective data container. The uniqueness can also be measured with a vectoral proximity measure or by fuzzy measures and does not need to be strict. Many unique data elements can be an indicator for a high variety of data, which can be an optional advantage in particular for third parties or research partners that want to research a phenomenon without limiting themselves to special cases or for example if the data are used for data mining.
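The server data selection and container releasing logic described in the preceding paragraphs, as an added illustrative model written for this page (it is not code from the patent or from the applicant). It models data element groups keyed by a user device indicator, a server selection condition that adds privacy criteria to the data request condition, selection flags, the first/second/third list of fields with the 50% selected-to-available ratio, the group-wise finishing condition and a container releasing condition requiring a minimum number of distinct groups. The field names, the sample groups, the maximum of groups per request and the minimum of three groups per container are constructed assumptions; the 50% ratios follow the example in the text.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Set

# Assumed thresholds: the patent text only gives 50% as an example value.
MAX_REQUESTED_RATIO = 0.5     # requested (first-list) fields / fields in the group
MAX_FLAGGED_RATIO = 0.5       # already shared (flagged) fields / fields in the group, must stay below
MAX_GROUPS_PER_REQUEST = 100  # finishing condition for the group-wise evaluation
MIN_GROUPS_PER_CONTAINER = 3  # container releasing condition


@dataclass
class DataElementGroup:
    """Anonymised profile keyed by a user device indicator (constructed model)."""
    device_indicator: str
    elements: Dict[str, Any]                        # field name -> value
    flagged: Set[str] = field(default_factory=set)  # fields carrying a selection flag


@dataclass
class DataRequest:
    """Data request condition plus first, second and third list of fields."""
    request_id: str
    condition: Callable[[DataElementGroup], bool]
    first_fields: List[str]                                  # mandatory fields
    second_fields: List[str] = field(default_factory=list)   # optional fields
    third_fields: List[str] = field(default_factory=list)    # further optional fields


def server_selection_condition(group: DataElementGroup, req: DataRequest) -> bool:
    """Data request condition plus the server-added privacy criteria."""
    n = len(group.elements)
    if n == 0 or not req.condition(group):
        return False
    if not all(f in group.elements for f in req.first_fields):   # group holds all first-list fields
        return False
    if len(req.first_fields) / n > MAX_REQUESTED_RATIO:           # requested / available ratio
        return False
    if len(group.flagged) / n >= MAX_FLAGGED_RATIO:               # share of previously shared fields
        return False
    return True


def select_from_group(group: DataElementGroup, req: DataRequest) -> Dict[str, Any]:
    """Take the first list, then fill from the second and third list while the
    selected/available ratio stays within the limit; flag every selected field."""
    limit = int(MAX_REQUESTED_RATIO * len(group.elements))  # y in the text
    selected = list(req.first_fields)                        # x <= y, guaranteed by the condition
    for optional in (req.second_fields, req.third_fields):
        for f in optional:
            if len(selected) >= limit:
                break
            if f in group.elements and f not in selected:
                selected.append(f)
    group.flagged.update(selected)  # selection flags limit future sharing of this group
    return {f: group.elements[f] for f in selected}


def process_request(groups: List[DataElementGroup], req: DataRequest) -> List[Dict[str, Any]]:
    """Evaluate the server selection condition group-wise until the finishing condition."""
    container: List[Dict[str, Any]] = []
    for group in groups:
        if len(container) >= MAX_GROUPS_PER_REQUEST:
            break
        if server_selection_condition(group, req):
            container.append(select_from_group(group, req))
    return container


def release_container(container: List[Dict[str, Any]]) -> Optional[List[Dict[str, Any]]]:
    """Withhold a container drawn from fewer than MIN_GROUPS_PER_CONTAINER groups."""
    return container if len(container) >= MIN_GROUPS_PER_CONTAINER else None


def make_sample_groups() -> List[DataElementGroup]:
    """Constructed sample data; dev-4 has half of its fields shared earlier."""
    full = ["age", "sex", "region", "hba1c", "glucose", "bmi", "smoker", "bp"]
    rows = {
        "dev-1": [54, "f", "AT", 7.1, 160, 29.4, False, "140/90"],
        "dev-3": [47, "m", "DE", 7.4, 170, 31.0, True, "150/95"],
        "dev-4": [58, "f", "AT", 8.0, 180, 33.2, False, "135/85"],
        "dev-5": [39, "f", "AT", 6.6, 140, 27.0, True, "120/80"],
    }
    groups = [DataElementGroup(k, dict(zip(full, v))) for k, v in rows.items()]
    groups.insert(1, DataElementGroup("dev-2", dict(zip(full[:5], [61, "m", "AT", 6.8, 150]))))
    groups[3].flagged = {"age", "hba1c", "glucose", "bmi"}
    return groups


def diabetes_request() -> DataRequest:
    """Constructed request: Austrian users with HbA1c at or above 6.5."""
    return DataRequest(
        request_id="req-constructed-1",
        condition=lambda g: g.elements.get("region") == "AT" and g.elements.get("hba1c", 0) >= 6.5,
        first_fields=["age", "hba1c"],
        second_fields=["glucose", "bmi"],
        third_fields=["smoker", "bp"],
    )


if __name__ == "__main__":
    groups = make_sample_groups()
    for attempt in (1, 2):
        container = process_request(groups, diabetes_request())
        print(f"attempt {attempt}: {len(container)} groups selected, "
              f"released={release_container(container) is not None}")
```

Running the block twice against the same groups shows the purpose of the selection flags: on the first request three groups pass and the container is released; on the second request the groups that already gave up half of their fields are rejected, only one group remains, and the container is withheld because it would expose data from too few users.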
It is to be noted that in the above methods, the terms "end computer user device" and "user device" may be used interchangeably. The method can further comprise steps of any of the expert system method, the selective broadcasting method and the selective data transmission method.
In still another embodiment, a system is disclosed.
The system comprises the end user computer device. The end user computer device is configured for carrying out the method according to any of the above-mentioned embodiments.
The end user computer device can comprise an analysis step module.
The analysis step module can be configured for performing the analysis step of the method.
The end user computer device can comprise a contact establishment module. The contact establishment module can be configured for performing the contact establishment step of the method.
The end user computer device can comprise an outputting step module.
The outputting step module can be configured for performing the outputting step of the method.
The end user computer device can comprise a user interface.
The outputting step module can be configured for controlling the user interface.
The end user computer device can comprise a downloading step module.
The downloading step module can be configured for performing the downloading step of the method.
The end user computer device can comprise a communication component. The downloading step module can be configured for data exchange by means of the communication component.
The end user computer device can comprise a monitoring step module. The monitoring step module can be configured for performing the monitoring step of the method.
The end user computer device can comprise an uploading step module. The uploading step module can be configured for performing the uploading step of the method.
The end user computer device can comprise the communication component. The uploading step module can be configured for data exchange by means of the communication component.
The end user computer device can comprise an anonymizing step module. The anonymizing step module can be configured for performing the anonymizing step of the method.
The end user computer device can comprise a data receiving module. The data receiving module can be configured for performing the data receiving step of the method.
The system can comprise a data storage component. The data storage component can be configured for performing the storing step of the method.
The system can further comprise a server. The server can be configured to carry out at least a part of the method.
The end computer user device can further comprise a comparator node.
It is to be noted that each module and/or the comparator node can be a separate data-processing unit, such as an adapted microcontroller, processor, FPGA or the like, for example in combination with a suitable memory element. However, one or all modules and/or the comparator node can also be implemented in software, which software may then be executed by the end user computer device.
The present invention is further defined in the below embodiments and claims.
Below, method embodiments will be discussed. These embodiments are abbreviated by the letter "M" followed by a number. Whenever reference is herein made to "method embodiments", these embodiments are meant.
M1. A method comprising operating an end user computer device.
M2. The method according to any of the preceding embodiments,
wherein the method comprises performing a storing step (SS).
M3. The method according to any of the preceding embodiments with the features of M2,
wherein the storing step comprises storing user input data.
M4. The method according to any of the preceding embodiments with the features of M2,
wherein the storing step comprises storing a user location set, which user location set comprises at least one or a plurality of user location(s).
M5. The method according to any of the preceding embodiments with the features of M2,
wherein the storing step comprises storing sensed physiological data.
M6. The method according to any of the preceding embodiments with the features of M2,
wherein the storing step comprises storing medical user data.
M7. The method according to any of the preceding embodiments with the features of M2,
wherein the storing step comprises storing medical environment data.
M8. The method according to any of the preceding embodiments with the features of M2,
wherein the storing step comprises storing a third party set, comprising an indication of at least one trusted third party(s).
M9. The method according to any of the preceding embodiments with the features of M2,
wherein the storing step comprises storing analysis model data.
M10. The method according to any of the preceding embodiments with the features of M2,
wherein the storing step comprises storing sample data.
M11. The method according to any of the preceding embodiments with the features of M2, wherein the storing step comprises storing display data.
M12. The method according to any of the preceding embodiments with the features of M2, wherein the storing step comprises storing the data on a data storage component of the end user computer device.
M13. The method according to any of the preceding embodiments with the features of M2 and at least one of M3, M4, M6 and M10,
wherein the storing step comprises storing at least one of
(a) the user input data,
(b) the user location set,
(c) the medical user data, and
(d) the sample data;
in an encrypted form.
M14. The method according to any of the preceding embodiments with the features of M9 and at least one of M8 and M4,
wherein the analysis model data are specific to at least one of a geographical area and the indication of the trusted third party(s).
M15. The method according to any of the preceding embodiments,
wherein the method comprises performing an analysis step (AS).
M16. The method according to any of the preceding embodiments with the features of M15, wherein the analysis step comprises receiving at least an analysis-portion of the user input data from a user.
M17. The method according to the preceding embodiment,
wherein the analysis step comprises receiving at least the analysis-portion from a user by means of a user interface of the end user computer device.
M18. The method according to any of the preceding embodiments with the features of M15,
wherein the analysis step comprises outputting a portion of the display data to the user.
M19. The method according to the two preceding embodiments,
wherein the portion of the display data prompts the user to input the analysis-portion.
M20. The method according to any of the preceding embodiments with the features of M15,
wherein the analysis step comprises a generation of an estimation of a probability of a medical condition of the user,
wherein the generation of the estimation is performed based on the analysis model data.
M21. The method according to the preceding embodiment, wherein the generation of the estimation comprises processing the analysis-portion of the user input data.
M22. The method according to any of the preceding embodiments with the features of M20,
wherein the generation of the estimation comprises processing the user location set.
M23. The method according to any of the preceding embodiments with the features of M20,
wherein the generation of the estimation comprises processing the medical environment data.
M24. The method according to any of the preceding embodiments with the features of M20,
wherein the generation of the estimation comprises processing the medical user data.
M25. The method according to any of the preceding embodiments,
wherein the method comprises performing a contact establishment step (CS).
M26. The method according to any of the preceding embodiments with the features of M25 and M20,
wherein the contact establishment step is performed based on the generated estimation.
M27. The method according to any of the preceding embodiments with the features of M25,
wherein the contact establishment step (CS) comprises establishing a connection, such as a voice communication connection or a data connection.
M28. The method according to the preceding embodiment,
wherein the contact establishment step (CS) further comprises triggering a step of taking a medical sample from the user, such as a sample of body fluid or a sample of tissue of the user.
M29. The method according to any of the two preceding embodiments, wherein the contact establishment step (CS) further comprises receiving a portion of the sample data, wherein the portion preferably comprises an identification of the sample.
M30. The method according to any of the preceding embodiments with the features of M27,
wherein the contact establishment step comprises determining the other party(s) of the connection based on at least one of
the indication of the at least one trusted third party(s), and
the user location set, particularly a current location of the user.
M31. The method according to any of the preceding embodiments with the features of the preceding embodiment and with the features of M26,
wherein the other party(s) of the connection are furthermore determined based on the generated estimation.
M32. The method according to any of the preceding embodiments,
wherein the method comprises performing a downloading step (DS).
M33. The method according to any of the preceding embodiments with the features of M32, wherein the downloading step comprises receiving an updated portion of the display data and/or the medical environment data.
M34. The method according to any of the preceding embodiments with the features of M32, wherein the downloading step comprises receiving the updated portion of the display data and/or the medical environment data from a third party server, wherein the third party server is indicated by the indication of the at least one trusted third party.
M35. The method according to the preceding embodiment, wherein the updated portion of the display data and/or the medical environment data is cryptographically signed by the trusted third party.
M36. The method according to any of the preceding embodiments with the features of M33, wherein the downloading step comprises receiving the updated portion in a compressed data format and decompressing the updated portion after receiving it.
M37. The method according to any of the preceding embodiments with the features of M32, wherein the downloading step comprises sending request data, and wherein the request data comprise at least one of a portion of the user input data and a portion of the medical user data.
M38. The method according to any of the preceding method embodiments with the features of M32,
wherein the downloading step comprises receiving at least a portion of the medical user data from a database server.
M39. The method according to the preceding embodiment,
wherein the downloading step comprises sending a portion of the sample data or a data element generated thereof to the database server.
M40. The method according to the two preceding embodiments,
wherein the downloading step comprises sending the portion of the sample data or the data element generated thereof to the database server and receiving the portion of the medical user data from the database server after sending said portion.
M41. The method according to any of the preceding embodiments,
wherein the method comprises performing an outputting step (OS).
M42. The method according to any of the preceding embodiments with the features of M41, wherein the outputting step (OS) comprises outputting a portion of the display data.
M43. The method according to any of the preceding embodiments with the features of M41 and M33, wherein the outputting step (OS) comprises outputting the updated portion of the display data.
M44. The method according to any of the preceding embodiments with the features of M41 and M38,
wherein the method comprises outputting the received portion of the medical user data.
M45. The method according to any of the preceding embodiments,
wherein the method comprises performing a monitoring step (MS).
M46. The method according to any of the preceding embodiments with the features of M45,
wherein the monitoring step comprises analysing changes in at least one of the medical user data and the sensed physiological data.
M47. The method according to any of the preceding embodiments with the features of M45 and M16,
wherein the monitoring step comprises analysing changes in the analysis-portion.
M48. The method according to any of the two preceding embodiments,
wherein analysing the changes is based on the analysis model data.
M49. The method according to any of the preceding embodiments with the features of M45, wherein the monitoring step comprises generating the estimation of a probability of a medical condition of the user.
M50. The method according to the preceding embodiment and with the features of M26, wherein the contact establishment step is performed based on the generated estimation of at least one of the monitoring step and the analysis step.
M51. The method according to any of the preceding embodiments,
wherein the method comprises performing an uploading step (US).
M52. The method according to any of the preceding embodiments with the features of M51,
wherein the uploading step (US) comprises uploading data to an intermediary server system.
M53. The method according to any of the preceding embodiments with the features of M51,
wherein the uploading step (US) comprises uploading data relating to at least one of a usage of the end user computer device and technical details of the end user computer device.
M54. The method according to any of the preceding embodiments with the features of M52,
wherein the method comprises receiving instruction data from the intermediary server,
wherein the instruction data comprise an uploading criterion and an indication of data types.
M55. The method according to the preceding embodiment,
wherein the uploading criterion relates to at least one of the user location set, the user input data and the medical user data on the end user computer device.
M56. The method according to any of the two preceding embodiments,
wherein the uploading step comprises
verifying whether the uploading criterion is matched by the data stored on the end user computer device, and
uploading at least one or a plurality of upload data element(s) from at least one of the user location set, the user input data and the medical user data to the intermediary server if the uploading criterion is matched.
M57. The method according to the preceding embodiment,
wherein the method comprises not uploading the upload data element(s) if the uploading criterion is not matched.
M58. The method according to any of the two preceding embodiments,
wherein the method comprises not uploading an identity of the user to the intermediary server.
M59. The method according to any of the preceding embodiments,
wherein the method comprises performing an anonymizing step (AN),
which anonymizing step (AN) is performed by the end user computer device.
M60. The method according to the preceding embodiment, wherein the anonymizing step (AN) comprises removing identifying data from the upload data element(s) and/or inhibiting uploading data element(s) that comprise an identity of the user.
M61. The method according to any of the preceding embodiments,
wherein the method comprises a data receiving step (DR).
M62. The method according to the preceding embodiment,
wherein the data receiving step (DR) comprises receiving at least a portion of the medical user data from a measurement data processing system.
M63. The method according to the preceding embodiment,
wherein the measurement data processing system receives measurement data from a set of measurement equipment.
M64. The method according to any of the two preceding embodiments and with the features of M10, wherein the portion of the medical user data that are received from the measurement data processing system relate to a sample to which the sample data correspond.
M65. The method according to any of the preceding embodiments with the features of M61, wherein the data receiving step (DR) comprises receiving sensed physiological data from at least one of
(a) a sensing device that is connected to the end user computer device, and
(b) a sensing component, which sensing component the end user computer device comprises.
M66. The method according to any of the preceding embodiments,
wherein the method comprises operating the end user computer device according to any of the expert system method embodiments.
M67. The method according to any of the preceding embodiments,
wherein the method comprises operating the end user computer device according to any of the selective broadcasting method embodiments.
M68. The method according to the preceding embodiment,
wherein the method comprises performing at least a part of the steps of the method according to the selective broadcasting method embodiments, which part of the steps is performed by an end user computer device and/or require at least one of an action of and an interaction with the end user computer device.
M69. The method according to any of the preceding embodiments with the features of M67,
wherein the end user computer device comprises a comparator node according to the selective broadcasting method embodiments.
M70. The method according to any of the preceding embodiments,
wherein the method comprises performing at least one or more steps of the selective broadcasting method according to any of the selective broadcasting method embodiments.
M71. The method according to any of the preceding embodiments,
wherein the method comprises performing the selective broadcasting method according to any of the selective broadcasting method embodiments.
M72. The method according to any of the preceding embodiments,
wherein the method comprises operating the end user computer device according to any of the selective data transmission method embodiments.
M73. The method according to any of the preceding embodiments,
wherein the method comprises performing one or more steps of the selective data transmission method according to any of the selective data transmission method embodiments.
M74. The method according to any of the preceding embodiments, wherein the method comprises performing the selective data transmission method according to any of the selective data transmission method embodiments.
M75. The method according to any of the preceding embodiments,
wherein the method comprises operating the end user computer device according to any of the distributed data transmission method embodiments.
M76. The method according to any of the preceding embodiments, wherein the method comprises performing one or more steps of the distributed data transmission method according to any of the distributed data transmission method embodiments.
M77. The method according to any of the preceding embodiments, wherein the method comprises performing the distributed data transmission method according to any of the distributed data transmission method embodiments.
Below, expert system method embodiments will be discussed. These embodiments are abbreviated by the letter "N" followed by a number. Whenever reference is herein made to "expert system method embodiments", these embodiments are meant.
N1 A method for processing data on an end user computer device,
comprising processing user data by an application that is executed by the end user computer device.
N2 The method according to the preceding embodiment,
comprising furthermore a user data storing step that comprises storing at least a part of the user data on the end user computer device.
N3 The method according to the preceding method embodiment,
wherein the user data storing step comprises storing medical data.
N4 The method according to any of the two preceding method embodiments, wherein the user data storing step comprises a technical user data storing step that comprises storing technical user data in a machine-interpretable form.
N5 The method according to the preceding embodiment,
wherein the technical user data comprise medical user data.
N6 The method according to any of the two preceding method embodiments,
wherein the technical user data storing step comprises storing technical user data that are encoded with at least a homogenous naming for fields.
N7 The method according to the preceding three method embodiments,
wherein the technical user data storing step comprises
for each field encoding values with a same dimension unit.
N8 The method according to any of the four preceding method embodiments, wherein the technical user data storing step comprises
storing at least partially automatically generated medical data that comprise at least one of
(a) at least one medical image,
(b) at least one result of a laboratory analysis of material originating from or expelled by the human body, and
(c) data from a sensing device that senses biometrical or medical data of the user.
N9 The method according to the preceding method embodiment,
wherein the at least partially automatically generated medical data is automatically generated.
N10 The method according to any of the preceding method embodiments with the features of N4,
wherein processing user data by the application that is executed by the end user computer device comprises
processing the technical user data.
N11 The method according to the preceding method embodiment,
wherein processing the technical user data comprises
an information deriving step that comprises deriving information from the technical user data by the application and thus generating derived information.
N12 The method according to the preceding method embodiment,
wherein the information deriving step comprises deriving medical information from the technical user data by the application.
N13 The method according to any of the preceding method embodiments with the features of N11,
wherein the application comprises a machine learning model and the information deriving step comprises deriving the information based on the machine learning model.
N14 The method according to any of the two preceding method embodiments,
wherein the application comprises an expert system and the information deriving step comprises deriving the information based on the expert system.
N15 The method according to any of the two preceding method embodiments,
wherein the expert system is a medical expert system.
N16 The method according to the preceding method embodiment,
wherein the medical expert system comprises at least a part of a rule-based inference engine.
N17 The method according to any of the preceding five method embodiments,
wherein the application or a part thereof derives information from the technical user data using their machine-interpretable form or at least one property of this machine-interpretable form.
N18 The method according to any of the preceding method embodiments,
wherein the application is specified by application data.
N18a The method according to any of the preceding method embodiments, wherein the method comprises storing the application data on the end user computer device.
N19 The method according to the preceding method embodiment,
wherein the application data comprise display data.
N20 The method according to any of the preceding method embodiments with the features of N18,
wherein the application data comprise knowledge base data that comprise at least a part of data that are configured to specify a relation between input data and output data of the application.
N21 The method according to any of the preceding method embodiments with the features of N20 and N14,
wherein the application data comprise inference engine data that comprise at least a part of data that specify an evaluation of the input data using the knowledge base data.
N22 The method according to any of the preceding method embodiments with the features of N2 and N11,
wherein the user data storing step comprises storing the derived information or indicators thereof.
N23 The method according to the preceding method embodiment,
wherein storing the derived information or the indicators thereof comprises at least one of
(a) storing at least one reference to at least one part of the display data,
(b) copying at least one part of display data, and
(c) generating data at least based on display data,
wherein the display data are preferably according to any of the preceding embodiments that comprise display data.
N24 The method according to any of the preceding method embodiments,
wherein the method comprises a data outputting step that comprises outputting at least a part of the user data and/or of the display data by the end user computer device.
N25 The method according to the preceding method embodiment and with the features of N22,
wherein outputting at least a part of user data by the end user computer device comprises outputting at least a part of the derived information or the indicators thereof that are stored on the end user computer device.
N26 The method according to any of the preceding method embodiments,
wherein data on the end user computer device comprises encrypted data.
N27 The method according to any of the preceding method embodiments,
comprising furthermore encrypting at least a part of the user data.
N28 The method according to the preceding method embodiment and with the features of N4,
wherein encrypting at least a part of the user data comprises encrypting at least a part of the technical user data.
N29 The method according to any of the preceding embodiments with the features of N18 and N26,
wherein the encrypted data comprise at least a part of the application data.
N30 The method according to the preceding embodiment and with the features of N19, wherein the encrypted data comprise at least a part of the display data.
N31 The method according to the preceding embodiment,
wherein the encrypted data comprise the display data.
N32 The method according to any of the preceding method embodiments,
wherein the method comprises a data adding step that comprises adding data to the user data on the end user computer device.
N33 The method according to the preceding embodiment,
wherein the method comprises providing an interface for adding data to the user data by manual input.
N34 The method according to any of the two preceding method embodiments,
wherein the data adding step comprises using a camera that is connected at least indirectly to the end user computer device.
N35 The method according to the preceding method embodiment,
wherein the data adding step comprises adding text data to the user data and wherein using the camera comprises using the camera for adding at least a part of the text data.
N36 The method according to the preceding method embodiment,
wherein adding the text data to the user data comprises furthermore applying at least optical character recognition to data captured by the camera.
N37 The method according to any of the preceding method embodiments with the features of N32,
wherein the data adding step comprises receiving input data from a data server and adding at least a part of the input data to the user data.
N38 The method according to any of the preceding method embodiments with the features of N32, wherein the data adding step comprises receiving data from at least one sensing device that is configured to sense data related to a user.
N39 The method according to the preceding method embodiment,
wherein at least one of the at least one sensing device that is configured to sense data related to the user is configured to sense physiological data related to the user.
N40 The method according to any of the preceding method embodiments with the features of N18,
wherein the method comprises an updating step that comprises sending at least a part of update data from the server and receiving at least the part of the update data by the end user computer device.
N41 The method according to the preceding method embodiment,
wherein the updating step comprises adapting at least a part of the application data on the end user computer device according to the received update data.
N42 The method according to any of the two preceding method embodiments and with the features of N11,
wherein the method comprises furthermore repeating at least a part of the information deriving step after the updating step.
N43 The method according to any of the preceding method embodiments and with the features of N40,
wherein the method comprises sending at least an indicator of at least one of (a) the updating step or a result thereof, (b) the application data and (c) the end user computer device or of technical features thereof from the end user device to another device.
N44 The method according to any of the preceding method embodiments,
comprising sending at least a part of the user data or an indicator thereof to a third party from the end user computer device.
N45 The method according to any of the preceding method embodiments,
comprising furthermore sending at least a part of the user data to another device from the end user computer device only if at least one transfer condition of a transfer condition set is satisfied.
N46 The method according to the preceding method embodiment,
wherein the transfer condition set comprises at least one transfer condition and wherein at least one of the at least one transfer condition comprises
(a) an anonymization of at least a part of the user data that is sent, and
(b) an authorization by the user or an authorized third party.
N47 The method according to any of the two preceding method embodiments,
wherein the method comprises preventing sending the user data from the end user computer device if none of the transfer conditions of the transfer condition set is satisfied.
N48 The method according to any of the preceding method embodiments,
wherein the method comprises preventing sending the user data from the end user computer device.
N49 The method according to any of the preceding method embodiments with the features of N11,
wherein at least a part of the information deriving step is performed only on the end user computer device.
N50 The method according to any of the preceding method embodiments with the features of N11,
wherein the information deriving step is performed only on the end user computer device.
Below, selective broadcasting method embodiments will be discussed. These embodiments are abbreviated by the letter "O" followed by a number. Whenever reference is herein made to "selective broadcasting method embodiments", these embodiments are meant.
O1. A method for broadcasting data, the method comprising
Sending a broadcasting message comprising at least recipient criteria and broadcasted content from at least one broadcasting party to a plurality of end computer user devices, each comprising a comparator node;
Comparing the recipient criteria to at least a portion of the user data stored on each end computer user device by the comparator node;
Processing the broadcasted content on each end computer user device where the comparator node outputted a successful comparison of the recipient criteria to user data.
O2. The method according to the preceding embodiment wherein sending the broadcasting message comprises
Receiving a broadcasting message from at least one broadcasting party by a server;
The server transmitting the broadcasting message to the plurality of user devices.
O3. The method according to any of the preceding method embodiments further comprising discarding the broadcasting message on each device where the comparator node did not achieve a successful comparison of the recipient criteria to user data.
O4. The method according to any of the preceding method embodiments further comprising outputting the broadcasted content on each user device where the comparator node achieved a successful comparison of the recipient criteria to user data.
O5. The method according to any of the preceding method embodiments further comprising sending a notification from each user device specifying results of the comparison between the recipient criteria and the user data.
O6. The method according to the preceding method embodiment further comprising generating statistics on the notifications about at least one of the processing, delivery and at least implicitly on the successful comparison of the broadcasting messages by at least one of the server and the broadcasting party.
O7. The method according to any of the preceding method embodiments and with the features of embodiment O2 wherein sending the broadcasting message further comprises transmitting the broadcasting message by a connection configured to transfer data from the broadcasting party to the server.
O8. The method according to any of the preceding method embodiments and with features of embodiment O2 wherein sending the broadcasting message further comprises connecting the user devices and the server at least at some points in a period of time by a connection configured to transfer data from the server to the user devices.
O9. The method according to any of the preceding method embodiments further comprising the comparator node performing a predetermined action to be performed by the user device on each user device where the comparator node achieved a successful comparison of the recipient criteria to user data.
O10. The method according to the preceding embodiment wherein the predetermined action is at least partially specified by at least parts of the broadcasting message (3).
O11. The method according to the preceding embodiment further comprising the comparator node limiting the possible predetermined actions at least partially specified by the broadcasting message.
O12. The method according to any of the preceding method embodiments and with features of embodiment O2, further comprising the server forwarding the received broadcasting message to all the user devices that are connected to the server at least at some points in a period of time.
O13. The method according to any of the preceding method embodiments and with features of embodiment O2 further comprising the server forwarding the received broadcasting message to at least some of the user devices that are connected to the server at least at some points in a period of time, wherein said portion is at least defined by a characteristic specified by at least one of the server, the broadcasting party sending the broadcasting message to the server and the user devices.
O14. The method according to any of the two preceding embodiments wherein said period of time has a defined starting point.
O15. The method according to the preceding embodiment wherein said starting point is specified by at least one of the server, the broadcasting party, the broadcasting message and a third entity.
O16. The method according to any of the two preceding embodiments wherein said period of time has a defined endpoint.
O17. The method according to the preceding embodiment wherein said endpoint is specified by at least one of the server, the broadcasting party, the broadcasting message and a third entity.
O18. The method according to any of the preceding method embodiments wherein the broadcasting message is distributed to at least one of the user device(s) during or after an installation, updating or downloading of the comparator node.
O19. The method according to any of the preceding method embodiments and with features of embodiment O2 further comprising encrypting at least a part of the broadcasting message by at least one of the broadcasting party and the server.
O20. The method according to the preceding embodiment, further comprising
at least partially encrypting the broadcasting message by the broadcasting party before or while sending it to the server,
at least partially decrypting the broadcasting message by the server after or while receiving said broadcasting message from the broadcasting party,
at least partially encrypting the broadcasting message by the server before or while sending it to the user devices, and
at least partially decrypting the broadcasting message by the device after or while receiving said broadcasting message from the server.
O21. The method according to any of the two preceding embodiments further comprising the broadcasting party encrypting the broadcasting message at least partially with a key known to at least a portion of the user devices before or while sending it to the server,
and wherein at least a portion of the user devices decrypt said broadcasting message using said key known to at least a portion of the user devices.
O22. The method according to any of the preceding method embodiments wherein the user data comprises medical data.
Below, selective data transmission method embodiments will be discussed. These embodiments are abbreviated by the letter "P" followed by a number. Whenever reference is herein made to "selective data transmission method embodiments", these embodiments are meant.
P1. A method for selectively transmitting data, the method comprising
Sending an inquiry message comprising at least request criteria from at least one broadcasting party to a plurality of end computer user devices, each comprising a comparator node;
Comparing the request criteria to user data stored on each end computer user device by the comparator node;
On each end computer user device where the comparator node achieved a successful comparison of the request criteria to user data,
The comparator node generating at least one return message based on at least parts of user data; and
Sending the return message from the end computer user device to at least one of the server and the broadcasting party.
P2. The method according to the preceding embodiment wherein sending the inquiry message comprises
Receiving an inquiry message from at least one broadcasting party by a server;
The server transmitting the inquiry message to the plurality of end computer user devices.
P3. The method according to any of the preceding method embodiments further comprising discarding the inquiry message on each device where the comparator node did not achieve a successful comparison of the request criteria to user data.
P4. The method according to any of the preceding method embodiments and with the features of embodiment P2 wherein sending the inquiry message further comprises transmitting the inquiry message by a connection configured to transfer data from the broadcasting party to the server.
P5. The method according to any of the preceding method embodiments and with features of embodiment P2 wherein sending the inquiry message further comprises connecting the end computer user devices and the server at least at some points in a period of time by a connection configured to transfer data from the server to the end computer user devices.
P6. The method according to any of the preceding method embodiments wherein the sending of the return message is performed at any point in time after the generating at least one return message.
P7. The method according to the preceding method embodiment wherein the point of time when the sending is performed depends on a further condition.
P8. The method according to any of the preceding method embodiments wherein user data comprises at least identifying data and technical data.
P9. The method according to the preceding embodiment wherein the generating of at least one of said return message(s) comprises inserting at least a part of the technical data and at least a part of the identifying data to the at least one return message by the comparator node.
P10. The method according to the preceding embodiment wherein inserting the technical data and the identifying data is performed at most to the extent that was requested by the inquiry message that triggered the generation of said return message.
P11. The method according to any of the three preceding embodiments wherein the generating of at least one of the return message(s) comprises furthermore processing the identifying data before inserting it to the return message.
P12. The method according to the preceding embodiment, wherein the processing of the identifying data is performed by the comparator node.
P13. The method according to the preceding embodiment further comprising the comparator node using a set of rules to invoke certain actions if certain portions of the user data or combinations thereof are requested by the inquiry message.
P14. The method according to any of the three preceding embodiments wherein the processing of said inquiry message comprises anonymising at least parts of the identifying data before inserting it to the return message(s).
P15. The method according to the preceding embodiment wherein the anonymising of at least parts of the identifying data comprises limiting the precision of at least a portion of said identifying data.
P16. The method according to any of the two preceding embodiments wherein the anonymising of at least parts of the identifying data comprises replacing at least a portion of the identifying data by pseudonyms or codes.
P17. The method according to the preceding embodiment wherein the pseudonyms or codes are generated by the comparator node.
P18. The method according to any of the four preceding embodiments wherein the anonymising of at least parts of the identifying data comprises replacing at least a portion of said identifying data by variables that are deduced from the identifying data, but that do not allow exact determination of the identifying data.
P19. The method according to any of the five preceding embodiments wherein the anonymising of at least parts of the identifying data comprises treating at least a part of the identifying data with a differential privacy algorithm.
P20. The method according to any of the preceding method embodiments and with features of embodiment P8 wherein the technical user data that is sent to at least one of a server and a broadcasting party as part of the return message is treated with a differential privacy algorithm before being sent to at least one of a server and a broadcasting party respectively.
P21. The method according to any of the preceding method embodiments wherein the processing of the inquiry message comprises sending at least a plurality of the return messages.
P22. The method according to any of the preceding method embodiments wherein the return message comprises at least an indicator for at least one of the following:
user data matches the request criteria for the first time and
an event concerning user data occurs.
P23. The method according to any of the preceding method embodiments wherein the sending requires furthermore that at least one of the user data and an event concerning user data respectively also satisfy a time constraint.
P24. The method according to any of the preceding method embodiments further comprising requesting at least implicit general consent, more preferably explicitly indicated consent, more preferably explicitly indicated consent to each single request of the user data, of the user before at least one of generating or triggering sending at least one return message corresponding to the inquiry message is performed by the comparator node.
P25. The method according to any of the preceding method embodiments wherein one or a plurality of return message(s) that are generated on the user device are sent to a server or a broadcasting party at a point in time when the user device is at least indirectly connected to the server and/or the broadcasting party respectively.
P26. The method according to the preceding embodiment, wherein the one or a plurality of return message(s) that are generated on the user device are sent to the server or the broadcasting party in at least one of a compressed form, batches and an agglomerated form.
P27. The method according to any of the two preceding returning method embodiments, wherein the sending to the server or the broadcasting party of the one or a plurality of return message(s) that are generated on the user device is triggered
(a) once during a defined period of time,
(b) by a message from a server or a broadcasting party, and/or
(c) by a matching of a condition on the user device, such as existence of at least one of a defined number of return message(s).
P28. The method according to any of the preceding method embodiments wherein the return message is sent to the server, further comprising, after the receiving of the return message(s), forwarding at least parts of the return message(s) that the server received to at least some of the broadcasting parties, preferably forwarding each return message to the broadcasting party that sent the inquiry message that caused the generation of the respective return message.
P29. The method according to the preceding embodiment wherein generating the at least one return message(s) comprises furthermore adding a specification of at least one of the broadcasting party and the inquiry message that caused the generation of the return message(s).
P30. The method according to the preceding embodiment further comprising the server using at least the specification of at least one of the broadcasting party and the inquiry message to forward at least the content of the return message(s).
P31. The method according to any of the three preceding embodiments further comprising the server collecting the return messages corresponding to one inquiry message and making available the return messages or their content, preferably in an agglomerated form, to the broadcasting party that issued said inquiry message.
P32. The method according to the preceding embodiment wherein the sending the return messages or their content, preferably in an agglomerated form, is triggered when a certain condition is met.
P33. The method according to any of the five preceding embodiments further comprising taking measures to mask, remove or conceal elements suitable to identify the user or the user device prior to sending the return messages or parts thereof to at least one of the at least one broadcasting parties.
P34. The method according to any of the preceding method embodiments further comprising encrypting at least parts of the return message with at least one encryption key by the user device before or while sending it.
P35. The method according to the preceding embodiment wherein the return message is sent to the broadcasting parties further comprising decrypting the return message at the respective broadcasting parties.
P36. The method according to any of the preceding method embodiments wherein the return message is sent to the server further comprising
encrypting at least parts of each the return message at the user device before or while sending it to the server,
decrypting at least parts of each return message at the server after receiving said return message,
encrypting at least parts of said return message, of a set of return messages or of the agglomerated content of multiple return messages at the server before sending said return message(s) to the receiving broadcasting party and
decrypting the data sent by the server at least partially at the receiving broadcasting party.
P37. The method according to any of the preceding method embodiments wherein the return message is sent to the server further comprising encrypting at least parts of the return message(s) with a key corresponding to the respective broadcasting party that issued the inquiry message that caused the generation of the return message(s), wherein the encryption is set up in a way so that the server cannot access said parts of the return message(s).
P38. The method according to any of the preceding method embodiments further comprising encrypting at least parts of the return message(s) at the user device using an asymmetric encryption algorithm before or while sending each return message.
P39. The method according to the preceding embodiment wherein encrypting at least parts of the return message using an asymmetric encryption algorithm comprises furthermore using at least a public key for the encryption of each return message, wherein said public key corresponds to the respective broadcasting party that is the intended receiver of said return message.
P40. The method according to any of the preceding method embodiments wherein the return message is sent to the server further comprising sending and receiving the inquiry messages with one or multiple parts of the server that are at least partially different from parts of the server used for sending and receiving at least parts of the return message(s) at the server.
P41. The method according to any of the preceding method embodiments further comprising sending inquiry messages by the broadcasting parties from systems that are for at least one broadcasting party at least partially different from systems that are used for receiving the return messages.
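The comparator node is the common element of the selective broadcasting embodiments (O1 to O11) and the selective data transmission embodiments (P1 to P10, P15 to P17, P24 and P28 to P31): criteria are evaluated against user data that never leaves the device, a non-matching message is discarded, and a return message carries only the requested fields after local anonymisation. The following is an added illustration in Python, not code from the patent or from Medicus AI; the user data, message formats, operator set, field-specific anonymisation rules and the keyed-hash pseudonym are constructed assumptions, and the transport encryption of O19 to O21 and P34 to P39 is left out.

```python
"""Comparator node for selective broadcasting (O1-O11) and selective data
transmission (P1-P10, P15-P17, P24, P28-P31). Constructed example: formats,
operators and anonymisation rules are assumptions, not the patent's."""
import hashlib
import hmac

# Constructed user data kept on one end user device.
USER_DATA = {
    "user_id": "user-0042",
    "birth_year": 1976,
    "postcode": "1040",
    "conditions": ["hypertension"],
    "systolic_bp": 147.0,
}

# Closed operator set: the node, not the message, decides what can be evaluated (O11).
_OPS = {
    "eq": lambda v, x: v == x,
    "lt": lambda v, x: v < x,
    "ge": lambda v, x: v >= x,
    "contains": lambda v, x: x in v,
}


def matches(criteria: list, user_data: dict) -> bool:
    """O1/P1: every criterion (field, op, value) must hold on the local data.
    An unknown field or operator never matches, so a malformed message is dropped."""
    for f, op, x in criteria:
        if f not in user_data or op not in _OPS:
            return False
        if not _OPS[op](user_data[f], x):
            return False
    return True


def handle_broadcast(message: dict, user_data: dict) -> dict:
    """O1-O5, O9-O11: process the content only on a match and emit a notification
    that states the comparison result, never the user data it was compared to."""
    if not matches(message["recipient_criteria"], user_data):
        return {"message_id": message["id"], "matched": False}  # O3: discard
    # The node only honours the allow-listed action "display" (O11).
    if message.get("action", "display") != "display":
        return {"message_id": message["id"], "matched": True, "processed": False}
    return {"message_id": message["id"], "matched": True, "processed": True,
            "content": message["content"]}


def pseudonym(identifier: str, device_secret: bytes) -> str:
    """P16-P17: keyed hash generated on the device; without the device secret the
    pseudonym cannot be inverted, and different secrets give unlinkable values."""
    return hmac.new(device_secret, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def limit_precision(value: int, bucket: int) -> int:
    """P15: coarsen a numeric identifying value to a bucket of width `bucket`."""
    return (value // bucket) * bucket


def handle_inquiry(inquiry: dict, user_data: dict, device_secret: bytes, consent: bool):
    """P1-P3, P9-P10, P24, P29: build a return message only on a match and with
    consent, inserting no more than the fields the inquiry requested."""
    if not consent or not matches(inquiry["request_criteria"], user_data):
        return None  # P3: discard the inquiry on this device
    body = {}
    for f in inquiry["requested_fields"]:
        if f not in user_data:
            continue  # P10: at most what was requested, and only what exists
        if f == "user_id":
            body[f] = pseudonym(user_data[f], device_secret)
        elif f == "birth_year":
            body[f] = limit_precision(user_data[f], 10)
        elif f == "postcode":
            body[f] = user_data[f][:2] + "xx"
        else:
            body[f] = user_data[f]
    # P29: specification of party and inquiry so the server can route the reply (P30).
    return {"inquiry_id": inquiry["id"], "party": inquiry["party"], "body": body}


def server_forward(returns: list) -> dict:
    """P28, P30-P31: collect return messages per (party, inquiry) and hand the
    agglomerated bodies to the issuing party; the routing specification itself
    is not forwarded."""
    out = {}
    for r in returns:
        if r is None:
            continue
        out.setdefault((r["party"], r["inquiry_id"]), []).append(r["body"])
    return out
```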
Below, distributed data transmission method embodiments will be discussed. These embodiments are abbreviated by the letter "Q" followed by a number. Whenever reference is herein made to "distributed data transmission method embodiments", these embodiments are meant.
Q1 A method for sending combined parts of distributed data from user devices to at least one recipient, comprising
a device data storing step (DD) that comprises for each of at least one user device, storing user data relating to the respective user device on said respective user device,
a device sending step (DS) that comprises sending at least one data set from the at least one user device to a server,
a server receiving step (SR) that comprises receiving the at least one data set by the server, and
a server packaging step (SP) that comprises combining data elements of the at least one received data set to at least one data container.
Q2 The method according to any of the preceding method embodiments,
wherein for at least one of the at least one user device, the user data are specific to the respective user device.
Q3 The method according to any of the preceding method embodiments,
wherein the device data storing step (DD) comprises storing medical data and wherein the user data comprise medical data.
Q4 The method according to the preceding embodiment,
wherein the device data storing step (DD) comprises storing at least a part of the user data in a machine-interpretable form.
Q5 The method according to the preceding embodiment,
wherein storing at least the part of the user data in a machine-interpretable form comprises at least one of
(a) using a homogenous naming for fields and
(b) for each field, encoding values with a same dimension unit.
Q6 The method according to any of the preceding method embodiments,
wherein the device data storing step (DD) comprises storing at least partially automatically generated medical data that comprise at least one of
(a) at least one medical image,
(b) at least one result of a laboratory analysis of material originating from or expelled by the human body, and
(c) data from a sensing device that senses biometrical or medical data of the user.
Q7 The method according to the preceding method embodiment,
wherein the at least partially automatically generated medical data are automatically generated.
Q8 The method according to any of the preceding method embodiments,
wherein the device sending step (DS) comprises a device processing step (DPS) that comprises processing the at least one data set on the at least one device.
Q9 The method according to any of the preceding method embodiments,
wherein the device sending step (DS) comprises a device data set selection step (DDS) that comprises selecting at least one data set from the user data on the at least one user device.
Q10 The method according to any of the preceding method embodiments,
wherein the device sending step (DS) is performed by at least one of the at least one user device periodically and/or upon request by the server.
Q11 The method according to any of the preceding method embodiments,
wherein the server receiving step (SR) comprises connecting at least one of the at least one user device at least at some points in time to the server.
Q12 The method according to any of the preceding method embodiments,
wherein the server receiving step (SR) comprises storing server data on the server,
wherein the server data comprise at least a part of at least one of the at least one data set received by the server.
Q13 The method according to any of the preceding method embodiments,
wherein the server packaging step (SP) comprises receiving at least one data request from at least one requesting party.
Q14 The method according to any of the preceding method embodiments, wherein the server packaging step (SP) comprises furthermore a server processing step (SPS).
Q15 The method according to any of the preceding method embodiments,
wherein the server packaging step comprises furthermore a server data selection step (SDS) that comprises selecting the data elements of the at least one received data set to be combined to the at least one data container.
Q16 The method according to any of the preceding method embodiments,
wherein the server packaging step comprises furthermore a server container releasing step (SCR) that comprises preventing releasing at least one of the at least one data container before at least one container releasing condition is matched.
Q17 The method according to any of the preceding method embodiments, wherein the at least one user device is a plurality of user devices.
Q18 The method according to any of the preceding method embodiments,
wherein the user data on the at least one user device comprise at least one data element, wherein at least one data element of the at least one data element comprises at least one of the following data:
(a) at least one numeric value,
(b) single selectable options from at least one list,
(c) multiple selectable options from at least one list,
(d) at least one time-stamped value, and
(e) at least one binary value.
Q19 The method according to any of the preceding method embodiments with the features of Q18,
wherein the method comprises a device processing step (DPS) that comprises processing at least one data element of at least one data set of the user data on at least one user device by the respective user device.
Q20 The method according to the preceding method embodiment,
wherein the device processing step comprises on at least one user device at least one of removing information from at least a part of the user data and limiting a precision of at least a part of the user data.
Q21 The method according to any of the two preceding embodiments,
wherein the device processing step (DPS) comprises processing at least one numerical data element,
wherein the at least one numerical data element is a data element which comprises at least one numeric value,
and wherein the device processing step (DPS) comprises furthermore combining numerical noise and the numerical data element.
Q22 The method according to the preceding method embodiment,
wherein combining numerical noise and the at least one numerical data element comprises adding the numerical noise to at least one of the at least one numeric value of the numerical data element.
Q23 The method according to the penultimate method embodiment,
wherein combining numerical noise and the at least one numerical data element comprises adding the numerical noise to the numeric value of the respective numeric data element and for at least one of the at least one numerical data element, limiting the numerical noise so that the respective numeric value does not exceed a pre-defined interval.
Q24 The method according to any of the two preceding method embodiments,
wherein the numerical noise is generated by a Laplace-distribution with an appropriate scaling.
Q25 The method according to any of the preceding method embodiments with the features of Q19,
wherein the device processing step (DPS) comprises processing at least one data element by converting a representation of the data element from a first encoding to a second encoding.
Q26 The method according to the preceding embodiment,
wherein the first and the second encoding are at least for some values of the data element not equivalent and converting a representation of the data element in the second encoding comprises using an appropriate random function.
Q27 The method according to any of the preceding method embodiments with the features of Q19,
wherein the device processing step (DPS) comprises processing at least a timestamped data element,
wherein the at least one timestamped data element is a data element which comprises at least one timestamped value,
and wherein the device processing step (DPS) comprises replacing a timestamp of at least one of the at least one timestamped value.
Q28 The method according to the preceding method embodiment,
wherein the step of replacing a timestamp of the at least one of the at least one timestamped value comprises limiting the precision of said timestamp.
Q29 The method according to the penultimate method embodiment,
wherein the step of replacing a timestamp of the at least one of the at least one timestamped value comprises replacing said timestamp by a temporal distance relative to another point in time, such as a timestamp of another data element.
Q30 The method according to the preceding embodiment,
comprising limiting the precision of said temporal distance relative to another point in time.
Q31 The method according to any of the preceding method embodiments with the features of Q19,
wherein the device processing step (DPS) comprises an operation to anonymize at least a part of the user data on at least one user device.
Q32 The method according to any of the preceding method embodiments that comprise server data,
wherein the server data on the server comprise at least one data element, wherein at least one data element of the at least one data element comprises at least one of the following data:
(a) at least one numeric value,
(b) single selectable options from at least one list,
(c) multiple selectable options from at least one list,
(d) at least one time-stamped value, and
(e) at least one binary value.
Q33 The method according to any of the preceding method embodiments with the features of Q32 and Q14,
wherein the server processing step (SPS) comprises processing at least one data element of at least one data set of the server data on the server.
Q34 The method according to the preceding method embodiment,
wherein the server processing step (SPS) comprises at least one of removing information from at least a part of the server data and limiting a precision of at least a part of the server data.
Q35 The method according to the preceding embodiment,
wherein the server processing step (SPS) comprises processing at least one numerical data element,
wherein the at least one numerical data element is a data element which comprises at least one numeric value,
and wherein the server processing step (SPS) comprises furthermore combining numerical noise and the numerical data element.
Q36 The method according to the preceding method embodiment,
wherein combining numerical noise and the at least one numerical data element comprises adding the numerical noise to at least one of the at least one numeric value of the numerical data element.
Q37 The method according to the penultimate method embodiment,
wherein combining numerical noise and the at least one numerical data element comprises adding the numerical noise to the numeric value of the respective numeric data element and for at least one of the at least one numerical data element, limiting the numerical noise so that the respective numeric value does not exceed a pre-defined interval.
Q38 The method according to any of the two preceding method embodiments,
wherein the numerical noise is generated by a Laplace-distribution with appropriate scaling.
Q39 The method according to any of the preceding method embodiments with the features of Q33,
wherein the server processing step (SPS) comprises processing at least one data element by converting a representation of the data element from a first encoding to a second encoding.
Q40 The method according to the preceding embodiment,
wherein the first and the second encoding are at least for some values of the data element not equivalent and converting a representation of the data element in the second encoding comprises using an appropriate random function.
Q41 The method according to any of the preceding method embodiments with the features of Q33,
wherein the server processing step (SPS) comprises processing at least a timestamped data element,
wherein the at least one timestamped data element is a data element which comprises at least one timestamped value,
and wherein the server processing step (SPS) comprises replacing a timestamp of at least one of the at least one timestamped value.
Q42 The method according to the preceding method embodiment,
wherein the step of replacing a timestamp of the at least one of the at least one timestamped value comprises limiting the precision of said timestamp.
Q43 The method according to the penultimate method embodiment,
wherein the step of replacing a timestamp of the at least one of the at least one timestamped value comprises replacing said timestamp by a temporal distance relative to another point in time, such as a timestamp of another data element.
Q44 The method according to the preceding embodiment,
comprising limiting the precision of said temporal distance relative to another point in time.
Q45 The method according to any of the preceding embodiments with the features of Q33,
wherein the server processing step (SPS) comprises an operation to anonymize at least a part of the server data.
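As an added illustration (not code from the patent or its assignee), the following Python sketch implements the device/server processing step of Q19 to Q31 and Q33 to Q45 on a constructed data set: bounded Laplace noise for numeric values (Q22 to Q24, Q36 to Q38), randomized re-encoding of a binary value (Q26, Q40), timestamp coarsening (Q28, Q42) and replacement of a timestamp by a relative distance to another data element's timestamp (Q29/Q30, Q43/Q44). All function and field names, the noise scales and the intervals are assumptions.

```python
import math
import random
from datetime import datetime
from typing import Dict, Optional, Tuple, Union

# All names below are hypothetical: the patent names the steps (DPS/SPS) and the
# operations, but gives no code for them.

Value = Union[float, bool, str, datetime]


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Draw one sample from Laplace(0, scale) by inverse CDF (the noise source of Q24/Q38)."""
    u = rng.random() - 0.5                      # uniform on [-0.5, 0.5)
    while u == -0.5:                            # avoid log(0) on the single excluded point
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def noisy_numeric(value: float, scale: float, interval: Tuple[float, float],
                  rng: random.Random) -> float:
    """Q22/Q23: add Laplace noise, then limit the noise so that the result stays inside
    the pre-defined interval (clipping), so no physically impossible value is released."""
    lo, hi = interval
    return min(max(value + laplace_noise(scale, rng), lo), hi)


def randomized_response(value: bool, p_truth: float, rng: random.Random) -> bool:
    """Q26: re-encode a binary value with a random function. With probability p_truth the
    true value is kept, otherwise a uniformly random bit is reported; a single stored
    value is then deniable while population statistics remain recoverable."""
    if rng.random() < p_truth:
        return value
    return rng.random() < 0.5


def limit_timestamp_precision(ts: datetime, unit: str) -> datetime:
    """Q28: keep the timestamp but drop all precision below the given unit."""
    if unit == "day":
        return ts.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "hour":
        return ts.replace(minute=0, second=0, microsecond=0)
    raise ValueError(f"unsupported precision unit: {unit}")


def relative_time(ts: datetime, reference: datetime, unit_seconds: int) -> int:
    """Q29/Q30: replace a timestamp by its distance to another point in time (here the
    timestamp of another data element), rounded to whole units of unit_seconds."""
    return int(round((ts - reference).total_seconds() / unit_seconds))


def process_data_set(data_set: Dict[str, Value], policy: Dict[str, dict],
                     rng: random.Random,
                     reference_ts: Optional[datetime] = None) -> Dict[str, Value]:
    """One processing step over a data set: each field is transformed according to its
    policy entry; fields without a policy entry are removed entirely (Q20/Q34)."""
    out: Dict[str, Value] = {}
    for name, rule in policy.items():
        if name not in data_set:
            continue
        v = data_set[name]
        if rule["kind"] == "numeric":
            out[name] = noisy_numeric(float(v), rule["scale"], rule["interval"], rng)
        elif rule["kind"] == "binary":
            out[name] = randomized_response(bool(v), rule["p_truth"], rng)
        elif rule["kind"] == "timestamp" and rule.get("relative_to_reference"):
            out[name] = relative_time(v, reference_ts, rule["unit_seconds"])
        elif rule["kind"] == "timestamp":
            out[name] = limit_timestamp_precision(v, rule["unit"])
        else:
            raise ValueError(f"unknown rule for field {name}")
    return out


# Constructed sample data set as it might sit on a user device (not real patient data).
SAMPLE_DATA_SET: Dict[str, Value] = {
    "patient_name": "constructed example",   # no policy entry -> removed
    "temperature": 38.4,
    "age": 34,
    "cough": True,
    "symptom_onset": datetime(2020, 4, 14, 9, 30),
    "test_time": datetime(2020, 4, 17, 13, 45, 10),
}

# Constructed processing policy; noise scales and intervals are illustrative choices.
POLICY = {
    "temperature": {"kind": "numeric", "scale": 0.3, "interval": (34.0, 42.0)},
    "age": {"kind": "numeric", "scale": 2.0, "interval": (0.0, 120.0)},
    "cough": {"kind": "binary", "p_truth": 0.75},
    "symptom_onset": {"kind": "timestamp", "relative_to_reference": True,
                      "unit_seconds": 86400},            # whole days before the test
    "test_time": {"kind": "timestamp", "unit": "day"},
}


def process_sample(seed: int) -> Dict[str, Value]:
    """Run the processing step on the constructed sample with a seeded RNG."""
    return process_data_set(SAMPLE_DATA_SET, POLICY, random.Random(seed),
                            reference_ts=SAMPLE_DATA_SET["test_time"])


if __name__ == "__main__":
    print(process_sample(7))
```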
Q46 The method according to any of the preceding method embodiments with the features of Q9,
wherein the at least one data set in the device data set selection step (DDS) is selected only from a pre-defined part of user data on the user device.
Q47 The method according to any of the preceding method embodiments with the features of Q13 and Q15,
wherein the server data selection step (SDS) comprises receiving at least one data request.
Q48 The method according to the preceding method embodiment,
wherein the at least one data request comprises a data request condition and a first list of fields.
Q49 The method according to any of the two preceding method embodiments,
wherein the at least one data request is a plurality of data requests.
Q50 The method according to any of the preceding two method embodiments,
wherein each of the at least one data container is specific to a respective data request.
Q51 The method according to the preceding method embodiment and with the features of Q12,
wherein the server data comprise at least one data element group,
wherein the at least one data element group comprises at least one data element and the at least one data element comprises a common group key that corresponds to the at least one data element group.
Q52 The method according to the preceding method embodiment,
wherein the common group key comprises a user device indicator (UDI).
Q53 The method according to any of the two preceding method embodiments,
wherein the at least one data element group is a plurality of data element groups.
Q54 The method according to any of the preceding method embodiments with the features of Q48,
wherein the server data selection step (SDS) comprises evaluating for each data request at least one server selection condition by the server,
wherein each server selection condition corresponds to one data request condition.
Q55 The method according to the preceding method embodiment,
wherein each server selection condition comprises the corresponding data request condition.
Q56 The method according to any of the preceding two method embodiments,
wherein each server selection condition comprises a condition regarding whether a data element group comprises at least some or all data elements indicated by the corresponding data request's first list of fields.
Q57 The method according to any of the three preceding method embodiments,
wherein each server selection condition comprises a condition regarding a proportion of data elements indicated by the corresponding data request's first list of fields and a data element group's data elements.
Q58 The method according to any of the preceding method embodiments with the features of Q33 and Q47,
wherein the data selection step comprises adding a selection flag to each data element that is selected during the processing of a data request.
Q59 The method according to any of the preceding method embodiments with the features of Q58 and Q54,
wherein each server selection condition comprises a condition referring to an amount of data elements of a data element group that are indicated by the corresponding data request's first list of fields and to which a selection flag was added.
Q60 The method according to any of the preceding method embodiments with the features of the preceding embodiment and Q54,
wherein each server selection condition comprises a condition referring to a proportion of data elements of a data element group that are indicated by the corresponding data request's first list of fields and to which a selection flag was added to the data elements of a data element group that are indicated by the corresponding data request's first list of fields.
Q61 The method according to any of the preceding method embodiments with the features of Q54, wherein each server selection condition comprises a condition regarding a maximum number of data element groups that are selected for the data request corresponding to the server selection condition.
Q61 The method according to any of the preceding method embodiments with the features of Q54,
wherein the server data selection step (SDS) comprises for each data request, evaluating the server selection condition data element group-wise until a finishing condition is matched.
Q62 The method according to the preceding method embodiment,
wherein the server data selection step (SDS) comprises for each data request selecting data elements from the at least one data element group based on the data request and a result of evaluating the server selection condition for the respective data element group.
Q63 The method according to the preceding method embodiment,
wherein selecting data elements from the at least one data element group based on the data request and a result of evaluating the server selection condition for the respective data element group
comprises selecting the data elements from the at least one data element group that are indicated by the first list of fields if the server selection condition was matched for the respective data element group.
Q64 The method according to the preceding method embodiment,
wherein the at least one data request comprises a second list of fields and wherein selecting data elements from the at least one data element group based on the data request and a result of evaluating the server selection condition for the respective data element group
comprises furthermore selecting data elements from the at least one data element group that are indicated by the second list of fields if the server selection condition was matched for the respective data element group.
Q65 The method according to the penultimate method embodiment and with the features of Q57,
wherein the at least one data request comprises a second list of fields and wherein selecting data elements from the at least one data element group based on the data request and a result of evaluating the server selection condition for the respective data element group
comprises furthermore selecting data elements from the at least one data element group that are indicated by the second list of fields if the server selection condition was matched for the respective data element group, until the part of the server condition specified in M57 is not matched anymore.
Q66 The method according to the preceding method embodiment,
wherein the at least one data request comprises at least one further list of fields, such as a third list of fields,
and
wherein selecting data elements from the at least one data element group based on the data request and a result of evaluating the server selection condition for the respective data element group
comprises furthermore selecting data elements from the at least one data element group that are indicated by the further list of fields, such as the third list of fields, when there are no data elements left that are indicated by the first and the second list of fields, if the server selection condition was matched for the respective data element group, until the part of the server condition specified in M57 is not matched anymore.
Q67 The method according to any of the preceding method embodiments with the features of Q51,
wherein the server data selection step comprises
finishing selecting data elements from a data element group when a condition referring to a proportion of data elements that are selected and a data element group's data elements is matched.
Q68 The method according to any of the preceding method embodiments with the features of Q16 and Q51,
wherein the at least one container releasing condition is verified for each of the at least one data container separately and wherein the at least one container releasing condition comprises a minimum number of different data element groups from which data elements were selected for the respective data container.
Q69 The method according to the preceding method embodiment,
wherein the server container releasing step (SCR) comprises preventing releasing each of the at least one data container before the at least one container releasing condition is matched for the respective data container.
Q70 The method according to any of the preceding method embodiments with the features of Q51,
wherein the server packaging step comprises furthermore a server container releasing step (SCR) that comprises preventing releasing each of the at least one data container respectively before at least one container releasing condition that is specific to the respective data container is matched.
Q71 The method according to the preceding method embodiment,
wherein at least one of the at least one container releasing condition comprises a minimum number of different data element groups from which data elements were selected for the respective data container.
Q72 The method according to any of the preceding four method embodiments,
wherein at least one of the at least one container releasing condition comprises a condition regarding a uniqueness of data elements from data element groups that were selected for the respective data container.
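As an added illustration (not code from the patent), the following Python sketch runs the server data selection step of Q47 to Q67 and the container releasing step of Q68 to Q72 on constructed server data: two data requests with first and second lists of fields compete for the same data element groups, selection flags (Q58/Q59) keep the second request from re-using elements already taken by the first, the proportion limit (Q57/Q67) caps what one request takes from a group, and a container is released only when enough distinct groups contributed (Q71/Q72). All type and function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Hypothetical types and names: the patent names the steps (SDS, SCR) and the concepts
# (data request, lists of fields, selection flag, UDI, data container) but gives no code.

@dataclass
class DataElement:
    value: object
    selected: bool = False                # selection flag (Q58)

@dataclass
class DataElementGroup:
    udi: str                              # user device indicator as common group key (Q52)
    elements: Dict[str, DataElement]

@dataclass
class DataRequest:
    name: str
    condition: Callable[[DataElementGroup], bool]            # data request condition (Q48)
    first_fields: List[str]                                  # first list of fields (Q48)
    second_fields: List[str] = field(default_factory=list)   # second list of fields (Q64)
    max_groups: int = 100                 # finishing condition (Q61)
    max_fraction: float = 0.6             # share of a group's elements one request may take (Q57/Q67)
    min_groups: int = 3                   # container releasing condition (Q68/Q71)

def selection_condition(req: DataRequest, group: DataElementGroup) -> bool:
    """Q54-Q56, Q59: request condition holds, all first-list fields are present, and none
    of them was already flagged for an earlier request."""
    return req.condition(group) and all(
        f in group.elements and not group.elements[f].selected for f in req.first_fields)

def select_from_group(req: DataRequest, group: DataElementGroup) -> Dict[str, object]:
    """Q63-Q67: take the first-list fields, then second-list fields only while the selected
    share of the group stays under the proportion limit; flag whatever is taken."""
    budget = int(req.max_fraction * len(group.elements))
    taken: Dict[str, object] = {}
    for f in req.first_fields:
        group.elements[f].selected = True
        taken[f] = group.elements[f].value
    for f in req.second_fields:
        if len(taken) >= budget:
            break
        el = group.elements.get(f)
        if el is not None and not el.selected:
            el.selected = True
            taken[f] = el.value
    return taken

def server_data_selection(requests: List[DataRequest], groups: List[DataElementGroup]
                          ) -> Dict[str, Dict[str, Dict[str, object]]]:
    """SDS: one container per request (Q50), keyed by request name and then by UDI;
    groups are evaluated one by one until the finishing condition is met (Q61)."""
    containers: Dict[str, Dict[str, Dict[str, object]]] = {}
    for req in requests:
        rows = containers.setdefault(req.name, {})
        for group in groups:
            if len(rows) >= req.max_groups:
                break
            if selection_condition(req, group):
                rows[group.udi] = select_from_group(req, group)
    return containers

def release_condition(req: DataRequest, rows: Dict[str, Dict[str, object]]) -> bool:
    """SCR (Q68-Q72): release only with at least min_groups distinct groups and no two
    groups contributing identical rows (one reading of the Q72 uniqueness condition)."""
    if len(rows) < req.min_groups:
        return False
    seen = set()
    for row in rows.values():
        key = tuple(sorted((f, repr(v)) for f, v in row.items()))
        if key in seen:
            return False
        seen.add(key)
    return True

def build_sample_groups() -> List[DataElementGroup]:
    """Constructed server data: six user devices with five data elements each (not real)."""
    rows = [("u1", 34, True, True, False, 38.2), ("u2", 71, True, False, True, 37.9),
            ("u3", 65, False, True, False, 36.6), ("u4", 28, True, True, False, 38.5),
            ("u5", 60, False, False, True, 36.8), ("u6", 45, False, False, False, 36.5)]
    names = ("age", "fever", "cough", "travel", "temperature")
    return [DataElementGroup(udi, {n: DataElement(v) for n, v in zip(names, vals)})
            for udi, *vals in rows]

def build_sample_requests() -> List[DataRequest]:
    return [DataRequest("fever_study", lambda g: g.elements["fever"].value is True,
                        ["age", "cough"], ["temperature", "travel"]),
            DataRequest("elderly_study", lambda g: g.elements["age"].value >= 60,
                        ["age", "temperature"], ["travel"])]

def run_example():
    """Run SDS then SCR on the sample; returns (all containers, names of released ones)."""
    requests = build_sample_requests()
    containers = server_data_selection(requests, build_sample_groups())
    released = [r.name for r in requests if release_condition(r, containers[r.name])]
    return containers, released
```

Here the elderly study only reaches two groups, because u2's age element was already flagged for the fever study, so its container is held back by the releasing condition.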
M15. The method according to any of the preceding method embodiments (indicated with a "M"),
wherein the method further comprises the steps of any of the preceding embodiments which are not carried out by the end user computer device.
Below, system embodiments will be discussed. These embodiments are abbreviated by the letter "S" followed by a number. Whenever reference is herein made to "system embodiments", these embodiments are meant.
S1. A system, comprising an end user computer device, wherein the end user computer device is configured for carrying out the method according to any of the method embodiments.
S2. The system according to the preceding embodiment, wherein the end user computer device comprises an analysis step module.
S3. The system according to the preceding embodiment, wherein the analysis step module is configured for performing the analysis step of the method according to any of the method embodiments with the features of M15.
S4. The system according to any of the preceding system embodiments, wherein the end user computer device comprises a contact establishment module.
S5. The system according to the preceding embodiment, wherein the contact establishment module is configured for performing the contact establishment step of the method according to any of the method embodiments with the features of M25.
S6. The system according to any of the preceding system embodiments, wherein the end user computer device comprises an outputting step module.
S7. The system according to the preceding embodiment, wherein the outputting step module is configured for performing the outputting step of the method according to any of the method embodiments with the features of M41.
S8. The system according to any of the two preceding embodiments, wherein the end user computer device comprises a user interface and wherein the outputting step module is configured for controlling the user interface.
S9. The system according to any of the preceding system embodiments, wherein the end user computer device comprises a downloading step module.
S10. The system according to the preceding embodiment, wherein the downloading step module is configured for performing the downloading step of the method according to any of the method embodiments with the features of M32.
S11. The system according to any of the two preceding system embodiments, wherein the end user computer device comprises a communication component and wherein the downloading step module is configured for data exchange by means of the communication component.
S12. The system according to any of the preceding system embodiments, wherein the end user computer device comprises a monitoring step module.
S13. The system according to the preceding embodiment, wherein the monitoring step module is configured for performing the monitoring step of the method according to any of the method embodiments with the features of M45.
S14. The system according to any of the preceding system embodiments, wherein the end user computer device comprises an uploading step module.
S15. The system according to the preceding embodiment, wherein the uploading step module is configured for performing the uploading step of the method according to any of the method embodiments with the features of M51.
S16. The system according to any of the two preceding embodiments, wherein the end user computer device comprises the communication component and wherein the uploading step module is configured for data exchange by means of the communication component.
S17. The system according to any of the preceding system embodiments, wherein the end user computer device comprises an anonymizing step module.
S18. The system according to the preceding embodiment, wherein the anonymizing step module is configured for performing the anonymizing step of the method according to any of the method embodiments with the features of M59.
S19. The system according to any of the preceding system embodiments, wherein the end user computer device comprises a data receiving module.
S20. The system according to the preceding embodiment, wherein the data receiving module is configured for performing the data receiving step of the method according to any of the method embodiments with the features of M61.
S21. The system according to any of the preceding embodiments, wherein the system comprises a data storage component.
S22. The system according to the preceding embodiment, wherein the data storage component is configured for performing the storing step of the method according to any of the method embodiments with the features of M2.
S23. The system according to any of the preceding system embodiments, wherein the system further comprises a server, wherein the server is configured to carry out at least a part of the method.
The present invention will now be described with reference to the accompanying drawings which illustrate embodiments of the invention. These embodiments should only exemplify, but not limit, the present invention.
Fig. 1 schematically depicts a system configured to carry out a method according to embodiments of the present invention;
Fig. 2 schematically depicts an interaction of a system configured to carry out a method according to embodiments of the present invention.
It is noted that not all the drawings carry all the reference signs. Instead, in some of the drawings, some of the reference signs have been omitted for the sake of brevity and simplicity of illustration. Embodiments of the present invention will now be described with reference to the accompanying drawings.
Fig. 1 schematically depicts a system comprising an end user computer device 100 configured to carry out a method according to embodiments of the present invention. In simple terms, the end user computer device 100 may comprise a plurality of modular components, which may also be referred to as modules, conceptually identified by reference numerals 10, 20, 30, 40, 50, 60 and 70.
The end user computer device 100 can comprise means of data processing, such as processor units, hardware accelerators and/or microcontrollers. The end user computer device can comprise memory components, such as main memory (e.g. RAM), cache memory (e.g. SRAM) and/or secondary memory (e.g. HDD, SSD). The end user computer device 100 can comprise busses configured to facilitate data exchange between components of the end user computer device, such as the communication between the memory components and the processing components. The end user computer device 100 can comprise network interface cards that can be configured to connect the device to a network, such as the Internet. The end user computer device 100 can comprise user interfaces, such as output user interfaces (screens or monitors configured to display visual data and/or speakers configured to play audio data to the user) and input user interfaces (a camera configured to capture visual data, e.g. images and/or videos of the user, a microphone configured to capture audio data, e.g. recording audio from the user, a keyboard and/or a touchscreen).
To put it simply, the end user computer device can be a processing unit configured to carry out instructions of a program. The end user computer device can be a system-on-chip comprising processing units, memory components and busses. The end user computer device can be a personal computer, a laptop, a pocket computer, a smartphone or a tablet computer. The end user computer device can be a processing unit or a system-on-chip that can be interfaced with a personal computer, a laptop, a pocket computer, a smartphone, a tablet computer and/or user interfaces (such as the above-mentioned user interfaces).
In one embodiment, the module 10 may be configured to perform an analysis step (AS), and therefore may also be referred to as analysis step module 10.
In one embodiment, the module 20 may be configured to perform a contact establishment step (CS), and therefore may also be referred to as contact establishment step module 20.
In one embodiment, the module 30 may be configured to perform an outputting step (OS), and therefore may also be referred to as outputting step module 30.
In one embodiment, the module 40 may be configured to perform a downloading step (DS), and therefore may also be referred to as a downloading step module 40.
In one embodiment, the module 50 may be configured to perform a monitoring step (MS), and therefore may also be referred to as monitoring step module 50.
In one embodiment, the module 60 may be configured to perform an uploading step (US), and therefore may also be referred to as uploading step module 60. In another embodiment, the module 60 may also be configured to perform an anonymizing step (AN), and therefore may further be referred to as anonymizing step module 60. The uploading step module may comprise the anonymizing step module.
In one embodiment, the module 70 may be configured to perform a data receiving step (DR), therefore it may also be referred to as data receiving step module 70.
It should be understood that the terms user(s) and patient(s) are used interchangeably in this description, without altering its meaning.
In simple words, the module 10 may be configured to perform, for instance, a triage comprising a risk stratification questionnaire in order to triage patients that may need to be tested for a given disease or for an agent causing the disease, e.g. SARS-CoV-2.
Additionally or alternatively, the module 10 may further be configured to assess a patient's risk profile based on the questionnaire, which may, inter alia, cover symptoms, recent travel history, occupation (such as the type of job) and social life (such as social habits and their frequency).
The module 20 may be configured to perform, for instance, a logistical support step. For instance, if a patient requires medical attention, the module 20 may be configured to connect them to a medical service provider, e.g. a medical doctor of the relevant specialty for their given risk profile. The module 20 may establish the connection between the patient and the medical doctor, for example, through a telemedicine consultation and/or a call, such as a phone call. Additionally or alternatively, the module 20 may grant the user access to a plurality of data tailored to the risk profile of the user; for example, the module 20 may grant the user access to data comprising the closest testing facility for a medical test and/or data comprising means for placing an order for self-testing at home, wherein the module 20 may further be configured to prompt the user to place an order. Additionally or alternatively, the module 20 may also grant the user access to a coding tool, such as a QR code, which may allow the module 20 to grant the user access to all test results, e.g. laboratory test results, directly in an app component as described below. It should be understood that the information may also be supplied to the user by other means, such as electronic means, e.g. e-mail and/or SMS.
In one embodiment, the module 30 may also be configured to perform a plurality of steps, for instance, outputting data relating to a test result. For instance, once a user has received a result of a test performed by their health care provider, e.g. a SARS-CoV-2 related test, the result may be input to the module 30, which may be configured to interpret the result and further to generate or output explanatory data.
The module 40 may be configured to process, generate and grant access to additional relevant information to the user based on the risk profile of the user, wherein the additional relevant information may comprise, for example, national safety guidelines, curated sources and recommendations such as behavioral tips and clinic visits.
Moreover, the module 50 may be configured to monitor the user. For instance, for patients that tested positive, the module 50 may be configured to track relevant parameters of the user such as, for example, blood pressure, heart rate and temperature. In one embodiment, the relevant parameters may be monitored by means of a device connected to the mobile app 110. In one embodiment, the monitoring may be automated. Therefore, the module 50 may be configured to assist medical care providers in monitoring patients, for example to enable early detection of increased risks and/or to minimize potential complications. Additionally or alternatively, the module 50 may also be configured to trigger and grant the user access to additional information, such as an alert prompting the user to seek emergency assistance. In one embodiment, the module 50 may further be configured to supply data, such as medical emergency data, to authorities, such as an emergency authority or medical authorities.
Additionally or alternatively, the module 70 may be configured to execute analytics and broadcasting. In simple words, the module 70 may be configured, for example, to track the user's movement and health status, e.g. infection status, which may be particularly advantageous for reconstructing infection chains, and to generate warnings to which further relevant users can be granted access, such as, for example, users that have been in contact with (potentially) infected users, which may be further advantageous to contain and/or minimize the spreading of infections, such as the spreading of a virus, e.g. SARS-CoV-2. Furthermore, the module 70 may be configured to grant access to further authorized users, such as relevant institutions and healthcare providers, to target specific groups in a fully anonymized manner.
Fig. 2 depicts an overall view of the interaction of the system 100 with other systems to perform a method according to embodiments of the present invention. In simple terms, the system 100 may comprise at least one user app and therefore may also be referred to as user app system 100, user app 100 or user apps 100. Furthermore, the system 100 may be configured to exchange information with a plurality of systems, such as, for example, a back-end system 200, a public source system 300 and a research partners system 400.
In one embodiment, the user app system 100 may comprise a mobile app 110 comprising a user data component 112 and an anonymous analytics component 114. In another embodiment, the user app system 100 may comprise a web app 120 comprising an anonymous analytics component 122.
It should be understood that the user app system 100 may also comprise both the mobile app 110 and the web app 120.
In one embodiment, the anonymous analytics component 114 may comprise a different anonymous analytics component than the anonymous analytics component 122.
In another embodiment, the anonymous analytics component 114 and anonymous analytics component 122 may comprise the same anonymous analytics component.
The back-end system 200 may comprise a content back-end component 210 and an analytics dashboard component 220. In simple terms, the content back-end component 210 may comprise a medical knowledge base module 212, a local info database module 214 and a curated content module 216, and the analytics dashboard component may comprise an anonymous analytics component 222.
The public sources system 300 may comprise a mapping service component 302 and a resources and statistics component 304.
The research partner system 400 may comprise an anonymized data component 402.
In one embodiment the mobile app 110 may be configured to establish an indirect communication with the anonymized data component 402 of the research partner system 400, wherein the mobile app 110 may supply user data for research. The mobile app 110 may be further configured to perform an anonymizing step by means of the anonymous analytics component 114 before supplying the user data to the anonymized data component 402 of the research partner system 400. It should be understood that the data transfer between the mobile app 110 and the anonymized data component 402 of the research partner system 400 may be bidirectional, i.e. the mobile app 110 may supply the anonymized data component 402 with a plurality of anonymized user data, and may also receive a plurality of processed data comprising a plurality of results, such as, for example, predictions, based on the supplied anonymized user data. Furthermore, the anonymous analytics component 112 may be configured to process the results supplied by the anonymized data component 402 of the research partner system 400, and further may be able to identify relevant information to be displayed to a given user of the mobile app 110.
Moreover, the mobile app 110 may be configured to receive an input from the content back-end component 210 of the back-end system 200. Such an input may, for instance, comprise a plurality of data supplied by at least one of the medical knowledge base module 212, the local info database module 214 and the curated content module 216. Subsequently, the mobile app 110 may be configured to process the data supplied by the content back-end component 210 and grant access to these data to the user data to perform an anonymization of the received data, for instance, before granting access to the user data.
Furthermore, anonymous analytics components 114 and 122 may be configured to establish a communication with the analytical dashboard component 220, wherein the anonymous analytics components 114 and 122 may supply anonymized user data. Alternatively or additionally, the analytical dashboard component 220 may be configured to grant access to the anonymized data to a plurality of authorized users.
The mobile app 110 may also be configured to establish a communication with the mapping service component 302 of the public source system 300, for instance, to receive input data.
Moreover, the resources and statistics component 304 of the public source system 300 may supply information to the curated content module 216 of the content back-end component 210 of the back-end system 200, wherein the curated content module 216 may be configured to process the information to generate a curated content dataset.
It should be understood that the communication established between the mapping service component 302 and the mobile app 110, the mobile app 110 and analytics dashboard component 220, the content back-end component 210 and the mobile app 110, and the web app 120 and the analytics dashboard component 302 may comprise a restricted application programming interface (API).
It should be understood that the communication established between the resources and statistics component 304 and curated content module 216, and the mobile app 110 and anonymized data component 402 may comprise an indirect communication.
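The anonymizing step of component 114 and the restricted API boundary described above, as an added Python example that is not part of the patent (the field names, the identifier set, the grid cell size, the age band width and the salted pseudonym are assumptions):

```python
"""Added example, not part of the patent: the anonymizing step that mobile app 110
performs via anonymous analytics component 114 before user data are supplied to
anonymized data component 402. Field names, grid size and identifier set are assumed."""
import hashlib
import math
from dataclasses import dataclass

# Fields that must never cross the restricted API boundary (assumed set).
DIRECT_IDENTIFIERS = {"user_id", "name", "email", "phone", "lat", "lon", "timestamp"}

@dataclass
class UserRecord:  # raw record as held in user data component 112 (constructed shape)
    user_id: str
    name: str
    lat: float
    lon: float
    timestamp: int          # Unix seconds
    age: int
    symptoms: list
    infection_status: str   # e.g. "unknown", "suspected", "confirmed"

def coarsen_location(lat, lon, cell_deg=0.1):
    """Snap a position to a ~10 km grid cell so no exact location is shared."""
    return (math.floor(lat / cell_deg) * cell_deg, math.floor(lon / cell_deg) * cell_deg)

def age_band(age, width=10):
    """Replace an exact age by a band such as '30-39'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"

def anonymize(rec: UserRecord, device_salt: bytes) -> dict:
    """Drop direct identifiers, coarsen quasi-identifiers and replace the user id by a
    salted one-way token. The salt stays on the device, so the token is pseudonymous:
    one user's records stay linkable to each other, not to the user."""
    lat_c, lon_c = coarsen_location(rec.lat, rec.lon)
    token = hashlib.sha256(device_salt + rec.user_id.encode()).hexdigest()[:16]
    return {
        "pseudonym": token,
        "grid_cell": f"{lat_c:.1f},{lon_c:.1f}",
        "day": rec.timestamp // 86400,      # date resolution only
        "age_band": age_band(rec.age),
        "symptoms": sorted(rec.symptoms),
        "infection_status": rec.infection_status,
    }

def egress_allowed(payload: dict) -> bool:
    """Guard at the API boundary: refuse any payload still carrying an identifier."""
    return DIRECT_IDENTIFIERS.isdisjoint(payload)

def prepare_for_research(rec: UserRecord, device_salt: bytes) -> dict:
    """Outbound path of Fig. 2: anonymize, then check before transmission."""
    payload = anonymize(rec, device_salt)
    if not egress_allowed(payload):
        raise ValueError("identifier would leave the end user device")
    return payload
```

The raw record itself fails the egress check, so only the projection produced by the anonymizing step can be handed to component 402.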
Whenever a relative term, such as "about", "substantially" or "approximately" is used in this specification, such a term should also be construed to also include the exact term. That is, e.g., "substantially straight" should be construed to also include "(exactly) straight".
Whenever steps were recited in the above or also in the appended claims, it should be noted that the order in which the steps are recited in this text may be accidental. That is, unless otherwise specified or unless clear to the skilled person, the order in which steps are recited may be accidental. That is, when the present document states, e.g., that a method comprises steps (A) and (B), this does not necessarily mean that step (A) precedes step (B), but it is also possible that step (A) is performed (at least partly) simultaneously with step (B) or that step (B) precedes step (A). Furthermore, when a step (X) is said to precede another step (Z), this does not imply that there is no step between steps (X) and (Z). That is, step (X) preceding step (Z) encompasses the situation that step (X) is performed directly before step (Z), but also the situation that (X) is performed before one or more steps (Y1), ..., followed by step (Z). Corresponding considerations apply when terms like "after" or "before" are used.
While in the above, a preferred embodiment has been described with reference to the accompanying drawings, the skilled person will understand that this embodiment was provided for illustrative purpose only and should by no means be construed to limit the scope of the present invention, which is defined by the claims.

Claims

1. A method, comprising
operating an end user computer device;
performing a storing step (SS), wherein the storing step comprises storing user input data, at least one of a user location set and a third party set, wherein the third party set comprises an indication of at least one trusted third party(s), analysis model data, and display data on a data storage component of the end user computer device; performing an analysis step (AS), wherein the analysis step comprises a generation of an estimation of a probability of a medical condition of the user, wherein the generation of the estimation is performed based on the analysis model data, and wherein the generation of the estimation comprises processing the user location set; and performing a contact establishment step (CS), comprising establishing a connection, wherein the contact establishment step is performed based on the generated estimation.
2. The method according to the preceding claim,
wherein the analysis model data are specific to at least one of a geographical area and the indication of the trusted third party(s).
3. The method according to any of the preceding claims,
wherein the storing step comprises storing medical environment data, and wherein the generation of the estimation comprises processing the user location set and the medical environment data.
4. The method according to any of the preceding claims, wherein the contact establishment step (CS) further comprises triggering a step of taking a medical sample from the user, and wherein the contact establishment step comprises determining the other party(s) of the connection based on at least one of the indication of the at least one trusted third party(s), and the user location set, particularly a current location of the user.
5. The method according to any of the preceding claims, preferably according to claim 3, wherein the method comprises performing a downloading step (DS), and wherein the downloading step comprises receiving an updated portion of the display data and/or the medical environment data.
6. The method according to any of the preceding claims,
wherein the method comprises performing a monitoring step (MS), wherein the monitoring step comprises generating the estimation of a probability of a medical condition of the user, and wherein the contact establishment step is performed based on the generated estimation of at least one of the monitoring step and the analysis step.
7. The method according to the preceding claim,
wherein the storing step comprises storing at least one of medical user data and sensed physiological data, and
wherein the monitoring step comprises analysing changes in at least one of the medical user data and the sensed physiological data.
8. The method according to any of the preceding claims,
wherein the method comprises performing an uploading step (US), wherein the uploading step (US) comprises uploading data to an intermediary server system, and wherein the method comprises receiving instruction data from the intermediary server.
9. The method according to the preceding claim, wherein the instruction data comprise an uploading criterion, and wherein the uploading criterion relates to at least one of the user location set, the user input data and the medical user data on the end user computer device.
10. The method according to any of the preceding claims, wherein the method comprises a data receiving step (DR), wherein the data receiving step (DR) comprises at least one of
(a) receiving at least a portion of the medical user data from a measurement data processing system, and
(b) receiving sensed physiological data from a sensing device that is connected to the end user computer device.
11. A system, comprising an end user computer device, wherein the end user computer device is configured for carrying out the method according to any of the claims 1-10, wherein the end user computer device comprises a data storage component, a communication component and an analysis step module, wherein the analysis step module is configured for performing the analysis step according to any of the preceding claims.
12. The system according to the preceding claim, wherein the end user computer device comprises a contact establishment module, which contact establishment module is configured for performing the contact establishment step according to any of the claims 1-10, and for controlling the communication component.
13. The system according to any of the two preceding claims, wherein the end user computer device further comprises a downloading step module, wherein the downloading step module is configured for data exchange by means of the communication component, and wherein the downloading step module is configured for performing the downloading step according to any of the claims 5-10.
14. The system according to any of the three preceding claims, wherein the end user computer device comprises a monitoring step module, wherein the monitoring step module is configured for performing the monitoring step according to any of the claims 6-10.
15. The system according to any of the four preceding claims, wherein the end user computer device comprises an uploading step module, and wherein the uploading step module is configured for data exchange by means of the communication component.
PCT/EP2020/060931 2019-04-18 2020-04-17 Method and system for data generating and transmitting data WO2020212614A1 (en)

Applications Claiming Priority (10)

Application Number Priority Date Filing Date Title
EP19170091.3 2019-04-18
EP19170100.2 2019-04-18
EP19170096.2 2019-04-18
EP19170111 2019-04-18
EP19170096 2019-04-18
EP19170091 2019-04-18
EP19170100 2019-04-18
EP19170111.9 2019-04-18
EP20166096.6 2020-03-26
EP20166096 2020-03-26

Publications (1)

Publication Number Publication Date
WO2020212614A1 true WO2020212614A1 (en) 2020-10-22

Family

ID=70285705

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2020/060931 WO2020212614A1 (en) 2019-04-18 2020-04-17 Method and system for data generating and transmitting data

Country Status (1)

Country Link
WO (1) WO2020212614A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170039339A1 (en) * 2015-08-06 2017-02-09 Microsoft Technology Licensing, Llc Computing system for identifying health risk regions


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20718683

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 28/02/2022)

122 Ep: pct application non-entry in european phase

Ref document number: 20718683

Country of ref document: EP

Kind code of ref document: A1