
Patient Data Ownership

  1. Patient Data Ownership Tyrone Grandison*, Anish Mohammed+ *Proficiency Labs Intl, Oregon, USA (@tyrgr) + Accenture, London, England (@anishmohammed)
  2. Preamble All ideas presented are our own and not attributable to any organization we are connected to. We are not lawyers. We are not dispensing legal advice. However, we are computer scientists who have had to understand law and lawyers in the course of doing our jobs.
  3. Exciting or Scary?
  4. Outline • Data Ownership – Perception, Definition • The Reality of the Current State (USA & UK perspective) • The Impact on Patients (USA & UK perspective) • Remedies Going Forward
  5. Pop Quiz 1 • Data Ownership is a well understood and well defined concept. • True • False • The concept of Data Ownership has been around for only a short period of time. • True • False
  6. On “Data Ownership” • Data ownership • Is a relatively new term for the mainstream (en vogue since 2000s) • However, reference to the term goes back two to three decades – in the field of medical research. • Is often used without prior agreement on the definition
  7. Data Ownership: US Healthcare “Data ownership refers to both the possession of and responsibility for information. Ownership implies power as well as control. The control of information includes not just the ability to access, create, modify, package, derive benefit from, sell or remove data, but also the right to assign these access privileges to others” - The Office of Research Integrity, The Department of Health and Human Services, US Government* *They borrow from a definition by David Loshin in the Data Warehouse magazine, titled “Knowledge Integrity: Data Ownership” published June 8, 2004.
  8. Data Ownership: US Legal • Data Ownership stems from the basic concept of ownership • Implies legal title and full property rights to data. • If this is the case, then anyone assigned as a data owner can potentially take the data they “own” and sell it. • However, US Law interpretation and enforcement is a mix of Federal and State case law. • At the core, leveraging and applying old legislation made for physical assets in an industrial world to digital assets in an information economy.
  9. Data Ownership: UK • The ownership of data in the UK is defined by the ICO (Information Commissioner's Office). • The guidance in the UK complies with European Union Directives, especially the 1995 EU Data Protection Directive • Key principles include • Individuals should be informed when personal data is collected • Individuals should be told who is requesting the data and the reason for their request. • Individuals should be told how they can access data about themselves • Individuals should be told how their data will be protected from misuse.
  10. Pop Quiz 2 How many people believe that data about them (or data generated about them) is owned by? a) Them b) The individual companies that hold the data c) A mix d) None of the above
  11. Current THINKSCAPE: US A medical researcher who receives patient data conducts the research at his institution with funding from Pfizer and produces results. Who owns the data at each stage? Patient? Data Collector? Funder? Institution? Researcher? [Diagram labels: Patient Data, Conducts Research, Results, Institution, Funder]
  12. Current THINKSCAPE: UK A medical researcher who receives patient data conducts the research at his institution with funding from funding agencies. Who owns the data at each stage? Patient? Data Collector? Funder? Institution? Researcher? [Diagram labels: Data Management Plan, Patient Data, Conducts Research, Results, Institution, Funder (National Science Foundation, National Institute of Health, BBSRC, Cancer Research UK, Wellcome Trust, and ESRC)]
  13. The Reality Patients: • Patients are either forced to consent to turn over their data rights or not use service. Funder: • Government gives research institutions the right to use data collected with public funds as an incentive to put research to use for the public good • Private companies seek to retain the right to the commercial use of data. • Philanthropic organizations retain or give away ownership rights depending on their interests. Data Collector: • Proclaims ownership of received/bought data and re-packages & sells. Research Institution: • Claim ownership rights over data collected with funds given to the institution. • Implies researchers can’t assume they can take data with them if they move. • Receiving institution may have rights and obligations to retain control over the data. Researcher: • No ownership rights on data or results
  14. EXTRAPOLATING Instantiating for Health 2.0 and beyond Patient & Data Collector remain the same, Funder is now an Angel/VC/Crowdfunders, Institution is now a Startup & You are the Medical Researcher Developer/Innovator [Diagram labels: Patient Data, Data Insight, Builds Solution, Startup, Funder]
  15. The COLD, HARD TRUTH: US INDUSTRY EDITION ‘One of the tenets of Data Governance is that enterprise data doesn't "belong" to individuals. It is an asset that belongs to the enterprise. Still, it needs to be managed. Some organizations assign "owners" to data, while others shy away from the concept of data ownership’ - The Data Governance Institute Bottom Line: Once your data is generated and not only in your computer systems, it is owned by someone else
  16. The COLD, HARD TRUTH: Patient Edition • The patient does not own: • their data, • the metadata created to support its processing, • the processed results or insight from analysis • Agreements with healthcare entities are normally used as tools: • to coerce you to give up any rights that you may have • to allow the entities to share, distribute or sell your data without further consent or notification from you. • i.e. entities can use your data any way necessary to make money • to limit the entities’ liability when harm comes to you from their reckless behavior
  17. The Evidence • Terms and Conditions • Privacy Policy/Statement • Notice of Privacy Practices • Data Use Policy • Statements of Rights and Responsibilities [Image: Kaiser Permanente’s Privacy Statement (excerpt)] Post-Talk Exercise: 1. Go to the top 3 Healthcare sites or mobile apps that you use 2. Find the above documents for them 3. Search within them for the words “own” and “sell”
  18. POP Quiz 3 • How many legislative acts protect the data ownership rights of American patients? a) Zero b) One c) Two d) Three e) Four or more
  19. POP Quiz 4 • Which legislative acts protect the data ownership rights of UK patients? a) Data Protection Act b) European Data Protection Directive c) Health and Social Care Act 2001 d) Human Rights Act
  20. But…BUT…BUT • What do all the legislative protections provide? USA: • HIPAA – Issued Jan 25, 2013. Five (5) mentions of data ownership in 563 page document. • Fair Information Practice Principles – does not address data ownership. • Privacy Act of 1974 – No mention of data ownership. UK: • Data Protection Act • 1995 EU Data Protection Directive
  21. POP Quiz 5 • The landscape is getting better in the UK/Europe in comparison to the US? a) True b) False
  22. General Data Protection Regulation (GDPR) • Current proposed amendments to the EU’s GDPR include: • Eliminating explicit opt-in user consent to personal data • Letting corporations share personal data with any other entity that has a “legitimate interest” in that data • Disallowing citizens to access their own personal data “in electronic form” • Not requiring corporate “data protection officers” • Forbidding consumer groups from bringing lawsuits against corporations on behalf of individuals See “EU data law draft uses language—word-for-word—from US, EU corporations” by Cyrus Farivar - Feb 11 2013 & The Influence of Lobbyists on EU Committee Members by OpenDataCity – Feb 14, 2013
  23. Impact • Choice • Depends on context • The difficulty is to define context • Choice could result in blanket opt in or out • Cost-Reward-Risk • Cost in healthcare is difficult to measure as it is qualitative • Cost is context sensitive • Reward is mostly intangible in short term • Risk with healthcare is that impact is very long term
  24. Impact • Security • Driven by legislative compliance • No other incentive or disincentive to have robust controls around data • Implemented to meet the “bare minimum” • Privacy • Driven by Legal departments • Responsive to Financial Risk Analysis • How many payouts have we made for non-compliance • Not prioritized unless aggressive compliance auditing is performed
  25. REMEDIES • Educate • Education of the customers to the choices they have generally results in better outcomes • Education of the regulators and key stakeholders • Activism • Customer activism has been increasing with advent of Web 2.0 • Use your voice • Ever heard of data stewardship? • Promote delineation between data ownership and data stewardship
  26. REMEDIES • Create Community • The power of numbers generally works in the favor of the many • Communities generally result in education of its members • Larger numbers get attention of politicians and policy makers • Use your power ($$$) • General observation: the more money you have, the more power you wield • Healthcare in most parts of the world is still a service for which consumers can choose providers
  27. Questions? Tyrone Grandison @tyrgr Anish Mohammed @anishmohammed

Editor's Notes

  1. Do we want to add “Consent”, a UK “Information Governance” term, the cause of failure of NHS IT in the minds of many
  2. Source -
  3. How does this translate to quantified self initiatives, where you own the data generation points
  4. There is a “Triad” of actors in UK, do we want to depict them?
  5. Medical Research Council - Personal Information for Medical Research – guidance – creation of DMP
  6. How does this translate to quantified self initiatives, where you own the data generation points
  7. Not sure what to put here? Remove it?