Introduction - assets.corporatecompliance.org · • FTC Report—Big Data: A Tool for Inclusion or...

Date post: 22-Jul-2020
Page 1

BIG DATA AND SECONDARY USES OF DATA: PRACTICAL TIPS TO AVOID PRIVACY PITFALLS AND REGULATORY RISK

16th Annual Compliance and Ethics Institute October 18, 2017 | Caesars Palace | Las Vegas

Corey M. Dennis, CIPP/US Director of Privacy & Counsel

Pharmaceutical Product Development LLC (PPD)

Asra Ali, MS, CHC, CHPC, CIPM Compliance and Risk Manager

Healthscape Advisors

Introduction

• What is “big data”? Modern-day data analytics.

• Data is growing faster than ever before and by the year 2020:

– every person in the world will create ~1.6 MB data per second

– digital universe will grow to 44 zettabytes (44 trillion gigabytes)

– 6.1B+ smartphone users globally

• Cross-Industry Benefits

Sources: Bernard Marr, Big Data: 20 Mind-Boggling Facts Everyone Must Read, Forbes (Sept. 30, 2015), https://www.forbes.com/sites/bernardmarr/2015/09/30/big-data-20-mind-boggling-facts-everyone-must-read; Scott Ferguson, Big Data, Analytics Market To Hit $203 Billion In 2020 (Oct. 4, 2016), http://www.informationweek.com/big-data/big-data-analytics-market-to-hit-$203-billion-in-2020-/d/d-id/1327092.

Page 2

1. Understand what “big data” means

• Definition:

– Extremely large data sets

– analyzed computationally

– reveal patterns, trends, and associations (esp. relating to human behavior and interactions)

• 5Vs

– Volume

– Velocity

– Veracity

– Variety

– Value

Source: IBM Big Data & Analytics Hub, http://www.ibmbigdatahub.com/infographic/extracting-business-value-4-vs-big-data; see also Identifying opportunities for ‘big data’ in medicines development and regulatory science, European Medicines Agency (Feb. 2017), http://www.ema.europa.eu/docs/en_GB/document_library/Report/2017/02/WC500221938.pdf.

2. Understand how big data can be leveraged at your organization

• Big data can reduce US healthcare costs by $300-$450B and improve care

– Secondary use of data facilitates medical research

• White House has invested $200M in big data projects

• Strong link between financial performance and effective use of big data across all industries

– Analytics to improve products/services and improve marketing

– 10% increase in data accessibility = $65M+ in additional income for F1000 companies

• Big data/analytics market to grow from $130B to $203B by 2020

Sources: Big data: Lessons from the leaders, Economist Intelligence Unit (The Economist) (2012), https://www.sas.com/resources/asset/EIU_SAS_BigData_120822.pdf; see also Marr & Ferguson, infra.

Source: http://www.mckinsey.com/industries/healthcare-systems-and-services/our-insights/the-big-data-revolution-in-us-health-care.

Page 3

3. Understand applicable legal requirements/best practices

• U.S. privacy laws/enforcement

– Federal: HIPAA, FTC Act, FCRA, anti-discrimination laws

– State: medical privacy, breach notification, information security

• Health Big Data Recommendations (Fed. Advis. Comm. on Health IT Policy)

– address harm/discrimination

– address uneven policy enforcement (e.g., promote FIPPs for data outside HIPAA)

– promote robust de-identification methodologies

Source: http://www.zdnet.com/article/where-are-us-data-breach-laws-toughest-check-this-map.

3. Understand applicable legal requirements/best practices

• FTC data broker report (2014) and enforcement actions

– transparency/consent/choice

– privacy by design

– data minimization/disposal

– avoid discrimination

• Center for Digital Democracy Report on Wearable Devices/Big Data and Privacy/Security (2016)

• FTC Report on the Internet of Things (2015)

Page 4

3. Understand applicable legal requirements/best practices

• EU data protection principles

– Fair/lawful processing (transparency/consent)

– Purpose limitation

– Adequate/relevant/not excessive

– Accuracy

– Retention (only as long as necessary)

– Subject rights (right of access/correction)

– Appropriate technical/organizational measures

– Not exported unless the destination country ensures an adequate level of protection

3. Understand applicable legal requirements/best practices

• EDPS Opinion 7/2015: “Meeting the challenges of big data”

– Transparency

– User control

– Protection by design

– Accountability

• UK ICO report: Big data, artificial intelligence, machine learning and data protection (2017)

– Fairness/transparency

– Consent/legitimate interest

– Purpose limitation

– Information security

– Anonymization

Page 5

4. Be mindful of the FCRA and discriminatory practices

• FTC Report—Big Data: A Tool for Inclusion or Exclusion? (Jan. 2016)

• FTC Act Section 5 (unfair/deceptive acts)

– consent and privacy misrepresentations

– data security of databases

• FCRA

– applies to consumer reporting agencies (CRAs), credit bureaus, and employment screening companies, but can be broader (e.g., data brokers)

– governs consumer reports used to determine eligibility for credit, employment, insurance, and housing

– example: a company makes credit decisions based on consumers’ zip codes, which disparately impacts particular ethnic groups

Source: https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf.

5. Privacy By Design and Privacy Impact Assessments

• Privacy/security embedded proactively when system/practice designed

• Privacy/transparency embedded into all lifecycle stages

• FTC Privacy Report (2012)

– Privacy by design and simplified consumer choice/transparency

• EU General Data Protection Regulation (May 2018)

– Article 25 (Data protection by design and by default)

– Article 35 (Data protection impact assessment)

Source: FTC Issues Final Commission Report on Protecting Consumer Privacy (2012), https://www.ftc.gov/news-events/press-releases/2012/03/ftc-issues-final-commission-report-protecting-consumer-privacy.

Page 6

6. Anonymize Data

• HIPAA De-identification Standard

– Safe Harbor Method

– Expert Determination Method

• EU anonymization

– Opinion 05/2014 on “Anonymisation Techniques” (WP216)

• NIST Standard

– Suppression

– Averaging

– Generalization

– Perturbation

– Swapping

Source: Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, U.S. Dept. of Health and Human Services (2012), https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf; see also Kelsey Finch, A Visual Guide to Practical Data De-Identification (Future of Privacy Forum), https://fpf.org/2016/04/25/a-visual-guide-to-practical-data-de-identification.
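The following is an added worked example, not code from the slide deck or from HHS/NIST, showing the de-identification methods the slide lists (suppression, averaging, generalization, perturbation, swapping) applied to a constructed set of patient-style records, together with a k-anonymity check that flags records still unique on their quasi-identifiers. The Safe Harbor conventions it applies (year-only dates, three-digit ZIP prefixes, ages over 89 collapsed to 90+) follow the HHS guidance cited above; the set of restricted ZIP prefixes is a constructed placeholder, not the real census-derived list, and the record fields and thresholds are assumptions.

```python
"""De-identification walkthrough (added example; records are constructed)."""
import random
import statistics
from collections import Counter

# Constructed sample records (no real persons).
RECORDS = [
    {"name": "A. Example", "ssn": "000-00-0001", "zip": "02139", "dob": "1951-03-04",
     "age": 66, "visit": "2017-08-14", "cholesterol": 212},
    {"name": "B. Example", "ssn": "000-00-0002", "zip": "02142", "dob": "1926-11-30",
     "age": 91, "visit": "2017-09-02", "cholesterol": 198},
    {"name": "C. Example", "ssn": "000-00-0003", "zip": "02139", "dob": "1950-07-21",
     "age": 67, "visit": "2017-07-19", "cholesterol": 240},
    {"name": "D. Example", "ssn": "000-00-0004", "zip": "03601", "dob": "1952-01-09",
     "age": 65, "visit": "2017-10-03", "cholesterol": 185},
]

DIRECT_IDENTIFIERS = ("name", "ssn")
# Assumption: placeholder for 3-digit ZIP prefixes covering 20,000 or fewer people.
# Safe Harbor requires those prefixes to become "000"; the real list comes from census data.
RESTRICTED_ZIP_PREFIXES = {"036"}


def suppress(record, fields=DIRECT_IDENTIFIERS):
    """Suppression: drop direct identifiers outright."""
    return {k: v for k, v in record.items() if k not in fields}


def generalize_zip(zip_code):
    """Generalization: keep the 3-digit prefix, or "000" for sparsely populated prefixes."""
    prefix = zip_code[:3]
    return "000" if prefix in RESTRICTED_ZIP_PREFIXES else prefix


def generalize_age(age):
    """Generalization: decade buckets, with everyone over 89 merged into a single 90+ bucket."""
    if age > 89:
        return "90+"
    low = age // 10 * 10
    return f"{low}-{low + 9}"


def generalize_date(iso_date):
    """Generalization: Safe Harbor keeps only the year of dates tied to an individual."""
    return iso_date[:4]


def perturb(value, rng, spread=5):
    """Perturbation: add bounded, seeded noise so exact values cannot be matched back."""
    return value + rng.randint(-spread, spread)


def swap_column(records, field, rng):
    """Swapping: shuffle one column across records; values survive, the linkage does not."""
    values = [r[field] for r in records]
    rng.shuffle(values)
    return [dict(r, **{field: v}) for r, v in zip(records, values)]


def average_column(records, field):
    """Averaging: replace every value in a column with the column mean."""
    mean = statistics.mean(r[field] for r in records)
    return [dict(r, **{field: mean}) for r in records]


def deidentify(records, seed=0):
    """Apply suppression, generalization, perturbation and swapping in one pass."""
    rng = random.Random(seed)
    out = []
    for r in records:
        r = suppress(r)
        r["zip"] = generalize_zip(r["zip"])
        r["age"] = generalize_age(r["age"])
        # A birth year that implies age over 89 is itself identifying, so it is aggregated too.
        r["dob"] = "90+" if r["age"] == "90+" else generalize_date(r["dob"])
        r["visit"] = generalize_date(r["visit"])
        r["cholesterol"] = perturb(r["cholesterol"], rng)
        out.append(r)
    return swap_column(out, "cholesterol", rng)


def min_k(records, quasi_identifiers=("zip", "age")):
    """k-anonymity check: size of the smallest equivalence class over the quasi-identifiers.
    A result of 1 means some record is still unique and remains a re-identification risk."""
    classes = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(classes.values())


def drop_small_classes(records, k, quasi_identifiers=("zip", "age")):
    """Record-level suppression: remove rows whose equivalence class is smaller than k."""
    classes = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return [r for r in records if classes[tuple(r[q] for q in quasi_identifiers)] >= k]


if __name__ == "__main__":
    cleaned = deidentify(RECORDS, seed=1)
    print("min k after generalization:", min_k(cleaned))
    print("min k after dropping small classes:", min_k(drop_small_classes(cleaned, 2)))
```

Running the pass on the four constructed records removes the direct identifiers and coarsens the quasi-identifiers, but the k-anonymity check still reports a class of size 1, which is the point the slide makes about needing robust methodologies: Safe Harbor field rules alone do not guarantee that a record cannot be singled out, so a further step (coarser generalization, record suppression, or an Expert Determination review) is still required before the data is treated as de-identified.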

Page 7

7. Conduct Vendor Diligence

• Review vendors’ practices for compliance with laws and best practices (e.g., consent/notice, security, etc.)

• Conduct security assessment of vendor

• Identify sub-vendors/data sources

• Implement strong contractual language (e.g., reps/warranties on data and data collection)

Source: Big Data Security Risk in the Enterprise: The Pitfalls of Hadoop, ITBusinessEdge, http://www.itbusinessedge.com/slideshows/big-data-security-risk-in-the-enterprise-the-pitfalls-of-hadoop.html.

8. Ensure robust information security

• Anonymization/pseudonymization

• Data minimization

• Access/account controls

• Ensure secure infrastructure

– infrastructure security/secure computations

– granular access controls/audits

– secure data storage/logging

– end-point validation and filtering

• Encryption in transit (and at rest)

• Secure data disposal

Source: Expanded Top Ten Big Data Security and Privacy Challenges, Cloud Security Alliance (April 2013),

https://downloads.cloudsecurityalliance.org/initiatives/bdwg/Expanded_Top_Ten_Big_Data_Security_and_Privacy_Challenges.pdf.

Page 8

9. Enable International Data Transfers

• U.S.-EU Safe Harbor Framework (2000) declared invalid in October 2015

• Privacy Shield adopted July 2016

• Other legal EU data export mechanisms:

– Model Clauses/Standard Contractual Clauses (“SCCs”)

– Binding Corporate Rules (BCRs)

– Consent (limited circumstances)

Source: http://www.technoid.com.au/2011/12/16/caltech-and-uvic-team-smash-data-transfer-record.

10. Know (and Own) Your IP Rights

• Vendor insists on "owning" data and algorithms that they shouldn't

– new land grab for rights to new or enhanced algorithms

• In data analytics and IoT, information is collected and pulled in many more directions than before and involves more parties

– mapping now must also track the rights and obligations of each involved party

• Derived information (e.g., times and locations of use, behavior patterns) and other new purposes should also be addressed

Page 9

Big Data and Secondary Uses of Data: Practical Tips to Avoid Privacy Pitfalls and Regulatory Risk

QUESTIONS?

Corey M. Dennis, CIPP/US

Director of Privacy & Counsel

Pharmaceutical Product Development, LLC (PPD)

[email protected]

Asra Ali, MS, CHC, CHPC, CIPM

Compliance and Risk Manager

Healthscape Advisors

[email protected]
