
Patient Data Ownership

Date post: 14-Dec-2014
Upload: tyrone-grandison
Description:
In this talk, we initially highlight the current conceptions and perceptions around patient data ownership (presenting both the North American and British viewpoints). Then, we will examine the reality in the healthcare industry with regards to ownership and provide an accounting of how we came to this state. We then present the ramifications of this situation on the security and privacy guarantees and controls in place and available to a patient. We finally discuss (and solicit) thoughts on solutions going forward.
Transcript
Page 1: Patient Data Ownership

Patient Data Ownership

Tyrone Grandison*, Anish Mohammed+

*Proficiency Labs Intl, Oregon, USA (@tyrgr)
+Accenture, London, England (@anishmohammed)

Page 2: Patient Data Ownership

Preamble

All ideas presented are our own and not attributable to any organization we are connected to.

We are not lawyers. We are not dispensing legal advice.

However, we are computer scientists who have had to understand law and lawyers in the course of doing our jobs.

Page 3: Patient Data Ownership

Exciting or Scary?

Page 4: Patient Data Ownership

Outline

• Data Ownership – Perception, Definition
• The Reality of the Current State (USA & UK perspective)
• The Impact on Patients (USA & UK perspective)
• Remedies Going Forward

Page 5: Patient Data Ownership

Pop Quiz 1

• Data Ownership is a well understood and well defined concept.
  • True
  • False

• The concept of Data Ownership has been around for only a short period of time.
  • True
  • False

Page 6: Patient Data Ownership

On “Data Ownership”

• Data ownership
  • Is a relatively new term for the mainstream (en vogue since 2000s)
    • However, reference to the term goes back two to three decades – in the field of medical research.
  • Is often used without prior agreement on the definition

Page 7: Patient Data Ownership

Data Ownership: US Healthcare

“Data ownership refers to both the possession of and responsibility for information. Ownership implies power as well as control. The control of information includes not just the ability to access, create, modify, package, derive benefit from, sell or remove data, but also the right to assign these access privileges to others”

- The Office of Research Integrity, The Department of Health and Human Services, US Government*

*They borrow from a definition by David Loshin in the Data Warehouse magazine, titled “Knowledge Integrity: Data Ownership” published June 8, 2004.

Page 8: Patient Data Ownership

Data Ownership: US Legal

• Data Ownership stems from the basic concept of ownership
  • Implies legal title and full property rights to data.
  • If this is the case, then anyone assigned as a data owner can potentially take the data they “own” and sell it.
• However, US Law interpretation and enforcement is a mix of Federal and State case law.
• At the core, leveraging and applying old legislation made for physical assets in an industrial world to digital assets in an information economy.

Page 9: Patient Data Ownership

Data Ownership: UK

• The ownership of data in the UK is defined by the ICO (Information Commissioner's Office).
• The guidance in the UK complies with European Union Directives, especially the 1995 EU Data Protection Directive
• Key principles include
  • Individuals should be informed when personal data is collected
  • Individuals should be told who is requesting the data and the reason for their request.
  • Individuals should be told how they can access data about themselves
  • Individuals should be told how their data will be protected from misuse.

Page 10: Patient Data Ownership

Pop Quiz 2

How many people believe that data about them (or data generated about them) is owned by?

a) Them
b) The individual companies that hold the data
c) A mix
d) None of the above

Page 11: Patient Data Ownership

Current THINKSCAPE: US

A medical researcher who receives patient data conducts the research at his institution with funding from Pfizer and produces results. Who owns the data at each stage? Patient? Data Collector? Funder? Institution? Researcher?

[Diagram labels: Funder; Institution; Patient Data; Conducts Research; Results]

Page 12: Patient Data Ownership

Current THINKSCAPE: UK

A medical researcher who receives patient data conducts the research at his institution with funding from funding agencies. Who owns the data at each stage? Patient? Data Collector? Funder? Institution? Researcher?

National Science Foundation, National Institute of Health, BBSRC, Cancer Research UK, Wellcome Trust, and ESRC

Data Management Plan

[Diagram labels: Funder; Institution; Patient Data; Conducts Research; Results]

Page 13: Patient Data Ownership

The Reality

Patients:
• Patients are either forced to consent to turn over their data rights or not use service.

Funder:
• Government gives research institutions the right to use data collected with public funds as an incentive to put research to use for the public good
• Private companies seek to retain the right to the commercial use of data.
• Philanthropic organizations retain or give away ownership rights depending on their interests.

Data Collector:
• Proclaims ownership of received/bought data and re-packages & sells.

Research Institution:
• Claim ownership rights over data collected with funds given to the institution.
  • Implies researchers can’t assume they can take data with them if they move.
  • Receiving institution may have rights and obligations to retain control over the data.

Researcher:
• No ownership rights on data or results

Page 14: Patient Data Ownership

EXTRAPOLATING

Instantiating for Health 2.0 and beyond

Patient & Data Collector remain the same, Funder is now an Angel/VC/Crowdfunders, Institution is now a Startup & You are the Medical Researcher Developer/Innovator

[Diagram labels: Funder; Startup; Patient Data; Builds Solution; Data Insight]

Page 15: Patient Data Ownership

The COLD, HARD TRUTH: US INDUSTRY EDITION

‘One of the tenets of Data Governance is that enterprise data doesn't "belong" to individuals. It is an asset that belongs to the enterprise. Still, it needs to be managed. Some organizations assign "owners" to data, while others shy away from the concept of data ownership’

- The Data Governance Institute

Bottom Line: Once your data is generated and not only in your computer systems, it is owned by someone else

Page 16: Patient Data Ownership

The COLD, HARD TRUTH: Patient Edition

• The patient does not own:
  • their data,
  • the metadata created to support its processing,
  • the processed results or insight from analysis
• Agreements with healthcare entities are normally used as tools:
  • to coerce you to give up any rights that you may have
  • to allow the entities to share, distribute or sell your data without further consent or notification from you.
    • i.e. entities can use your data any way necessary to make money
  • to limit the entities’ liability when harm comes to you from their reckless behavior

Page 17: Patient Data Ownership

The Evidence

• Terms and Conditions
• Privacy Policy/Statement
• Notice of Privacy Practices
• Data Use Policy
• Statements of Rights and Responsibilities

Post-Talk Exercise:
1. Go to the top 3 Healthcare sites or mobile apps that you use
2. Find the above documents for them
3. Search within them for the words “own” and “sell”

[Image: Kaiser Permanente’s Privacy Statement (excerpt)]

Page 18: Patient Data Ownership

POP Quiz 3

• How many legislative acts protect the data ownership rights of American patients?

a) Zero
b) One
c) Two
d) Three
e) Four or more

Page 19: Patient Data Ownership

POP Quiz 4

• Which legislative acts protect the data ownership rights of UK patients?

a) Data Protection Act
b) European Data Protection Directive
c) Health and Social Care Act 2001
d) Human Rights Act

Page 20: Patient Data Ownership

But…BUT…BUT

• What do all the legislative protections provide?

USA:
• HIPAA – Issued Jan 25, 2013. Five (5) mentions of data ownership in 563 page document.
• Fair Information Practice Principles – does not address data ownership.
• Privacy Act of 1974 – No mention of data ownership.

UK:
• Data Protection Act
• 1995 EU Data Protection Directive

Page 21: Patient Data Ownership

POP Quiz 5

• The landscape is getting better in the UK/Europe in comparison to the US?

a) True
b) False

Page 22: Patient Data Ownership

General Data Protection Regulation (GDPR)

• Current proposed amendments to the EU’s GDPR include:
  • Eliminating explicit opt-in user consent to personal data
  • Letting corporations share personal data with any other entity that has a “legitimate interest” in that data
  • Disallowing citizens to access their own personal data “in electronic form”
  • Not requiring corporate “data protection officers”
  • Forbidding consumer groups from bringing lawsuits against corporations on behalf of individuals

See “EU data law draft uses language—word-for-word—from US, EU corporations” by Cyrus Farivar - Feb 11 2013 & The Influence of Lobbyists on EU Committee Members by OpenDataCity – Feb 14, 2013

Page 23: Patient Data Ownership

Impact

• Choice
  • Depends on context
  • The difficulty is to define context
  • Choice could result in blanket opt in or out
• Cost-Reward-Risk
  • Cost in healthcare is difficult to measure as it's qualitative
  • Cost is context sensitive
  • Reward is mostly intangible in short term
  • Risk with healthcare is that the impact is very long term

Page 24: Patient Data Ownership

Impact

• Security
  • Driven by legislative compliance
  • No other incentive or disincentive to have robust controls around data
  • Implemented to meet the “bare minimum”
• Privacy
  • Driven by Legal departments
  • Responsive to Financial Risk Analysis
    • How many payouts have we made for non-compliance
  • Not prioritized unless aggressive compliance auditing is performed

Page 25: Patient Data Ownership

REMEDIES

• Educate
  • Education of the customers to the choices they have generally results in better outcomes
  • Education of the regulators and key stakeholders
• Activism
  • Customer activism has been increasing with advent of web2.0
  • Use your voice
  • Ever heard of data stewardship?
    • Promote delineation between data ownership and data stewardship

Page 26: Patient Data Ownership

REMEDIES

• Create Community
  • The power of numbers generally works in the favor of the many
  • Communities generally result in education of its members
  • Larger numbers get attention of politicians and policy makers
• Use your power ($$$)
  • General observation of more money you have the more power you wield
  • Healthcare in most parts of the world is still a service which consumers can choose providers

Page 27: Patient Data Ownership

Questions?

Tyrone Grandison @tyrgr
Anish Mohammed @anishmohammed