Initiatives to incorporate data driven research and policy efforts in the healthcare sector do not accommodate mechanisms for meaningful community participation. The public sector has a significant role in ensuring that these initiatives are responsible and participatory. There are many stewarding initiatives that enable community-driven data sharing and decision making to tackle critical issues in the healthcare sector. However the lack of accessible public health data by the public sector hinders its potential to add value to decision making and to use for public benefit. Further, a lot of the data that could be useful for health data governance still remains siloed by private commercial actors that undermine public benefit data exchange. The current play addresses a few such challenges faced by health data stewarding initiatives and lays down strategies that the public sector can implement to encourage participatory health data governance.
Limited citizen involvement in health data governance lead to exploitative data practices that exclude communities from using data for public benefit
As addressed in the introduction, health data sharing efforts are anchored in individual consent provisioning that is largely inadequate and fails to afford patients with substantial control over their health data. In the age of Big Data, informed consent is rendered ineffective if the specificity of purpose is not built in the principles of sharing of health data, given its sensitive nature. While the need for large and representative datasets are a key consideration for decision making, research and policy, prevailing consent mechanisms can stymie this. For instance, in cases where health data needs to be re-used for newer research projects, efforts to obtain consent again are often both impractical and will be representative of only those who have previously consented to sharing their data and hence, supply a biassed/limited dataset for research.
Due to these manifest challenges in gaining access to and using comprehensive datasets, there is a need to move away from individualised models for authorising health data exchange. Systems of data governance founded in solidarity-based conceptions offer a new paradigm that privileges public value as well as collective control as the guiding imperative for health data exchange. Consequently, community participation is encoded as a core design artifice in ways that enhance public accountability, legitimacy and trust in policies around health data governance.
Encoding participation in regulatory frameworks for health data governance
The care.data initiative is a well-known example that emphasises the importance for public and patient trust to undertake successful health data research. Trust can be enhanced when there is substantive citizen involvement and participation throughout the lifecycle of data-driven health research and policy initiatives.
Encoding public consultation to ensure open dialogue amongst citizens regarding the benefits, risk and risk mitigation will ensure that health data is governed according to societal values and expectations. Netherlands, for instance, includes open public consultations to review documents that showcase data governance concepts. Countries such as Australia, Israel, Estonia have encoded public consultation processes regarding the secondary uses of health data. For instance, Canada sought to consult the public to develop the best method to determine key areas that public consultation exercises should focus on.
Social licensing is another promising framework to contemplate public involvement to devolve greater control to citizens and allow for a reflexive conception of public interest to dictate the means by which health data is governed. This will ensure societal principles are embedded in data activities and that the value derived from data is utilised for public good. To this end, drawing a distinction between public and private interests is critical to ensure that health data is employed to further public benefit primarily. Accordingly, laws on health data governance should seek to institutionalise a taxonomy to create different standards of protection govern the use of health data and also provide remedies when harms occur. Depending on the level of public value generated from the use of health data, policymakers can create legal pathways to share such profits with the public. To this end, the European Commission proposed minimum corporate taxation as a pathway to distribute value from health data use and reduce inequities.
Building techno-legal infrastructure that help leverage health data for public benefit
A large amount of public data collected by different institutions can inform health policy and produce positive health outcomes. However, there exist persistent issues with the collection and storing of health data that policymakers can attempt to address through techno-legal pathways that will enable regulatory requirements through a technological backbone. For instance, establishing standards for interoperability of health data can build on efforts that are underway to set up health data sharing architectures through an open and collaborative approach.
Sweden implemented a number of policy initiatives that made public health data open and accessible via APIs. In 2020, a comprehensive data warehouse was set up to collect live data across healthcare systems. The government also provides funding to implement data-driven care where it identifies and helps scale successful AI applications in healthcare. This collaborative approach to embedding technical infrastructure that enhances the resilience of digitised health systems is noteworthy inasmuch it promotes active funding and support from public institutions towards private innovation around datadriven applications.
France is another remarkable example that has deployed legal pathways and set up initiatives to leverage data for public benefit. In 2019, France passed the Act on the Organisation and Transformation of Health System in 2019 to broaden the definition of national health data system and set out clear data sharing principles among custodians such as healthcare providers. Along with this a Health Data Hub (HDH) was established which primarily allows secure data linkage and access for researchers that contribute to public interests to ensure rights of patients are respected. Among other functions, the HDH also consults with civil society to understand the needs of citizens in order to frame public communications on the expectations of citizens with health data. To further foster a culture of proactive health data exchange at a societal level, the HDH provides educational tools that enable citizens to understand data and how to use them for research projects. Similarly, Findata is authorised by law in Finland to support the secondary use of health data that contribute to public interest, albeit the level of patient involvement in decision-making over data governance is limited.
Beyond building DPI that enable greater access to and sharing of health data, policymakers should work towards formulating governance architectures that strengthen public trust by meaningfully involving patients and ensuring their data rights are upheld. Such architectures should consider the possibility of employing privacy protecting infrastructure (which includes approaches like federated learning and differential privacy) that enables the use of health data stored among disparate sources, without actual transfer of individual-level health data.
Harms produced by questionable health data practices affect patients who have little recourse or avenues to seek accountability from erring parties
Current legal frameworks are overwhelmingly preoccupied with individual harms arising from health data use that are untenable under prevailing logics of Big Data applications in healthcare. Consequently, there is a need to shift the focus of health data governance legislations towards harm mitigation as well as recognition of collective harms that occur at the community level. A harm mitigation approach takes the onus away from patients to prove the occurrence of harm to health data users and custodians to protect patient rights and reduce risks involved in health information exchange.
Additionally, structural discrimination that erodes equitable access to health services has disconcerting implications for health data governance. For one, the representativeness of datasets itself is undermined in the absence of information that captures health status and outcomes for marginalised populations. Second, the collection of sensitive personal and health information by providers can render certain demographics more vulnerable to attacks and disenfranchisement. Lastly, systemic racism (owing to present and past atrocities such as Tuskegee) and resultant distrust in healthcare systems fail to address historical harms and trauma experienced by certain communities. Policymakers can create regulatory frameworks in such a way that the current health inequities and harms are taken into consideration.
Expand scope of regulation to take into account the implications of health inequities and embed harm mitigation measures
Public sector governance bodies can instantiate fair and transparent project review processes to assess whether the processing of data is appropriate and within stated goals of public interest. Such assessments should be made public and used to continuously review and inform best practices. These bodies can also conduct robust identity verification and authentication of those who process data.
Regulatory frameworks must have safeguards to include accountability through audit mechanisms, risk mitigation processes to redress harms caused due to misuse or reidentification of data. Further regulatory frameworks could provide for certification/ accreditation processes to ensure organisations or stewards seeking to process health data meet societal expectations for health data governance. Secure alternatives such as Data Access Committees can be established within institutional frameworks to promote data sharing such that accountability is embedded and is guided by principles of public health equity. For instance, the Mahidol Oxford Tropical Medicine Research Unit (MORU) DAC is one such example that has reviewed several data requests (such as from pharma companies for data from trials) since its establishment in 2016.
Encouraging stewarding entities to monitor harms
Data stewards can play a role in providing collective support mechanisms for individuals harmed by data use, particularly for marginalised communities who lack the resources and institutional support to avail any remedies in the event of misuse. Stewards can not only help negotiate their rights but also monitor and detect harms (such as that of exclusion) caused by the use of big data or predictive analytics. In a similar vein, stewards can furnish a platform for individuals and communities alike to voice their issues on specific data governance practices back to regulators, thus involving communities in reflexive governance.
The Mayo Clinic adopted a model where they engaged the community in open dialogue on the reuse of electronic health records. They were provided with the opportunity to interact with scientists and privacy advocates to formulate recommendations on how privacy must be addressed.
Understanding Patient Data (UPD) has made a promising step towards capacity building of patient communities, with UPD attempting to “objectively explain how and why data can be used for care and research, what’s allowed and what’s not, and how personal information is kept safe”. Additionally, it has also recognised the importance of framing conversations about patient data using words that are accurate but also accessible and meaningful to communities
Lack of available, accessible and quality data hinder effective data sharing and use for public benefit
Lack of access to timely and high quality data, often a manifestation of dissimilar data storage and taxonomical conventions, hinder effective health data exchange. Consequently, health data interoperability – so essential to facilitate use and re-use of health information for research and other purposes – is rendered non-feasible, with potentially disruptive and diametrics practices characterising the health data governance landscape.
Such issues are further exacerbated due to legal barriers to linkage of national health datasets and the difference in regulations for different types of datasets (for instance, clinical trial data and routinely collected public health data are regulated differently). This complicates the integration and sharing of different health datasets, creating bottlenecks for health policy and research.
Encouraging stewarding entities to monitor harms
Regulations must govern technical aspects such as registration and authorisation of health devices, standardisation of health data quality and measurements, disclosure of APIs and interoperability measures. While there are existing taxonomies of health data, rules for sharing health data and international standards for interoperability; there is a need for these standards to be adopted and embedded widely. Implementing strategies for data integration and interoperability can promote engagement of industrial stakeholders while ensuring quality and safety of data. This would ensure transparent and effective sharing of data that is particularly salient during periods of public health exigencies.
Health authorities in the USA for instance, have ruled for the healthcare industry to use APIs and to adopt interoperability standards for health data exchange. The Office of the National Coordinator of Health Information (ONC) has introduced a United States Core Data for Interoperability standard for vocabulary of health data. While developing data interoperability standards, the ONC takes public engagement and input through advisory committees that consist of representatives of all stakeholders from health information experts to providers and patients. The government, in this instance, also provides financial support to implement these standards.
Legal frameworks should ensure that linkage of health datasets are made possible. Accreditation is one way to ensure secure data integration – for instance, Australia mandates accreditation of public authorities before they undertake high risk linkage projects. Norway’s Beredt C19 is a data lake authorised by law which collects daily data on hospitalisation, primary and emergency care and links it to records across data sources in real-time with the help of digital ID. This timeliness of health data linkages has proved to be extremely helpful due to the rapid pace with which the government could use data, especially during the pandemic.
Lack of involvement and regulation of private actors in health data sharing
Owing to the sensitive nature of health data and crisis of trust, there is an unwillingness among the public to share their data with commercial actors. While large hospitals are mandated to provide patients with access to their personal health records, health technology companies are not bound by similar obligations in that they fail to provide users with access to self tracking data or charge them for it. This could hinder patients’ ability to access data for personalised insights into their health conditions (like monitoring glucose data for diabetes patients).
The lack of incentive to share coupled with other factors such as frequent change in market conditions lead to commercial service providers closing, after which access to data is not allowed and very often back up of such data before closure is also not allowed. Further cost of maintenance and change in data access methods through internal policies (such as discontinuing APIs) constrain people from accessing and repurposing their own data. Therefore these reasons for non-disclosure of data by tech companies reflect the failure of existing health data governance frameworks to keep up with digitised personal health services. Further, as private and commercial actors increasingly engage with health data collected by public institutions, there is heightened concern about democratic access, control and accountability.
The involvement of the private sector in acquisition of massive troves of data and application of analytics sees its use in consumer wearable devices to collaborations with public health providers. This acquisition of huge datasets allows tech giants to circumvent the protection of anonymity that is provided. A prominent example of this is when Facebook wanted anonymized health data to include demographics of hospitals which was then used to compare to its own user base to match and profile them – thus essentially de-anonymising the data. Further, commercial arrangements between the UK’s NHS and tech giants like DeepMind, Palantir, etc have raised many concerns over governance of health data.
While consumers can seek to withhold their data from companies they disapprove of by avoiding their consumer services, it is not viable for individuals to avoid healthcare services. The impossibility of avoiding services since we are being held captive by private companies has huge repercussions on data justice. Therefore, the increasing use of health data and reliance on digital infrastructure for healthcare delivery raises multiple concerns regarding accountability, democratic control, and creation of a new class of social inequities that need to be addressed in regulation and governance frameworks.
Embed a system of incentives within regulatory frameworks to encourage proactive private sector involvement with ethical data sharing practices
Research shows that the public approves of health research but they distrust commercial involvement. There is a recognition however of the public benefits that could be brought upon commercial involvement. The understanding of public benefit must align with public views and values including economic benefits from sharing or reusing data. If access to patient data is ultimately grounded on the basis of public interest, it is pertinent that patients be involved as ‘collaborators in the whole system while developing data initiatives’ according to the Nuffield Council on Bioethics. These collective and societal harms arising from collection and exploitation of data are not addressed by current regulatory frameworks.
On the right to data portability, Article 29 Working Party encourages service providers to develop interoperable formats for individuals to use or transfer to other sources. The public sector can thus call for health platforms and app developers and data stewards to establish these standards of interoperability. Data accessibility of personal health data apps must be in a way that’s amenable for data to be used to achieve personal goals of the individual and must be allowed to reuse and integrate from multiple sources to get insights. This means that individuals need to have the right to data portability.
Policy makers need to make regulatory pathways to prevent the concentration of power in the hands of tech giants. Encouraging companies to self-regulate in one way to prevent data extractivism in the healthcare sector. Adopting legal and technical tools to monitor impact and enfranchising individuals and groups to create the design and implement digital health policy and technology, and to engage in reflective feedback mechanisms amongst decision makers and private companies.