Privacy framework could help harness the power of big data
Privacy considerations don't necessarily need to be a barrier to the use of big data in healthcare and can be respected as long as a transparent framework is established and the onus for remedying data breaches is put on the collector rather than the subject, a privacy expert said.
Emma Hossack, CEO of shared electronic health record company Extensia and president of the International Association of Privacy Professionals Australia and New Zealand (iappANZ), told the HISA Big Data conference in Melbourne yesterday that the current consent model for the use of private data – particularly that relating to health data – meant that the societal benefits of big data for medical research could not be fully realised.
However, if more responsibility is placed on the data collector and data user to ensure appropriate and transparent frameworks, along with the introduction of mandatory data breach notifications such as those encapsulated in the PCEHR Act, then personal privacy can be respected and the benefits of big data harnessed, she said.
“Because there is no certainty at the point of collection what data you really need to collect for your particular purpose, and because that purpose might in any event change once you have analysed the data, it means that when you are seeking consent from the data subject, you cannot properly inform them of the purpose for which you are collecting the data,” Ms Hossack said.
“Informed consent is one of the key processes in the current privacy structure – you must ensure that you tell the person whose data it is or who has the custodianship of the data, what you are going to do with it. Obviously that's impossible with big data, so when you realise that you can't actually get proper consent in the traditional manner, that means that one of the fundamental principles of privacy is turned on its head.
“It also means that the notice provisions, giving the party full notice and transparency about what their data will be used for, are also inappropriate with big data.”
However, there is a way forward, she said. She agrees with the authors of the recent publication Big Data: A Revolution That Will Transform How We Live, Work And Think, Viktor Mayer-Schonberger and Kenneth Cukier, that industry should develop a transparent framework, in which the data subject is informed sufficiently to be able to make a decision about whether the benefits of sharing outweigh the risks, much like people do every day with loyalty plans and social media.
Given that people often do not read or understand current consent models, they may even be in a better position if they are informed better, she said. In addition, penalties such as those that will come into force in March next year with the new Privacy Amendment (Enhancing Privacy) Act 2012 will give people greater confidence that data collectors will take care to secure the data and match the security with the risk.
“If you do not allow companies who are looking to get big data to participate properly, if they are frustrated by the consent process, which is the biggest obstacle for them, and if the consents are overly onerous and unrealistic, then they are not going to be able to use big data,” she said.
“If on the other hand you are aware of the risks and you know that the data will be used by a reputable body that will process it in accordance with a framework of an ethics committee, and if there is a breach that they will have at least taken steps to de-identify the data ... at that point you might say I am happy to contribute to this data set that will enable health research.”
Ms Hossack said many of the consent processes currently used to ensure that people are protected are often written in legalese and people don't understand them, or they feel they have no choice but to sign. This also has the danger of data collectors pointing to these consents as a means of abrogating their responsibility.
“It's a binary choice: either consent or don't consent, but if you don't consent you don't get the service,” she said. “In many cases, you can’t afford not to have the service, in which case it's not really voluntary consent.
“We should be looking at creating a framework whereby if the risks are high, and if there is damage as a result of data leaking out inappropriately and it becomes re-identified, at that point, the party which is responsible for that breach should be heavily penalised.”
Ms Hossack said public education and oversight through auditing and responding to complaints was essential, but that recent cuts to staffing and general low resourcing at the office of the Australian Privacy Commissioner meant that the organisation might not be able to fulfil this vital role in educating the public and the private sector.
The staffing cuts are unfortunate given the new Privacy Act was passed in December last year and will come into effect in March next year, she said.
“In Australia there are new fines coming in that will be in force on the 12th of March, 2014, but the problem we've got is that despite that, we have an under-resourced Privacy Commissioner.
“One of the big issues with privacy is, of course, educating the companies that hold all of this data [about] how to use it and how to do a privacy impact assessment. That would be a prudent thing for a lot of companies that don't have a privacy framework in place – [but] there's not much education going on at all. The reason for that is not because the Commissioner isn't willing and able and certainly has the capability, but the Privacy Commissioner has very limited resources to carry out a very big job.”
She said that despite data breach notification not being compulsory at the moment in Australia except in respect of the PCEHR, a general consensus is that it will become a feature of the law sooner rather than later.
“It is a live issue and something should happen in that space next year,” she said. “I think we need a transparent framework, which the public is aware of and they can then make the choice if they wish to participate in it and have their data used, but won't have the responsibility and the onus of suing if there is a breach.
“At the end of the day nothing is perfect … and sometimes there will unfortunately be security breaches and data breaches, because that's a fact of life. It is interesting that the US-based insurance group Beazley is opening up in Australia later this year to offer data breach insurance – it indicates that there is confidence in the marketplace that there will be data breaches and they will be prosecuted.
“Protecting privacy not only has financial implications for companies, but companies will also become more aware that data breaches have ramifications for their reputation, which in the case of big data will be very important if they wish to be given the data sets from which they can derive value.
“All this means that companies are going to have a heightened sense of the importance of privacy and their responsibilities to people in regards to their sensitive information, all of which is a really positive outcome.”