What did I learn from the EU Health Data workshop? Trust, consent, infrastructures & individuals
Last week I had a fun day participating in the workshop ‘Towards a European Ecosystem for Health Care Data’, hosted by the Digital Enlightenment Forum. While health data is not my area of expertise (or, let’s be honest, deep interest), the issues of how to organise regulation and cooperation around data are. And you always need a topic to ‘point to’ to bring people across sectors and types of work together. So the workshop and excellent discussions were an insight into high-level minds working on policy issues and trying out solutions to deal with the concrete issues of the changing digital landscape.
While the panels were pretty varied, ranging from the specifics of the GDPR to technical solutions to policy questions of harmonisation (you can access the presentations and check the Twitter hashtag #euhealthdata), there were a few threads of conversation that ran through the workshop that, as a relative outsider, were very interesting to pick up.
People are willing to share their health data
What’s always been interesting about health data is that if you talk to somebody off the street with no direct relation to data discussions, they can immediately and intuitively understand the importance of the privacy of health records. Health data has always been an entry point to public discussions.
Which is why I was pleasantly surprised when Despina Spanou, Director for Consumers at the DG Justice and Consumers, presented the European Commission’s position and results of their recent public consultation on health data. 70% of respondents were individuals, and 90% said they would be willing to share their health data. I don’t have the exact numbers on hand, but you can get more information here.
So it’s incredibly encouraging that there is a public understanding of the use of data for the greater good. (The gif is slightly less relevant, but I cannot utter the phrase ‘the greater good’ without thinking about it, so there you go).
We need to talk about control of data, not ownership
Ownership is a tricky issue when it comes to data, especially from the legal perspective.
On top of a presentation full of comics – my favourite kind – Petra Wilson from Health Connect gave an excellent analogy: you can rent a house, and you don’t own it, but you still have the right to stop people from entering.
This also explains why I have seen some interesting ideas flying by about learning from property rights and regulating data giants in similar ways to public utilities.
Instead of talking about ownership, the discussion is about control. But what does control mean, and how is that operationalised? Does it mean access, does it mean ability to remove your data from databases, do you need to give consent for every transaction?
Don’t trust, but build trustworthy systems
Trust means that you don’t know what is going on, but you decide to ‘trust’ that what’s happening is in your best interest. For instance, I don’t know that you’ll pay me back when you say you will, but it’s ok, I trust you.
If we take that and apply it to working with data, it becomes problematic, because there are fewer safeguards. You trust that the heart surgeon knows what they are doing because they’ve been to years of medical school, etc. etc. Relying on trust is not adequate – not only ethically, but also in practice; several research projects are failing because of the lack of trust and resulting inability to access data.
Rather than expecting trust, we need to build systems that safeguard trust within the infrastructure of the data systems and how they’re used. Two specific ways were discussed, which I’ll address in turn below. Blockchain as the current fad of trust-less systems was mentioned in passing, but not given substantial attention.
Dynamic consent is the new favourite
Moving on to questions of how, several of the technical or technological solutions presented at the workshop were precisely about how to create a technical infrastructure to shift the locus of control firmly to the individual.
While the GDPR places a lot of emphasis on consent and consent needs to be given for each topic, how to implement this in practice becomes tricky.
‘Even though GDPR emphasises informed consent, most patients have no idea what that means or does.’ Bian Young, NTNU
Dynamic consent came up several times in the workshop as a possible solution (rather than, say, questioning if consent is the right model: it’s in the regulation, so now let’s move forward from there). For example, there was a presentation on piloting verifiable credentials – basically, you have a personal key with which you set your security details for each website, and which you can change for each website. Say, only allow the hospital to access a and b, but the shopping centre only to access a and c, or something like that. There was also discussion of homomorphic encryption.
Which, while I’m not a technical person and so have a wee bit of trouble relating it back now, at the time made sense, and I encourage you to look at the presentations if you want further follow up.
Data cooperatives as democratic data infrastructures
Several presenters discussed citizen-driven, collaborative, democratic infrastructure models piloting on health data: the midata.coop from Switzerland, the salus.coop from Catalonia, and the Data for Good Foundation in Denmark.
All were trying to deal with the systemic change in data governance, and this is where my ears prick up. What strikes me is that there is a lot of work being done on the data commons, and I am sure there are plenty of lessons to learn from the history of agricultural cooperatives.
What it also means: ‘It’s about organising the stakeholders, it’s not about the technology’ – Claus Nielsen, Data for Good Foundation
This is why data governance is important.
Interoperability needs information brokerage & oversight
What’s particular about health data and trying to create an EU ecosystem is that health is a member state issue. Which means the idea is to create harmonised investment and an interoperable system, but how that is operationalised into the healthcare system is up to individual member states.
Sonja Marcovic of RAND made a great point that there is a specific need for information brokerage. How do you ensure the information is out there? And accessible? And then fed back into and kept up to date? And sensitive to stakeholder needs, member state priorities, and patient-centred? How do you distill the memory of a project after that project has ended?
We need to share best and worst practices. Feedback is one of my research interests, and being open to learning from what went wrong is also important.
We also need to be sure that we maintain data quality and reliability, especially as health data does not only come from hospitals, which are relatively easier to standardize for interoperability, but also increasingly from apps, from individuals, etc.
The individual as the ultimate data unit in an Enlightenment context
Throughout the workshop there was an assumption, sometimes explicit and sometimes unspoken, about the individual at the centre of data. This showed up in a few ways:
- Linked to the control and ownership discussion above, it was the deafening voice that individuals should have control over their data, and that because citizens have the same needs EU-wide, this focus on the individual will also help interoperability concerns within a European framework.
- Building patient-centred care, and putting patients’ needs at the forefront rather than those of companies or other actors. Entirely admirable and a positive movement.
- The individual as the ‘ultimate integrator’ of data, put forward by Ernst Hafen of midata.coop. This makes sense from a technical level, where, I presume, you are looking at categories of data and how to organise them, and the individual is the smallest category to integrate. There is an idea here that needs to be further worked out, but for now this will do.
- The overarching framework of ‘Digital Enlightenment’, harkening back to the values of the 18th century enlightenment.
As I’m working on a data justice project with a global focus and have been reading about the political philosophy underlying justice, I’ve been twirling around with ideas about liberalism and what that means, and how to understand the relation of the individual to the whole. I would not argue that individuals shouldn’t have control of their data, but I’m thinking through the implications of the liberal framework we work within, and what that might mean if we take this specifically European framework and apply (part of) it to other contexts.
And to close, this fantastic slide:
— DigitalEnlightenment (@DigEnlight) October 25, 2017
Full disclosure: I’d been working with DigEnlight for a year on the communications, and the workshop was my final shebang on working with DigEnlight in an official capacity. It’s a fantastic network of people working actively on an ethical transformation of society and technology, so I’ll still be connected with the network, especially once the upcoming trusted community platform is launched, probably in the next two weeks.