There were red faces at the UK Department of Health and Social Care last month when it was forced to admit that its COVID-19 Test and Trace scheme had ridden roughshod over data protection regulations. Specifically, the Department confessed that officials had failed to conduct a privacy risk assessment as required by GDPR (General Data Protection Regulation).
This perhaps shouldn’t have come as too much of a surprise. As far back as May, global public policy group Access Partnership warned that privacy was taking a back seat as governments around the world put in place their own track and trace initiatives. The group argued that the danger with this was that ignoring data protection practices in the name of a crisis response to COVID-19 risked setting a ‘new normal’ precedent for the future:
Does extensive collection and analysis of personal health data by the state become the new normal, in the same manner that extensive state surveillance became largely normalised after traumatic terrorist attacks in the West in the early 2000s?…For several years, the global privacy debate has been driven by private sector scandals and an EU-led approach to protecting consumer privacy through the private sector-focused General Data Protection Regulation. However, the COVID-19 crisis has shifted the conversation…the principle of data minimisation may lose some of its pre-eminence, as increased access to data is recognised as invaluable to protecting public health.
But is it a case that the end justifies the means here? The key to suppressing COVID-19’s spread lies in widespread testing and tracking of outbreaks and spikes of the virus. In the interest of saving lives on a potentially global scale, is it unreasonable not to prioritise adherence to ‘peacetime’ data protection bureaucracy? And if it isn’t, then is it time to re-evaluate the role of data management in healthcare, particularly when the prospect of future pandemics is now a harsh reality around the globe?
Some of these topics were discussed in a recent online debate hosted by UK trade association techUK, which looked at the wider question of digital transformation and the use of technology in tackling health crisises. For Graham King, Product Manager, at health data specialist DesAcc, the COVID situation has highlighted something that was already known:
Data is really important, but [COVID] has also shown some of the barriers to get to it. Data has most value when it's combined. There's a lot of data inherent in organizations that could help both with real time response to this current pandemic, but also drive insights in other forms of non-communicable disease, which are public health crises of a more slow burn nature. But the point is, there's a great deal of data, but not all of it is accessible.
King believes that most people would be happy with relaxing privacy laws in the public interest on a short term basis, but added:
I wonder about how that could be opened up for other disease cases or will it be rolled back for COVID and we'll go back to how it was, where information data governance is the biggest obstacle to overcome in most data driven research projects?
One thing we could do is highlight all the good work that's been possible because of being able to combine data sets from different controllers and show to the public that this is what was achievable. But we do need a proper conversation on it….It’s really hard to try and get data sharing up and going. If you're any kind of third party with a hospital... [you’re] either slowed down to a crawl or just stalled completely on legal barriers and lack of explicit consent.
Alex Eavis, CEO of Dovetail Lab, which has developed a distributed e-consent and data sharing platform to pioneer better information sharing in healthcare, agreed that interoperability, while improving, remains problematic:
Speed and the latency is a problem, and supports things like the move to cloud or the need for the move to cloud, because it's just not acceptable that it takes a week to get data to Public Health England and then data back out the localities about spotting outbreaks and things like that.
In terms of data controllership, Eavis would like to think that learnings will be taken from the current crisis:
I hope that the work that's being done, particularly in the research space and the rapid innovation that's happening, will highlight the benefits of data sharing, particularly with the GP community where each individual GP is still the data controller, but they would be more open to sort of limited pseudonimized data sharing in the public interest. We don't want to rely on COPI [Control of Patient Information] notices for all data sharing in the future. From just an interoperability perspective, is a patient-controlled record rather than an organisation-level data sharing approach an easier way of tackling some of these problems? Possibly. I mean, trust is key across the board with this. Hopefully, the work that that has happened during this crisis highlights to the public and practitioners that the work that's done with data is in people's best interest.
The greater good
Perception of responsibilities - personal and societal - could be key here, suggested Charles Alessi, Chief Clinical Officer, at the Healthcare Information and Management Systems Society (HIMSS):
One of the things which everybody talks about is the different duties of the citizen and the conflict between the citizen having responsibilities to their fellow citizens in a pandemic, as against personal privacy. What is really interesting here is understanding other countries and the way they've dealt with previous pandemics. Our short term memory of pandemics is really important. So South Korea, for example, after they had their MERS outbreak, they introduced legislation which changed their very strict personal privacy rules to ensure that there was liberty to aggregate data, which was, of course, immensely valuable once the pandemic started. Of course you need to do this before a pandemic starts. So the issue of the law is actually quite important. Technically, everything is surmountable; the biggest issue, as always, is people.
Perhaps the solution isn't necessarily relaxing the rules around GDPR, which is what we're talking about in Europe, but more about its interpretation and also secondary incident. There are some wonderful examples globally around secondary use of data. One notable one is in Finland, where they have an organization called Big Data which was set up specifically to monitor, control and manage secondary use data. It works exceptionally well. But part of this is allowing, embracing and ensuring that activated people exist, and in England, we still don't have access to our own medical records. The only access I have is if I forget my address, I can look it up or if I forget when I was born, but there's no damn medical record when I look for it because it hasn't been turned on. We have a long way to go in England. Sadly, we're not at the front of the queue here.
That said, the NHS in England has some great data assets at its disposal, said Sarah Deeny, Assistant Director of Analytics at healthcare charity The Health Foundation, pointing to GP data as a case in point:
We've seen amazing work with open safety trials and studies that have really used the fact that we have this amazing resource with these GP records that are going back decades. I think the slightly unsung heroes in the UK has been our Office of National Statistics which we can be really proud of internationally, getting data and being able to use that as a way to grow large extra studies as needed. I think that's actually brought in an awful lot of information. Where I think, possibly we could be doing a bit better, and see other countries are maybe better at, is sharing openly data that is not sensitive, like for example on incidence rates or on testing data.
But other countries have their own issues as well, as Albin Forslund, Head of Customer Operations, at healthcare platform provider Visiba Care, pointing to Sweden and Finland as examples:
In Sweden, we're doing similar things with handing out data. In Finland there was a national law that decided that this should happen everywhere. In Sweden, it's each region that's in charge of this themselves, so that enables a situation where some people in some areas can get much more data than other people in other areas. So, we see a lot of challenges in a lot of places, but things are moving quite rapidly in Scandinavia. In the UK at the moment, you could have had the same potential to actually take these steps. I think it's important to bring that information to patients about what was going on, what happened, what were you were worried about here. We need to be careful we don't mix up all [types of] data and put in too many restraints on data that is anonymized, that could be shared in different ways, [compared to] the more sensitive personal and patient data.
COVID has however flagged up one unavoidable reality that needs to be addressed, he warned:
We're unable to share data and critical data at national level, so we can't really see real trends in real time. I think that's problematic, that all the different suppliers have different silos for data, and that will be essential [to address] for handling a next wave or future crisis.
This is a very important debate that needs to be had. The danger with making exceptions to legislation intended to protect personal rights and liberties in the cause of a greater good is the age old one of giving an inch and finding that it rapidly becomes a country mile and there’s no turning back. That said, data sharing is clearly a critical weapon in the healthcare arsenal and one that isn’t as easy to put to use as it should be. Different countries have made progress at different paces, but there’s certainly room for considerable improvement in Europe as a whole.