Technical and legal aspects of privacy-preserving services: the case of health data

Nowadays, the potential usefulness as well as the value of health data are broadly recognized. They may transform traditional medicine into clinical science intertwined with data research, driving innovation and producing value from the perspective of the key stakeholders of the health care ecosystem: not only patients but also health care providers and the life insurance sector.

Yet, health data does not appear out of thin air, and it is not a product that can be viewed in isolation. It is:

  • the personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status (data concerning health),
  • the personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question (genetic data),
  • the personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (biometric data).

Thus, the individual cannot be deprived of the right to decide about its processing, since health matters lie at the very centre of the sphere protected by privacy law.

It becomes clear that balancing the interests of the private individual whose privacy is protected, the interests of other private and public actors, and the general common interest is highly problematic. Naturally, processing of health data cannot be unrestricted: optimally, the legal framework should facilitate unlocking the value of health data for European citizens and businesses and empower users in the management of their own health data, without undermining the very essence of the right to privacy.

Currently, processing of health data falls under the complex GDPR legal regime. This, however, poses a serious challenge for data processors on the one hand and, on the other, gives rise to numerous legal questions. What are the grounds for processing such data in this highly differentiated context? How should medical data be protected on both the regulatory and the technological level? How can we harness the newest technology to increase data safety? How can anonymization and/or privacy-preserving data management techniques based on efficient cryptography (e.g. homomorphic encryption, secure multi-party computation) contribute to reaching higher protection levels without becoming a hurdle or an impediment to legitimate data processing? Can blockchain technologies be used for health information exchange? Should the creation of technological infrastructure be coupled with establishing proper key management schemes?

The task is twofold. First, on the regulatory level, general policy guidelines for legislators, independent agencies and businesses operating data-sharing platforms are necessary, together with an analysis of the policy and market implications of providing privacy-preserving services. Second, practical recommendations are needed: specific postulates should be formulated on how data protection techniques can be applied in the health domain, in order to contribute to achieving the aims described above.

Author: dr. Katarzyna Południak-Gierz, Jagiellonian University