In this talk, we initially highlight the current conceptions and perceptions around patient data ownership (presenting both the North American and British viewpoints). Then, we will examine the reality in the healthcare industry with regards to ownership and provide an accounting of how we came to this state. We then present the ramifications of this situation on the security and privacy guarantees and controls in place and available to a patient. We finally discuss (and solicit) thoughts on solutions going forward.

1. Patient Data
Ownership
Tyrone Grandison*, Anish Mohammed+
*Proficiency Labs Intl, Oregon, USA (@tyrgr)
+
Accenture, London, England (@anishmohammed)

2. Preamble
All ideas presented are our own and not attributable
to any organization we are connected to.
We are not lawyers. We are not dispensing legal
advice.
However, we are computer scientists who have had to
understand law and lawyers in the course of doing
our jobs.
2

3. Exciting or Scary?
3

4. Outline
• Data Ownership –Perception, Definition
• The Reality of the Current State (USA &
UK perspective)
• The Impact on Patients (USA & UK
perspective)
• Remedies Going Forward
4

5. Pop Quiz 1
• Data Ownership is a well understood and
well defined concept.
• True
• False
• The concept of Data Ownership has been
around for only a short period of time.
• True
• False
5

6. On “Data Ownership”
• Data ownership
• Is a relatively new term for the mainstream
(en vogue since 2000s)
• However, reference to the term goes back
two to three decades – in the field of
medical research.
• Is often used without prior agreement on
the definition
6

7. Data Ownership:
US Healthcare
“Data ownership refers to both the possession of and
responsibility for information. Ownership implies power as
well as control. The control of information includes not just
the ability to access, create, modify, package, derive benefit
from, sell or remove data, but also the right to assign these
access privileges to others”
- The Office of Research Integrity,
The Department of Health and Human Services,
US Government*
*They borrow from a definition by David Loshin in the Data Warehouse magazine, titled “Knowledge
Integrity: Data Ownership” published June 8, 2004.
7

8. Data Ownership:
US Legal
• Data Ownership stems from the basic concept of
ownership
• Implies legal title and full property rights to data.
• If this is the case, then anyone assigned as a data owner can
potentially take the data they “own” and sell it.
• However, US Law interpretation and enforcement is a mix
of Federal and State case law.
• At the core, leveraging and applying old legislation made for
physical assets in an industrial world to digital assets in an
information economy.
8

9. Data Ownership: UK
• The Ownership of data in UK is defined by ICO
(Information Commissioners Office).
• The guidance in UK complies with European Union
Directives especially - 1995 EU Data Protection Directive
• Key principles include
• Individuals should be informed when personal data is collected
• Individuals should be told who is requesting the data and the reason
for their request.
• Individuals should be told how they can access data about
themselves
• Individuals should be told how their data will be protected from
misuse. 9

10. Pop Quiz 2
How many people believe that data about them
(or data generated about them) is owned by?
a)Them
b)The individual companies that hold the data
c)A mix
d)None of the above
10

11. Current THINKSCAPE: US
A medical researcher who receives patient data conducts the research at his
institution with funding from Pfizer and produces results.
Who owns the data at each stage? Patient? Data Collector? Funder? Institution? Researcher?
Patient
Data
Conducts
Research Results
Institution
Funder
11

12. Current THINKSCAPE: UK
A medical researcher who receives patient data conducts the research at his
institution with funding from funding agencies.
Who owns the data at each stage? Patient? Data Collector? Funder? Institution? Researcher?
Data Management Plan
Patient
Data
Conducts
Research Results
Institution
National Science Foundation, National Institute of
Health, BBSRC, Cancer Research UK, Wellcome Trust,
and ESRC
Funder
12

13. The Reality
Patients: Funder
•Patients are either forced to consent to turn •Government gives research institutions the
over their data rights or not use service. right to use data collected with public funds as
an incentive to put research to use for the public
good
•Private companies seek to retain the right to
the commercial use of data.
•Philanthropic organizations retain or give
away ownership rights depending on their
interests.
Data Collector: Research Institution
•Proclaims ownership of received/bought •Claim ownership rights over data collected
data and re-packages & sells. with funds given to the institution.
• Implies researchers can’t assume they can take data with
them if they move.
• Receiving institution may have rights and obligations to
retain control over the data.
Researcher
•No ownership rights on data or results
13

14. EXTRAPOLATING
Instantiating for Health 2.0 and beyond
Patient & Data Collector remain the same, Funder is now an Angel/VC/Crowdfunders,
Institution is now a Startup & You are the Medical Researcher
Developer/Innovator
Patient
Data
Data
Insight
Builds
Solution
Startup
Funder
14

15. The COLD, HARD TRUTH:
US INDUSTRY EDITION
‘One of the tenets of Data Governance is that enterprise data
doesn't "belong" to individuals. It is an asset that belongs to
the enterprise. Still, it needs to be managed. Some
organizations assign "owners" to data, while others shy away
from the concept of data ownership’
- The Data Governance Institute
Bottom Line: Once your data is generated and not in only in
your computer systems, it is owned by someone else
15

16. The COLD, HARD TRUTH:
Patient Edition
• The patient does not own:
• their data,
• the metadata created to support its processing,
• the processed results or insight from analysis
• Agreements with healthcare entities are normally used as
tools:
• to coerce you to give up any rights that you may have
• to allow the entities to share, distribute or sell your data
without further consent or notification from you.
• i.e. entities can use your data anyway necessary to make money
• to limit the entities’ liability when harm comes to you from
their reckless behavior 16

17. The Evidence
• Term and Conditions
• Privacy Policy/Statement
• Notice ofKaiser Permanente’s Privacy Statement (excerpt)
Privacy Practices
• Data Use Policy
• Statements of Rights and Responsibilities
Post-Talk Exercise:
1.Go to the top 3 Healthcare sites or mobile apps that you use
2.Find the above documents for them
3.Search within them for the words “own” and “sell”
17

18. POP Quiz 3
• How many legislative acts protect the data
ownership rights of American patients?
a) Zero
b) One
c) Two
d) Three
e) Four or more
18

19. POP Quiz 4
• Which legislative acts protect the data ownership
rights of UK patients?
a) Data Protection Act
b) European Data Protection Directive
c) Health and Social Care Act 2001
d) Human Rights Act
19

20. But…BUT…BUT
• What do all the legislative protections provide?
USA UK
HIPAA – Issued Jan 25, 2013. Data Protection Act
Five (5) mentions of data
ownership in 563 page
document.
Fair Information Practice Principles
– does not address data
ownership. 1995 EU Data Protection
Directive
Privacy Act of 1974 – No
mention of data ownership.
20

21. POP Quiz 5
• The landscape is getting better in
the UK/Europe in comparison to
the US?
a) True
b) False
21

22. General Data Protection
Regulation (GDPR)
• Current proposed amendments to the EU’s GDR include:
• Eliminating explicit opt-in user consent to personal data
• Letting corporations share personal data with any other entity
that has a “legitimate interest” in that data
• Disallowing citizens to access their own personal data “in
electronic form”
• Not requiring corporate “data protection officers”
• Forbidding consumer groups from bringing lawsuits against
corporations on behalf of individuals
See “EU data law draft uses language—word-for-word—from US, EU corporations”
by Cyrus Farivar - Feb 11 2013 & The Influence of Lobbyists on EU Committee Members
by OpenDataCity – Feb 14, 2013 22

23. Impact
• Choice
• Depends on context
• The difficulty is to define context
• Choice could result in blanket opt in or out
• Cost-Reward-Risk
• Cost in healthcare is difficult to measure as its qualitative
• Cost is context sensitive
• Reward is mostly intangible in short term
• Risk with healthcare is impact is very long term
23

24. Impact
• Security
• Driven by legislative compliance
• No other incentive or disincentive to have robust controls around
data
• Implemented to meet the “bare minimum”
• Privacy
• Driven by Legal departments
• Responsive to Financial Risk Analysis
• How many payouts have we made for non-compliance
• Not prioritized unless aggressive compliance auditing is performed
24

25. REMEDIES
• Educate
• Education of the customers to the choices they have
generally results in better outcomes
• Education of the regulators and key stake holders
• Activism
• Customer activism has been increasing with advent of
web2.0
• Use your voice
• Ever heard of data stewardship?
• Promote delineation between data ownership and data stewardship
25

26. REMEDIES
• Create Community
• The power of numbers generally works in the favor of the
many
• Communities generally result in education of its members
• Larger numbers get attention of politicians and policy
makers
• Use your power ($$$)
• General observation of more money you have the more
power you wield
• Healthcare in most parts of the world is still a service which
consumers can choose providers
26

27. Questions?
Tyrone Grandison @tyrgr tgrandison@proficiencylabs.com
Anish Mohammed @anishmohammed anish.mohammed@gmail.com
27