Comments
Feds Praise Open Data Health Cloud Launch
Threaded  |  Newest First  |  Oldest First
pseurre
100%
0%
pseurre,
User Rank: Strategist
11/20/2013 | 8:52:13 AM
Privacy laws
There is no such thing as 'de-indentified'. There will always be something to link the records back to the person that they're associated with. If this link didn't exist then the records would be useless.

I'm also curious to know why BT - a private company - is even allowed access in any shape or form to personal and private records? This is happening without either the knowledge or consent of the people whose details are being shared. As a user of the NHS myself I was not even notified that this was going to take place, much less asked for permission to share my private information beforehand.

The arrogant presumption of the British government is quite simply breathtaking. Who the hell do they think they are? We are not possessions of the state. We do not belong to the state, and neither do our personal records. They should have no right to be doing this without gaining explicit concent from the patients involved prior to the sharing.

If pharmaceutical coporations want access to our records, then they need to ask *us*, not the government but us - the patients involved. The fact that this may take them more time is beside the point: we do not exist to make their lives easy or to make more money from our own information.

I'm also curious as to the legal position of such data sharing. EU directives - which the UK are legally to obliged to implement nationally - seem to be quite clear on the subject, and this sharing would seem to fall foul of that (take directive 95/46/EC as the prime example). I am not a lawyer however.
Thomas C. Mueller
50%
50%
Thomas C. Mueller,
User Rank: Apprentice
11/20/2013 | 3:31:58 PM
Re: Privacy laws
De-identifying health care data isn't difficult.  The HIPAA Privacy Rule describes two de-identification approaches, Expert Determination and Safe Harbor.  Every de-identification project I've worked on used the Safe Harbor method described in section 164.514(b)(2) of the Privacy Rule.  This method prescribes the removal of 18 types of identifiers like name, address, birth date, etc.

De-identified health care data can only be re-identified if a link between the original and de-identified data is maintained and available when trying to reverse the process.  I have never worked on a data de-identification project that maintained a link between the original and data.  This was always a conscious decision on our part.  Maintaining such a link is a major security risk, and there wasn't a valid use case that would've justified taking the risk.  No such use case exists in my opinion.

Health care data de-identification should be a one-way process.  I hope the persons responsible for de-identifying this latest data set followed the Safe Harbor guidelines and did not make the process reversible. 

--
Thomas C. Mueller, MBA, CDMP, CHPA
Director of Technical Delivery
Forward Health Group, Inc.
http://www.forwardhealthgroup.com
pseurre
100%
0%
pseurre,
User Rank: Strategist
11/20/2013 | 3:55:27 PM
Re: Privacy laws
Part of the problem is - if letters sent out to some British patients by GPs are anything to go by - the data being handed out to the likes of BT by the British government would appear to contain personal indentifiers (the source of this being the UK - so would HIPAA even apply if data is sent to the US?).

This isn't difficult to believe since recent legislation saw the British HSCIC being given legal exemptions allowing them to share records in ways that would have presumably previously been illegal, and to do so not just for the provision of healthcare but also to provide information to 'customers' (the GPs own word used) - i.e. presumably anybody with the money to pay for access.

Even if BT do not include such identifiers in the data they hand out it still begs the question as to why they are being given access in the first place. Why do they have access to these records and why our our records being sold to anybody that can afford it?
anon4930272121
0%
100%
anon4930272121,
User Rank: Apprentice
11/25/2013 | 6:19:47 AM
Re: Privacy laws
The records wouldn't be useless if there was no way to link data back to the patient. 

What these programs aim to do is introduce what hackers Brute force attacks in to medicine to discover new treatements and cures. So they need large amount of data to spot patterns in patient care which could lead to better or novel treatements or application of today drugs. 

All privacy laws in this country is base on content, now I am pretty sure when I signed up to the GP I signed a form allowing him to share my data annonymously with third parties. The use of third parties would cover the use of data in this project. But not being a lawyer I am not 100% sure. New EU laws force organisations to ask for explicite content for each use of your data, current laws don't, and there a lot of opposition in the EU for that element of the law. An not all EU laws are applicable to this country either. 
pseurre
100%
0%
pseurre,
User Rank: Strategist
11/25/2013 | 8:39:55 AM
Re: Privacy laws
Directive 95/46/EC is certainly applicable in this country. The UK government was taken to court over the concept of 'implied consent' contained within RIPA as it clashed with this directive. Read section 8.1 of the directive. There are of course exemptions to the general statement placed there, but funnily enough they forgot to add 'because we can't be bothered to ask for permission' as one of them.

As for agreeing that GPs can share my information I think most people would assume that this is normally only done to help with their own treatment. Research or not this is still commercial exploitation of the information and would appear to go well beyond any requirement for my own treatment.

The government has no god given right to make this decision for me, despite acting as if they do.

The sad thing here is that if I was asked to participate then in most cases I would probably agree. It's the arrogant presumption being shown by both the government and the private sector that's really irritating. My privacy should not be at their discretion.
pseurre
100%
0%
pseurre,
User Rank: Strategist
11/25/2013 | 8:52:57 AM
Re: Privacy laws
The records wouldn't be useless if there was no way to link data back to the patient.

If you just needed one piece of information each time then I would agree with that statement. However most research is probably far more complex than that would need more information: not just on the condition being researched, but whether they suffered other problems, at what time, for how long and other details if they were looking into interactions.

Without some identifier to properly organise these records then the records themselves are useless when it comes to research.

Incidentally, it's interesting you mention hackers. Have you come across the term 'jigsaw identification'?
pseurre
100%
0%
pseurre,
User Rank: Strategist
11/20/2013 | 4:04:15 PM
Limits
There are some rather startling limits to what anonymisation can achieve - especially if you know who you're looking for.

http://arstechnica.com/tech-policy/2009/09/your-secrets-live-online-in-databases-of-ruin/


The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.