Data Ownership in Healthcare: History

This section briefly discusses the issue of data ownership in the light of recent privacy laws, which have a very large impact on the topic of data sharing. It shows that these privacy laws provide rights to the patient but do not necessarily make clear who is the owner of the data; they only provide a legal framework for the handling of the data.

  • data sharing
  • privacy
  • consent
  • data ownership

When discussing the sharing of data, it is important to realize that there is not much consensus on who is actually the owner of that data.

Institutions tend to believe that they own the patient data, since they collected it. However, these institutions are in fact just “data custodians”; the data is the property of the patient and the access and use of that data outside of the clinical institute usually requires patient consent [1]. This limits the exploitation of the “big data” that are available in the clinical records, because the data should be destroyed (or sufficiently anonymized) after the end of the study.

Big data techniques such as machine learning and deep learning use thousands to millions of data points, which may have required considerable processing. It would be a waste to lose such valuable data at the end of the project. Therefore, it is advised to ask the patient for consent to store and use their data for future scientific research. Although it is not possible to use the data from a large number of retrospective datasets in this manner, this will make sure that at least the prospectively collected data can be used in future studies.

The dilemma of the use of patient data versus privacy rights has gotten much attention because of the implementation of the GDPR in 2018 (as well as the CCPA in 2020), initiating an international debate on the sharing of big data in the healthcare domain [2]. Earlier laws such as the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule [3] of the USA and the Personal Information Protection and Electronic Documents Act (PIPEDA) [4] of Canada already gave more rights to patients regarding their data, but the GDPR and CCPA have taken it to another level.

However, GDPR and similar laws do not say much about data ownership. The GDPR’s main entities are the data controller and the data processor [5]. “Data controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. “Data processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. In countries outside of the European Union, where GDPR does not apply, there is also not much agreement on data ownership, making it even more justifiable to always ask for the consent of the patient.

This entry is adapted from the peer-reviewed paper 10.3390/ijerph17093046

References

  1. Tim Hulsen, Saumya S. Jamuar, Alan R. Moody, Jason H. Karnes, Orsolya Varga, Stine Hedensted, Roberto Spreafico, David A. Hafler, Eoin F. McKinney; From Big Data to Precision Medicine. Frontiers in Medicine 2019, 6, 34, 10.3389/fmed.2019.00034.
  2. Knoppers, B.M.; Thorogood, A.M.; Ethics and big data in health. Curr. Opin. Syst. Biol. 2017, 4, 53-57, 10.1016/j.coisb.2017.07.001.
  3. Health Insurance Portability and Accountability Act-Privacy Rule. U.S. Congress. Retrieved 2020-5-8.
  4. Personal Information Protection and Electronic Documents Act. Parliament of Canada. Retrieved 2020-5-8.
  5. The European Parliament and the Council of the European Union; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Off. J. Eur. Union 2016, 59, 1-88.