The health sector is one of the most vulnerable sectors when it comes to data privacy. Blockchain technology, which is currently emerging as one of the most promising technology for healthcare systems is evaluated here from a privacy standpoint to ascertain if it will alleviate the concerns around data privacy especially in light of the GDPR.
Advances in mHealth technologies, internet usage, and the uptake in the use of mobile devices across the globe have resulted in large quantities of medical data being collected which includes personal information as well as sensitive health data. mHealth solutions offer a cost-effective method to reach wider segments of national populations making it attractive for the purposes of public health management and as an enabler for meeting sustainable development goals in the global south. However, based on recent notable data breaches worldwide, the health sector has been identified as immensely data rich and yet one of the most vulnerable sectors when it comes to data privacy and cybersecurity. The health sector thus faces a unique challenge as it has to perform a balancing act between privacy-preservation and accessibility of multiple parties to health data in the interest of individual and public health.
The benefits of mHealth technology to improve healthcare quality and expand public access to services can be achieved only if individuals and service providers are confident in the privacy, security and data integrity of collected and stored health data. Blockchain technology is currently emerging as one of the most promising technology for healthcare systems, but it needs to be evaluated from a privacy standpoint to see if it will alleviate the concerns around data privacy. The concept of privacy today has been transformed from the historical “right to be left alone” to the ability and the right of users “to control and protect personal information” and in the cases of the General Data Protection Regulation (GDPR1) compliant countries, the “right to be forgotten”. The goal of this chapter is to review and analyse the academic as well as practice literature and report on the following:
a. What are the major concerns about patient privacy related to mHealth data used for purposes other than primary patient care?
b. How privacy legislation around the world is seeking to control concerns around data privacy?
c. What are the implications for digital privacy in using blockchain technology for mHealth solutions?
We will first briefly define privacy and why it is a concern for mHealth, we will then provide an overview of the major challenges for mHealth solutions. We then discuss how privacy legislation around the world is addressing data privacy challenges, followed by an evaluation of blockchain technology against one of the major privacy legislations, the EUGDPR.
The actual definition of privacy has not always been clear or comprehensive. Many researchers have suggested that privacy is the ability to control information about oneself (Bélanger&Crossler, 2011). From a traditional human rights viewpoint, “privacy is often thought of as a moral right or a legal right” (Clarke 1999) and in this tradition the right to privacy would also be a right that needs to be protected as is evidenced by the dominance of legal processes and mechanisms in existence to protect this right in societies. Privacy is held to be valuable because it is believed to protect individuals from all kinds of external threats such as defamation, harassment, manipulation, blackmail, theft, subordination and exclusion. Privacy is an articulation of the core value of ‘security’, meant to protect people from all kinds of harm done by others (Moor, 1997).
According to ALRC Report 108, 2008,information privacy involves rules that govern collection and handling of personal and sensitive data such as financial information and medical records while privacy of communications deals with the security and confidentiality of mail, telephones and other forms of private communications. In this chapter, our scope of privacy will be limited to information privacy pertaining to mHealth systems data and privacy of related communications over the internet. By control we mean controlling the unauthorised incursions from individuals, businesses and governments on data collected by combining technology, policy, and legislation in order to protect privacy (Landau, 2015).
Privacy of mHealth data is a major concern of the population, particularly if there is stigma associated with the illness (e.g., HIV/AIDS). Although mHealth is being used widely in healthcare industry, there is a lack of robustness in these systems from the perspective of privacy management (Raychaudhuri & Ray, 2010).Healthcare data is a lucrative target for hackers and, therefore, securing protected health information is the primary motivation of healthcare providers. Healthcare has also become the primary target for cybercriminals. In Australia, the Office of the Australian Information Commissioner (OAIC) released its latest quarterly statistics report of Notifiable Data Breach (NDB) Scheme (1 April to 30 June 2019). The report shows trends and developments about notifications made under the NDB scheme and in this quarter, health sector recorded the highest number of data breaches. This year, a record number of 2.5 million Australians have also opted-out of the Australian online health record system, myHealthRecord. Governments globally have started tightening up their privacy legislation to combat the growing trend in data breaches. In this climate, the technologies underpinning mHealth must address data privacy seriously.
In the current digital world, mHealth data often flows across a borderless internet network. Borderless healthcare can enable treatments outside of national healthcare systems and sharing mHealth data can help to improve the accuracy of diagnosis and treatments and deliver positive benefits. However, governments around the world are imposing restrictions on cross-border data transfers in order to protect privacy, therefore organisations that deal with health data need to be aware of privacy legislation, standards and guidelines in each jurisdiction.
The European Union(EU)General Data Protection Regulation (GDPR) is the new EU regulation about privacy and data protection which has become fully enforceable since 25 May 2018. GDPR essentially regulates the “personal data” of EU citizens through the entire life-cycle of collection, use, retention, transfer and deletion. GDPR has brought a new level of rigour and transparency into data collection, storage and use, resulting in heavy fines for organisations for non-compliance. The GDPR generally applies to the data processing activities of “data processors” and “data controllers”. Organisations that store data are “data controllers” and those that work with this data are called “data processors”. Processing in the GDPR context means any operations performed on personal data set(s) such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction. It is generally the responsibility of the data controller to comply with the GDPR. The controller decides why personal information is collected and processed while processors process personal information based on instructions from or under a contract with the controller.
The GDPR clearly holds organisations accountable for any personal data that they hold, and there are substantial financial penalties on organizations for data breaches and non-compliance. Google has been the first tech giant to be penalised under GDPR in France, receiving a €50 million fine for privacy violation while in the UK, In the UK, the Information Commissioner’s Office (ICO) has for the first time used its new powers to punish companies (British Airways and Marriott hotel chains) that break laws protecting consumers’ data by handing them fines worth almost £300 million. The GDPR will be enforceable not only for EU companies, but also for companies that reside in other countries (for example, India), where the data of EU residents are monitored, or analysed as part of a service contract. Companies all over the world that operate internationally have therefore been ensuring that they comply with the GDPR and other new privacy regulation so that heavy penalties are not incurred for future data breaches.
Privacy legislations around the globe are tightening up with the advent of GDPR.“The principles of the GDPR are also radiating beyond Europe. From Chile to Japan, from Brazil to South Korea, from Argentina to Kenya, we are seeing new privacy laws emerge”(Ansip & Jourova, 2019). Many countries around the world are amending their privacy legislations and countries that have not had data protection and privacy legislation have been introducing newones.
The OECD guidelines on the protection of privacy and trans-border flows of personal data was developed in 1980 have been the basis for many national and international privacy regulations. The Australian Privacy Principles (APPs) outline how most Australian Government agencies, all private sector and notfor-profit organisations with an annual turnover of more than US$3 million, all private health service providers and some small businesses (collectively called ‘APP entities’) must handle, use and manage personal information. The Privacy Amendment (Notifiable Data Breaches) Act 2017 established the NDB scheme in Australia which sets out obligations for notifying affected individuals, and the Australian Information Commissioner, about a data breach which is likely to result in serious harm where examples of serious harm include identity theft, serious harm to an individual’s reputation. The GDPR and the Australian Privacy Act share many common requirements but there are some notable differences such as the ‘right to be forgotten’ under GDPR, which does not have an equivalent right under the Privacy Act. The GDPR also places obligationson the “controller” that are more onerous than the Australian Privacy Law.
Other draft legislation and guidelines that are worth noting are India’s Personal Data Protection Bill, which if passed will become effective in early 2020. In China, although the PRC CyberSecurity Law has been in effect to address cybersecurity and data protection, in May 2018, the National Information Security Standardisation Technical Committee (TC260) has issued a national standard, most similar to GDPR called the Personal Information Security Specification which covers the handling of personal information while Personal Data (Privacy)
Many mHealth technologies produce a large, long-term stream of data about a person’s health and health- related behaviours that, if aggregated, presents a huge opportunity for public health research. In order to do remote patient monitoring for the treatment and care of patients, healthcare professionals have been adopting Internet of Things (IoT)-based wearable technology which has witnessed billions of sensors, devices, and vehicles being connected through the Internet. In this section some of the key challenges are highlighted. mHealth applications and devices often collect a wide range of information for multiple uses. Challenge is to help individuals understand what data is being collected, where it is stored, who has access to which data at what granularity, what it will be used for and then notify users of any deviations from the agreed-upon protocol(Kotz et.al, 2016).
Wearable sensors is a rapidly evolving field that is being used to monitor health states and infer behaviours but as is often the case with new and disruptive technologies, they raise some serious privacy challenges. Certain practices such as continuous audio recordings can capture private conversations with other non-consenting peoplein the house,which is unethical and could be illegal in certain countries. A survey on wearables has highlighted privacy challenges pertaining to ethical issues, data jurisdiction, inadequate privacy policies of devices, bystander privacy and re-identification risks(Datta et. al, 2018).
The use of smartphones for mHealth apps raises privacy concerns as an average user’s smartphone has numerous apps and there is a possibility that one app could be gathering information about other apps on the device and use it in ways the user might not be aware of or approve of. A study reviewing data security and privacy policies of mobile apps for depression revealed that there is not much transparency around data handling as app developers have considerable latitude in their data security and privacy practices within health apps and how such practices are explained to users (O’Loughlin, et al, 2019).
According to(Kotz et.al, 2016), understanding the evolving range of relevant technologies by multiple stakeholders,involved in policy development and the enforcement of privacy legislation is crucial. This can be achieved by training and awareness. To realise the promise of mHealth devices and applications, every stakeholder in the system must understand and trust the system to provide high quality data and healthcare services while at the same time respecting patient privacy.
There are massive opportunities for mHealth applications to leverage the blockchain technology ranging from electronic medical records and pharmaceutical supply chains to smart contracts for payment distribution. Blockchain lends itself to numerous solutions such as providing patients, the authority over their entire medical history or combatting the counterfeit drug market by tracking and verifying the authenticity of pharmaceutical product. Another significant area of blockchain use is the Genomic market where companies are building blockchain platforms to enable sharing of genomic data. However, there is still some regulatory uncertainty surrounding blockchain, especially in how the technology complies with GDPR. On one hand, GDPR and blockchain technology both aim to provide more security to personal data, are geared towards data transparency and individual rights and yet the paradox is that there are key differences as well.
Some of the paradoxical challenges that blockchain technology faces when it comes to compliance with the GDPR are what constitutes personal data, immutable ledger, centralisation vs decentralisation (Bennett, 2018):
The GDPR applies to any personal data that is stored or transmitted using a blockchain network where personal data means any information relating to an identifiable natural person who can be identified directly or indirectly by identifiers such as name, location data, online identifier as wells as other data that relate to the physical, physiological, genetic, mental, economic, cultural or social identity of that person (Article 4 GDPR Definitions). Blockchain technology can hide the actual identity of individuals using the network by encrypting the data assigning them a unique identifier such as an encrypted key, however, the company holding the decryption key is the one who can actually do something with the data. but if someone holds the code to decrypt that key, then the encrypted key may still constitute personal data under the GDPR which essentially means that reversible encryption data can be considered personal data and therefore remains in the scope of the GDPR. Hashing or non reversible encryption is a way to overcome this challenge, however whether hashed personal data should be considered personal data is still unknown.
Blockchain technology is essentially a decentralised network while the GDPR, is more suited towards centralised networks with a hierarchy of a data controller controlling data processors. It could be easier fora private and permissioned blockchain network to be GDPR compliant in this challenge because in a public blockchain it would be difficult for a regulator to determine who is liable when a network is in breach of the GDPR, potentially making everyone liable. In a permissioned blockchain, access and control of data is restricted to only few trusted parties and the right to restrict who can process the data (Art 18 of GDPR). However, a privately permissioned blockchain introduces a controlling authority and a need to trust this authority, which runs counter to the distributed nature of the blockchain.
The blockchain, whether public or permissioned is immutable, but GDPR gives people the right to erase, add or modify information. Blockchain’s main benefit is the immutability of data to ensure the security and accuracy of the record. A solution to the challenge is to avoid recording any personal data within the blockchain itself or to anonymise the data, although the robustness of anonymisation techniques is not always fool-proof. It should be noted that the GDPR does not specify what constitutes erasure. In this context, some encryption techniques, coupled with key destruction, could potentially be considered erasure even if it’s not erasure in the strictest sense. Destroying the decryption key would render the data as useless, however the counter-argument is that strong encryption is still reversible and can be broken as computers get faster in future and the personal data could be revealed at a future date. The personal da a could be stored elsewhere, where one has read and write access, such as a secure server and a reference to that data can be stored in the blockchain as a hash function. The hash in this case is not reversible back to the data. Hash can be used to verify the integrity of the data in the central server. However, the hash itself may be classified as personal data as it links to the personal data. If the actual data is removed from the block chain then the hash becomes useless and is no longer considered personal data because it points towards nothing.
These are pieces of software that can be deployed to a blockchain network and executed independently from their publisher(s) so there is a debate as to whether smart contracts are operated by the publisher or the network user or by both. Article 22 of GDPR gives people the right not to be subject to solely automated decisions and profiling under certain circumstances that have a “legal or similarly significant effect on individuals”. If smart contract developers have to allow for human intervention, then the trust that transaction participants have in smart contracts would be reduced. Finck (2019) evaluates and concludes that smart contracts do qualify as a form of solely automated data processing under Article 22 GDPR in certain cases, which means they will not be automatically compliant with GDPR, however they can be designed to be compatible with the GDPR requirements. The future of smart contracts will not be one of total automation.
The challenges and provide scope for further research into privacypreserving blockchain technology. Ling & Zhang (2018) proposes a blockchain based secure and privacy preserving PHI sharing scheme using two kinds of blockchains - private and consortium blockchains. Fan (2018) proposes a consortium blockchain based solution called MedBlock with high information security combining the customised access control protocols and symmetric cryptography.
While many challenges exist for blockchain technology to be compliant with privacy legislation, especially in the EU, it is equally important to understand that governments need to balance the right of safeguarding personal data with other fundamental rights. The right to data protection needs to be balanced with other equally important concerns around public health and innovation. European regulators have stated that while their goal is the protection of individual rights and personal data, they are equally committed to blockchain technology as a platform for innovation. Understanding the interplay between blockchain and the GDPR compliance should take place on a case-by-case basis, by analysing where the personal data appears, how it is processed and who is responsible for that processing. GDPR also stipulates that data protection should be designed into the platforms and by default, and not added on top. Blockchain technology is at a foundational stage and often developed by open source community, therefore, there is a lot of scope for data protection to be designed in blockchain based solutions. The purpose of GDPR and other privacy legislation is not to ban certain technologies but rather to ensure that adequate steps are taken to address risks to data privacy.