Who owns your data?

Many health plans, hospitals, and even physician offices are putting patient data on the web to help connect to consumers. Many of us are also using service providers (SaaS, ASP, etc) to manage our data. All of these things are great and many of us have thought about the security implications: don’t put things on laptops, keep data from traveling onto USB drives, etc. Lots of thought goes into security these (though probably not as much as is really required).

But, what about privacy implications? Who owns the data that we capture from our end users? Sure, HIPAA lays out some privacy guidelines but what about sharing rules and data ownership guidelines? Have you looked at your contracts recently to see what rights vendors/consultants who have access to your data have with respect to that data? When all the systems are in your own environment you have a bit more control but in the case of ASPs and SaaS providers you’ll want to be sure you have roles, rights, and responsibilities fully worked out so you don’t get caught with a privacy violation due to an error in omission. I think giving your partners and vendors shared data rights and reuse rights makes sense for many reasons but how do you articulate those rights?

The presumption of privacy and security by visitors to our sites is fundamentally tied to the confidence they hold in us. If our policies and procedures aren’t clearly identified internally we can never really tell our visitors what they should expect.

One of the biggest issues in data sharing is the agreement on data ownership and privacy guidelines. If you’ve done some work in this area and would like to share your thoughts, drop me an email, leave a comment here, or better yet give us the opportunity to learn from you by posting a guest article.

Newsletter Sign Up

16 thoughts on “Who owns your data?

  1. I haven’t done any work in this area yet, but I would like to comment on this subject. Data privacy is a more general topic, but healthcare adds an additional layer of questions.

    My concern is that regulators and lawmakers are not knowledgeable to enact legislation on medical data at this point, e.g. genotyping data and biobanks. There are data generated during clinical trials which should be shared by the community (something the FDA is actively looking at). Patients rights group need to be made aware that data sharing in itself does not violate patients rights. Also, if the data are shared, and in some cases made available in repositories, to whom do any downstream revenues belong?

  2. Wonderful points, Deepak. Although I didn’t mention it, the downstream revenues issue is a huge one. It’s almost as if we need a whole conference or gathering focused on the issue of data privacy, ownership, revenue, etc given that we’re all struggling with it. I’m with you in thinking the government by itself can’t be relied upon due to their unfamiliarity with the issues.

    I did a gig for NIH a while back where one of the issues was sharing research data; many of the researchers were understandably reluctant to sharing their data since they wouldn’t either get credit or be left out of the revenue stream if the data made some money.

    Big issues.

  3. From today’s Sydney Morning Herald

    Smartcard campaign aims to ease fears
    INDIVIDUALS will legally own the Federal Government’s proposed smartcard and the personal information held on it as part of a strategy to counter “Big Brother” fears.
    Most Government and bank-issued cards remain the property of the issuer, but the smartcard will be covered by legislation ensuring personal ownership to reassure the public that the information stored on it is theirs and cannot be demanded for identification.
    The Minister for Human Services, Joe Hockey, will today make public further details about the card, which will be needed to obtain Medicare and welfare benefits from 2008.
    Mr Hockey is expected to respond to the latest report on the card, prepared by the consumer and privacy taskforce chaired by the former chairman of the Australian Competition and Consumer Commission, Allan Fels.
    Professor Fels has recommended that ownership of the card be vested with the individual and has called for specific legislation to cover the card.
    The microchip-embedded card will store, at the individual’s choice, emergency contacts and details of allergies, organ donor status and medication needs.
    It is expected to be used by about 14 million people at a cost of more than $1 billion.
    Police and banks will not be able to demand the card for identification, but holders will have to produce it when claiming government benefits.
    Mr Hockey has come under pressure from banks and authorities for the card to be used voluntarily as part of the proof-of-identity points system, given the widespread use of the Medicare card for identification.
    Government sources said that the voluntary use would not clash with the undertaking that the card would not be part of any compulsory identification rules.
    The Australian Federal Police have told the Government that Medicare cards feature in more than 50 per cent of identification fraud cases.
    The proposed smartcard would carry a digital photograph and name of the holder, but the address or date of birth would not be printed on the card.
    Mr Hockey is expected to argue that Australia has been a “complacent comfort zone” when it comes to card technology and security. Many European countries replaced the magnetic strip used on cards in Australia with a microchip some years ago.
    An alliance of banks, credit card companies and other card businesses is pressing the Government to use existing card infrastructure for the access card, rather than developing a separate network.
    The Government has commissioned a report into the card’s infrastructure requirements.
    Mr Hockey says the card will not result in the development of a giant database. Personal information would stay with each agency involved – Medicare, Centrelink and Veterans’ Affairs.
    However, it would do away with millions of paper files.

  4. Shahid,

    Pardalis, Inc. has patented methods for dealing with all of the issues identified above and further developed a its first version of a hosted web service we call the Common Point Authoring (CPA) system.

    The CPA system promotes the sharing of confidential, trustworthy and traceable data along complex supply chains with methods for protecting the ownership rights of information producers even after data has been shared.

    Please visit http://www.pardalis.com for more information. You are most welcome to contact me for further information. I would enjoy hearing from you.

  5. Although we ought to keep control on privacy of our information & data, but we can control up to a limit. If we are having service providers like (SaaS, ASP, etc), then also we are not sure that our data & info are safe.

  6. Data is an important aspect to concentrate on and its security is very much important. In this modern world where there is no privacy, securing data is very much difficult, SPAM is increasing too everyday.

Add Comment