E-HEALTH

By Pia Staudenmaier

September 13, 2020

The new digital way gives us the opportunity to collect all the necessary medical data to have the best treatment for every patient. Most of this information is, undoubtedly, very sensitive. The disclosure could lead to discrimination, professionally, by health insurances and even by society. The freedom from discrimination of any kind is set in Article 2 of the Universal Declaration of Human Rights (UDHR) and Article 12 grands freedom of arbitrary interference with privacy. Choosing what happens with your data is covered by the right to self-determination from Article 1 (2) of the Charter of the United Nations (UN Charter). Following the importance of digital privacy, the European Union passed the General Data Protection Regulation (GDPR) which builds on the idea that every information processed should be covered by consent. 

Consent is crucial for the success of digital medical solutions. In analog times few people would have the change to access medical data and these people are legally bound by medical confidentiality. Confidentiality is defined as the process of and obligation to keep a transaction, documents, private and secret aw well as the right to withhold information, e.g. medical information, from others. Today, the information is stored by third parties, private companies. Patients need reasons to trust these entities to approve eHealth solutions. 

Approaches

A selective overview of some eHealth solutions will depict different approaches and thus give an understanding of  why and where consent is important. Countries such as England, Estonia, Australia and Ghana all run government owned e-health systems that are centralised. Meaning the data is stored all together, which aims to have comprehensive access. Whereas in Germany so far different companies provide services, among them the insurance companies.

Also in China, two big companies that are mostly controlled by the government store medical information. There is no opportunity to opt-out of the system as it is connected to the Chinese Social Scoring System. Since the pandemic started, even public transport and stores are not accessible without it.

Other countries failed to maintain the opt-out system. Especially England’s care.data programme had to be paused several times due to massive criticism. The National Health Service had failed to properly educate the public about risks and benefits. As a consequence of the breach of sensitive data to commercial organisations the British Medical Association demanded the whole system to be opt-in. Within weeks millions of people opted out which led to the end of care.data.

Australia on the other hand started as an opt-in system (MyHealthRecord) and due to low participation rates changed to opt-out. Putting the focus on the success of MyHR, everything got forced into the centralised document store with a limited consent model. Critics question the way the Australian Government informed their citizens about MyHR and the legitimacy of the consent. Over 30% of the population already opted out of the system.

Another failed system is the virus infection tracking app Smittestopp from the Norwegian Government. Though there is consensus among health institutes, that these apps help to control transmissions, the app had to be taken down after Amnesty International rated it one of the most alarming apps worldwide. The app collects health information as well as accurate and hourly updated location data that is linked to an individual,  in doing so it became a fully functional surveillance device. While Ghana's virus tracking app is free to opt-in, it could not accumulate enough users due to security breaches.

On the contrary, Germany's tracking app with a decentralised approach, where no personal data can be linked to an individual whatsoever, was ranked one of the most secure apps in the world.

Balance between privacy and utility

Many factors can contribute to a trustworthy medical system. The right to self-determination (Article 1 (2) UN Charta), the right to live without arbitrary interference with privacy (Article 12 UDHR) and the protection from discrimination (Article 2 UDHR) has to be in balance with the benefits and the utility of medical programs. Which for its part is contributing to the right to life from Article 3 UDHR. 

Having mandatory programs like in Australia, England and Norway can logically help to have consistent data. But as the cases have shown, people will not use the technical capabilities if they do not have control over it.  A survey in the European Union (EU) showed that the major barriers to sharing electronic health data was the premier risk of privacy breaches.

The EU defined consent to be the fundamental reason for lawful data collection according to  Article 6 (1) (a) GDPR. Albeit, the processing of health data is prohibited under Article 9 (1) GDPR, there  are many exceptions (Article 9 (2) GDPR) such as inter alia statistical research and  defence of legal claims. 

It can be difficult to understand the complexity for some people. Critics say even the language in which the consent is framed can lead to misunderstandings. Which can be overwhelming and thereby cause loss of trust. Article 12 (1) and 32 of the GDPR require information to be in a easy accessible form and consent should be given by a clear affirmative act. Unequal power balances can lead to a feeling of duress, for decisions to be free, the controller needs to eliminate all imbalances of power and indirect externally effects. Therefore no government nor any company should have the opportunity and the legal basis to use health information to their advantage.

Having the control to delete information and to revoke consent gives power to the patient. The Australian legislation reacted to the above mentioned pressure on MyHR and passed a bill that allows patients to permanently delete the records.  It grants the right to be forgotten not only for health records but in any situation. No health record would be released without a court order or personal permission.

In Estonia 90% of the doctors trust and use the centralised record that is encrypted by blockchain technology. They preserve the right to determine access to the data to the patient which shows that well functioning eHealth records can be used responsibly. 



E-health can be compatible with privavy

Lawfulness, fairness and transparency are the principles of the GDPR and consent is the foundation to all data processing. This should apply for all health records. It is essential for every health care system to be trusted by citizens. Which can only be achieved through control of data and information. As some countries proved in the past months and years, it is possible to find creative and efficient solutions for a system that protects privacy and retains self-determination. Health information is intimate information, therefore digital responsibility should be treated just like patient confidentiality.