Go for a run: data is collected. Post a tweet: data is collected. Take a genetic test to find out who your ancestors were: data is collected. 

It’s fast becoming a cliché, but it is true that a tsunami of healthcare-related data about patients’ genetic makeup, lifestyle choices and social profile, is imminent. This information promises to enable healthcare providers to diagnose illnesses earlier, medicate more precisely, and even prevent patients from becoming sick in the first place. But, in order for the healthcare profession to harness the true power of all this data, it will require changes to legal practice and regulations.

This was the conclusion arrived at by Dr Muhammad Rizwan Asghar1, principal investigator on the Precision Driven Health (PDH) research project to review privacy and consent management in healthcare, with a focus on emerging data sources. The project reviewed legal and regulatory requirements in New Zealand, Australia, the European Union, and the United States of America, and found that in none of these countries are there systems to allow for the collection of, and access to, some of the new data with potential for use in health.

While there is legislation that provides for traditional data (i.e. medical record, scans, x-rays etc) to be collected and used as part of an Electronic Health Record (EHR), there is little governing the use of new data sources. In fact, most of the electronic systems that were studied by the research team didn’t even mention emerging data sources.

Should healthcare providers want to accommodate new data, the challenges faced will include an inability to easily request patient consent for the purpose required, patient data being stored on different systems that can’t “talk” to each other, and uncertainty regarding how long the data retention period should be. 

Dr Asghar’s research suggests that what is required is “dynamic consent”. This would enable patients to freely approve - or withdraw - their consent for the use of any identifiable data, and always remain informed about why and how their data is being used.

Dynamic consent will require changes to regulation, as well as the electronic systems that handle patient consent. It is not simply a matter of extending the current consent processes as neither the law, nor the technology, allows patients control over their own EHR – all they can do is request a copy to view and/or edit their partial EHR information.

This research highlights how PDH’s partners can now work on finding ways – in law and in practice – to collect and use data, thereby enabling healthcare providers to offer their patients not only personalised care, but personalised privacy as well.

To learn more, please refer to the academic paper

1 Dr Asghar was assisted in his research by Dr Mirza Mansoor Baig – Research Team, Orion Health; Dr Giovanni Russello - Cyber Security Foundry, The University of Auckland; TzeHowe Lee - Cyber Security Foundry, The University of Auckland; Dr Ehsan Ullah – Clinical Quality and Safety Service, Auckland District Health Board, and Prof Gillian Dobbie - Cyber Security Foundry, The University of Auckland.