By Bogi Eliasen, Copenhagen Institute of Future Studies
In the current state of personal data management, key data aggregators have emerged. Some of these are sector specific to health, while other household names such Google, Facebook, Apple and Microsoft span multiple sectors. Moreover, as new business strategies emerge the distinctions between sector specific aggregators are increasingly blurred. While these companies have provided many societal benefits and conveniences, several disadvantages arise from this model of personal data management;
• First, there is no incentive for data interoperability (and portability) as it disables users from taking their data to a competing service. This hoarding suppresses innovation and research.
• Another drawback is that privacy and transparency become a secondary concern. This secrecy
erodes public trust, which is further undermined by privacy breaches that circulate the media.
As healthcare systems become increasingly digitalised and transition from reactive towards more proactive models of care, new opportunities arise to establish a person centric approach to health data management. In this domain, the MyData movement originating from Finland has made significant progress. Fundamentally, MyData refers to a new approach to personal data management and processing.
The three guiding principles of MyData18 are:
1. Human-centric control and privacy: individuals are empowered actors, not passive targets, in the management of their personal lives both online and offline – they have the right and practical means to manage their data and privacy.
2. Usable data: It is essential that personal data is technically easy to access and use – in machine readable formats via secure, standardised APIs (Application Programming Interfaces)
3. Open business environment: Shared MyData infrastructure enables decentralized
management of personal data, improves interoperability, makes it easier for companies to comply
with tightening data protection regulations, and allows individuals to change service providers
without proprietary data lock-ins.
In light of GDPR, a MyData-based ecosystem of health data management can be considered
complementary, and not mutually exclusive to GDPR. This person centric approach to data inherently structures consent in the flow of data. By design, it addresses the right to data portability, right to access and right to have data forgotten. Furthermore, it promotes the right to privacy by design.
The Nordic Model
Imagine a future where Nordic citizens access their health data through a My Nordic Health Card. It is linked to an online platform where medical reports, emergency contact, organ donation directives, allergies, and blood type are stored in a digitally interoperable format. With the individual’s permission, or in the event of an emergency, this information is accessible to all hospitals and healthcare professionals in the Nordic countries. For the individual, their health data is both portable and interoperable.
On the My Nordic Health Card, individuals determine the level of access to their health information in a tiered system. Lower tiered access grants viewing rights only, compared to higher tiered access in which content can be edited, but with transparency on who made the edits.
Dynamic consent is one of the central features in this online portal. Private companies must seek
explicit consent from individuals, through clear procedures and with the provision of user-friendly
documents that explain the scope of use of health data. If the scope expands or changes, patients can be updated real-time with new consent solicited through the portal. Patients can dynamically approve or withdraw consent.
Get the report here: