The 12 Step Guide To Data Ethics For mHealth


Telehealth providers need to go beyond compliance to meet the moral imperatives of our technological age.  

By Kim-Fredrik Schneider, Co-Founder and CEO of Abi Global Health

The General Data Protection Regulation, or GDPR as it is commonly known, was a distant compliance project for many companies, until it wasn’t. Rumors of GDP-sized fines for non-compliance quickly sharpened the attention of many tech companies, and data protection by design was understood as a minimum requirement for any business looking to survive and thrive in our new age of cloud-based consumer data management.

While this is great news, and an unprecedented achievement, there is still a problem. Although many companies reached the minimum requirements for managing customer data, after that they just stopped. This is a major issue for patient information management, especially in the growing field of telehealth.

My company, Abi Global Health, provides Abi, a service that uses AI to enable real doctors to give remote micro-consultations via text. As I wrote about previously in the Journal of mHealth, at Abi we like to think about not only data ethics but also the ethics of data exchange, and how that underpins our service. There are three key pillars to consider: that the service is accessible, that the service is secure, and that it is trustworthy.

To make sure our platform goes beyond just compliance we engaged with some of the best privacy professionals in the field of telehealth and mHealth, including Philipa Jane Farley, a consultant and auditor for cybersecurity, GDPR, data protection and privacy, and the director of ProPrivacy. I invited Philipa to share her 12 Step Guide For Data Ethics with the readers of the Journal of mHealth.

1 – Join The Dots

I think a lot of people reading the Journal of mHealth would understand data protection by design, and its precursor privacy by design. Data protection by design is the exercise of embedding the principles as embodied in the GDPR. It’s not a simple process, and it involves technical measures, physical controls, and policy and procedural controls. So when we’re looking at a service like Abi, a telehealth service, where we have different systems interconnected, various stages of having to protect data and control data, and putting the choice of the access to the service in the hands of the user, it can turn into quite a complex assessment, or a complex management process, understanding all the different actors involved.

2 – Keep The Correct Records

It’s not just technology, it’s not just the GDPR. We’re dealing with medical regulatory requirements here too. So we have to bear in mind the lawfulness under the data protection requirements, the lawfulness under the medical requirements and, very specifically, when we’re looking at the different data processing activities within these systems, we have to identify our legal basis for processing. That’s just a technical point; record keeping is a very important part of data protection by design. If you’re looking for a partner, if you’re looking to implement a system like this, you need to know whether your Article 30 records of processing are in order.

3 – Always Be Fair

In terms of lawfulness, fairness, and transparency, the individual end-user is central. Access to the service, to medical knowledge, medical health and medical assistance is the consideration. When we are looking at an individual that needs help, we must not process their data in a way that’s detrimental, unexpected, misleading, or deceptive. So, when we are looking at solutions now in the telehealth space or health-related technology processing (especially with the COVID-19-related applications) we look at this notion of the processing not being detrimental, unexpected, misleading, or deceptive. If you’re using an app to process your health data, is your data being processed in a way that you would expect? We don’t want to go outside of the scope of what we’ve identified the processing should be. The individual should be central.

4 – Bridge The Digital Divide

The digital divide is a serious issue in many countries right now, and you need to factor this into your solution design. Transparency is key to building trust, so you need to know your audience and use transparent language that they can understand. If vulnerable groups such as teens and migrants might be accessing your service, for example, make sure you use clear and plain language. Never hide behind high-end terminology, we don’t want to use any language that manipulates the individual or the end-user of these applications. Designing your documentation is actually standing in the shoes of the user and going, ‘Would somebody understand this?’ For example, you might need to offer information by using pictures and video format for some data subject groups.

5 – Documentation Is Never Static

It is important to remember that the transparency documentation and the data protection notice is not a one off, it’s an ongoing obligation. So, as your service changes and as the technologies might be reviewed, you should review your notice and you want to update it as you go along. This is very much central to this principle of data ethics. You should never hide behind documentation which becomes outdated, so you need to operationalize the updating of your key data documentation as your business evolves and the world changes.

6 – Embrace Your Limits

Purpose limitation is really important with health-related processing. You need to be absolutely specific, and absolutely explicit, about your purpose. What are you achieving with this processing? What is the point of it? Further processing is a huge issue in the space at the moment where data is taken, where it was intended for one purpose in application but it’s taken and used in many other ways. There are regulations which state that humans should be asked for consent before you anonymize the data to pass it on. But first and foremost, you should have defined your purpose. If you’re intending to use the data for research purposes or statistics, for example, you should have defined your purpose widely enough, so at the outset the data subject understood what they were getting themselves into when they started using the application.

7 – Minimise Data

Data minimization is really important when we look at security considerations, because if we’re looking at any worst-case scenarios such as data breaches, we want to know that the least amount of data possible could have been breached. We want to know exactly what that is, and obviously we don’t want the end-user to come to any harm. Within data minimization and your security controls, there’s also an aspect of separation of data and various other methodologies you can put in place to secure that data. Data minimization is one thing I love about Abi; at the outset they collect the minimum amount of data. This is a huge part of data protection by design, where you can build data minimization into the application as you go along.
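One way to make the two ideas in this step concrete, data minimization and separation of data, is to enforce both at the intake boundary. The following is an added example written for this article, not Abi Global Health’s code: the field names, the user id format and the link key are assumptions. Fields outside the declared purpose are dropped before anything is stored, and identity and clinical data go to separate stores joined only by a keyed pseudonym, so that a breach of the clinical store alone yields no names or e-mail addresses.

```python
# Added example (not Abi Global Health's code): data minimization and
# separation of identity from clinical data at the intake boundary.
# Field names, the user id format and the link key are assumptions.
import hashlib
import hmac
from dataclasses import dataclass, field

# Fields the declared purpose (a text micro-consultation) actually needs.
# Anything else the client submits is dropped here and never reaches storage.
CLINICAL_FIELDS = frozenset({"symptoms", "duration_days", "age_band"})
IDENTITY_FIELDS = frozenset({"name", "email"})


@dataclass
class Stores:
    """Two stores that would live in separate systems in a real deployment."""
    identity: dict = field(default_factory=dict)  # pseudonym -> identity fields
    clinical: dict = field(default_factory=dict)  # pseudonym -> clinical fields


def minimize(submitted: dict, allowed: frozenset) -> dict:
    """Keep only allow-listed fields; unknown or extra fields are discarded."""
    return {k: v for k, v in submitted.items() if k in allowed}


def pseudonym(link_key: bytes, user_id: str) -> str:
    """Keyed pseudonym used to join the two stores.

    HMAC rather than a plain hash: without link_key an attacker holding the
    clinical store cannot hash likely user ids to recover the link.
    """
    return hmac.new(link_key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def intake(stores: Stores, link_key: bytes, user_id: str, submitted: dict) -> str:
    """Split one submission into identity and clinical parts, each minimized."""
    pid = pseudonym(link_key, user_id)
    stores.identity[pid] = minimize(submitted, IDENTITY_FIELDS)
    stores.clinical[pid] = minimize(submitted, CLINICAL_FIELDS)
    return pid


def stored_fields(stores: Stores) -> set:
    """Every field name present anywhere in storage (the minimization check)."""
    names = set()
    for store in (stores.identity, stores.clinical):
        for record in store.values():
            names.update(record)
    return names


def breach_exposure(stores: Stores, breached: str) -> list:
    """What an attacker who copies only one store ("identity" or "clinical")
    can read. Identity and clinical data are joinable only by someone who
    holds both stores or the link key."""
    return list(getattr(stores, breached).values())


# Constructed sample submission: the client sent more than the purpose needs.
SAMPLE_SUBMISSION = {
    "name": "A. Patient",
    "email": "a.patient@example.com",
    "symptoms": "persistent cough",
    "duration_days": 9,
    "age_band": "30-39",
    "home_address": "1 Example Street",  # not needed for the consultation
    "employer": "Example Ltd",           # not needed for the consultation
}


def demo() -> Stores:
    """Run one intake with the constructed submission and return the stores."""
    stores = Stores()
    link_key = b"assumed-link-key-held-only-by-the-identity-service"  # assumption
    intake(stores, link_key, "user-1001", SAMPLE_SUBMISSION)
    return stores
```

The check a practitioner wants here is `stored_fields(demo())`: it must contain nothing beyond the two allow-lists, however much the client sent. In a real deployment the link key lives with the identity service only, so the clinical system can never re-identify its own records on its own.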

8 – Accuracy Is Vital

Accuracy is the next principle. Putting the ability to keep data up to date and accurate into the users’ hands is an easy-to-implement part of data protection by design. You might also require an audit trail of changes, especially in the medical health context. These are the kinds of questions you should be asking about telehealth and mHealth applications: how do you manage those changes to the medical record, and how much control does the user have? Furthermore, if you allow the user to manage their record of data, it does instill confidence in them and builds up that trust in the user.

9 – Storage Has An Expiry Date

Storage limitation is another principle. So very specifically, we would say that partners or the people along the data processing chain need to collaborate in this regard. Regulatory requirements would be the primary driver when it comes to determining storage requirements: how long are you going to keep the records for, and what needs to be kept? Usually, you cannot just keep data indefinitely. You can’t say ‘I might need it one day.’ Previously, we said exactly what you’re going to use it for, and that should drive your decisions on how long you are going to keep the data for.

10 – Deletion Policies Need To Be Clear

Strong policy documentation and record-keeping of deletions and data destruction are recommended, and they are part of your data protection by design and the framework that you have over it. And again, the need to collaborate between parties is very important here; it helps you respond to data access requests and ensure that the rights of data subjects are protected.
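Steps 8, 9 and 10 fit together in one record store: an audit trail of who changed which field and when, a retention period per record category that drives automatic expiry, and a deletion log that can answer a subject access request without keeping a second copy of the deleted health data. The following is an added example written for this article, not Abi Global Health’s code; the record categories, the retention periods and the actor labels are assumptions, and real retention periods come from the applicable medical record-keeping rules.

```python
# Added example (not Abi Global Health's code): per-field audit trail,
# retention-driven expiry and a deletion log for medical records.
# Record categories, retention periods and actor labels are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed retention schedule. In practice each period is set by the medical
# record-keeping rules for that category, never by "we might need it one day".
RETENTION = {
    "consultation": timedelta(days=10 * 365),
    "chat_transcript": timedelta(days=30),
}


@dataclass
class Record:
    record_id: str
    category: str
    data: dict
    created_at: datetime
    # Audit trail entries: (timestamp, actor, field, old_value, new_value)
    history: list = field(default_factory=list)


class RecordStore:
    def __init__(self):
        self.records = {}
        # The deletion log keeps identifiers, category, reason, actor and time
        # only, never the deleted content, so it cannot itself become a copy
        # of the health data whose destruction it evidences.
        self.deletion_log = []

    def create(self, record_id, category, data, now):
        # Refuse to store anything that has no retention rule.
        if category not in RETENTION:
            raise ValueError(f"no retention rule for category {category!r}")
        self.records[record_id] = Record(record_id, category, dict(data), now)

    def update(self, record_id, actor, changes, now):
        """Apply field changes, recording who changed what and when."""
        rec = self.records[record_id]
        for name, new_value in changes.items():
            old_value = rec.data.get(name)
            if old_value == new_value:
                continue
            rec.history.append((now, actor, name, old_value, new_value))
            rec.data[name] = new_value

    def _delete(self, record_id, reason, actor, now):
        rec = self.records.pop(record_id)
        self.deletion_log.append({
            "record_id": record_id,
            "category": rec.category,
            "reason": reason,
            "actor": actor,
            "deleted_at": now.isoformat(),
        })

    def expire(self, now):
        """Delete every record whose retention period has elapsed; return ids."""
        due = [r.record_id for r in self.records.values()
               if r.created_at + RETENTION[r.category] <= now]
        for rid in due:
            self._delete(rid, "retention_expired", "system", now)
        return due

    def erase(self, record_id, now):
        """Deletion on the data subject's own request."""
        self._delete(record_id, "subject_request", "data_subject", now)

    def deletion_evidence(self, record_id):
        """Answer 'what happened to my record?' from the log alone."""
        return [e for e in self.deletion_log if e["record_id"] == record_id]


def demo():
    """Constructed walk-through: create, user correction, expiry, erasure."""
    t0 = datetime(2021, 1, 1, tzinfo=timezone.utc)
    store = RecordStore()
    store.create("c-1", "consultation", {"symptoms": "cough", "advice": "rest"}, t0)
    store.create("t-1", "chat_transcript", {"lines": ["hello", "I have a cough"]}, t0)
    # The user corrects their own record (accuracy in the user's hands).
    store.update("c-1", "data_subject", {"symptoms": "cough, 9 days"}, t0 + timedelta(days=1))
    history = list(store.records["c-1"].history)
    # Thirty-one days later the transcript is past its retention period.
    expired = store.expire(t0 + timedelta(days=31))
    # Later the subject asks for the consultation itself to be erased.
    store.erase("c-1", t0 + timedelta(days=40))
    return {"store": store, "history": history, "expired": expired}
```

Two design choices are worth calling out. The audit trail keeps old values, because a medical record’s change history is itself evidence; when the record is erased the trail goes with it, and only the content-free deletion log remains. And `create` refuses any category without a retention rule, so a new data type cannot be added to the system without someone deciding how long it is kept.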

11 – Integrity And Confidentiality

In the medical field, with health data, there are very important requirements to make sure that confidentiality is maintained and there is the assurance of data integrity. If you’re looking for a partner in the space, you’re going to be asking questions on security audits and penetration testing, that kind of thing. And within that, we don’t only look at the tech measures that are taken, but we look at physical security, as well as organizational measures related to the access to data and policy in that regard. I would also include user education here. We need to respect the fact that people have a choice in their use of technology. If they choose to access services a certain way, there is that onus on the provider to make sure that there is that element of user education and a choice.

12 – Be Accountable

You should always be able to demonstrate compliance with the principles of data protection. Can you tick all the boxes in your data protection by design exercise, as in substantively tick all the boxes? Can you say that this is built into the application procedures and processes? A key element for accountability would be appointing a data protection officer (DPO) if you’re required to appoint one, and doing DPIAs (data protection impact assessments). Your DPIA should be a living process that gets updated and reviewed as technology moves on. As risks change, as your user profile changes, and your stakeholder engagement needs to be reviewed, that DPIA is key to the accountability and the linchpin to the data protection by design process.

I would like to thank Philipa for these valuable insights. As we can see, these are 12 very clear and practical steps that organizations in the sector can take to go beyond GDPR and offer data ethics by design. If trust is the new oil, data ethics is the framework that can establish and maintain this most fragile and valuable of assets.

Kim-Fredrik Schneider is the Co-Founder and CEO of Abi Global Health.