By Kim-Fredrik Schneider, Co-Founder and CEO of Abi Global Health
Privacy guru warns that mHealth companies need to be ethical with their data to survive.
In this third guest article for the Journal of mHealth I spoke to one of the leading influencers on consumer privacy and data protection, Emerald de Leeuw LLB LLM MSc.
Emerald was a leading early campaigner for companies to prepare for the General Data Protection Regulation (GDPR) and her pioneering work continues today as she heads the EMEA privacy team at Logitech. Emerald is a member of the board of advisors of the law school at University College Cork, a contributing lecturer on technology and data protection law at the Law Society of Ireland, and a contributor for Cybersecurity at MIT Sloan. She was awarded the European Innovator of the Year 2017, Forbes Female founder to watch 2018, and German Marshall Fund YTILI Fellowship.
My company, Abi Global Health, provides Abi, a service that uses AI to enable real doctors to give remote micro-consultations via text. As I wrote about previously in the Journal of mHealth, at Abi we like to think about not only data ethics but also the ethics of data exchange, and how that underpins our service. In this interview, Emerald shares her thoughts on how companies in the mHealth space need to put data ethics at the heart of everything they do to survive and thrive.
—–
Emerald de Leeuw:
Ethics and telemedicine is not a new topic. The conversation actually started way back in the 1980s. In 2006, the American Society for Bioethics and Humanities was officially assigned by the WHO to investigate the ethical issues in telemedicine. But during the 2020 pandemic this topic is more important than ever, as people are less inclined to go to a doctor’s office.
One of the more pressing issues surrounding telehealth today is consumer privacy and COVID-19 tracking apps. People are wondering what are the consequences, short-term and long-term, if we trade-off privacy in place of public health? There is already so much wrong with the fact that that particular question is being asked, it’s a false dichotomy. We can have public health, and private care through the likes of telemedicine, and we can have privacy, and solid ethical practices, all at the same time.
We often hear privacy and data protection used interchangeably, but they really aren’t the same thing. The right to privacy is not just the right of an individual, it’s also a social value, it’s universal, whereas the right to data protection isn’t quite there yet. If you look at the Charter of Fundamental Rights of the European Union, you’ll find the right to privacy and the right to data protection, in articles seven and eight respectively. I personally believe that it’s really important to look at the body of law in a holistic way to understand where legislation comes from and what the intent is of the legislation. If you understand its intent, you will naturally already make better decisions.
The Digital Revolution
The digital revolution provides us with many benefits: for health, for the environment, etc. But technology should not dictate our values and our rights. The brilliant author and speaker Tristan Harris once said, “Most recent conversations about the future focus on the point where technology surpasses human capability, but they overlook a much earlier point, which is where technology exceeds human vulnerabilities.” Tech has moved so quickly that our lizard brains, that part of our brain that is impulsive and that we don’t really have conscious control over, struggles to keep up with the evolution of technology. This is where privacy engineering and ethical design come in.
When it comes to healthcare, it becomes even more important that the technology, as well as the design of the service delivery, is aligned with our innate human vulnerabilities. It’s crucial that the person actually understands what they’re consenting to. Healthcare data is uniquely sensitive, and requires a more nuanced approach than the standard Ts & Cs on a social media platform.
If we look at consent just from the medical setting, some of the things you should be including would be: a description of the medical procedures, the positive results expected from a treatment, a description of the potential risks, any alternative treatments you could choose. But then we haven’t quite combined that type of consent with the consent and transparency requirements required under data protection law.
Lessons from the GDPR
So if we look at consent under the GDPR, and we look at article six, which is just consent for regular personal data, then it makes it really clear that this consent needs to be: freely given, specific, informed, unambiguous, and should be a clear indication (by statement or a clear affirmative action) that a person agrees to having their data processed in a certain way. Now that’s all well and good, but when it comes to data that pertains to health you also need to look at article nine which speaks of explicit consent, which implies a higher bar.
Nobody really knows what that higher bar is yet, but I think it makes it really clear to us that the individual should be fully aware, not just of the treatments, but also of the exact data processing involved. Where does the data go? Who has access to it? How long is it retained? Will it be anonymized? Or will it simply be pseudonymized? And of course, what are their rights as regards their personal data?
Better UX Design Is Key
This is where design comes in. You absolutely need a privacy policy, but you absolutely cannot present this as an impenetrable block of legal text. Think about other ways you can communicate this information. Could you have a web page on privacy that describes in a video or with graphics, in layman’s terms, what actually happens to the data? Can you come up with another creative way in which you can display something as complex as a privacy policy? Because the really hard thing about privacy policies, and also meeting this transparency requirement (particularly when the processing of the data is of a rather complex nature) is how do you make sure you meet all of the requirements of the policy itself while keeping it easy to read and making it understandable. Design an additional layer of transparency, have a basic privacy page where you explain what is happening in friendly language.
Why is this important for mHealth? The presence of the informed consent not only supports the patient’s ethical rights, but also removes any concern around the confidentiality of the data.
Ethical UX Design
Invalid consent could destroy your brand reputation, and land you with a hefty fine for breaching the GDPR. When designing digital products and services, it’s vital that this digital interface actually gives us a better experience than before. You can achieve this by adopting a human-centered approach to user experience (UX) design.
UX designers need to think not only about security, privacy and data protection, but also about some innate human vulnerabilities, for example: our limited attention span. Ask yourself, is it clear to the user what they are opting into? We also need to consider the effect that technology can have on a user’s mental health. I think this is especially important in a medical setting, you should never add more strain on top of what is likely to be a stressful situation to start with. In telemedicine, in particular, the doctor-patient relationship is crucial. Your customers will be wondering will they have the same bond with the person providing healthcare advice as they would have in person?
Can You Be Data Ethical By Design?
For companies reading this and wondering how they can be more data ethical by design, my advice would be to educate yourself on humane technology, and carry out a data ethics impact assessment. Ask yourselves: am I being inclusive? Will this be discriminatory in any way? Am I considering, for example, the person’s attention span? Are there additional things I can do on top of the GDPR essentials? Do I have a user-friendly page on privacy, or a page on our core values and beliefs?
Do it now, because the moment you make a mistake, the trust is gone.
—–
Thanks, Emerald. As the previous Journal Of mHealth articles have explored, trust is indeed the new oil in the field of telehealth, and in today’s market every company in telehealth and mHealth needs to be ethical with their data to survive.
Kim-Fredrik Schneider is the Co-Founder and CEO of Abi Global Health.
