Governance: Health data

The following indicator is under consideration for this pilot edition of the Barometer: To what extent do relevant laws, regulations, policies, and guidance provide a basis for protecting and sharing health data?

Feedback on draft Global Data Barometer Indicators

You are looking at a draft indicator to be included in the expert survey of the Global Data Barometer. Between now and May 10th we are inviting your feedback on this indicator and the elements it contains. You can provide your feedback by (a) completing the feedback form below; or (b) adding in-line annotations.

Feedback form

You can share your feedback on the Governance: Health data indicator here, or make use of Hypothes.is annotations

Existence

  • Do relevant laws, policies, regulations or guidance discuss management of health data as structured data and the safe sharing of data?

    • Relevant laws, policies and guidance explicitly block any data sharing and/or lack any protections for privacy of sensitive data
      Supporting questions: Please briefly detail the barriers created (e.g. requirements for paper-based filing only)
    • There is no mention of data in relevant laws, policies or guidance
    • A framework for collecting and sharing data safely is set out in non-binding policy or guidance
      Supporting questions: Please provide a URL to the most relevant legislation, policy or guidance
    • A framework for collecting and sharing data safely is set out in binding policy, regulations or law
      Supporting questions: Please provide a URL to the most relevant legislation, policy or guidance
  • Are there laws, policies or regulations addressing the management of this information in any form?

    • No
    • They are being drafted, or are not yet implemented.
      Supporting questions: Please provide brief details
    • They exist and are operational

Elements

Part 1: Identifying, protecting, and sharing health data.

  • Relevant frameworks recognize and protect the principles of consent and privacy. (No, Partially, Yes)

  • Relevant frameworks include mechanisms to securely share health data for research purposes. (No, Partially, Yes)

  • Relevant frameworks use a definition of health data flexible enough to encompass not only medical records, but health data generated by consumer devices. (No, Partially, Yes)

Part 2: Data practices more broadly.

  • The framework authorizes remedies for noncompliance. (No, Partially, Yes)

Part 3: Immutability of governance.

  • Relevant frameworks have been suspended or otherwise altered for public health exceptions. (No, Partially, Yes)

Extent

  • How comprehensive, in terms of jurisdiction, is the coverage of the laws, regulations, policies, or guidance assessed for this question?
    • They cover one or more localities, but there are many other localities without such rules/guidance, or with rules or guidance of a lesser quality.
      Supporting questions: Which locality does this framework cover?
    • They cover one or more localities and are a representative example of the kind of rules/guidance that can be found for all, or most, localities.
    • They provide national coverage.

Definitions and Identification

This indicator examines governance frameworks that provide a basis for protecting and sharing health data. The governance and re-usability of data in the health sector must combine respect for consent and privacy rights with a focus on population and patient health.

Consequently, this indicator is based on the presence and strength of legislation, regulations, policies, or guidance that govern whether:

  • Health data is collected and maintained as structured data across the whole country.
  • The principles of privacy and consent are respected and protected.
  • There is a mechanism to securely share data for research purposes.
  • Health data is defined with sufficient flexibility to encompass not only medical records, but health data generated by consumer devices.
  • Remedies for violations are enforceable and proportional.

In light of the coronavirus pandemic, this indicator also examines aspects of the flexibility and stability of such governance frameworks, asking specifically about:

  • Whether relevant frameworks have been suspended or otherwise altered for public health exceptions.

Given the personal nature of much health data and the related difficulty of de-identifying it, many countries have specific laws, regulations, policies, or guidance for generating, handling, storing, and sharing health data. Indeed, some countries' most robust forms of data protection focus specifically on health data. In other countries, general data protection provisions may encompass some or all concerns regarding health data.

Starting points

  • Sources:

    For data privacy laws more broadly:

    • DLA Piper maintain a detailed analysis of the privacy framework in over 100 countries. Comparing your country of study with other countries can help with judging the extent or key elements of the framework.
    • Global Table of Privacy Laws (2017) contains details of countries that, as of 2017, had or were drafting laws with 'largely comprehensive' coverage of public sector, private sector, or both (sec), and notes the presence and name of Data Protection Authorities (DPA).
    • DataGuidance.com provides links to laws and summary information on jurisdictions. (Note that the license of OneTrust's paid-for services prohibits use of the content in third-party products. Use this source for background/contextual research only, and do not cite any verbatim text in justifications.)
    • UNCTAD maintain a dataset of draft or enacted privacy laws with links to a specific legal text. Check carefully to make sure the most recent law is referenced, as the UNCTAD data may not reflect recent legislative reforms.
    • The WorldLii National Data Privacy Legislation collection also provides access to laws for a number of countries.
  • Search:

    • For news and articles about health data or medical data and recent data protection or data privacy framework reforms.
    • The website of any data protection authority.
    • The website of national or subnational departments of health. In addition to informational texts explaining laws and regulations, sometimes searching FAQs and for ways to report violations can lead you to the relevant frameworks.
  • Consult:

    • Civil society organizations focused on health and patients' rights.
    • Civil society organizations focused on data protection.

What to look for?

Look for evidence that can answer the following questions:

  • Are the principles of privacy and consent recognized in the governance frameworks? Are they specifically protected?
  • Is there a mechanism defined for securely sharing health data for qualified research purposes?
  • Are there clear remedies provided for violations of privacy and consent?
  • Is health data narrowly defined as medical records, or is its definition broad and flexible enough to encompass health data generated by consumer devices as well as health data that may take different forms in the future?
  • Has the governance framework been suspended or otherwise altered in the context of COVID-19?

National and sub-national considerations

In some countries, frameworks that govern health data may be established primarily by individual states, regions, or cities. To assess such countries, researchers should select the strongest examples of sub-national practice, and then indicate whether this is an outlier or an example of widespread practice.

Health research, public health work, and provision of primary healthcare all draw substantially upon data. Data is thus an important tool for achieving SDG 3, "Ensure healthy lives and promote well-being for all at all ages." More specifically, data plays a key role in accomplishing SDG 3.B, which calls for supporting research and development of vaccines and medicine, and SDG 3.D, which calls for strengthening capacities for managing national and global health risks.

At the same time, health data is intimately personal, to the point of making de-identification extremely difficult and at times impossible. Privacy is a fundamental human right, recognized as such in the UN Declaration of Human Rights as well as a host of other international and regional covenants. As Privacy International notes, this includes the protection of personal data.

The need to protect personal data is explicitly called out in international and regional agreements such as the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the Council of Europe Convention 108 for the Protection of Individuals with Regard to the Automatic Processing of Personal Data, the Asia-Pacific Economic Cooperation (APEC) Privacy Framework 2004, and various others, as well as in more than a hundred data protection and privacy laws at the national level.