There has been growing interest over the past decade in what to do with the expanding volume of digital information collected on individuals, information that may be used or sold by companies and governments. This interest is heightened further when health data is involved and when that data might be used in ways contrary to the interests or values of individuals. In parallel, new data protection laws have been passed in many parts of the world, and increasingly in several states within the United States, that frame control over personal data as a human right.
It is commonplace to conflate the concepts of data privacy and data security, even though each plays a distinct role. Data security comprises the steps taken to prevent unauthorized access to data. A common security approach is data encryption, which requires user-specific information (a key) to restore the data to its original form. Privacy-preserving technologies, or PPTs, are a newer class of technologies that support the distribution of encrypted data that can be selectively decrypted to reveal some or all of the data it encapsulates. PPTs are especially promising for the sharing of genomic data, because only part of the data is made available to a researcher, which lowers the individual's risk of subsequent data misuse.
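The relationship between key-based decryption and selective disclosure can be sketched with a toy example. Everything below is illustrative only: the XOR cipher, field names, and record are hypothetical, and real systems use vetted algorithms such as AES rather than XOR.

```python
import secrets

def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy XOR stream cipher: the same operation encrypts and decrypts.
    Illustrative only -- not production cryptography."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Encrypting each field of a record under its own key lets a data holder
# share the key for one field without revealing the others -- a highly
# simplified version of the selective disclosure that PPTs enable.
record = {"name": b"Jane Doe", "genotype": b"rs429358:CC"}
keys = {field: secrets.token_bytes(16) for field in record}
encrypted = {f: xor_cipher(v, keys[f]) for f, v in record.items()}

# A researcher given only the genotype key can decrypt just that field;
# the name field remains opaque ciphertext.
revealed = xor_cipher(encrypted["genotype"], keys["genotype"])
assert revealed == b"rs429358:CC"
```

The point of the sketch is the access pattern, not the cipher: decryption is impossible without the key, and per-field keys make disclosure granular.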
Security-based protections such as PPTs and privacy-based protections differ substantially in how they are implemented. With security-based approaches, data are distributed to researchers who are approved to access them. Once access is granted, control of the data is lost: over time, many copies of the data may accumulate across the multiple researchers who were granted access, as shown in Figure 1A.
In contrast, privacy-based approaches keep each piece of data within an environment that supports its removal if an individual's consent is withdrawn. Under the privacy-based approach, an individual holds a virtual string attached to their data that lets them pull the data back at any time, as shown in Figure 1B.
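The "virtual string" can be sketched as a small in-memory environment in which researchers query data in place and a withdrawal removes an individual's data from all future analyses in one step. The class and method names below are hypothetical illustrations, not Luna's actual implementation.

```python
class PrivacyEnvironment:
    """Illustrative sketch of a privacy-based approach: data never leaves
    the environment, and each record stays tied to its contributor."""

    def __init__(self):
        self._records = {}  # individual_id -> contributed data

    def contribute(self, individual_id: str, data: dict) -> None:
        self._records[individual_id] = data

    def query(self, field: str) -> list:
        # Researchers run queries inside the environment; no copies of
        # the underlying records are distributed.
        return [r[field] for r in self._records.values() if field in r]

    def withdraw_consent(self, individual_id: str) -> None:
        # The "virtual string": withdrawal removes the individual's data
        # from every future analysis in a single operation.
        self._records.pop(individual_id, None)

env = PrivacyEnvironment()
env.contribute("p1", {"age": 44})
env.contribute("p2", {"age": 51})
env.withdraw_consent("p1")
assert env.query("age") == [51]
```

Contrast this with the security-based model, where withdrawal is impractical once copies of the data have been handed to multiple researchers.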
Figure 1B. Permissioned data is used within an environment that enforces privacy policies.
The question of which approach is better rests largely on the regulatory environment in which the research is performed. In Europe, compliance with the General Data Protection Regulation (GDPR) requires that the data rights of individuals persist after they share sensitive personal data such as health data. In states such as California, the California Privacy Rights Act (CPRA), which came into effect in 2023, requires similar protections. For historical datasets, databases, and biobanks that include genomic data, PPTs have provided a more secure way to distribute such sensitive personal data.
Luna’s suite of tools and services connects communities with researchers to accelerate health discoveries. With participation from more than 180 countries, and with communities advancing disease-specific, public health, environmental, and emerging causes, Luna empowers these collectives to gather a wide range of data for research: health records, lived experience, disease history, genomics, and more.
Luna gives academia and industry everything they need, from engagement with study participants to data analysis across multiple modalities using a common data model. The platform complies with clinical regulatory requirements and international consumer data privacy laws.
By giving privacy-protected individuals a way to engage continually, Luna transforms the traditional patient-disconnected database into a dynamic, longitudinal discovery environment where researchers, industry, and community leaders can use a range of tools to surface insights and trends, study disease natural history and biomarkers, and enroll participants in clinical studies and trials.