data rights

Breaking the Mental Model: Individual Data Control Can Deliver Better Research


The majority of individuals on Luna want to accelerate research and ensure their data is used as they allow. We considered a recent article in Forbes, and we broke down two recent legal opinion articles on medical data privacy and rights when it comes to your data’s application in research (article links below).

As standard practice in US healthcare, laboratory results, doctor’s conclusions, and any other information collected during your virtual or in-person visit are digitally captured and stored for later reference by the healthcare provider. This information is protected under the Health Insurance Portability and Accountability Act, referred to as HIPAA, to protect your private information from disclosure to parties outside of your care team. There are provisions under HIPAA for the de-identification of health data (which is simply the removal of your name, address, and other information that would clearly link the data back to you) so it can be shared freely for health research purposes – so-called secondary use of health data. Some types of health data, such as DNA information that may be collected to make treatment decisions, are inherently challenging to de-identify, and some argue impossible, despite their significant utility for research.

The balance between research benefit (i.e., the advancement of knowledge to guide improvements in diagnosis and treatment of diseases) and the role that individuals play is evolving. Many of the contemporary data protection and privacy laws around the world, such as Europe’s General Data Protection Regulation (GDPR) and California’s Privacy Rights Act (CPRA), are built upon HIPAA and Fair Information Practice Principles (FIPPs) from the 1970s to define a right for individuals to control the use of data that is collected from them. And while this right to have control over the use of one’s data is absolute, the secondary use of de-identified data and the control granted by privacy legislation need to find common ground, so that health data from all peoples can be included and research has representation from the widest range of backgrounds possible.


The debate on this intersection of approaches is couched in terms of data ownership and control of data use. Unlike tangible assets such as real estate or a piece of furniture, data can be used simultaneously by many parties without degrading the value of each party’s use of the data. This difference has shifted thinking toward treating the control of data use (rather than data ownership) as being of paramount importance. Moreover, the trend globally, and increasingly at the State level in the US, is that the control of data use should rest with the individual on whom the data was collected. This argument is most compelling when considering an individual’s DNA data that uniquely characterizes them. As it pertains to the secondary use of health data, a case can be made that shifting the control of data use from institutions to individuals provides a direct pathway to greater study participant engagement and more inclusive participation of individuals in future research studies.

Articles Reviewed for this Blog

“The Future Of Personally Identifiable Information And Health Data”
https://www.forbes.com/sites/forbestechcouncil/2023/07/18/the-future-of-personally-identifiable-information-and-health-data/?sh=694704622468

“Data Unlocked: Why Rights Mean More Than “Ownership” in B2B Data Sharing”
https://gowlingwlg.com/en/insights-resources/articles/2023/data-unlocked-rights-over-data/

“Ensuring Data Privacy in Genomic Medicine: Legal Challenges and Opportunities”
https://www.jdsupra.com/legalnews/ensuring-data-privacy-in-genomic-8975727/


About Luna

Luna’s suite of tools and services connects communities with researchers to accelerate health discoveries. With participation from more than 180 countries and communities advancing causes including disease-specific, public health, environmental, and emerging interests, Luna empowers these collectives to gather a wide range of data—health records, lived experience, disease history, genomics, and more—for research.

Luna gives academia and industry everything they need from engagement with study participants to data analysis across multiple modalities using a common data model. The platform is compliant with clinical regulatory requirements and international consumer data privacy laws.

By providing privacy-protected individuals a way to continually engage, Luna transforms the traditional patient-disconnected database into a dynamic, longitudinal discovery environment where researchers, industry, and community leaders can leverage a range of tools to surface insights and trends, study disease natural history and biomarkers, and enroll in clinical studies and trials.



De-identified, Pseudonymized, Anonymous Data, Oh My!


It seems like everywhere we turn these days some aspect of data privacy is in the news, with this or that company sharing your data in some form or fashion. Many of these reports mention the use of your de-identified data. What is de-identified data and how is it different from pseudonymized or anonymous data? And how do any of those relate to your personal data/information covered by modern data privacy regulations?

De-identification removes features like your name, address, and date of birth from your data. It is reversible if those accessing your de-identified data have enough other information that can be tied to the remaining details in the de-identified data. Think of this like pixels in an image. With enough pixels, the full image comes together, even if some pixels are missing.

Pseudonymization replaces certain pieces of information in your data set – for example associating your data with a unique ID in place of your name or address. This is also reversible if those with access to your data have enough other information (or have access to the key or decoder that connects your name back with that unique ID).

Anonymization is NOT reversible which means that, in addition to removing your name, address, date of birth, zip code, and so on, other information such as medical diagnoses, job title, and/or geolocation must also be removed.
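To make the three terms concrete, here is an added example (not Luna's code) that de-identifies and pseudonymizes a few constructed records, then measures how many people share each remaining combination of details. The field names, the quasi-identifier list, and the use of HMAC-SHA256 for the unique ID are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Direct identifiers the post names; the quasi-identifier list is an assumption.
DIRECT = ("name", "address", "date_of_birth")
QUASI = ("zip_code", "birth_year", "diagnosis")

# Constructed sample records, not real people.
RECORDS = [
    {"name": "Ana Ruiz", "address": "1 Elm St", "date_of_birth": "1980-03-02",
     "zip_code": "92101", "birth_year": 1980, "diagnosis": "asthma"},
    {"name": "Ben Cole", "address": "2 Oak St", "date_of_birth": "1980-07-19",
     "zip_code": "92101", "birth_year": 1980, "diagnosis": "asthma"},
    {"name": "Cy Park", "address": "3 Ash St", "date_of_birth": "1980-11-30",
     "zip_code": "92101", "birth_year": 1980, "diagnosis": "Fabry disease"},
    {"name": "Di Wong", "address": "4 Fir St", "date_of_birth": "1980-01-08",
     "zip_code": "92103", "birth_year": 1980, "diagnosis": "asthma"},
]

def drop_fields(row, fields):
    return {k: v for k, v in row.items() if k not in fields}

def deidentify(row):
    """De-identification as described above: remove the direct identifiers."""
    return drop_fields(row, DIRECT)

def pseudonym(name, key):
    """Keyed ID (HMAC-SHA256); whoever holds the key can recompute the link."""
    return hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymize(row, key):
    out = deidentify(row)
    out["subject_id"] = pseudonym(row["name"], key)
    return out

def group_sizes(rows, fields):
    return Counter(tuple(r.get(f) for f in fields) for r in rows)

def smallest_group(rows, fields=QUASI):
    """k of k-anonymity: size of the smallest set of rows sharing these values."""
    return min(group_sizes(rows, fields).values())

def singled_out(rows, fields=QUASI):
    """Rows whose remaining details match nobody else in the data set."""
    sizes = group_sizes(rows, fields)
    return [r for r in rows if sizes[tuple(r.get(f) for f in fields)] == 1]

if __name__ == "__main__":
    deid = [deidentify(r) for r in RECORDS]
    reduced = [drop_fields(r, ("zip_code", "diagnosis")) for r in deid]
    print("k after de-identification:", smallest_group(deid))
    print("rows unique on remaining details:", len(singled_out(deid)))
    print("k after also dropping zip code and diagnosis:", smallest_group(reduced))
```

A smallest group of 1 means at least one record is unique on the details that remain after de-identification, which is the "enough pixels" situation; the group size only rises once zip code and diagnosis are removed as well.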

So, what about DNA data? Everything stated here certainly suggests that DNA information about you that is large enough (e.g., your entire genome sequence) or specific enough (e.g., gene variations that led to a medical diagnosis) could never be considered anonymous. This is why DNA is used in applications ranging from family finder tools to crime scene investigations.


Data privacy regulations vary based on where you live. Some country or state-level data privacy regulations consider your data as personal information unless it has been anonymized. Others only require de-identification or de-identification PLUS defined additional steps (sometimes many such steps!) to help prevent re-identification so it’s no longer considered your personal data.

Yes, this is all a bit confusing and constantly evolving. So, when you see news articles bandying about a company selling access to “de-identified” data that is no longer under your control as the individual the data represents, it should set off warning flags. According to GDPR (Europe’s General Data Protection Regulation) and CPRA (California’s Privacy Rights Act) and similar US and non-US data privacy regulations, de-identified data is likely still considered your personal data/information and you have the right to know how it is being used and prevent it from being used for purposes you don’t agree with, if you choose.

