phone security

The Role of Cybersecurity in the Management of Data Privacy


The focus on data privacy from the general public has surged over the past few years. A large cohort of individuals with little to no experience in informatics now needs to understand the digital environment at a level of detail beyond their expertise or experience.

The intersection between privacy and the much more common issues concerning data security and data breaches has resulted in a digital environment where few can make confident and informed decisions. As a result, most individuals conflate data security with the privacy policies in place.

The differences between data security and data privacy

Data security features are measures that allow an individual or an organization to exert control over a digital asset. Security is typically implemented in overlapping layers to minimize the likelihood that control or access to a digital asset will be lost. End users most obviously experience security through password-mediated access control, possibly with a second level of identity verification such as a code sent to a mobile phone via text for identity confirmation. There are also many security safeguards put in place at the infrastructure level to avoid unauthorized access by programmatic “hacking.” Collectively, all these cybersecurity features provide a foundation for control of a digital asset.

In contrast, data privacy is a set of policies layered on top of controlled digital assets. Data privacy can be expressed as a set of rights guaranteed to an individual to access, correct, share, un-share, restrict, transport, and delete their digital assets. Data privacy equally requires a level of transparency around the processing or use of data so the individual can exercise those rights in an informed manner. Absent data security measures to exert control, data privacy policies cannot be implemented.

The intersection between privacy and the much more common issues concerning data security and data breaches have resulted in a digital environment where few can make confident and informed decisions. As a result, most individuals conflate data security with the privacy policies in place.

Data privacy policies need to persist over the lifetime of a digital asset whereas data security features are temporal. Once access is given by satisfying all security safeguards, all control of the data asset by the owner is lost. Data privacy rights require a persistent environment that provides data security to prevent external access while allowing agreed use of the data asset for approved purposes. 

Scott Kahn
Scott Kahn, PhD, Chief Information and Privacy Officer, Luna

Playing in the sandbox

The use of such securely isolated environments called “sandboxes” supports independence between the individuals (i.e. data users) gaining access to digital assets in the sandbox and the inclusion of digital assets in the sandbox by the data owners. This effectively maintains a level of control over the data asset by the data owner even as the asset is being used or processed within the sandbox by the data users.

There are many new data privacy policies being enacted into law around the world that, to a greater or lesser extent, confer data rights to data owners. The European Union has enacted the General Data Protection Regulation (GDPR), which serves as an exemplar for many countries outside of the EU and for several states within the U.S. But regardless of the data privacy policies in place, all privacy controls are built upon a cybersecurity foundation of data security measures that support control of data assets within a digital environment.

The interplay between security control and an implemented set of privacy policies takes center stage within the Luna platform. 

Security controls are reviewed via SOC 2 protocols that are documented and audited on a regular basis. Data privacy policies are reviewed regularly and assessed with regard to the data rights conferred to individuals and to the potential risks to these individuals incurred by sharing their data. 

Data privacy impact assessments (DPIAs) are performed for the Luna platform and for the sandboxes employed by researchers. It’s noteworthy that within the Luna platform the full spectrum of research inquiry is supported while simultaneously supporting the data privacy rights of all individuals willing to share their health data to advance medical science.

Read about Luna’s Data Protection Impact Assessment.


About Luna

Luna’s suite of tools and services connects communities with researchers to accelerate health discoveries. With participation from more than 180 countries and communities advancing causes including disease-specific, public health, environmental, and emerging interests, Luna empowers these collectives to gather a wide range of data — health records, lived experience, disease history, genomics, and more – for research.

Luna gives academia and industry everything they need from engagement with study participants to data analysis across multiple modalities using a common data model. The platform is compliant with clinical regulatory requirements and international consumer data privacy laws.

By providing privacy-protected individuals a way to continually engage, Luna transforms the traditional patient-disconnected database into a dynamic, longitudinal discovery environment where researchers, industry, and community leaders can leverage a range of tools to surface insights and trends, study disease natural history and biomarkers, and enroll in clinical studies and trials.


Scott Kahn, Ph.D.

Scott Kahn, Ph.D.

CHIEF INFORMATION + PRIVACY OFFICER

Scott is the former CIO and VP Commercial, Enterprise Informatics at Illumina. At Luna, he’s integrating data privacy and security provisions that keep member data safe, private, and secure.


global COVID

Genetic Privacy During the COVID-19 Pandemic


The profile of genetic testing–and the resulting genetic data–has been elevated in public discussions. One reason is because of the COVID-19 pandemic, but also because of an increasing focus on data privacy and the growing belief that individuals should have control of their data.

While concerns exist with the collection of consumer transactional data by Big Tech, considerations of one’s uniquely identifying genetic data–and the privacy controls applied to it–have become more focused. Unlike consumer data that can be expunged and obfuscated, genetic data describes an individual through their entire life. The impact of a data breach with genetic data can have consequences that cannot be undone.

Privacy concerns: consumer data versus genetic data

It is commonplace to securely encrypt data while it’s being stored and even to use technologies like homomorphic encryption to control access to genetic information for research purposes. Such techniques have been used to propagate the most common mode of data use in which it is downloaded onto a researcher’s computation environment. Each download of data is a separate copy that carries with it the liability that the information could be shared or hacked and used for purposes other than it was provided for under informed consent.

An alternative solution, and one that is inherently compatible with modern data privacy frameworks such as the European Union’s General Data Protection Regulation (GDPR), is to not make copies of data. Instead, the use of a computational environment, also known as a sandbox, that can access the data may be provided to each research team to perform analyses. The advent of powerful and readily available cloud-based information services has made this latter solution viable.

While concerns exist with the collection of consumer transactional data by Big Tech, considerations of one’s uniquely identifying genetic data–and the privacy controls applied to it–have become more focused.

It is also important to consider that not all genetic information carries a high potential risk to the individual. DNA data on a person’s cancerous mutations are different than the individual’s germline DNA and cannot be used to re-identify an individual. Similarly, the data on a particular variant of a virus, such as SARS-CoV-2, cannot be directly traced back to the individual from which the sample was collected. In both cases, genetic information is distinct from an individual and does not carry a risk to the individual from which it was collected.

Scott Kahn
Scott Kahn, PhD, Chief Information and Privacy Officer, Luna

Weighing risks for different types of data

The different risk aspects of different types of genetic information can be different for individuals, institutions, and governments. Whereas individuals may not be at risk of re-identification from pandemic-related DNA data, institutions and moreover governments might experience negative consequences upon disclosure of a novel variant as was seen with South Africa’s disclosure of the omicron variant.

While all public health efforts were bolstered through knowledge of omicron’s existence, the economic consequences felt by South Africa through the travel restrictions and related actions were a far cry from an expression of gratitude by the rest of the world.


About Luna

Luna’s suite of tools and services connects communities with researchers to accelerate health discoveries. With participation from more than 180 countries and communities advancing causes including disease-specific, public health, environmental, and emerging interests, Luna empowers these collectives to gather a wide range of data — health records, lived experience, disease history, genomics, and more – for research.

Luna gives academia and industry everything they need from engagement with study participants to data analysis across multiple modalities using a common data model. The platform is compliant with clinical regulatory requirements and international consumer data privacy laws.

By providing privacy-protected individuals a way to continually engage, Luna transforms the traditional patient-disconnected database into a dynamic, longitudinal discovery environment where researchers, industry, and community leaders can leverage a range of tools to surface insights and trends, study disease natural history and biomarkers, and enroll in clinical studies and trials.


Scott Kahn, Ph.D.

Scott Kahn, Ph.D.

CHIEF INFORMATION + PRIVACY OFFICER

Scott is the former CIO and VP Commercial, Enterprise Informatics at Illumina. At Luna, he’s integrating data privacy and security provisions that keep member data safe, private, and secure.