Who owns your personal health and medical data?

09/01/15 -- A moment during day 1 of the 2-day international Healthcare and Social Media Summit in Brisbane, Australia on September 1, 2015. Mayo Clinic partnered with the Australian Private Hospitals Association (APHA), a Mayo Clinic Social Media Health Network member, to bring this first-of-its-kind summit to Queensland's Brisbane Convention & Exhibition Centre. (Photo by Jason Pratt / Mayo Clinic)

Presenting my talk at the Mayo Clinic Social Media and Healthcare Summit (Photo by Jason Pratt / Mayo Clinic)

Tomorrow I am speaking on a panel at the Mayo Clinic Healthcare and Social Media Summit on the topic of ‘Who owns your big data?’. I am the only academic among the panel members, who comprise a former president of the Australian Medical Association, the CEO of the Consumers Health Forum, the Executive Director of a private hospital organisation and the Chief Executive of the Medical Technology Association of Australia. The Summit itself is directed at healthcare providers, seeking to demonstrate how they may use social media to publicise their organisations and promote health among their clients.

As a sociologist, my perspective on the use of social media in healthcare is inevitably directed at troubling the taken-for-granted assumptions that underpin the jargon of ‘disruption’, ‘catalysing’, ‘leveraging’ and ‘acceleration’ that tend to recur in digital health discourses and practices. When I discuss the big data phenomenon, I evoke the ‘13 Ps of big data’ which recognise their social and cultural assumptions and uses.

When I speak at the Summit, I will note that the first issue to consider is for whom and by whom personal health and medical data are collected. Who decides whether personal digital data should be generated and collected? Who has control over these decisions? What are the power relations and differentials that are involved? This often very intimate information is generated in many different ways – via routine online transactions (e.g. Googling medical symptoms, purchasing products on websites) or more deliberately as part of people’s contributions to social media platforms (such as PatientsLikeMe or Facebook patient support pages) or as part of self-tracking or patient self-care endeavours or workplace wellness programs. The extent to which the generation of such information is voluntary, pushed, coerced or exploited, or indeed, even covert, conducted without the individual’s knowledge or consent, varies in each case. Many self-trackers collect biometric data on themselves for their private purposes. In contrast, patients who are sent home with self-care regimes may do so reluctantly. In some situations, very little choice is offered to people: such as school students who are told to wear self-tracking devices during physical education lessons or employees who work in a culture in which monitoring their health and fitness is expected of them or who may be confronted with financial penalties if they refuse.

Then we need to think about what happens to personal digital data once they are generated. Jotting down details of one’s health in a paper journal or sharing information with a doctor that is maintained in a folder in a filing cabinet in the doctor’s surgery can be kept private and secure. In this era of using digital tools to generate and archive such information, this privacy and security can no longer be guaranteed. Once any kind of personal data are collected and transmitted to the computing cloud, the person who generated the data loses control of them. These details become big data, part of the digital data economy and available to any number of second or third parties for repurposing: data mining companies, marketers, health insurance, healthcare and medical device companies, hackers, researchers, the internet empires themselves and even national security agencies, as Edward Snowden’s revelations demonstrated.

Even the large institutions that are trusted by patients for offering reliable and credible health and medical information online (such as the Mayo Clinic itself, which ranks among the most popular health websites, with an estimated 30 million unique monthly visitors) may inadvertently supply personal details of those who use their websites to third parties. One recent study found that nine out of ten visits to health or medical websites result in data being leaked to third parties, including companies such as Google and Facebook, online advertisers and data brokers, because the websites use third-party analytic tools that automatically send information to the developers about what pages people are visiting. This information can then be used to construct risk profiles on users that may shut them out of insurance, credit or job opportunities. Data security breaches are common in healthcare organisations, and cyber criminals are very interested in stealing personal medical details from such organisations’ archives. This information is valuable as it can be sold for profit or used to create fake IDs to purchase medical equipment or drugs or to make fraudulent health insurance claims.

In short, the answer to the question ‘Who owns your personal health and medical data?’ is generally no longer individuals themselves.

My research and that of others who are investigating people’s responses to big data and the scandals that have erupted around data security and privacy are finding that concepts of privacy and notions of data ownership are beginning to change in response. People are becoming aware of how their personal data may be accessed, legally or illegally, by a plethora of actors and agencies and exploited for commercial profit. Major digital entrepreneurs, such as Apple CEO Tim Cook, are in turn responding to the public’s concern about the privacy and security of their personal information. Healthcare organisations and medical providers need to recognise these concerns and manage their data collection initiatives ethically, openly and responsibly.
