“Patient Privacy in a Mobile World – A Framework to Address Privacy Law Issues in Mobile Health”
From the Executive Summary of this new white paper:
Amid the rapid growth of mobile network technology and infrastructure throughout the world, especially in low- and middle-income countries, the potential of mobile to support the achievement of health priorities is an area of active exploration and engagement. According to a 2011 World Health Organization report, governments cite issues related to data privacy and security and the protection of individual health information as two of the top barriers to the expansion of mHealth. Protecting personal health information that is collected and transmitted over mobile devices is essential to bringing mHealth to scale and providing a mature foundation for its continued growth.
The mHealth Alliance, the Thomson Reuters Foundation, Merck, and Baker & McKenzie partnered on a project to better understand privacy and security policy issues related to mHealth and identify gaps that must be addressed to protect health data. The partnership undertook a global landscape analysis of current privacy legislation and regulation, with a closer look at a selected group of case study countries in Africa, Asia and Latin America, to establish a baseline for the discussion and provide examples of what different approaches to privacy regulation are already in use. The results of this review show that the world of privacy law is roughly divided into three major camps: (1) omnibus data protection regulation in the style of the European laws that regulate all personal information equally; (2) U.S.-style sectoral privacy laws that address specific privacy issues arising in certain industries and business sectors, so that only certain types of personal information are regulated; and (3) the constitutional approach, whereby certain types of personal information are considered private and inviolate from a basic human rights perspective but no specific privacy regulation is in place otherwise.
Among the new laws that have been adopted in recent years, the European omnibus approach has been the most popular. This may be attributed at least in part to the cross-border transfer restrictions found in the European laws, which allow free transfer of personal information across borders only to those countries deemed to have “adequate” data protection regulation in place (i.e. laws similar to those found in Europe). To date, the European Commission has recognized the adequacy of privacy laws in Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Jersey, the Isle of Man, Switzerland, Uruguay and the U.S. Department of Commerce Safe Harbor Privacy Principles. However, for the rest of the world, this style of law poses an additional barrier to the cross-border transfer of personal information, an issue that is especially relevant to mHealth and its many transnational aspects.
Otherwise, this paper summarizes the other major aspects of current laws to provide a snapshot of where the laws stand today and a baseline for discussing potential reform and the adoption of new laws. Interestingly, very few of the existing laws cover health information specifically (the United States being the prime exception) and fewer still make any reference, even in terms of regulatory guidance, to mHealth. The current application of these privacy laws to mHealth issues, therefore, is by extension of existing, more general principles related to privacy protection. For this reason and to provide more specific examples that can be used to address mHealth privacy issues, this paper also offers an overview of medical ethics and patient confidentiality codes in effect throughout the world.
This paper then goes on to set forth a functional framework for addressing privacy law issues around the globe, which adapts and is sensitive to particular cultural, technological and institutional contexts. The main pillars of the framework are: (1) fact gathering and analysis that aim to identify the key drivers for privacy regulation in a particular jurisdiction and the existing environment for the development of such laws; (2) determining scope of coverage in a thoughtful and deliberate manner that takes into account the results of the fact-gathering stage and the potential impact of scoping decisions on the further uptake of mHealth in a particular jurisdiction; (3) deciding the nature of any notice and consent requirements built into the privacy law reflecting the cultural and technological context of the jurisdiction where the law would be implemented; (4) incorporating the principle of data minimization into any law as a best practice; (5) encouraging the right of data integrity and accessibility for data subjects while requiring such requests to be commercially reasonable and feasible for the entities storing data to honor; (6) requiring the adoption of reasonable data security measures while remaining nimble and open to new technological advances in this area; (7) ensuring that data is protected throughout its lifecycle through cross-border and third-party transfer restrictions, while being sensitive to the operational burdens such restrictions could place on market participants and the consequences for the uptake of mHealth; (8) determining the enforcement and sanctions mechanisms built into the law to credibly encourage compliance, which also requires an honest assessment of the jurisdiction’s enforcement resources.
The hope is that the work undertaken here can provide a working taxonomy and toolbox for those who continue to explore and develop these issues in the coming months and years. It is worth noting that this paper does not set out to prescribe legal solutions to specific data privacy problems or advocate for one universal model law for the entire world. The authors believe that a one-size-fits-all approach is simply not appropriate in the privacy context and much less in an environment, such as mHealth, where the technology and the issues are still evolving every day.
Read the report here (pdf).