|19th March 2015
Following on from our Top 7 Trends in Pharma Marketing for 2015 post, it is clear that the pharma marketing trends we expect to transform the healthcare sector are easier said than done. Aurélie Pols from Mind Your Privacy has written this guest blog to talk about the first steps you need to take when considering data privacy and security.
In 2002 statistician Andrew Pole was asked by his colleagues in the marketing department at Target “If we wanted to figure out if a customer is pregnant, even if she didn’t know, can you do that?” Little did he know that by exploring customers' shopping behavior and merging data to predict the potential pregnancy state of an individual, he would be crossing some important legal boundaries. Following a data breach, Target found themselves in the news headlines, however little to nothing has been written about the creation of a health state variable – being pregnant or not – based on shopping behavior.
As former counselor of the CNIL President for Advanced Studies, Development and Cooperation, the French Data Protection Agency, Marie Georges stated at the Madrid Google Cathedra in 2014 “You can’t use created sensitive data without consent. The Target case would not have been possible in Europe”. Europe talks about Data Protection: the riskier the type of data used, the more protected the data should be, thus the higher the accompanying information security measures should be. Typically, a health state like pregnancy requires careful care when being used and would at least require some form of consent.
Rules and regulations of advertising health related products differs in the US and in Europe; even the basis of when and where data privacy legislation comes into effect follows totally different ideologies.
The US focuses on limiting the liability of companies using data, through a variety of sector based Privacy legislation of which HIPAA – The federal Health Insurance Portability and Accountability Act of 1996 – is the most well-known. US Privacy legislation is called upon once some form of PHI - Protected Health Information - is collected. When the individual is identifiable Personally Identifiable Information (PII) legal experts are consulted. In the absence of PII, there is no concern over privacy legislation in the US.
The EU focuses on protecting citizens through overarching directives and regulations – typically the Data Protection Directive (DPD - enacted in 1995) and the currently proposed General Data Protection Regulation (GDPR). Europe takes a broader approach to PII: it depends “upon whether a natural person is capable, directly or indirectly, of identification through a linkage or some other reference to available data”. PII logic is based on ill-defined variables and a concept that does not hold under European legislation, including in the UK.
While risks of identifying individuals increase as more data is collected and centralized, as the recent UK based NHS scheme called care.data revealed, the first step is understanding your companies’ liability for the data that is being collected, processed and possibly shared between systems, either through national borders or with other legal entities. Talking about digital, companies often find it difficult to understand what their corporate, pathology or disease related properties are collecting in terms of data. The way in which websites and mobile apps are built have consequences on what type of data is transiting between visitors of a particular app or property and the company responsible for the available online information.
Following European privacy thought process, the company putting available information accessible to online users is considered to be a “Data Controller”. Independent of evolving legislation, in Europe but also increasingly in Asia and Latin America, the principles that the EU Data Protection Directive requires data controllers to observe, when processing personal data, reflect good business practices. They contribute to reliable and efficient data processing, which is useful in our increasingly data-driven world. It also has the benefit of protecting the rights of those about whom the data is collected, the data subjects, fostering trust and avoiding brand erosion through unsystematic privacy management practices. Loosely described and dependent upon how the current Data Protection Directive has been transposed into local law, digital marketers, as data controllers, must keep in mind some basic principles related to:
In addition, companies and the data controllers, use intermediaries such as digital agencies but also tools in order to support their digital communications. Starting with any information that might be collected, digital marketers need to make sure these data collection practices are in line with what is stipulated within their policies. After all, they are liable for anything that might be out there, collected, processed or re-used on their behalf. Such intermediaries, also called data processors, are separate legal entities from the data controller and process personal data on their behalf. Additionally, the data processor become partially responsible for the safeguard of the data collected, depending upon the legal contracts set-up between the various intermediaries (sometimes 3rd, 4th and 5th parties) and the initial data controller.
If, for example, the data collected is stored within the cloud and could possibly fall under another legal jurisdiction as the one where the initial data collection took place, it is the duty of the data controller to assure the same rights are assured, even under this extra-territorial storage facility. It is therefore crucial to understand exactly what data is collected, even if not processed, where this data resides and who has access to it. Such undertakings are usually referred to as defining the data flows.
While Europe is trying very hard to become the international reference for a Data Protection framework, there is one set of rules called Fair Information Practice Principles (FIPs or FIPPs) that are globally agreed upon. Indeed, even the revised OECD Privacy Guidelines issued in 2013 references to the Fair Information Practices, which contain the following 5 essential points:
For global companies managing data on multiple continents and in a variety of countries, reality shows that 100% compliance with each local and evolving data privacy legislation remains unrealistic. While respecting FIPPs should be considered as an initial best practice, a lot of data-driven companies are today focused on risk management exercises related to privacy. As systems are rolled out globally (or per continent), it is nonsensical to set too many exceptions for smaller countries where the risk of perceiving any kind of privacy backlash is unlikely to exceed amount to more than 500 euros.
Typically, companies do not set up exceptions for countries such as Slovakia, except if they have a good reason to do so. The way to look at privacy in our digital age and to move the subject further is therefore to understand the data flows, which data type where and accessed by whom, and embed this tactical understanding into a larger 3 step risk management framework:
|14th August 2018
Blue Latitude Health speaks to Medopad’s Martha Carruthers to learn how the start-up’s modular apps are helping patients with complex diseases.
|6th August 2018
Senior Associate UX Consultant Amit Sheinholtz was recently awarded City University’s prestigious prize for Outstanding Project of the Year. BLH caught up with him to get the inside scoop on his master’s thesis on mental health apps and what it takes to create excellent research