It’s time for an informed public debate about the many questions raised by the commodification of “big data” in health, according to Canberra Law School academics, Bruce Baer Arnold and Wendy Bonython.


Who is taking care of your health data?

Bruce Baer Arnold and Wendy Bonython write:

Are the UK and Israeli health systems heading for a privacy trainwreck? Will Australian policymakers take us down the same track by selling bulk health data?

Data contained in health records can be benign, even trivial. However it can also be intimate, important and ineradicable.

Add in data from genetic sequencing activities, such as direct-to-consumer (DTC) genetic testing, or whole genome sequencing, and combine it with similar information from other people, and it becomes a commercially valuable database, ripe for exploitation by biotech, pharmaceutical, and health insurance companies.

Last year saw watersheds in the history of health ‘big data’. US-based Merck announced an agreement with Israel’s Maccabi Healthcare to “leverage Unique Real-World Database to Inform Novel Health Approaches”. The FDA stopped some of 23andMe’s activities. The 100K genomics project began receiving samples, and a new UK agency began preparing to sell millions of deidentified National Health Service (NHS) records.

If you aren’t a Merck investor or Maccabi doctor, the first announcement probably passed unnoticed. It triggered little discussion in specialist fora previously agog with legal aspects of deCODE’s plan to build a genetic profile database of all 320,000 people in Iceland.

Maccabi is a comprehensive health maintenance organisation with hospitals, nursing homes, pharmacies and pathology facilities. After major investment it has electronic information about over two million members – around a quarter of Israel’s population.

Its records encompass medical conditions attributable to lifestyle, for example cancer and heart-lung disease associated with smoking, and conditions associated with the genetic profile of particular demographics. Merck promises the dataset will be safely deidentified.

From a research perspective, the announcement was exciting. It is the first time ‘Big Pharma’ has acquired access to comprehensive health data of about 25% of a nation’s population. The data is not a one-off snapshot. Instead it covers a period of twenty years and will apparently be provided on an ongoing basis.

For an Australian equivalent think of a US drug company getting hold of twenty years of medical records for everyone in Sydney, Melbourne and Brisbane.

The UK Government has gone one better, with an announcement that the Health & Social Care Information Centre  – an agency that brings together NHS data from across the nation under the ‘’ scheme – will share deidentified data with researchers. Pay a fee and you’ll have a population database at your fingertips.

Civil society advocates and practitioners are quite sensibly expressing concerns about They note cautions in the major Caldicott study of the UK e-health system, asking whether commodifying national datasets poses substantive risks that aren’t properly addressed.

In a world of Edward Snowden and recurrent financial data breaches, is it wise to aggregate and sell data about every patient? Can purchasers be trusted? What about consent, and about emerging EU and OECD data protection frameworks?

Last month Genomics England (government owned) started receiving blood samples from people with rare genetically inherited diseases for DNA sequencing as part of the 100K Genome project. That project aims to sequence the entire genome of 100,000 UK citizens over the next four years, cross-matching DNA sequence data with health information stored in NHS records.

There has been surprisingly little discussion of 100K by activists, with a tacit acceptance of assurances that “All data will be held securely in the UK, strictly protecting confidentiality in line with stringent existing NHS arrangements.”

Presumably not the same ‘stringent’ NHS arrangements that were seriously breached 186 times in 2011-2012.

The main commercial objective of DTC enterprises is creating major databases of genetic sequence data, often cross-matched with personal and/or health data. Last year the FDA belatedly cracked down on 23andMe over health prediction testing. Current FDA intervention will do nothing to address data protection and access concerns evident since the DTC sector began.

The FDA freeze on some services raises questions about the sector’s sustainability and the fate of extensive datasets created by DTC companies. Who owns the data if 23andMe is acquired by GSK? What’s happened to deCODE’s data from Iceland?

None of these projects have engaged meaningfully with data reidentification, highlighted by researchers who took deidentified big data and reidentified individuals using public sources. ‘Deidentified’ needs to be more than a fiction to ensure health data isn’t stripmined.

Genetic sequence data is not exclusive to any one person: by using sequence data from a particular individual, we can make reasonable inferences about the genetic sequence of their relatives, including ancestors and descendants many generations into the future.

Furthermore, once that data is released, it is permanent. You can’t change your DNA. Neither can your relatives, even if your decision to contribute a sample to a sequencing project was not theirs, notwithstanding what the consequences of your decision might be.

We might accordingly question promises that partners will “fully protect and maintain patient privacy”, particularly where data moves across national borders for processing in locations where protection may be ineffective.

Question too whether sharing will “support personalized health care delivery strategies across several therapeutic areas, including prevalent and costly chronic diseases …  enable better understanding of unmet patient needs, real-world outcomes achieved with medical treatments, and optimal approaches for improving patient adherence”.

What does this mean for Australia? There’s no indication that our bureaucrats are racing to emulate the UK in exploiting a population-scale data set. That’s a good thing.

We should, however, be wary about policy makers who emphasise secrecy, are getting ready to sell the national health insurer and dream of making billions by selling health data. Expect to see claims of transcendent public good and reassurance that all data will be thoroughly deidentified and only entrusted to the bluest of blue chip researchers.

If regulatory frameworks change, our officials and commercial bodies are likely to embrace overseas models. Faced with pressure to contain health costs and increase ‘wellness”, would Australian regulators say no to commodification of data that after all is the property of insurers and health enterprises and governments, not individuals?

Let’s not dismiss commodification out of hand – there are benefits. We need, however, an informed public debate.

If we want to avoid a trainwreck, we need to start thinking about rights, responsibilities, regulation and possibilities in the new world of health big data.

• Bruce Baer Arnold is an Assistant Professor at Canberra Law School. He’s written widely on privacy and new technology. Dr Wendy Bonython is an Assistant Professor at Canberra Law School, with a background in molecular medicine. She’s written widely on direct to consumer genetic testing and other areas of health law.