Patient data ownership: who owns your health?

"Notwithstanding the lack of property rights in health information, there are many non-proprietary ways via which the law controls health information; the tort of misuse of private information (which is based on Art 8 of the Human Rights Act 1998), the EU General Data Protection Regulation (GDPR), contract law, the law of negligence, the criminal law, and the law of confidentiality (although some consider confidential information to be a type of intellectual property). Consent is highly significant in each of these legal frameworks, but it is not an absolute requirement for the use and disclosure of health information. Second, there should be additional guidance from information law agencies, medical advisory, and licensing bodies, in consultation with lawyers and health professionals, to describe the conditions under which patient information can be disclosed. This will help to address current legal uncertainty about permitted and restricted disclosures. Third, we suggest developing interoperable data and platforms would be a far better support for innovation based on health data than recognizing property in data. Finally, we suggest a greater focus, and more research into, health data transactions based on a service model, rather than a goods model. In this way, transactions would focus on data flows as actions, rather than data as discrete assets. 110: EU Trade Secrets Directive (2016/943). Although not mandatory under the EU Directive, in the UK the law of confidentiality and trade secrets does not limit the ability of those holding trade secrets or confidential information from disclosing, for reasons of public interest, information, including trade secrets, to public, administrative or judicial authorities for the performance of the duties of those authorities. Lion Laboratories Ltd v Evans [1985] Q.B. 526, [1984] 3 WLUK 239; X Health Authority v Y 1988] 2 All E.R. 648; Campbell v Mirror Group Newspapers Ltd [2004] UKHL 2;2 EU Trade Secrets Directive (2016/943), Art. 2(1)(a)-(c); Trade Secrets (Enforcement, etc.) Regulations 2018 s.2. The EU regulations specifically enumerate cases in which trade secrets may be disclosed: exercising freedom of expression and information; revealing wrongful or illegal activity to protect the public interest; exercising legitimate authority by representatives after disclosure by workers under Union or national law; and protecting legitimate interest recognized by the EU or national law. EU Trade Secret Directive Article 2(b). 215: Bradford et al., supra note 209, at 28–29. The HIPAA Privacy Rule contains numerous exceptions when authorization for disclosure is not required. 45 C.F.R. § 164.512."

"Kathleen Liddell gratefully acknowledges the support by the Novo Nordisk Foundation for the scientifically independent Collaborative Research Program for Biomedical Innovation Law (grant NNF17SA0027784) and the Gordon and Betty Moore Foundation (Grant Agreement Number 9974). David A. Simon gratefully acknowledges the financial support from the Academy of Finland research project, Fairness, Morality, and Equality in international and European Intellectual Property Law (FAME-IP). All authors gratefully acknowledge support from the NIHR Southampton Biomedical Research Centre. 32: Biobank Sverige, Agreement on the Transfer of Human Biological Materials 2 (2019), 3 Transfer of Biological Materials and Personal Data; Generation Scotland, Data/Material Transfer Agreement 3 (2018), 1.2 Grant and Scope. 203: Patrick Hummel, Matthias Braun, Peter Dabrock, Own Data? Ethical Reflections on Data Ownership, inPhilosophy andTechnology (2020); Katherine A. Mikk, Harry A. Sleeper, Eric J Topol, The Pathway to Patient Data Ownership and Better Health, 318(15) JAMA 1433 (2018); Roberts, supra note 10; McGuire, Roberts, Aas, & Evans, supra note 24, at 62. James Rule & Lawrence Hunter, Towards Property Rights in Personal Data, inVisions of privacy: policy choices for the digital age 168–181 (Rebecca A. Grant & Colin J. Bennett eds., 1999); Purtova, supra note 241. For media coverage: FT.com, Digital Privacy Rights Require Data Ownership, FinancialTimes (2018), https://www.ft.com/content/a00ecf9e-2d03-11e8-a34a-7e7563b0b0f4 (accessed Feb. 14, 2020)."