Digital Health, Privacy, and Data Protection Flashcards

Digital Health Definition

• A poor definition of digital health focuses solely on the application of digital and disruptive technologies in healthcare settings.
• A better definition emphasizes the proper use of technology to improve health and wellbeing at individual and population levels and enhance patient care through intelligent processing of clinical and genetic data (Fatehi et al., 2020).

Factors Driving Innovation in Healthcare

• Increasing costs/expenditure.
• Population health and societal changes.
• Population growth, particularly aging populations.
• Increasing chronic and comorbid conditions.
• Increasing demand for healthcare from expert patients.
• Lifestyle risk factors and inactive lifestyles due to digital life.
• Unequally distributed healthcare access.
• Health and social care crises, including waiting lists and staff shortages.

Aims of Digital Health Initiatives

• Improve medical knowledge.
• Enhance patient engagement.
• Improve access to healthcare.
• Development of new treatments and interventions.
• Enable personalized and precision medicine.
• Facilitate sharing and coordination of patient information.
• Support and improve collaboration among healthcare providers.
• Improve care coordination.
• Improve the quality and efficiency of care.
• Enhance assessment, decision-making, treatment, and monitoring processes.
• Improve quality and safety in healthcare delivery.
• Promote evidence-based medicine (EBM).
• Reduce inefficiencies and costs in the healthcare system for both patients and providers.
• Support the achievement of policy aims.

Factors Impacting Health Outcomes in the Digital Environment

• According to Richardson et al. (2022), digital equity framework identifies influential factors impacting individual health outcomes within the digital environment.

Health Literacies

• Health literacies are defined as a person’s capability to understand, read, use, and obtain health care information (Simpson, Knowles, and O’Cathain, 2020).

Health Education England (HEE) Health and Care Digital Capability Framework: Domains of Capability

1. Communication, collaboration, and participation.
2. Teaching, learning, and self-development.
3. Information, data, and content literacies.
4. Creation, innovation, and research.
5. Digital identity, wellbeing, safety, and security.
6. Technical proficiency

Digital Literacies Beyond IT Skills

• Digital literacies encompass the ability to access, manage, evaluate, and create information safely and effectively using digital technologies. It ensures effective use of digital tools while maintaining privacy, security, and ethical standards.
• Confidence in using digital technologies, characteristics, and behaviors such as willingness to embrace change, digital resilience when technologies go wrong or have adverse outcomes.
• Understanding the adverse side of digital literacies such as cyber threats and misinformation.
• Knowing when not to use digital sources.
• Digital literacies are capabilities that fit someone for living, learning, working, participating, and thriving in a digital society (Health Education England, 2018).
• Abilities to access, manage, and integrate, communicate, evaluate, and create information safely and appropriately through or with digital technologies.

Correlation vs. Causation

• Increasing age correlates with decreasing digital skills, but correlation does not equal causation.
• Inverse correlation: Indicates a relationship where one variable decreases as the other increases.
• Causation: Implies that one variable directly causes a change in another.
• Spurious Relationship: Occurs when two variables appear related but are influenced by a third, unobserved variable.
• Confounding factors:
  • Relevant education, work, or interests.
  • Digital divide.
  • Health conditions impact on fine motor skills, cognition, etc.

Facilitators in Digital Health Projects

• Refer to Svendsen et al. (2020) for examples of facilitators in digital health projects.

Key Terms and Definitions

• Privacy, security, and information governance are key terms.

Legislation

• Focuses on aspects of the UK GDPR and DPA 2018.

Qualities and Characteristics of Personal Data

• Understanding the attributes of personal data is crucial.

Ethical Issues

• Ethical considerations in digital health are significant.

Intended Learning Outcomes

1. Define key terms including Privacy, Data Security, and Data Protection.
2. Describe the characteristics of personal data.
3. Recall and explain key components of regulations governing data protection.
4. Describe the key ethical concerns related to security and privacy in digital health.

Barriers and Challenges in Implementing Digital Health Initiatives

• Security and privacy are frequently cited barriers.
• Security breaches of healthcare systems have raised concerns over data privacy and security.
• The potential of digital health technologies will only be realized if people accept and make use of them.

Synnovis Cyber Attack

• The Synnovis cyber attack caused two cases of severe patient harm on January 23, 2025.
• Two patients suffered long-term or permanent damage to their health.

Privacy

• Article 12 of the Universal Declaration of Human Rights (UDHR) treats privacy as a distinct human right: “No one shall be subjected to arbitrary interference with his [sic] privacy, family, home or correspondence, nor to attacks upon his honour and reputation.” (United Nations, n.d.).
• Privacy is the right to be let alone, free from interference or intrusion.
  • Over simplistic definition

Types of Privacy (Koops et al., 2016)

• Spatial privacy:
  • Personal zone: solitude.
  • Intimate zone: intimacy.
  • Semi-private zone: secrecy.
  • Public zone: inconspicuousness.
• Bodily privacy: freedom from being let alone.
• Informational privacy: emphasizes freedom to self-development.
• Communicational privacy:
• Intellectual privacy
• Decisional privacy
• Associational privacy
• Behavioral privacy
• Proprietary privacy
• Access control

Instagram Terms of Use

• When users share, post, or upload content covered by intellectual property rights, they grant Instagram a non-exclusive, royalty-free, transferable, sublicensable, worldwide license to host, use, distribute, modify, run, copy, publicly perform or display, translate, and create derivative works of their content, consistent with privacy and application settings (Instagram Terms of Use, January 1, 2025).

What is Privacy?

• The rights of an individual or an organization.
• Access and control.
• How (and what) information is collected, stored, processed, used, and shared.
• Not just ‘information’ or ‘data’.
• Situated – depends on context.

Data Security

• Data Security involves standards and technologies that protect data from intentional or accidental destruction, modification, or disclosure.
• Also referred to as information security (IS) or computer security.

Key Principles of Data Security: CIA Triad

• Confidentiality (C): the prevention of unauthorized disclosure of information.
• Integrity (I): the guarantee that information that is sent is the same as the information received and that the information is not modified in transit.
• Availability (A): ensuring that information is available in a timely and uninterrupted manner when it is needed.
• Resilience: the ability of systems to continue operating under adverse conditions and to restore them to an effective state (Agarwal and Agarwal, 2011; ICO, n.d.d).

Cyberthreats

1. External Threats: Malware (e.g., viruses, spyware, ransomware), hacking, phishing (including vishing, SMS phishing/smishing), SIM hijacking/SIM swapping, malvertising
2. Internal Threats: Insider threats (e.g., human error or malicious intent) e.g. PHW personal data breach e.g. loss of physical devices (e.g., laptops, mobile phones)
3. Unsecured networks

Security Measures

• Encryption: Converting data into a secure format (e.g., “John Doe” > a3f1b4c8d2e9a5f76b8d9).
• Access Control & Authentication: Ensuring only authorized users can access data.
• Data backups: Regularly backing up data to prevent loss.
• Data masking: Hiding sensitive data.
• Data erasure: Securely deleting data.
• Network protections: Using VPNs and firewalls.

Information Governance (IG)

• Information Governance (IG) is used in terms of the security and protection of data in clinical settings.
• It provides a framework of legal, ethical, and quality standards.
• Supporting the provision of high quality care.

Responsibility for Data Security

• Everyone within an organization is responsible for data security.

Consequences of Inadequate Data Security

• Physical harm (e.g., disruption of medical devices).
• Privacy breach.
• Loss of data, documents, photos etc.
• Identity theft.
• Stalking.
• Spam.
• Emotional consequences (embarrassment, distress).
• Companies face fines and reputational damage.

Data Security vs. Data Privacy

• It is possible to have good data security, but poor data privacy.

Health Data Regulations

• Regulations govern health data.

The Caldicott Report 1997

• 1997: Caldicott committee presented its report on patient confidentiality “Report on the Review of Patient-Identifiable Information”.
• Addressed concerns about patient information and security.
• The Caldicott Report 1997 provided guidance to the NHS on the use and protection of personal confidential data.
• Consisted of a series of recommendations.
• Introduced the role of the Caldicott Guardian.

The 6 Caldicott Principles

1. Justify the purpose.
2. Do not use PII unless it is absolutely necessary
   • PII = Personally/Patient Identifiable Information
3. Minimize PII.
4. Restrict access.
5. Everyone should be aware of their responsibilities.
6. Understand and comply with the law.

Caldicott Revisions

• ‘Caldicott 2’ - Principle 7: The duty to share information can be as important as the duty to protect patient confidentiality.
• ‘Caldicott 3’ –Principle 8: Inform patients and service users about how their confidential information is used.
• ”You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons and legal basis.”

UK Data Protection Act 2018 and General Data Protection Regulation (UK GDPR)

• These regulations are crucial for data protection.

The General Data Protection Regulation (UK GDPR)

• Came into effect on 1st Jan 2021.
• Sets out the key principles, rights, and obligations for most processing of personal data in the UK (except for law enforcement and intelligence agencies).
• Based on EU GDPR (General Data Protection Regulation (EU) 2016/679).
• Defines personal data (including sensitive data).
• Covers principles, lawful basis for processing, individual rights, accountability and governance, security, international transfers, exemptions, etc.

Data Protection vs. Privacy

• Data protection is not the same as privacy.

What Does ‘Data Protection’ Mean?

• Data Protection is used to describe:
  • the process of protecting data.
  • the complex relationship between the collection and dissemination of data and technology, the public perception and expectation of privacy, and the laws and regulations that make it illegal to store and/or share some types of information about people without their knowledge or permission.
  • it is concerned with both the integrity of the data, protection from corruption, and (to some extent) privacy of data.

Protection of Personal Data under UK GDPR

• “personal data means information about a particular living individual”.
• It doesn’t need to be ‘private’ information.
• even information which is public knowledge or is about someone’s professional life can be personal data.
• It doesn’t cover truly anonymous information.
• but if you could still identify someone from the details, or by combining it with other information, it will still count as personal data.

Legal Definitions of Personal Data

• Personal Data: Information that can directly or indirectly identify an individual (identified or identifiable).
• Data: Objective (e.g., factual), subjective (e.g., opinion), and sensitive.
• Special categories of personal data require a higher level of protection:
  • race;
  • ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data (where this is used for identification purposes);
  • health data;
  • sex life; or
  • sexual orientation.

Examples of Personal Data

• NHS number.
• Date of birth.
• Address.
• Mobile phone number.
• IP address.
• Location data.
• Social media ‘handle’ or username.

GDPR: Rights for Individuals

1. Right to be informed.
2. Right of access.
3. Right to rectification.
4. Right to erasure.
5. Right to restrict processing.
6. Right to data portability.
7. Right to object.
8. Rights related to automated decision making including profiling.

Consent for Processing Personal Data

• Consent is not always required to process personal data.

Lawful Bases for Processing Data

• Organizations can use personal data without consent if they have a ‘lawful basis’.
• The six lawful bases for using data are:
  1. Consent
  2. Contract
  3. Legal Obligation
  4. Vital interests
  5. Public task
  6. Legitimate interests

GDPR: Definition of Consent

• “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she [sic], by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
• Key Elements of Consent:
  • Freely Given: Must be a real choice with no negative consequences for refusal or withdrawal.
  • Specific: Consent applies only to the stated purposes and cannot be extended beyond them.
  • Informed: Clear, accessible information must be provided; complex legal jargon invalidates consent.
  • Unambiguous: Requires a clear affirmative action (e.g., ticking a box, clicking “agree”).

Challenges of Relying on Consent in Digital Health Projects

• There are challenges in relying on consent in digital health projects.

Informed Consent

• What if they do not consent?
• What choice do they have?

Ethical Considerations

• Patient Autonomy & Informed Consent
• Confidentiality & Trust
• Risk of Harm & Discrimination
• Equity & Justice
• Data Exploitation
• Bias in data and algorithms
• Balancing Privacy and Innovation

Review Data Security and Data Privacy

• Get Safe Online: https://www.getsafeonline.org/

Summary

• Defined key terms incl. Data Privacy, Data Security and Data Protection
• Described the characteristics of personal data
• Recalled key components of regulations governing with data protection

References

• Agarwal, A., & Agarwal, A. (2011). The security risks associated with cloud computing. International Journal of Computer Applications in Engineering Sciences, 1(Special Issue on), 257-259.
• ICO (Information Commissioner’s Office) (2017). Big data, artificial intelligence, machine learning and data protection (V2.2; Data Protection Act and General Data Protection Regulation, p. 113). ICO. https://ico.org.uk/media/for-organisations/documents/2013559/big-data-ai-ml-and-data-protection.pdf
• ICO (n.d.a). Introduction to DPA 2018. https://ico.org.uk/for-organisations/guide-to-data-protection/introduction-to-dpa-2018/some-basic-concepts/#4
• ICO (n.d.b). Guide to the General Data Protection Regulation (GDPR). https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
• ICO (n.d.c). What are identifiers and related factors? https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-are-identifiers-and-related-factors
• ICO (n.d.d). Security. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/
• Koops, B.-J., Newell, B. C., Timan, T., Skorvanek, I., Chokrevski, T., & Galic, M. (2016). A typology of privacy. U. Pa. J. Int’l L., 38, 483–575. Source Credits
• All images sourced from Microsoft, ChatGPT or Unsplash.com
• Content acknowledgement: With thanks to Dr Jodie Croxall