Draft:Health Data Sovereignty

Health data sovereignty is a concept about the management, ownership and governance of data in a health context. It encompasses aspects of health management, equity, rights, and technology.

What is 'Health'?
The World Health Organisation (WHO) defines health as “a state of complete physical, mental, and social well-being and not merely the absence of disease or infirmity”. .  This definition has since been the subject of criticism since its inception in 1946  but is acknowledged as a foundation for building new ways of thinking about health, considering different models for medical, wellness, and environmental viewpoints.

Data: not just technology
In the context of health data sovereignty, “data” is information about the people's health. This data may be stored in written form in a hard-copy file at a health centre, hospital, or other institution (e.g., school, prison); it may be specific physical measurements of a person stored in a digitised format as part of an electronic health record (e.g., height, HbA1c levels); or it could be the collective knowledge about a group of people held by an authority (e.g., a parents recall of all their children’s pertussis vaccination status, a community leaders understanding of the proportion of people in their community who have unmet health needs, historical information about a group coded as traditional song). The concept of data in general is wide and varied so it is useful to consider a formal definition in a health context, one such definition is provided in para. 35 of the General Data Protection Regulation (GDPR) of the European Union (EU):"“Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.”"

Sovereignty: ownership and self-determination
Sovereignty as it relates to data is the right that people have to exercise control over information about themselves. This includes ownership, how health data is managed and stored, what it is used for, who has access to it, and how long it is retained. Having sovereignty over health data includes the power to determine how relevant standards and protocols are defined and applied to management of the data.

Within a global context, data sovereignty can be understood as data being subject to the laws of the country or nation where it is stored. However, there may be different perspectives in how data sovereignty is understood, for example, legal frameworks versus rights.

Early history of health data
Health data has been recorded physically for thousands of years. The first known health records are Egyptian medical teaching documents dated around 1500-1700 BC. Early health records were didactic in form, describing pathology and intended for teaching rather than as a record of treatment. Unsystematic recording practice continued with little standardisation until the early eighteenth century when didactic medical records in Europe, following the work of Linnaeus to name and classify organisms, shifted to physician written documents describing the patient as a whole along with their symptoms, diagnoses, treatments, and social setting. As medical knowledge expanded in the 19th century, the role of hospitals changed across Europe and North America to being centres for treatment, necessitating the keeping of records of not only care, for use by physicians, but admission and discharge information kept for funding and insurance purposes. This increase in record volume resulted in the creation in the 1850s of the first medical records databases in London and Ontario to improve data storage and access.

The early 1900s saw binding and centralising of records along with legislation about the management and storage of records, primarily for insurance and quality improvement use. The 1940s gave rise to rules around paper based records, which became the forerunner of those used with computerised health records.

Electronic patient records
By the early 1970s electronic patient records were entering the health workplace in both the UK and USA, and health professionals had begun to adopt the free sharing of data with health consumers. In the late 2000s the use of electronic health data was widespread in Western nations, although uptake in developing nations lagged due to infrastructure, governance, and technological issues. By 2011 over 50% of European and US physicians reported having an electronic health record, by 2016 this number was over 70%. The increased use of electronic health data resulted in the need for digital storage and increased ease of access for health professionals, researchers, and health users alike. Electronic health data records collections now contain quantitative, qualitative, and transactional data and are held in fragmented multiple systems, primarily at the point of care, dictated by the purpose of the collection, and by the nature of the organisation collecting the data.

The development of the Web and the internet enabled wider health data sharing. Early forms of health data (e.g., hard copy records, acetate X-rays, cine-films, etc.) had limited access hampered by geography and single-user access constraints, whereas digital forms of health data allowed access across geographic borders, with data being accessible by multiple users simultaneously. This increased accessibility has necessitated regulation and legislation to define who has sovereignty over health data at a national, provider, and individual levels.

General data sovereignty issues entered mainsteam public consciousness following global surveillance disclosures. Since then sovereignty has generally been considered at the nation-state level, in contrast to the increasing discussion of Indigenous Data Sovereignty, which acknowledges traditional indigenous nations alongside the concepts of personal and collective sovereignty. Health data sovereignty shares principles of Indigenous and general sovereignty, considering where data is stored, which entities manage the data, and how health consumers can interact with and have effective ownership (if not actual control) of their information.

Indigenous data sovereignty
Indigenous Data Sovereignty aligns to ‘data sovereignty’ but extends to include the social structures of Indigenous peoples. It speaks to the rights of Indigenous peoples to make decisions about the design, collection, ownership, governance, interpretation and use of data about Indigenous peoples, their ways of life, lands and resources. This includes agency over how Indigenous health data is collected, stored, used and accessed. Indigenous Data Sovereignty is a movement that emerged from frustrations with poor data practices where non-Indigenous users of data purported to be unbiased and have the authority to speak to Indigenous realities. Indigenous peoples have a history of being subjected to data production aligned to colonial objectives, but Indigenous peoples have their own histories and traditions of collecting and protecting data that existed pre-European colonisation.

The United Nations Declaration on the Rights of Indigenous Peoples (UNDRIP) is an international human rights document setting out minimum standards and rights of Indigenous people around the world, including the affirmation of rights in treaties and other agreements with different States. Articles 3, 4 and 5 speak to the rights of Indigenous peoples to self-determination. Article 31 acknowledges rights of Indigenous peoples to “maintain, control, protect and develop their cultural heritage, traditional knowledge and traditional cultural expressions, as well as the manifestations of their sciences, technologies and cultures” (p. 22). Many of the articles in the declaration can be applied to Indigenous data, and as such support Indigenous data sovereignty. Another Indigenous rights instrument that predates UNDRIP is the Mataatua Declaration on Cultural and Intellectual Property Rights of Indigenous Peoples that provides recommendations to Indigenous peoples and member States of the United Nations that align with data sovereignty.

Aotearoa New Zealand: Māori data sovereignty
Māori are the Indigenous people of Aotearoa New Zealand. Te Mana Raraunga, the Māori Data Sovereignty Network, defines Māori Data Sovereignty as “the inherent rights and interests that Māori have in relation to the collection, ownership, and application of Māori data”. Māori Data Sovereignty principles have been defined by Te Mana Raraunga. Within an Aotearoa New Zealand health context, He Korowai Oranga lays out a Māori health strategy to guide the government and disability sector “to achieve the best health outcomes for Māori” in New Zealand. It is implemented through a Māori health action plan that includes the development and implementation of a Māori data sovereignty approach in partnership with Māori. For example, the New Zealand Government through a number of its agencies has partnered with the Data Iwi Leaders Group to provide an avenue for Māori individuals to link their iwi affiliations with their National Health Index number to improve and inform “datasets about iwi, for iwi”.

Australia: Aboriginal and Torres Strait Islander data sovereignty
In Australia, the Maiam nayri Wingara principles assert the rights of Aboriginal and Torres Strait Islander peoples to access, control, collection, analysis, stewardship and dissemination of data in ways that are meaningful and relevant that enhance self-governance and self-determination, and the right to not participate in processes deemed to be inconsistent with these principles.

Canada: First Nations data sovereignty principles
Indigenous data sovereignty concerns were initially voiced by Canadian First Nations communities in 1995 in relation to rights over health survey data collected by the government in First Nations communities. This led to the development of a model known as OCAP® that has been built on First Nations principles of ownership, control, access and possession.

Technology
Changes in technology both enable and complicate health data sovereignty.

Consumer access
Consumer devices, including smartphones and wearable devices such as Fitbits or Apple Watches, have increased the immediacy and volume of health information and consumer expectations of access to, and control over, health data. Health information storage and sharing models through Apple Health and others have opened up possibilities for more granular information sharing between consumers, and expectations for direct access to health information. The development of patient portals linked to healthcare providers has also increased direct consumer access to information about their care.

Cloud computing
Modern computing loads, including health systems, have increasingly moved towards the cloud during the 21st century. Many of these services are run by multi-national companies with servers in multiple locations. Due to this, it is increasingly difficult to determine which jurisdictions specific data is held in or transferred through. This is a complicating factor for national sovereignty over data.

Distributed ledgers
Blockchain technology offers some options for decentralising how data is stored. Such distributed ledger technology can be designed with rules that specify how an authority (e.g. tribal leadership) deems how Private- and/or Consortium-blockchains should be managed. Depending on how a blockchain is designed and built, users could also have the option to control who their health data is shared with and monetise it by allowing researchers access for specific purposes.

Impacts on provision of care
Individual health data sovereignty enables data to follow the patient, and to be shared with their consent; it also enables self-care and community care. A decentralised model of health data sovereignty also enables communities to have the data to support their own health needs.

This model of individual and community data ownership can clash with efforts to improve data availability for clinicians. Findable, accessible, interoperable, reusable (FAIR) data principles have been criticised for separating the use of data from the individuals and communities that they are about.

Legal implications
The legal aspects of data sovereignty in healthcare vary from country to country, although there are similarities. Data covered by this includes individuals' personal health information, such as electronic health records, test or intervention results, and genetic data. When personal health information is shared or transferred, there is ambiguity regarding consent practices in different jurisdictions at the point where the data is created, such as hospitals or healthcare centres. This means that patients may or may not have consented to share their health data. Appropriate regulations and practices can ensure that the privacy and sovereignty of health data are protected and that people have control over sharing their health information.

Legislation around health data sovereignty is directed by different national approaches. Examples of this are the 2016 GDPR legislation enacted by the European Union, which gives citizens the right to be forgotten, and to control what data is collected and how it is used. A different approach is that of the 1996 HIPAA and 2009 HITECH legislation enacted by the USA, which has a strong privacy focus but allows the individual little say over how data is governed and used following collection. Debate continues around the ownership of privately collected health data however nationally collected data is usually covered by digital and privacy legislation.

Research and monetisation
National, Indigenous, and individual sovereignty over health data introduces complexities for centralised or commercial biomedical and public health research. It also opens up opportunities for individuals and communities to participate more actively and benefit more directly from research, including through monetisation.

Data monetisation is the process of using data to obtain an economic benefit. Organisations can monetise their data by providing data access to third parties, (direct monetisation), or by using analytics to derive insights from data to improve internal processes, products, and services (indirect monetisation). The monetisation of health data means obtaining economic value from health-related information. Health data, including electronic health records, genetics, biometric measurements and lifestyle information, can provide valuable insights to stakeholders such as researchers, medical providers, pharmaceutical companies and technology companies.

Companies can use health data to identify promising targets for drug research or evaluate the efficacy and safety of new treatments, e.g., Geisinger Health System's Data-Driven Medicine Initiative. Geisinger partnered with Regeneron Pharmaceuticals to sequence its patients' DNA and use the genetic data to identify individuals who could participate in clinical trials of new drugs. In this example, strict privacy and informed consent controls were implemented to ensure data sovereignty and protect patient privacy.

Setting up platforms for data as a service, selling data for performance benchmarking, and developing specialised solutions through partnerships are other innovative ways of monetising healthcare data. These strategies have the potential to revolutionise the healthcare industry by improving patient care, reducing costs and facilitating the development of innovative drugs and therapies that would benefit many people.

Data sovereignty and monetisation are interconnected concepts in the digital environment. Data sovereignty empowers individuals and organisations to have control over their data, while data monetisation enables economic value generation from data assets. Monetising data offers opportunities for research, innovation, and improved services. However, it must be carried out responsibly to respect legal regulations and ethical principles, protect privacy, ensure transparency, and promote trust among individuals and organisations, which is the aim of data sovereignty.

Economic
The effective storage and management of health data (both physical and digital) relies on the presence of stable infrastructure. Where there is a deficit in the provision of basic human needs or instability in governance and political systems, health data sovereignty may not be practical, achievable, and a priority for citizens, health providers, and government agencies. Where a nation does not prioritise spending on health digital technologies, progressing the objectives of health data sovereignty is unlikely to be achieved. Additionally, the storage and management of digital health data may present unsustainable economic costs over time due to expanding data volumes. In mid-2020 it was estimated that the quantity of global health data storage was approximately 2,300 exabytes, with volumes growing at 48% annually.

Technology
Fragmented and non-uniform collection of health data into disparate non-interoperable technologies impedes availability, access and assertions over health data, limiting the enacting of health data sovereignty principles. Greater health data access has resulted in challenges balancing rights over health data sovereignty with security requirements. The digitising of health data and rapid expansion of internet connected devices accessing this data has increased the attack surface, allowing exploitation by bad cyberactors. Healthcare data cyberattacks in the USA cost USD$21 billion in 2020, with healthcare data breaches in the USA doubling between 2019 and 2022.

Political
Political systems dictate how health data sovereignty is prioritised and enacted. Health data is recognised by governments as an asset that can be shared or withheld in response to political ideation or global politics. Governing bodies may not provide citizens with rights to health data access or may act against health data sovereignty for certain population groups.

Future
Health Data Sovereignty intersects with several domains, most notably digital technology. Efforts are either planned or underway to create nationally-accessible electronic health records. Enabling access to digital sources for health data opens up possibilities for research and monetisation. Recent legislative moves and regulations such as the GDPR (EU), HIPAA (US), and HIPC (NZ) attempt to provide some level of consumer protection although these are not always successful in preventing the use of big data for commercial benefits

Widespread digitisation has led to understanding health consumers as “sovereign patients” who wish to be involved in decisions about how their health information is used. Future developments in Health Data Sovereignty are likely to include further app-based developments to increasingly enable people to view information on mobile devices, based on extensible technology standards and specialised health communication protocols, including Fast Healthcare Interoperability Resources (FHIR) and GDPR-compliant tools to record informed consent.

The related field of Indigenous Data Sovereignty will likely lead to opportunities for self-determination that align with values of Indigenous peoples and frameworks that support diverse views of health data. Such views are especially important for all population groups who have been researched without the ability to control how data about them has subsequently been used.