BIG DATA AND SECONDARY USES OF DATA: PRACTICAL TIPS TO AVOID PRIVACY PITFALLS AND REGULATORY RISK
16th Annual Compliance and Ethics Institute October 18, 2017 | Caesars Palace | Las Vegas
Corey M. Dennis, CIPP/US Director of Privacy & Counsel
Pharmaceutical Product Development LLC (PPD)
Asra Ali, MS, CHC, CHPC, CIPM Compliance and Risk Manager
Healthscape Advisors
Introduction
• What is “big data”? Modern-day data analytics.
• Data is growing faster than ever before and by the year 2020:
– every person in the world will create ~1.6 MB data per second
– digital universe will grow to 44 zettabytes (44 trillion gigabytes)
– 6.1B+ smartphone users globally
• Cross-Industry Benefits
Sources: Bernard Marr, Big Data: 20 Mind-Boggling Facts Everyone Must Read, Forbes (Sept. 30, 2015), https://www.forbes.com/sites/bernardmarr/2015/09/30/big-data-20-mind-boggling-facts-everyone-must-read; Scott Ferguson, Big Data, Analytics Market To Hit $203 Billion In 2020 (Oct. 4, 2016), http://www.informationweek.com/big-data/big-data-analytics-market-to-hit-$203-billion-in-2020-/d/d-id/1327092.
1. Understand what “big data” means
• Definition:
– Extremely large data sets
– analyzed computationally
– reveal patterns, trends, and associations (esp. relating to human behavior and interactions)
• 5Vs
– Volume
– Velocity
– Veracity
– Variety
– Value
Source: IBM Big Data & Analytics Hub, http://www.ibmbigdatahub.com/infographic/extracting-business-value-4-vs-big-data; see also
Identifying opportunities for ‘big data’ in medicines development and regulatory science, European Medicines Agency (Feb. 2017),
http://www.ema.europa.eu/docs/en_GB/document_library/Report/2017/02/WC500221938.pdf.
2. Understand how big data can be leveraged at your organization
• Big data can reduce US healthcare costs by $300-$450B and improve care
– Secondary use of data facilitates medical research
• White House has invested $200M in big data projects
• Strong link between financial performance and effective use of big data across all industries
– Analytics to improve products/services and improve marketing
– 10% increase in data accessibility = $65M+ in additional income for F1000 companies
• Big data/analytics market to grow from $130B to $203B by 2020
Sources: Big data: Lessons from the leaders, Economist Intelligence Unit (The Economist) (2012),
https://www.sas.com/resources/asset/EIU_SAS_BigData_120822.pdf; see also Marr & Ferguson, infra.
Source: http://www.mckinsey.com/industries/healthcare-systems-and-services/our-insights/the-big-data-revolution-in-us-health-care.
3. Understand applicable legal requirements/best practices
• U.S. privacy laws/enforcement
– Federal: HIPAA, FTC Act, FCRA, anti-discrimination laws
– State: medical privacy, breach notification, information security
• Health Big Data Recommendations (Fed. Advis. Comm. on Health IT Policy)
– address harm/discrimination
– address uneven policy enforcement (e.g., promote FIPPs for data outside HIPAA)
– promote robust de-identification methodologies
Source: http://www.zdnet.com/article/where-are-us-data-breach-laws-toughest-check-this-map.
3. Understand applicable legal requirements/best practices
• FTC data broker report (2014) and enforcement actions
– transparency/consent/choice
– privacy by design
– data minimization/disposal
– avoid discrimination
• Center for Digital Democracy Report on Wearable Devices/Big Data and Privacy/Security (2016)
• FTC Report on the Internet of Things (2015)
3. Understand applicable legal requirements/best practices
• EU data protection principles
– Fair/lawful processing (transparency/consent)
– Purpose limitation
– Adequate/relevant/not excessive
– Accuracy
– Retention (only as long as necessary)
– Subject rights (right of access/correction)
– Appropriate technical/organizational measures
– Not exported unless country ensures adequate level of protection
3. Understand applicable legal requirements/best practices
• EDPS Opinion 7/2015: “Meeting the challenges of big data”
– Transparency
– User control
– Protection by design
– Accountability
• UK ICO report: Big data, artificial intelligence, machine learning and data protection (2017)
– Fairness/transparency
– Consent/legitimate interest
– Purpose limitation
– Information security
– Anonymization
4. Be mindful of the FCRA and discriminatory practices
• FTC Report—Big Data: A Tool for Inclusion or Exclusion? (Jan. 2016)
• FTC Act Section 5 (unfair/deceptive acts)
– consent and privacy misrepresentations
– data security of databases
• FCRA
– applies to consumer reporting agencies (CRAs), credit bureaus, and employment screening companies, but can be broader (e.g., data brokers)
– governs consumer reports used to determine eligibility for credit, employment, insurance, and housing
– example: company makes credit decisions based on consumer’s zip codes, which impacts particular ethnic groups
Source: https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf.
5. Privacy By Design and Privacy Impact Assessments
• Privacy/security embedded proactively when system/practice designed
• Privacy/transparency embedded into all lifecycle stages
• FTC Privacy Report (2012)
– Privacy by design and simplified consumer choice/transparency
• EU General Data Protection Regulation (May 2018)
– Article 25 (Data protection by design and by default)
– Article 35 (Data protection impact assessment)
Source: FTC Issues Final Commission Report on Protecting Consumer Privacy (2012), https://www.ftc.gov/news-events/press-releases/2012/03/ftc-issues-final-commission-report-protecting-consumer-privacy.
6. Anonymize Data
• HIPAA De-identification Standard
– Safe Harbor Method
– Expert Determination Method
• EU anonymization
– Opinion 05/2014 on “Anonymisation Techniques” (WP216)
• NIST Standard
– Suppression
– Averaging
– Generalization
– Perturbation
– Swapping
Source: Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, U.S. Dept. of Health and Human Services (2012), https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf; see also Kelsey Finch, A Visual Guide to Practical Data De-Identification (Future of Privacy Forum), https://fpf.org/2016/04/25/a-visual-guide-to-practical-data-de-identification.
7. Conduct Vendor Diligence
• Review vendors’ practices for compliance with laws and best practices (e.g., consent/notice, security, etc.)
• Conduct security assessment of vendor
• Identify sub-vendors/data sources
• Implement strong contractual language (e.g., reps/warranties on data and data collection)
Source: Big Data Security Risk in the Enterprise: The Pitfalls of Hadoop, ITBusinessEdge, http://www.itbusinessedge.com/slideshows/big-data-security-risk-in-the-enterprise-the-pitfalls-of-hadoop.html.
8. Ensure robust information security
• Anonymization/pseudonymization
• Data minimization
• Access/account controls
• Ensure secure infrastructure
– infrastructure security/secure computations
– granular access controls/audits
– secure data storage/logging
– end-point validation and filtering
• Encryption in transit (and at rest)
• Secure data disposal
Source: Expanded Top Ten Big Data Security and Privacy Challenges, Cloud Security Alliance (April 2013),
https://downloads.cloudsecurityalliance.org/initiatives/bdwg/Expanded_Top_Ten_Big_Data_Security_and_Privacy_Challenges.pdf.
9. Enable International Data Transfers
• U.S.-EU Safe Harbor Framework (2000) declared invalid in October 2015
• Privacy Shield adopted July 2016
• Other legal EU data export mechanisms:
– Model Clauses/Standard Contractual Clauses (“SCCs”)
– Binding Corporate Rules (BCRs)
– Consent (limited circumstances)
Source: http://www.technoid.com.au/2011/12/16/caltech-and-uvic-team-smash-data-transfer-record.
10. Know (and Own) Your IP Rights
• Vendor insists on "owning" data and algorithms that they shouldn't
– new land grab for rights to new or enhanced algorithms
• In data analytics and IoT, information is collected and pulled in many more directions than before and involves more parties
– mapping now must also track the rights and obligations of each involved party
• Derived information should also be addressed (i.e., times and location of use, behavior patterns) and other new purposes