Cutting through the noise around the General Data Protection Regulation (GDPR) comes MyLife Digital, whose technology platform, Consentric, helps healthcare organisations and suppliers manage data protection compliance in the most effective way possible. UKCloud Health talked to its Co-founder and Chief Commercial Officer J Cromack about citizen-centric data protection and the impact of GDPR on the NHS.
MyLife Digital was set up in late 2014 with a mission to rebalance the control of personal data between the organisation and the citizen. J Cromack, together with four other founders, including Jeffrey Thomas (UKCloud Health’s chairman), saw that one of the challenges around personal data was that it was all in the hands of the organisations. At the time, before GDPR, most felt they owned the data.
Now that is starting to change, as GDPR is forcing companies to be more respectful of the personal data they hold.
However, the company’s vision is to achieve something much greater than GDPR. “We want to see individuals being empowered to control their personal data, and give organisations the tools to be transparent and accountable,” says Cromack.
MyLife Digital is working across multiple sectors to achieve that vision with its Consentric data protection platform. Healthcare is one.
How health and care organisations can deal with GDPR
Under GDPR, organisations need to have one of six lawful bases for processing personal data. For health and care organisations, collecting and using data in the public interest is one such basis, especially when the data is required for direct care. When the data is required to be used by commissioners, the lawful basis for data processing could be compliance with a legal obligation.
Consent is another lawful basis, but one which requires extensive details of how the data will be used, processed and the like. It is a basis which is not recommended for all.
“The challenge is to manage the matrix of permissions to individuals and clinicians capturing data,” says Cromack, “and give clear statements around that consent or other lawful basis for processing the data.”
On top of this complexity comes the need for detailed records of processing activity, and the rights and freedoms of the data subject. For example, people have the right to object to their data being used in certain ways, such as for profiling and risk stratification.
“Our platform provides all of those controls that are required to manage issues such as objection handling to these certain activities,” says Cromack. Consentric is a tool that organisations can use to record the lawful basis for processing and empower the patient to better control and understand the management of their data including Subject Access Requests.
Who is the platform for?
Consentric works at enterprise level, and also with smaller application developers and other healthcare innovators via an open API, for whom data protection compliance will be critical.
One such customer is Diabetes Digital Coach, an NHS IoT test bed project funded by Innovate UK and led by the West of England Academic Health Science Network. This online service provides care and lifestyle information for patients, and the consortium behind it have chosen to use a combination of consent and public interest as the lawful basis for processing data.
“Where you are using consent, you have to demonstrate when and where you got consent from, what information was given when the data was captured, who is receiving the data, and the purpose for use of the data. You have to capture consent for each purpose. We can demonstrate how and where consent was given, for what purpose, and the information provided at the time through Consentric,” said Cromack.
This is one small part of Consentric, which integrates with systems across one or many organisations to give a single point of reference to support data protection compliance. It does this alongside a suite of tools and processes that gives its customers ‘GDPR by design’. For example, it will force the organisation to question the lawful basis being used to process the data and the need for privacy impact assessments for processes that will be using special categories of data (sensitive data).
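The requirements Cromack lists (when and where consent was given, what information was shown at the time, who receives the data, and a separate consent for each purpose), together with the lawful bases and the right to object described earlier, translate naturally into a purpose-bound consent register. The Python below is an added example written for this article, not Consentric's code or API; the purpose names, the mapping from purpose to lawful basis and the two patients are constructed for illustration.

```python
"""Purpose-bound consent register: added example, not Consentric code."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# The three lawful bases the article names. Which basis covers which purpose
# is a constructed mapping for this example; a real deployment records its own.
CONSENT, PUBLIC_INTEREST, LEGAL_OBLIGATION = "consent", "public_interest", "legal_obligation"
PURPOSE_BASIS: Dict[str, str] = {
    "direct_care": PUBLIC_INTEREST,
    "commissioning_report": LEGAL_OBLIGATION,
    "risk_stratification": PUBLIC_INTEREST,   # the article's example of an objectionable use
    "lifestyle_coaching": CONSENT,
}


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision: the 'when, where, what was shown, who receives' evidence."""
    subject_id: str
    purpose: str
    action: str                  # "granted" or "withdrawn"
    at: datetime
    channel: str                 # where consent was captured, e.g. "app-onboarding"
    notice_version: str          # identifies the information shown at capture time
    recipients: Tuple[str, ...]  # who receives the data for this purpose


@dataclass(frozen=True)
class ObjectionEvent:
    """A data subject's objection to a public-interest purpose such as profiling."""
    subject_id: str
    purpose: str
    at: datetime


class ConsentRegister:
    """Append-only log: nothing is deleted, so the history itself is the audit evidence."""

    def __init__(self) -> None:
        self._consents: List[ConsentEvent] = []
        self._objections: List[ObjectionEvent] = []

    def grant(self, subject_id: str, purpose: str, at: datetime, channel: str,
              notice_version: str, recipients: Tuple[str, ...]) -> None:
        if PURPOSE_BASIS.get(purpose) != CONSENT:
            raise ValueError(f"{purpose!r} is not processed on the basis of consent")
        self._consents.append(ConsentEvent(subject_id, purpose, "granted", at,
                                           channel, notice_version, recipients))

    def withdraw(self, subject_id: str, purpose: str, at: datetime, channel: str) -> None:
        # Withdrawal is a new event; the original grant stays on record.
        self._consents.append(ConsentEvent(subject_id, purpose, "withdrawn", at,
                                           channel, "n/a", ()))

    def object_to(self, subject_id: str, purpose: str, at: datetime) -> None:
        self._objections.append(ObjectionEvent(subject_id, purpose, at))

    def _latest_consent(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        matching = [c for c in self._consents
                    if c.subject_id == subject_id and c.purpose == purpose]
        return max(matching, key=lambda c: c.at) if matching else None

    def may_process(self, subject_id: str, purpose: str) -> Tuple[bool, str]:
        """Decide whether processing for one purpose is permitted now, and say why."""
        basis = PURPOSE_BASIS.get(purpose)
        if basis is None:
            return False, "no lawful basis recorded for this purpose"
        if basis == LEGAL_OBLIGATION:
            return True, "legal obligation"
        if basis == PUBLIC_INTEREST:
            if any(o.subject_id == subject_id and o.purpose == purpose for o in self._objections):
                return False, "data subject has objected"
            return True, "public interest"
        latest = self._latest_consent(subject_id, purpose)
        if latest is None:
            return False, "no consent captured for this purpose"
        if latest.action == "withdrawn":
            return False, f"consent withdrawn at {latest.at.isoformat()}"
        return True, (f"consent granted via {latest.channel} under notice "
                      f"{latest.notice_version} for {', '.join(latest.recipients)}")

    def evidence(self, subject_id: str) -> List[dict]:
        """Everything held about one person, time-ordered: raw material for a subject access request."""
        events = [c for c in self._consents if c.subject_id == subject_id] + \
                 [o for o in self._objections if o.subject_id == subject_id]
        return [asdict(e) for e in sorted(events, key=lambda e: e.at)]


def build_demo_register() -> ConsentRegister:
    """Constructed sample data for two fictional patients."""
    reg = ConsentRegister()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    reg.grant("p-001", "lifestyle_coaching", t0, "app-onboarding", "notice-v3", ("coaching-service",))
    reg.object_to("p-001", "risk_stratification", t0.replace(hour=10))
    reg.grant("p-002", "lifestyle_coaching", t0.replace(hour=11), "web-form", "notice-v3", ("coaching-service",))
    reg.withdraw("p-002", "lifestyle_coaching", t0.replace(hour=12), "helpdesk-call")
    return reg


if __name__ == "__main__":
    reg = build_demo_register()
    for sid, purpose in [("p-001", "lifestyle_coaching"), ("p-001", "risk_stratification"),
                         ("p-002", "lifestyle_coaching"), ("p-001", "commissioning_report")]:
        print(sid, purpose, reg.may_process(sid, purpose))
    print(len(reg.evidence("p-002")), "events held about p-002")
```

Two design points carry the weight here. The register only ever appends, so a withdrawal or objection does not erase the earlier grant and the register can answer "what did we hold, and when" for a subject access request. And `may_process` is keyed on a single purpose: consent for lifestyle coaching says nothing about risk stratification, which is decided on its own basis and its own objection record.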
The company is developing citizen ‘strongboxes’ that provide a single source of personal data that citizens can control, and which could help defuse a potential data protection time bomb for healthcare under GDPR and handle data portability requests.
Individuals will have the right to free access to data held on them, through what are known as subject access requests (SARs). Until now, this has been something for which healthcare providers such as GPs could charge. Under GDPR, there will be no charge.
Cromack explains: “This could be a massive burden to the NHS if people demand access to their medical records.” Strongboxes would allow for ‘pre-canned’ SARs to address this. “There is a significant innovation opportunity in allowing citizens to access their own data through a strongbox.”
How has working with UKCloud Health helped you?
“UKCloud Health is a UK-based, sovereign, assured platform that gives us great flexibility and cost effectiveness. It enables us to scale according to our growth ambitions,” said Cromack.
Such flexibility is in evidence around the support required for Diabetes Digital Coach. Whilst they are not using UKCloud Health’s access to the NHS N3/HSCN network, Cromack can see that in future this may be required.
“Diabetes Digital Coach is not a referral system, so we are not pulling data out of the network. But when we are looking to expand on the test bed, it will be critical to have the portal integrated and connected to the NHS network. UKCloud Health gives us more ability to scale the platform. I would not be comfortable doing that on any other platform.”
With its strong vision, and with the help of the right technology and partners, MyLife Digital is showing that citizens and organisations can work together to realise the potential of personal data.