Cutting through the noise around the General Data Protection Regulation (GDPR) comes MyLifeDigital, whose technology platform helps healthcare organisations and suppliers manage data protection compliance in the most effective way possible. UKCloud Health talked to its CEO J Cromack about citizen-centric data protection and the impact of GDPR on the NHS.
MyLifeDigital was set up in late 2014 with a mission to rebalance the control of personal data between the organisation and the citizen. CEO J Cromack and co-founder Jeffrey Thomas (UKCloud Health’s chairman) saw that one of the challenges around personal data was that it was all in the hands of the organisations. At the time, before GDPR, most felt they owned the data.
Now that is starting to change, as GDPR is forcing companies to be more respectful of the personal data they hold.
However, the company’s vision is to achieve something much greater than GDPR. “We want to see individuals being empowered to share their data with who they want, and give organisations the tools to be transparent and accountable,” says Cromack.
MyLifeDigital is working across multiple sectors to achieve that vision with its Consentric data protection platform. Healthcare is one.
How health and care organisations can deal with GDPR
Under GDPR, organisations need to have one of six lawful bases for processing personal data. For health and care organisations, processing that is necessary for a task carried out in the public interest is one such basis, especially when the data is required for direct care. When the data is needed by commissioners, the lawful basis could instead be compliance with a legal obligation. Health data is also a special category of personal data, so a separate condition for processing it must be met in addition to the lawful basis.
Consent is another lawful basis, but one that requires the individual to be given detailed information about how the data will be used and processed, and that they can withdraw at any time. It is not the recommended basis for every purpose.
“The challenge is to manage the matrix of permissions to individuals and clinicians capturing data,” says Cromack, “and give clear statements around that consent.”
On top of this complexity comes the need for detailed records of processing activity, and the rights and freedoms of the data subject. For example, people have the right to object to their data being used in certain ways, such as for profiling and risk stratification.
“Our platform provides all of those controls that would be required to manage issues such as objection handling,” says Cromack. Consentric is also a tool that organisations can use to record lawful bases for processing and manage many of the associated requirements of GDPR, such as legitimate interest assessments.
Who is the platform for?
Consentric works at enterprise level, and also with smaller application developers and other healthcare innovators, for whom data protection compliance will be critical.
One such customer is Diabetes Digital Coach, a test bed project led by the West of England Academic Health Science Network. This online service provides care and lifestyle information for patients, and the consortium behind it has chosen to use consent as the lawful basis for processing data.
“Where you are using consent, you have to demonstrate where you have got consent from, what information was given when the data was captured, who is receiving the data, and the purpose for use of data. You have to capture consent for each process. We can demonstrate how and where consent was given, for what, and the information provided at the time through Consentric,” said Cromack.
This is one small part of Consentric, which integrates with systems across the organisation to give a single point of reference for data protection compliance. It does this alongside a suite of tools and processes that gives its customers ‘GDPR by design’. For example, it will force the completion of privacy impact assessments for applications that will be using special categories of data (what used to be known as sensitive data).
The company is also looking to provide citizen ‘strongboxes’ that provide a single source of personal data that citizens can control, and which could help defuse a potential data protection time bomb for healthcare under GDPR.
Individuals will have the right to access the data held on them free of charge, through what are known as subject access requests (SARs). Until now, this has been something for which healthcare providers such as GPs could charge. Under GDPR there is normally no charge; a reasonable fee can only be charged where a request is manifestly unfounded, excessive or repeated. A related right, data portability, means organisations should also be able to pass the personal data an individual has provided to another organisation of the citizen's choice.
Cromack explains: “This could be a massive burden to the NHS if people demand access to their medical records.” Strongboxes would allow for ‘pre-canned’ SARs to address this. “The innovation involved in allowing citizens to access their own data, through a strongbox, could be significant.”
How has working with UKCloud Health helped you?
“UKCloud Health is a UK-based, sovereign, assured platform that gives us great flexibility and cost effectiveness. It enables us to scale according to our growth ambitions,” said Cromack.
Such flexibility is in evidence in the support required for Diabetes Digital Coach. Whilst the project is not currently using UKCloud Health’s connectivity to the NHS N3/HSCN network, Cromack can see that this may be required in future.
“Diabetes Digital Coach is not a referral system, so we are not pulling data out of the network. But when we are looking to expand on the test bed, it would make more sense if we could have the portal integrated and connected to the NHS network. UKCloud Health gives us more ability to scale the platform. I would not be comfortable doing that on any other platform.”
With its strong vision, and with the help of the right technology and partners, MyLifeDigital is showing that citizens and organisations can work together to realise the potential of personal data.