As health systems increasingly rely on data to tackle chronic diseases, balancing privacy with innovation remains a critical challenge. In our discussion, Charles Alessi highlights the need to find a “least worst” solution in maintaining privacy and enabling innovative use of health data, consistently adopted across EU member states.
As healthcare systems increasingly prioritize data-driven solutions to address chronic and preventable conditions, there is a growing tension between innovation and data privacy. We recently caught up with Charles Alessi — medical doctor, author, and polymath thought leader in health policy and digital adoption — where this tension was a central theme.
The challenge of GDPR and privacy legislation
In the European Union, the General Data Protection Regulation (GDPR) represents a landmark in protecting citizen privacy and autonomy. “Let’s be frank, GDPR is probably the best thing to happen to a citizen,” with regards to data privacy, says Alessi. “Let’s get that out of the way. But because interpretation of GDPR is so variable, it’s potentially an impediment, “ continues Alessi. He explains that if the custodians of data security protect a citizen’s data to such a “degree of absurdity” that it shuts the data up in a time capsule, this effectively eliminates the ability for innovation and policy research to improve health outcomes for this and all citizens.
“The opposite stance as a guardian of data is to take an attitude of ‘Let’s not worry about privacy and just give it all up’, in which case I’m failing you. Now the judgement is to find the place which is the least worst between these two viewpoints,” says Alessi.
“This is going to be difficult, sensitive work, but in my personal view it’s important to find the least worst solution and actually achieve that consistently among member states.”
– Charles Alessi, Chief Clinical Officer, editohealth
The “least worst” approach and the challenge of anonymization
Alessi’s conceptualization of the “least worst” solution illuminates the challenge inherent in data anonymization: how can we remove, as much as possible, the possibility of identifying an individual in a dataset without removing the usefulness of the dataset as a whole?
Legacy anonymization technologies often manipulate the data in such a way that while reidentification risk in the data is low, the most interesting or useful aspects of the data are wholly removed— a solution far from the “least worst” and veering much closer to the “worst”. Yet there are millions of different ways to manipulate a particular dataset such that the risk of reidentifying an individual is very low, and one of these million solutions is bound to be able to retain the features of the data overall that are interesting and useful for secondary data use.
VEIL.AI’s next-generation anonymization technology utilizes artificial intelligence to find that needle in a haystack, minimizing the reidentification risk in the data while retaining the aspects of the data that can be used to inform health policy and for research and innovation to improve health outcomes.
In our discussion, Alessi pointed out that the goal of completely eliminating reidentification risk is aspirational — “Nirvana,” as he put it. Instead, the focus should be on quantifying and reducing this risk to an acceptable level. Which leads to another major barrier for secondary health data use in Europe: the lack of consistent definitions of “sufficient anonymization” between countries that adopted GDPR.
“The opposite stance as a guardian of data is to take an attitude of ‘Let’s not worry about privacy and just give it all up’, in which case I’m failing you. Now the judgement is to find the place which is the least worst between these two viewpoints,”
– Charles Alessi, Chief Clinical Officer, editohealth
Anonymization standards, GDPR, and the European Health Data Space (EHDS)
While GDPR legislation assures that privacy legislation does not apply to anonymized data, the legislation itself does not specifically define what constitutes “sufficient” anonymization. As Alessi pointed out, the only way to truly secure data is to store it safely in an impenetrable, inaccessible location like a “time capsule”— or to delete it entirely. Anything less than these extreme measures mean that data about a person has some probability of reidentification, even if that chance is infinitesimally small.
This has led to varied interpretations of GDPR in technical terms, with different definitions of ‘sufficient’ anonymization among EU member states. In terms of harmonization and cross-border data sharing, this situation is obviously not ideal.
One vehicle for the harmonization of GDPR interpretation across member states may be the recently approved European Health Data Space (EHDS), which is a set of laws and regulations meant to ensure the secure and seamless flow of health data across borders for primary health care (treating patients) and for secondary use like research and innovation. “This is really important,” states Alessi, explaining that EHDS enables the potential to develop a common model for the “least worst” solution for anonymization and consistent standards for sufficient anonymization. “This is going to be difficult, sensitive work,” states Alessi, “but in my personal view it’s important to find the least worst solution and actually achieve that consistently among member states.”
A path forward: Next-generation anonymization
Implementation of EHDS will likely involve the establishment or adaptation of an existing national data authority, which manages the secure and compliant access to health data for secondary use in each member state. Such a national data authority already exists in Finland, the Finnish Social and Health Data Permit Authority (Findata), representing a single entry point and permit issuer for secondary data use in the country.
Finland has, to date, five years of experience with legislation for the secondary use of health data, including with the national data authority Findata. This Finnish model can be thought of as a reference point and benchmark for secondary data use in Europe within the EHDS framework— in fact, the planning for this in the TEHDAS and TEHDAS2 projects has been spearheaded by the Finnish Innovation Fund SITRA.
VEIL.AI has a unique position in this implementation, with five years of experience in the most advanced GDPR health data regulatory environment in Europe. VEIL.AI’s next-generation anonymization technology can produce anonymous data in line with the most strict interpretation of GDPR, while simultaneously retaining data quality and utility. These benefits have been shown in a peer-reviewed published case study with Bayer AG. In this case study we showed that anonymized Finnish health data performed just as well in analysis as the traditional pseudonymized data in analyses by Bayer researchers. The anonymization of the data was also approved by Findata, allowing transfer of the data from Findata’s secure operating environment to an external secure operating environment in another European country.
To learn more about how VEIL.AI can support your organization in maximizing data utility while ensuring compliance, contact us today.
