Using Blockchain for Consent and Access to Private and Sensitive Data in the GDPR Environment Gary Leeming, Chief Technology Officer Connected Health Cities, University of Manchester 1
Connected Health Cities Development of digital learning health systems Improved health and wealth for the UK 15 million Social contract with local citizens to use their data (3-5 million)
Learning Health System
What is GDPR? New EU data protection legislation Increases protections and rights for use of citizens data Sensitive data, such as health, has further protections Balanced against research requirements But untested in law so uncertainty remains
Consent, data and research Consent carries different meanings research requires informed consent Consent is not the only model for accessing data in health research Anonymised data not protected but patient level data has risks of re-identification How do we keep citizens informed and involved in use of data?
Blockchain in Health Research Distributed Ledger Technology can be applied to healthcare data sharing agreements to: Remove the need for trusted third parties Ensure auditable trails of data sharing requests and permissions Offer field tested state of the art in privacy and encryption
Consent Use Case Take the underlying technology (Distributed Ledgers) and apply it to a consent model (Research / Secondary use) Allow patients fine-grained control / view of who can use their data and for what purpose Technical solution consent model is adaptable
Design Aims Allow patients fine-grained control / view of who can use their data and for what purpose (Completely) Distributed / Decentralised Secure Anonymous / Strongly identifiable Robust Provable transactions / transparent auditing For recording of consent not management of data
Design and Implementation Test version implemented on private Ethereum ledger Ethereum selected because of ability to easily implement contracts
Research Organisations propose topics of research and Participants grant permission for Data Custodians to release their data for that particular use Three classes of user
Research Organisation Post research requests ( Proposals ) Run blockchain nodes Use inbuilt gas mechanism for participation impetus Submit off-chain data request with proposal signature Publish / push research results
Data Owner Data Custodian Manage access to patient data Act on behalf of participant (contractually) Grant publication of research requests to Research Organisations Revoke research requests
Participant View proposals View outcomes Set Preferences General (Allow, Consent, Deny) Proposal Type (Grant, Consent, Deny) Pharma, Public, Gov, NHS, Insurance etc Proposal (Grant, Deny)
Future Development Reimbursement for use of data Management of data assets and compute Reproducibility Integration with other Ethereum applications, e.g. UPort
Contact Details gary.leeming@manchester.ac.uk @grazulis With thanks to Prof. John Ainsworth and Dr James Cunningham Cunningham, J, Leeming, G, Ainsworth, J Computable Information Governance Contracts, January 2017, Studies in health technology and informatics 235:476-480, DOI: 10.3233/978-1-61499-753-5-476 Cunningham, J, Ainsworth, J Enabling Patient Control of Personal Electronic Health Records Through Distributed Ledger Technology, January 2017, Studies in health technology and informatics 245:45-48