Serious Privacy

The Healthiest Data Show on Earth (with Irith Kist)

Dr. K Royal, Paul Breitbarth, Irith Kist | Season 5 Episode 16

On this week of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal (our views are our own and do not reflect the views of our employers) connect with Irith Kist, the Data Protection Officer at the Netherlands Cancer Institute, also a member of the Data Protection Advisory Commission of the City of Amsterdam. However, she is also a health data researcher herself, and on the 5th of June, she will defend her dissertation at Leiden University called A Fair Balance.

This is a topic we love to discuss: health data, and how sharing it is important for the advancement of medicine and health treatment. But the disparities in how data is treated globally are not ideal for research purposes.


If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and on Blue Sky under the same - Serious Privacy, EuroPaulB, and HeartofPrivacy - and email podcast@seriousprivacy.eu. Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at https://trustarc.com/nymityai-beta/

Please note this is largely an automated transcript. Please listen to the audio for accuracy.

[00:00:00] Paul Breitbarth: A few weeks ago, we promised you we would spend more time discussing health data, and so we do. Today, we have a guest joining us, Irith Kist. Irith is the Data Protection Officer at the Netherlands Cancer Institute, also a member of the Data Protection Advisory Commission of the City of Amsterdam. However, she is also a health data researcher herself, and on the 5th of June, she will defend her dissertation at Leiden University called A Fair Balance.

Health data protection and the promotion of health data use for clinical and research purposes. And we think that's a great topic to discuss on this week's episode. My name is Paul Breitbarth.

[00:00:49] K Royal: And I'm K Royal and welcome to Serious Privacy. So Irith, as, as you may know, I am very, very excited about this topic being a former nurse, a registered nurse from a long line of nurses. My daughter just graduated as a doctor and I was an oncology and hospice nurse no less.

So I was really excited to have you on here. Something I feel very strongly about. But before we get there, we have the unexpected question. To be fair people, this was the second question I read when I opened up a list of questions, but it's perfect. 

[00:01:20] Paul Breitbarth: Oh, 

[00:01:22] K Royal: What sport would you compete in if you were in the Olympics?

[00:01:27] Irith Kist: Oh either track or gymnastics. I'm a, I'm a marathon runner and I used to be in gymnastics before I switched to marathon running. And before that, high school I did the 400 and a 440 a 80 r dash,

[00:01:46] K Royal: oh wow. Okay. That was not a hard question at

[00:01:50] Irith Kist: No, not at all. Not at all. And, and to prepare for my defense, I also ran the half marathon of Leiden. That's where the city where I'm going to defend my thesis. So I thought it would be good to combine my athletic ambitions together with my academic 

[00:02:07] K Royal: Combine your passions.

[00:02:08] Paul Breitbarth: And it was a very warm edition this year, wasn't it?

[00:02:11] Irith Kist: Well, it was warm, but I love to, to run in warm weather. So I was prepared. I did not push it too much. It was perfect for me. Yes. It was a wonderful, wonderful track. Yeah.

[00:02:24] K Royal: Nice. Paul. 

[00:02:26] Paul Breitbarth: you know, I'm not the biggest sportsman on earth understatement.

[00:02:29] K Royal: had to laugh when I came out with this question cause neither he or I.

[00:02:33] Paul Breitbarth: But if I were to compete in the Olympics, it would have to be crew. So very nice. That's the, I, I did a bit of rowing in university, never at any high level, only very friendly competitions. But I really enjoyed it. And it's also the one sport where, if you have never done any crew in your life and you start university and you do your first trainings, you can get to the Olympics in a few years' time. I've seen actually people do it: six years of crew and winning an Olympic medal, just starting at university. It's a sport you can learn very fast, and it's nice because you're outside, you're on the water, it's not always nice weather, it's sometimes really early, but that also makes that, you know, when it's early, early mornings, on the water, sun rising, there's also something romantic about that.

[00:03:25] Irith Kist: Yeah, 

[00:03:26] K Royal: is. That sounds amazing. Y'all make me sit here and wonder what in God's name could I say that I could possibly compete in when I have done zero athlete? I know, right? You know what? I'm going to go with one that's the only activity I was ever very active in, although I never competed, was never on any teams because we were very poor and, you know, the girl wasn't worth it, paying to compete in anything. Swimming. I was an incredibly, incredibly strong swimmer. At three years old, I was swimming the Olympic pool. If I had a pool now and actually enjoyed going out in the heat and getting in the water that's too cold for me, I would still swim.

But I don't, but y'all make me go, maybe I should, 

[00:04:10] Irith Kist: Yeah. You, you might want to do that.

[00:04:13] K Royal: extra poundage here that could benefit from some athleticism here. So there we go. So let's, let's dive 

[00:04:20] Paul Breitbarth: maybe reconsider that pool in the new garden, 

[00:04:23] K Royal: Maybe, 

[00:04:24] Paul Breitbarth: or in the basement,

[00:04:25] K Royal: Maybe, you know, I've always wanted one of the, what do you call it? This swimming pool. It's the one with the, the 

[00:04:34] Paul Breitbarth: the infinite, oh, the one, Oh, where you swim against the, the 

[00:04:38] K Royal: Yeah. So the pool itself is only 12, 12 feet long or whatever, but you swim against the wave of the water moving. The other way that I've seen it done is you still need the same size pool, but rather than the expense of the water moving, you anchor yourself to something off the side of the pool. And that way you're constantly swimming against the thing that's holding you. And that's

[00:04:59] Paul Breitbarth: It would be really healthy, right? To do some swimming. So with that, let's move into health data. 

[00:05:06] K Royal: Yes. There you go. Nice segue there. I love it. I love it. I love it. I love it. So let's move into health data. 

[00:05:11] Paul Breitbarth: Irith, can you, I mean, I just read out the title of your, of your PhD. But can you tell us a bit more, what is it actually about?

[00:05:20] Irith Kist: Yes. What I tried to find in my research is the balance between the data protection of health data on the one hand, and of course, the necessary data sharing for both care and research purposes on the other. When the first day, when I started working here at the Netherlands Cancer Institute, I realized that, of course, health data are sensitive data and need very, very, very thorough protection, but at the same time, cancer research cannot take place without the data sharing.

We at the Netherlands Cancer Institute, or not we, but our wonderful medical teams, they cure cancer types of which, for instance, there's one patient here in Holland, there's one patient in Portugal, one patient in the U.S., one patient in Brazil, and you need to share those data across the globe because of, you know, the, the findings that you could have in data sharing.

[00:06:22] K Royal: Yeah, and the patients want you to. I've never met a patient that's undergoing something that would say, Oh no, don't share my data because I don't want anyone else to benefit from anything that I'm going through, good or bad. Patients always want to share that data because they want others' treatment to be better or progress to be better based

[00:06:44] Irith Kist: Yes, 

[00:06:45] K Royal: learn from their case.

[00:06:46] Irith Kist: exactly. And rarely it does occur when, for instance, people have their, their beliefs, their ethical values, and perfectly fine. If you don't feel comfortable in data sharing, then you know, you're more, more than welcome not to do that. But yes, you're so right. Patients tell us here in interviews.

Yeah. If, if, if my children or grandchildren are, you know, the future generations can benefit from the research carried out on my data, I'm more than happy to contribute. So, and then of course, when I realized that, and after having talked to, to patients and to colleagues here I learned that in the Netherlands we are still facing multiple questions surrounding data sharing.

And also with a general data protection regulation, the GDPR, in Europe, we, we still have a fragmented landscape in data sharing. So, you know, the Netherlands Cancer Institute works closely, let's say with hospitals in Germany, UK, Spain, you name it. And yet the various legal bases that are still used for data sharing in cancer research still vary.

So the data are not shared and research does not start. So that was the second reason. And then of course, the third reason is I started my research in February 2020. So that was in Holland, you know, a couple of weeks prior to the pandemic, the start of the pandemic. And then it became even more important that it was, it was of utmost importance to learn from each other about what, what happens to, to the populations in the world.

Yeah.

[00:08:32] K Royal: Well, and the way treatment worked over COVID was not the way that treatment worked before COVID. did not have the personal support of their loved ones in the hospital with them.

And a lot of doctor visits went to being remote. If they were not in a facility, they went to being remote. That always takes a little bit away from the information you gather as well, because you don't have as much visual input or, or, tertiary input coming from that. But on the other hand, remote visits also meant the doctor, that patients usually saw their doctors more often because maybe they were located in, in a place that was hard to travel to or something like that.

[00:09:13] Irith Kist: Yes. 

[00:09:14] K Royal: that impacted your research at all?

[00:09:16] Irith Kist: I did not focus on that part because that has to do with the, the action, the measures that you actually take in how is the contact between the practitioner and between the patient, in fact. However, what I did write in one of my articles is that the triangle between the care provider, the care recipient, and, in case a person is not able to decide for himself, the formal or informal representative, that triangle is so important because the patient trusts his, his, his doctor or his nurse or the, the, the health practitioners who he visits, he, or she visits. So it's of utmost importance that that triangle of, of, of, of relationships continues to exist and did continue to exist also throughout COVID in Holland.

Of course, and I do advocate the fact that there is a strong favor for just personal informational self-determination, the autonomy of the patient, shared decision making. I, I, I do applaud that. At the same time, I, I do see, I do notice from our patients that there is they want to be informed, however, they not necessarily do want to voice their yes or no themselves. They want to be informed, they want to know what the research institute or the hospital does with his or her data, yet do not want to reach that decision over and over and over again. If he coins if he gives permission for the use of his data or not.

[00:11:05] K Royal: Consent fatigue, 

[00:11:06] Paul Breitbarth: So how do you inform a patient that is, is so much focusing on, on getting better that maybe not all information may land? It's complex, especially when data will be used for further research. How, how should we decide what information to provide and what to explain later or in a different way? I can imagine that's a continuous

[00:11:30] Irith Kist: Yes, if you, one of my recommendations in my research has been that three pillars are important in, in the communication. First, communicate on different levels. Some patients want to be informed and want to use the internet. Some people, some patients still want to have an information leaflet in their hands.

Some patients want to be able to call our information center and some patients want to hear the information from their health practitioner, practitioner themselves. So first of all, the level of communication should be fourfold, I would say. Then it's of utmost importance also that you have layers of information.

Some people just, just want to hear, Oh, your data are going to be used, be used for further research. Is that all right? And some people would like to hear but what type of research can I read more about it? Can you, for instance, publish research that has taken place with, well, not necessarily my personal data, but with data in general of the patients.

And of course the information should be in a clear language for the general population. It should not be too difficult, should not be too easy, and I always advise to have the information available in several languages. We are a multicultural country in Holland. I love that. And I think we should admit that yes, we have patients from all over the world in our country.

And you know, the information should be available in more than one language and not only in Dutch, not only in Dutch and English, but in more languages.

[00:13:14] K Royal: right.

[00:13:15] Paul Breitbarth: Well, especially at the Netherlands Cancer Institute, which is also a renowned research center and treatment center, right?

So patients also come specifically to your center 

[00:13:26] Irith Kist: Exactly. 

[00:13:27] Paul Breitbarth: from all around the world.

[00:13:29] Irith Kist: Exactly. Exactly. Yes.

[00:13:31] Paul Breitbarth: So when I talk about health research and research data and that it's complex and that maybe we need to do more, oftentimes the argument you hear back is: yes, but GDPR has the general exception in article 39 for all kinds of research, so that should suffice. Why doesn't it?

[00:13:52] Irith Kist: Yes. Very good question. And let me, allow me to dig into the legal details of the GDPR. See, first of all, for the use of personal data in general, there needs to be a legal basis, and we find the legal basis, the six legal bases, in Article 6 of the GDPR. For health data, there needs to be an exemption to the general prohibition that sensitive data, among which health data, cannot be used for other purposes if an exemption cannot be invoked. And then of course for health research, we have Article 89, in which, you know, a further specification is given as regards the further use of data for health research. Now here comes the, I would say, the complication. One is that one of the exemptions to the prohibition of the use of health data for research is consent.

The consent needs to be free, specific, unambiguous, and voluntarily. And, and of course, you may wonder, well, but if a patient comes here, can he give specific consent for the use of his data for, for research? Because research at the outset may not be clear as to what will be investigated in the long run.

We have studies that continue for 20, 30, 40 years. So consent might not be the most wonderful legal basis to, to use. Furthermore, if you want to give a more broad consent, then of course, recital 33 of the GDPR states, well, that consent still should, should not be too broad. We have to decide on the granularity of consent and of course, you would need to be as specific as possible.

So that about the legal basis of consent and the exemption to the prohibition. Then of course, some countries do use the legal basis of the general interest, the public interest and the legitimate interests. And together with, of course, the exemption of health research in Article 9(2)(j) of the GDPR, together with Article 89.

Holland, however, has not granted that exemption as one of the possible options in health research in Holland. So in Holland the legal basis to be used is consent. If not, if you fulfill a number of obligations to be met in the Dutch sectoral legislation of health law. Then still you need to fulfill those obligations and you could use the data with what we call the so-called opt-out.

So the patients do not have to explicitly consent. But they do, they do not object to the use of their data. And the system is complicated, in my view, because, as I said, in Europe, with different legal bases, you see that GDPR has created a fragmented landscape, and in Dutch sectoral law, what we see is that some hospitals use the explicit consent.

And some other hospitals still use what we call the opt-out, no objection system.

[00:17:28] Paul Breitbarth: Yeah, it's a fairly difficult situation, and others have called in the past, and I don't recall exactly whom, but for additional legal basis to be included in the GDPR. So in, in Article 6, to have a specific legal basis for health data and health research there. Are you in favor of that?

[00:17:51] Irith Kist: Well, in my, 

[00:17:53] Paul Breitbarth: solutions?

[00:17:54] Irith Kist: Yes, thank you. In my article in my thesis on the comparison that I made between the UK developments after Brexit and the mainland developments. The UK is also contemplating to, to, to have a separate legal basis for health research or for research in general. And in my view, legislation is a means, legislation is not the end result, because still the law needs to be implemented.

That's, that's one hesitation that I have with additional legislation. if you were to include a, a a next legal basis, I do think that we still have the same questions raised, namely, okay. Well, what then is health research who can carry out health research? So, first, in my view, there's, there should be a common understanding about the fact that we do want.

And we, as in Europe, we do want to share our data for scientific research purposes. And I, in my view, the current legal bases leave enough room for carrying out health research. Yet the interpretation of consent, but also the interpretation of the other legal basis that, for instance, what is a public interest and what is a legitimate interest, still leave room for ambiguity and for, you know, questions to be raised and to be said between the research institutes.

I'm not going to share my data because I'm not sure that your legal basis will be upheld in our country. And don't worry, stuck the European health data space now of course proposes solutions to this issue with regard to health data for primary and secondary use. However, secondary use, the definition of, of secondary use in the European health data space does not coincide with primary use.

Further processing in the GDPR. So still there needs to be clarity about the definitions of further processing and the secondary use of health data.

[00:20:14] Paul Breitbarth: I get it. One of the topics you mentioned when we, when we discussed for you to come on to the podcast is the risks that you observe with technological innovation: wearables, smart watches, probably also artificial intelligence, all those kind of things.

[00:20:33] K Royal: Right. 

[00:20:34] Paul Breitbarth: What do you say about that in in in your writings?

[00:20:38] Irith Kist: Yes. 

[00:20:38] K Royal: Did you see that look on her face, Paul? She was like,

[00:20:41] Paul Breitbarth: I did. Yes. It's almost like you were making a face, right?

[00:20:44] K Royal: right. I mean, mirror images here. Yes. It's exhausting to think of all the complications and prohibitions on using sensitive data. And then all the other things that you heap on top of it. There's like, Oh, but wait, what about this?

[00:21:03] Irith Kist: Yes. 

[00:21:03] Paul Breitbarth: the benefits that a smartwatch can have. I mean, I see a lot of research being done, supported by Apple and Google and whether that's good or not, I'll leave that up to the experts, but with a lot of data that is, that is gathered via the smartwatches. So I can also imagine that there are positives here 

[00:21:21] Irith Kist: Yes. 

[00:21:21] K Royal: There, there are, and I'll, I'll give you a personal one myself. I didn't start using a smartwatch until the Android one came out with fall detection, because I tend to fall. I have a lot of disabilities. I love it when doctors like, so have you fallen? I'm like, in how long? Cause I have severe neuropathy in my feet.

I can't usually feel my feet. So I fall. It's not a big deal. People on the street think I'm drunk cause I'm falling for no reason, but Hey, you know, those are things you get over. But also a certain medication I was taking was messing with my heart and I was using the EKG function on the watch. I get it.

It's not a medical EKG. However, it did give me enough knowledge to say, you know what? I should probably go see a doctor about this. And I wound up having to come off the medication. So they, they, they do have significant benefits.

[00:22:14] Irith Kist: Yes. And of course, I also see here at the Netherlands Cancer Institute that it's, it's marvelous what computers can see with their eyes, so to speak, what a human being cannot see with his or her eye. So technology is a fact, innovations are a fact and innovations will proceed. Having said that, having said that,

[00:22:40] Paul Breitbarth: There's always a

[00:22:41] K Royal: Having said that,

[00:22:42] Irith Kist: I I'm going to dig into the situation of the individual that, yes, uses wearables, that yes, is going to buy a DNA test on the internet and, and then it becomes a bit tricky. Imagine that I, and that's the example that my colleague and I, with whom I wrote the article we're, we're using in, in, in, in this chapter.

Imagine that I bought this DNA test on the internet and imagine that the results came back and it said, Oh, you know what? You're doing all right now, but you might have genetic disease that you did not know of. Oh. There is no doctor involved yet. But I now have received that information and it might all sound a bit science fiction here, but it's not.

I mean it, it, it does occur in the world. There is no doctor there. There is no practitioner patient relationship yet because I just bought this on the internet.

[00:23:44] K Royal: Right.

[00:23:45] Irith Kist: What then is my protection? And also the critical question that you could pose, of course, is, well, do I need to be protected since I want it to get that information for myself?

In my view, since it still concerns sensitive data, health data, I would say that, yes, I, as a person then would need protection and not only as regards my health and my wellbeing, but also as regards the further processing of this data. What would this company do with this data? Would the data be shared with others?

How will I be protected in a 

[00:24:24] K Royal: Right. 

[00:24:25] Irith Kist: my, with my personal health data? So yes, I do. Hmm. Hmm. Hmm. Hmm. 

[00:24:29] K Royal: let's be clear, it depends on where that company is located, too.

[00:24:33] Irith Kist: Of course. Yeah. Yeah. Yeah. That goes without saying that goes without saying, of course. Yeah. So of course I do applaud innovations and, and AI. And at the same time, I'm hesitant as to well, what is the end and how could the patient doctor relationship still be, be there or, or should there be another 

[00:25:00] K Royal: Right. And, we, we also see this arise in other similar situations. So here in the United States, they've issued the health information blocking rule, which means that people cannot be blocked from having their information. It's driving a lot of compatibility between electronic record systems. And it applies, you know, to, to medical, not necessarily to these side variations.

One of the things that we're going that it addresses is the fact that when it first came out and was looking at being implemented, one of the things that was an exception was that you could withhold, you could block information from a patient if it was for the patient's safety and well-being.

And so I of course interpreted that, well, yeah, if you're running lab results and you don't know if a tumor is benign or cancerous, then you don't want to give the result to the patient without talking to the doctor because they could see that as you're saying, see a lab result come back and absolutely freak out because they don't have a medical professional explaining the results of this to them.

So I had at the time advised one of my consulting clients that yes, that would be an exception, but you probably can't go too far. You might be able to withhold it for up to 48 or 72 hours. And then the doctor needs to be on the phone with them explaining it. You can't withhold it for 30 days or 90 days.

Turns out that when they implemented it and came out with the guidelines and one of the examples they used, well, what about if a lab result is very bad and carries very bad repercussions, potential repercussions for the patient.

Can we withhold that for, you know, up to a certain time period in order to give the medical practitioner time to talk to them? And the answer was no, that is illegal information blocking. And even if that person was to see the result, completely freak out, have a heart attack and die, because that was just horrible information to them.

Doesn't matter. You cannot block the information from them. And so now I've noticed when I log into my medical portals and I go to look at lab results or test results, there is a statement up there. This has not been reviewed by a practitioner. This has not been discussed with the person. Please, please reach out to us if, if you have questions because most people don't have the medical knowledge to interpret the black and white findings. 

[00:27:26] Irith Kist: exactly, and people start looking on the internet, what, what, what, yeah, what could be. We have had similar situation here at not only the Netherlands Cancer Institute, but in Dutch hospitals in general. We, we used to have the situation that we had lab results, for instance, and there would be a time where a consult with the patient was made so that, you know, the doctor or the health practitioners would see the patient and then the data would be published.

Yet a patient's organization said, no, no, no, no, no, we, we want to have access to our lab results, our data immediately. So that's the situation now that yes, you could access your data immediately. On the one hand that sounds good. You know, you, you, you could access your data. Fully, I fully agree with you that many times, you know people start interpreting you see, you see figures, you feel, you see numbers, you see, you, you see information that you, that you think you could interpret yet as a non medical profession, you cannot interpret.

So, here we have the right to information, but also, in my view sometimes the right not to be informed also weighs just as much. 

[00:28:49] K Royal: Right?

[00:28:50] Paul Breitbarth: Well,

[00:28:51] K Royal: It 

[00:28:51] Irith Kist: Yeah. 

[00:28:52] Paul Breitbarth: and also here you see a difference between the North American and to some extent British approach and the more continental European one where America especially is much further ahead when it comes to electronic patient files and digitization of results. I recall about a decade ago, we had a very strong debate here in the Netherlands about interoperability of patient files and accessibility of patient files and having everything in one single patient file or not.

[00:29:25] Irith Kist: Yeah.

[00:29:26] Paul Breitbarth: Parliament then decided no that goes too far and it should be for the patient to decide what information is shared with whom.

Is that in any way or form also hindering research, the fact, or is it only hindering certain forms of treatment, that information is not available to all of the medical practitioners all of the time?

[00:29:48] Irith Kist: I would say both. See, in Holland we have the different consent mechanisms to imagine, and I start again with a practical example. Imagine that my GP, my general practitioner, sends me to a, a regional hospital and the regional hospital then sends me to the Netherlands Cancer Institute. When I'm at the Netherlands Cancer Institute, I tell the Netherlands Cancer Institute, Oh, but 10 years ago I was treated for a different type of cancer in hospital Y in the Netherlands.

Then the Netherlands Cancer Institute would need to ask permission from me first before it can receive the data from the hospital where I was treated 10 years ago. That's Dutch law, it's not European law, it's Dutch law. And that is, this is not progressing the, the information that the doctor needs to have about me to have a clear picture about me.

So in my view, it hinders the speedy treatment of patients and, and here we are talking still about a situation where I can speak, where I can talk. Of course, we're seeing during the pandemic where patients literally could not speak or talk and yet the right information about the medical history, about the medicine use was not provided in time when they were in the emergency situation.

Yeah. Then when we talk about research, what, what has become apparent is that information with regards to certain population groups is not included in research. So we are facing a new form of discrimination, I would say, where, where, where data from people across the globe are not included in the proper, proper features in the, in the, in the, in the proper division simply because we do not have the data from certain groups, certain populations, certain minorities throughout the world.

[00:32:01] K Royal: Well, and not to mention that some of this research grew up over time and I, I, an example I can give is the symptoms of a heart attack. That medical information grew over time based on men who were working hard and working long hours and drinking and smoking and doing whatever. And it turns out the symptoms of a heart attack in a woman differ. But so many women were dismissed from the emergency room or from their physician's offices because, no, you're having a panic attack, because their symptoms of an M.I. showed up differently.

So it could be something as simple as gender, but it could also be something much more profound, such as certain ethnicities have a proclivity for certain diseases. Sickle cell anemia is only available in certain populations. Some populations have an extreme sensitivity to certain medications. You cannot use it on them. If they're not allergic per se, they may never have taken the medication because it's something that their population cannot take.

can have a profound difference on it. And so this is one of the things that makes me think about me very concerned about information not being able to be shared. You don't have to go to the levels of information on tumor registries or donation registries or anything like that. It could be something as simple as, 

[00:33:19] Irith Kist: Exactly. Exactly. And it's very important also when we talk about the, for instance, the, the registries for diabetes, for cancer, for heart attacks, you name it. And it's important that those registries have a hundred percent coverage. And if you're going to leave out, you know, certain numbers of patients, then of course you, you, you might have a bias in your, in your research data.

So, so yeah, I, I think it could have an impact both in care and in research, if we are not able to share the data that is needed. What I do see at the same time is that of course, those data need to be protected, need to have the security, and the patients need to be informed, and need to be able to say, No, I don't feel comfortable about this. That's their right as well. Yes.

[00:34:14] K Royal: Well, and here one of the things that we have HIPAA, that's the, the predominant medical health law here in the United States, you will find here that doctors and facilities too will ask for the patient's signature to acquire their records from another physician. That's not required under HIPAA. You don't need the patient's written consent to get their treatment records. If it's for treatment especially, you don't need a patient's consent to get those. HIPAA was never intended to block treatment of, of a patient. And some, sometimes it's as simple as someone's in the hospital, they can't speak, they can't act, and yet the doctors won't talk to, or even if they can, maybe something else is going on.

And the doctors will say they can't talk to the spouse or the daughter or the caretaker, whoever is in the room with the person taking care of them, because HIPAA prevents it. It actually doesn't. HIPAA gives the treating provider the discretion to communicate with a caretaker if they believe it is in the best interest of the patient.

[00:35:19] Paul Breitbarth: hmm. 

[00:35:20] Irith Kist: Yes. 

[00:35:21] K Royal: as long as the patient has not specifically said, do not tell this person or something, but generally they don't exclude specific people from being able to tell. One of the other interesting differences in health care is that, you is that, if they came up with a relatively new rule, that if a person pays for healthcare in cash, they can request that that information not be provided to their provider another provider or to their insurance company. So it doesn't go on their record. So if I wanted to find out if I was susceptible to a particular genetic disease, I could pay for it in cash.

And then they would be prohibited from sharing that information with my insurance company or filing something on it. And so that that's another way that they're giving people autonomy over some of their health data under certain circumstances with that as well. And I always thought that was a very unique provision to

[00:36:18] Irith Kist: Yeah, I could. Mm hmm. 

[00:36:20] K Royal: anywhere else, or is it, or does it not need to be present anywhere else?

[00:36:24] Irith Kist: It's not present in our laws, in the Dutch laws, neither is it in the GDPR. The GDPR is a framework, which is regulation, of course that, you know, does not prohibit or prescribe anything. It gives a framework. I do understand that patients, when they have concerns about data sharing, they're largely spoken, there are two concerns they have, and that is, you know, the use of their data only for commercial purposes, that is one, and the second hesitation or the second concern they have is that their data be shared with financial companies or insurance companies.

And then, for instance, in their future life, they're not allowed anymore to buy a home and to have a mortgage on their home. So I, I fully understand that, you know, if you go back to what is the patient confidentiality about, it is about the fact that you as a patient should be able to go to your doctor and to share anything and everything with him without it being used against you in the future.

I fully agree with that, but that has nothing to do with the fact, in my view, if fully pseudonymized or even anonymized data are used for further research to further, to promote health care and, and the, the, the community of, of, of care in the world. Yeah. 

[00:37:58] Paul Breitbarth: We are coming to the end of the recording also, also looking at the time. 

[00:38:02] Irith Kist: Oh, yes. 

[00:38:04] Paul Breitbarth: but before we wrap up, as I think a final point what recommendations do you make in 

[00:38:10] K Royal: Oh. 

[00:38:11] Paul Breitbarth: on, on how to improve this landscape?

[00:38:14] Irith Kist: Yes. In short, I'll be, I'll, I'll be short and precise. First, be clear about the legal basis, whether it be consent, whether it be public interest, whether it be legitimate interest, and, and approve from each other the use of the various legal basis. Perhaps that European Health Data Space is going to solve that.

Second, be open minded about, if you were to use consent as a legal basis, be open minded about, you know, the, the granularity of consent and how broad it should be in my, in my view. Third, as regards compliance, focus on risk-based compliance rather than rule-based compliance. Focus on preventive actions rather than on repairing the situation.

And also it applies to the data protection authorities to, to also have a look together how we, how we can prevent the situation beforehand. And fourth, with regards to, of course, the patients throughout the world, make sure we inform all patients, all civilians in a transparent, in an open way.

And in, in a manner that is understandable for, for the patients throughout the world as well. So be accountable for the actions, be transparent as a data controller and be open to your patients at all times.

[00:39:43] K Royal: Be honest. 

[00:39:45] Irith Kist: Yes, of course. 

[00:39:47] K Royal: Sorry, I was a cancer research 

[00:39:48] Irith Kist: Yeah. 

[00:39:49] K Royal: up against a lot of doctors not being honest. So yeah, be honest.

[00:39:53] Irith Kist: Honest, transparent in my view has in it will also to be honest. Yes. Yes. 

[00:39:59] K Royal: ethical and, and all that 

[00:40:01] Irith Kist: Yes, 

[00:40:01] K Royal: into it. Absolutely. Okay, Paul, I will quit asking questions.

[00:40:07] Paul Breitbarth: Well, first of all, let's say good luck with the defense of your, of your, dissertation. 

[00:40:12] K Royal: going to be fine.

[00:40:14] Irith Kist: Thank you, that makes me, 

[00:40:16] Paul Breitbarth: confident as well. There is actually a live video stream for 

[00:40:20] K Royal: Nice. 

[00:40:22] Paul Breitbarth: Will 

[00:40:22] Irith Kist: it's in Dutch, no, unfortunately, it will be in Dutch. I will send you, the, the dissertation itself is in English, so I will of course send you the, the link to my dissertation after the 5th of June,

[00:40:38] K Royal: I can join the, I can just cheer you on without understanding what you're saying. Yeah. 

[00:40:42] Irith Kist: You could do that. 

[00:40:44] K Royal: Probably at the absolutely wrong point, but

[00:40:48] Irith Kist: But yeah, thank you so much. And I'm looking forward to any future cooperation and to, to hear from you about your future podcasts as well. My

[00:40:57] Paul Breitbarth: Absolutely. And if anybody has suggestions or ideas or wants to join this debate, feel free to do so on our LinkedIn page. You'll find us as Serious Privacy. You will find K on social media as Heart of Privacy. Myself as EuroPaulB. Thank you for joining us for yet another episode of Serious Privacy. Until next week,

[00:41:16] Irith Kist: Yes. Thank you. 

[00:41:18] Paul Breitbarth: goodbye.

[00:41:18] K Royal: bye y'all. 
