Trusted Data Safe Havens for Healthcare

Elizabeth Elliot, Dave Robertson, University of Edinburgh
Focus Area: 

Our challenge is the controlled sharing of healthcare data across Europe. We aim to provide a framework (technical integrations, contacts network, business process) by which appropriately consented health data can be accessed and shared across jurisdictions for research purposes with accountability to the governance of regional data safe havens.

Who benefits and how: 

Much of the value from trusted cloud computing is derived, not from selling general architectures, but from applying these architectures and systems to high-growth, high-impact areas. Healthcare systems, and the search for new medical insights and therapies, provide a massive potential market for data analytics. Industry has produced a wide variety of tools capable of enriching and analysing medical data but has little means of access to actual data sets representative of substantial human populations, so its sophisticated systems are of limited value in healthcare. Meanwhile, there is great activity in European regions to develop carefully managed, large repositories of medical data derived from regional healthcare authorities, governed according to the practices of local jurisdictions and compliant with privacy and data protection regulations. These safe havens are primarily public sector and come into limited contact with industry tools and me!

This gulf prevents the development of strong industry engagement to derive value from safe haven data. The solution to this problem is not simply to move healthcare data to a trusted cloud architecture; there needs to be a framework for engagement between havens and industry, combined with automated methods for the necessary transfer of data and provision of services. That framework must respect the governance rules of local and national data jurisdictions.

 

EIT Digital Framework for trusted healthcare

Our aim is to develop a sustainable, commercially viable route for provision of medical/healthcare data safe havens operating on trusted cloud architectures and facilitating commercial access to data/metadata while also (verifiably) satisfying data governance requirements. This is a very large area of development so the project will be targeted to open the way for a series of initiatives that build on its success. 

Vendors who are developing systems operating in this space have two principal ways to interact with their clients: performing bespoke analytics tasks or offering data services to clients who run their own analytics (perhaps with software services also supplied by the vendor). These clients may be either in industry (e.g. pharma companies) or in the public sector (e.g. national health services), which gives a strong procurement driver.

Our work adds value to this ecosystem in two ways.

A principal obstacle to an industry vendor offering services to clients is fast, reliable access to data by the vendor.  Our framework will make this process more efficient (through automation and clarity of business processes) and more reliable (through improved integration of governance principles within/between jurisdictions).

A principal obstacle to a data safe haven (operated in the public interest) offering engagement with industry vendors of data services is the guarantee of appropriate use of data and the incentive to make data available for commercial activity. Our framework will provide a more rigorously defined contract between custodians of safe havens and service vendors, thus giving greater reassurance that governance constraints are preserved. It will also clarify the business model for service operation “downstream” of the safe haven, thus allowing financial and other incentives for safe havens to be built into framework agreements.

These ways of adding value are driven by the framework rather than by specific technical solutions for analytics tools or cloud infrastructure, so our contribution is on systems and business model integration to expand the market.

The long-term goal is to maximise automation of the process of data acquisition and analysis across healthcare jurisdictions while also being able to verify at every stage that the operations performed on data are within the safe envelope specified by the system of governance applicable to all the data concerned. This requires standardisation of data schemas, ontologies and metadata (around the group of key data assets in the safe haven), and formal definition of the processes and analytics methods used in data management, along with the security policies (and accompanying permissions and obligations) used to ensure governance compliance. Ideally, these are defined independently of the infrastructure used to host the data, so allowing automation via compatible local (bespoke) servers, trusted cloud architectures or personal devices.