Data privacy is changing. Led by California, many states are enacting stricter laws governing how data is used and protected, creating a patchwork of varying requirements for companies to meet. At the same time, patients are questioning how their data is being used and why. Nevertheless, many patients are willing to share their data—provided they see the value in doing so.
At Digital Pharma East 2022, Phreesia Life Sciences’ Director of Analytics, Amy Patel, sat down with Jorge Andres Morales, North America Compliance Manager with ViiV Healthcare, and Amy Papili, Associate Director of U.S. Privacy at AstraZeneca, to discuss how data privacy is changing and what companies need to do to adapt.
“We’ve seen such a change in these past few years, and particularly in the past few months, with things happening in the policy landscape that make it much more apparent to patients how their data can be utilized and leveraged, sometimes in ways that are maybe not comfortable,” Patel said.
Those changes necessitate a response from the pharma industry, she added, as well as “an increasing level of responsibility that we all need to take when we think about the privacy of data on behalf of our healthcare providers and especially our patients.”
Here are three key steps to take before launching any campaign, in order to practice responsible data use, ensure greater transparency and keep respect for patients’ privacy at the forefront.
1. Think about data privacy and engage with experts early on in a project
Papili sees value in all teams within a company having a “certain awareness” of data privacy, but the complex, fast-changing nature of the field means that only those who consistently work on the topic will fully grasp the issues it presents. Bringing privacy experts on board before starting a new project can help avoid problems down the line.
“If I can come in early, I like to try to identify where some of the pitfalls may come in from a data privacy perspective,” Papili said. “The worst-case scenario is for somebody to come in late and for me to say, ‘You can’t do it that way,’ or ‘You have to do it a different way.’”
Early engagement helps privacy experts understand a campaign and why it’s important to the company, ultimately allowing them to give better advice. That advice is shaped by the responses to questions such as “What are you collecting?”, “Why are you using it?”, “How long are you retaining it?” and “Are you collecting more than you need?”
That final scope-of-use question covers a common pitfall.
“Focus on what you really need when you are collecting information,” Morales said. Technology enables the collection of many data types, such as location, but he advises companies to gather only the information they need to achieve their patient-messaging goals. For some projects, an email address and first name may be enough.
2. Be transparent with patients about the use of their data to gain and retain their trust
Ensuring compliance with privacy requirements is only part of the challenge. It’s also vital to communicate with patients about the use of their data so that they fully understand what information they’re consenting to provide and exactly how it will be used.
“It’s very important that we tell people what we are collecting and how we’re using it. It’s important that it’s clear and that people can understand it,” Papili said.
Morales expanded on that consideration, noting that while data-privacy documents are reviewed by legal departments that use their own terminology, it’s important for organizations to put themselves in patients’ shoes and ensure that all privacy notices are “written in simple and plain English so that they’re easy to digest and understand,” he said.
Transparency is the right, patient-centric approach, and it’s also required under some data-usage laws. For example, personal information can only be used for the original purpose for which it was obtained. If someone wants to use that information for a different purpose, they must notify the individuals who provided it. Transparency also extends to informing patients if a data breach occurs, not only because some laws require it, but also to “gain the trust of our patients,” Morales said.
3. Make sure third-party partners’ practices meet the company’s data-privacy standards
Third-party relationships are the final piece of the data-privacy puzzle. A company can establish effective internal controls and clearly communicate its privacy policies to patients, only to be undermined by an external partner’s lax practices.
Papili recommended that pharma companies ask their third-party vendors to explain their privacy practices and how they control, use and share data. That approach reflects a philosophy that “they’re all part of the same team” and that reputations “can quickly be destroyed,” she said. Once lost, patient trust is hard to regain.