Processing of consent on different data channels in the health sector
Consent is now a fundamental part of data collection and storage. Regulations such as GDPR, CCPA, POPI, and PIPEDA give people more control over the personal data they share, but can create restrictions on organizations that obtain and access that information.
Complications can arise in this process, especially in healthcare. Due to the interactions between many touchpoints, a single person may have different profiles on multiple systems. These different profiles can lead to difficulties in determining the identity of a patient and accessing their medical data. Other barriers can arise when consent is delegated to a caregiver or guardian and not directly given by the patient.
Yet despite the challenges, it is still possible to create a unified data profile of an individual with their full permission.
Cassie by Syrenis is a cloud-based Software as a Service (SaaS) platform designed to ensure that an organization’s data management and storage processes comply with various regulations around the world, while successfully navigating consent hierarchies. We spoke to Syrenis CEO Glenn Jackson to find out more.
How would you best explain the importance of consent for data?
Glenn Jackson: Data is the most important digital asset available today. And due to global regulations, consent for the use of personal information is essential in most developed countries. This is because the information about me is invaluable. And therefore, it should be up to me to decide if I share this data with an organization. It is up to me, as an individual, to give my consent to an organization, which can then use it as I choose.
But this consent also builds trust with the brand. So if I allow an organization to use my data, that’s fine. If I don’t, then they shouldn’t be using it. It is vital that the trust in the use of my data is managed properly.
Why is consent particularly important in health care?
GJ: If you think about the importance of data, there are degrees of information that you share with people. An example could be, I’ll follow you to a website. Another thing is where I am going to share my personal health information with you. It’s personal to me, and I don’t want you to share this.
Health has always been highly regulated. This is because of the type of data healthcare organizations store, and so making sure it’s super secure and not shared without my consent is critical.
We know that online scams are happening and have increased during the pandemic. It scared people off, because the parties are suggesting that they know information about them.
In the healthcare context, it’s really important that you know that your data is secure and not being made available more widely. So, it is the importance of the data that healthcare organizations hold and therefore the consent to use that data that needs to be rock solid.
And in the health field, is consent only important in relation to medical treatment?
GJ: No. Consent concerns every piece of data that will ever be collected and stored. Some data is more important because it relates to an individual’s health, versus the ability to track people’s online activities. So, everything is important, everything is governed by the regulations. But some things carry more weight than others.
What are some of the issues with consent hierarchies?
GJ: As soon as you step into healthcare, you have to look at the patients you deal with. Also, I might be dealing with a minor, my son or daughter might be young, they might need my consent. You may be disabled and have a caregiver. There are many relationships between individuals for which consent may need to be given on behalf of another person.
It then becomes quite complicated to know how consents can be identified. And then there may also be occasions when consent has to be withdrawn.
A caregiver may not be with their patient, or a dependent may live far away from them. And therefore, we need to find a way to be able to identify this delegated consent on a digital platform. So it’s more complicated in healthcare than it might be in retail or other organizations.
If I give my consent for someone to receive information about my treatments, they may draw conclusions. So, it’s really important that I can control this. And security is key, especially because there could be at least a three-way relationship now.
What are the regulatory issues and their impact on the use of personal data?
GJ: If you think of all the touchpoints where we drop data. The health environment tends to be made up of larger organizations. They can have interactions between a patient, a healthcare provider, a pharmaceutical company and a healthcare organization. There are so many interactions going on everywhere. It is important to ensure that consent is shared between all of this data. And that these consents are easily identifiable and up to date so that they comply with all the necessary regulations.
Thus, consent to the use of this personal data is collected from all these different points of contact. They are stored and all organizations involved must ensure that they understand the consent the data subject has given.
Because in order to comply with regulations, it is important to provide an audit trail to show that all the different departments within an organization are complying with the requests of the person concerned.
The regulations are not there to inhibit business, they are there to essentially protect the data subject against the misuse of their personal data. But the larger the organization, the more difficult it becomes to do so. Because there are so many different touchpoints that you have to interact with. This is why it is so essential to be able to see a single version of the truth when it comes to the consent of a data subject.
How can Cassie help with all of this?
GJ: What Cassie actually does is in three main parts. We allow data collection from all points of contact. It could be a website, it could be a mobile app, it could be in your existing apps where you collect all this information. And all of this comes together in a single, verifiable source of truth.
“It’s so essential to be able to see only one version of the truth when it comes to a person’s consent.”
And this is really important. Because a large organization can have four or five different systems, and the same individual can appear in any or all four or five different systems. We match it up so that we know that a person entering through an app can be identified as the same person who might log into a website, or fill out a form or whatever. We match that all together.
Second, I need to be able to verify where all this data is coming from. Who changed it? Why did they change it? Who, what, why, when and where, all this information on the auditability of this data. And then the systems that need to use that data must have access to it, in order to be able to use it properly.
Then, we pass that data downstream to all the other solutions that can use it, whether it’s big CRM platforms like Veeva in healthcare, Salesforce or Marketing Cloud, or all those big platforms that consume these data. Cassie does it in near real time.
How does Cassie ensure consent and data compliance?
GJ: Typically Cassie tends to work with clients who have a large number of people involved – it could be a client, a patient, or an employee, it could be whatever you can attach consent to.
Cassie is sitting in the cloud. From what I think there are multiple auditors – they’re API managers that clients can communicate with or Cassie provides embed code that clients can drop onto a website or digital form. These are all methods of collecting data wherever our client wishes. Thus, we can collect a lot of compliant data once the data subject has given their consent to this data that we collect. Then Cassie keeps this in a centralized cloud database.
Remember, compliance is about where I reside. If I live in the European Union, I am covered by the GDPR. If I live in South Africa, I am covered by POPI. If I live in California, I am on CCPA. Data collection and storage should be specific to the region in which I live. And then the rules on how you use the data should be specific to the region I live in.
We give healthcare organizations the assurance that the data they use is compliant because Cassie is in the middle of their digital realm. Cassie allows our clients to say, “This data is compliant, we have consent for it.” And that gives confidence to the customer to use it.