In 2012 Gartner reported "big data will deliver transformational benefits to enterprises within 2 to 5 years, and by 2015, will enable enterprises adopting this technology to outperform competitors by 20% in every available financial metric."

Big data, the art and science of combining multiple sources of information about specific targets or sectors from which to then draw value-added outcomes, is only of value when big analytics are utilised.

Simply amassing large volumes of data, including personal data, does not of itself add value. It is only when good analytics are applied to the data sets and databases that real value can be extracted.

In the healthcare and life sciences sectors, big analytics is already producing results for the industry and patients alike. In their 2014 report titled "Order from Chaos", EY explained that when destructive consumer technology, personalised medicine, big analytics, maturing capabilities of cloud computing and healthcare cost reductions are combined, "these five trends create an environment that gives life sciences and healthcare organisations the opportunity to provide true patient-centricity that delivers outcomes. They may enable organisations to develop models of preventative and outcome based healthcare that aligns the goals of pharmaceutical companies, medical device companies, healthcare practitioners, providers, payers, and most important the patient".

The increase in wearable technology is beginning to enable individuals with particular health problems and/or allergies to take day-to-day control of their health, and the increase in in vitro devices which incorporate communication devices provides benefits in the form of just-in-time patching and fixing.

Whilst technology coupled with science brings undoubted benefits to the industry and to the patient, regulators are also concerned about data privacy and patients' rights.

During October 2014, a number of press announcements indicated a growing interest by regulators in the impact that medical devices have upon personal data, and showed an increasing shift in attention towards companies in the medical device and medical technology sector. On 1st October 2014 the US Food and Drug Administration (FDA) announced that it had finalised recommendations to manufacturers for managing cyber security risks in order to better protect patient health data and information.

In its recent survey about the use of medical devices, the UK Information Commissioner's Office (ICO) has indicated an increase in its attention on similar issues by gathering views on the types of medical devices being used in the UK and how they impact upon the collection and processing of personal data including the need for increased information security.

Conventional medical devices such as pacemakers, and other implanted devices, have for a number of years contained technology that is intended to manage the performance of these devices for the benefit of both the manufacturer and the patient, but which raises concerns over the management of patients' personal data. For example, pacemakers may contain RFID chips to enable remote monitoring of the device and the patient, but without suitable controls these may lead to infringements of the rights of individuals in respect of their personal data as well as to the risk of data security incidents.

When using big data to identify 'personal insights', the EU regulators have said that companies must ensure that free, specific, informed and unambiguous 'opt-in' consent is obtained for tracking and profiling for purposes of direct marketing, behavioural advertisement, data-brokering, location-based advertising or tracking-based digital market research. Furthermore, data subjects are given access to their 'profiles', including the logic of the decision-making (algorithm) that led to the decisional criteria; the source of the data that led to the creation of the profile; the ability to correct or update their profiles; and easy access to their profiles in a portable, user-friendly and machine-readable format.

The Data Protection Act 1998 sets out the rights of data subjects as well as the obligations of data controllers in relation to personal data. Whilst big data does not always include personal data, in the majority of cases in the healthcare and life sciences sector the data is not only personal but also categorised as "sensitive data", which under the Act requires more explicit consent to processing. Just because personal data is available to a data controller does not mean that it can be used for purposes other than that for which the data subject has given consent. When the principles of the Act are not complied with as regards big data and big analytics, this can often lead to big problems.

By way of reminder, the principles of the Act are as follows:

  • data must be fairly and lawfully processed with consent of the individual.
  • data may only be obtained for specified lawful purposes, and may not be further processed in any manner incompatible with that purpose.
  • data must be adequate, relevant, and not excessive in relation to the purpose(s) for which it is collected.
  • data must be accurate and, where necessary, kept up to date.
  • data must not be kept longer than necessary.
  • data must be processed in accordance with the rights of data subjects. 
  • security measures must be taken against unauthorised or unlawful processing, and against accidental loss, destruction, or damage.
  • data must not be transferred outside the European Economic Area unless the recipient country provides adequate data protection.

A recent example of poor planning and communication of data use to individuals was the government's care.data programme. Because the public were not adequately consulted, and the promotion of care.data was more focused on helping the NHS as an institution rather than giving benefits to patients, the project was suspended following a large public outcry. In recent submissions to the Science & Technology Committee of the House of Commons in respect of their investigation into responsible use of data, the website trust pointed out that the "furore surrounding care.data indicates that data subjects are no longer content to accept assurances of the benefits of data analysis and sharing in the absence of a robust and trusted ethical framework."

What the healthcare and life sciences sector now needs is guidance and self-regulation in respect of big data, particularly regarding data protection, information security and the use of de-identification and anonymization techniques in big data projects.
