Make the burden of trust as low as possible!

Ultimately, the use of data, of medical data, is a matter of trust at the level of the individual.

Marc van Lieshout gave this interview in 2019. He died on 19 August 2021.

But regulations are not made on an individual level, the use of data always has a broader perspective, a social dimension: how do we make the use manageable and controllable? As far as I am concerned, the big challenge is to make the burden of trust as low as possible.

The speaker is Marc van Lieshout, senior privacy researcher at TNO. He focuses on privacy-friendly service development in healthcare.

"People are willing to make their own data available. That is not a problem. We have done research on this; people are prepared to make data available if it serves the public interest. Think, for example, of crowd control at events. There are two conditions: to be sure that data is only used for that purpose and that there is no commercial objective. People are altruistic; they want to cooperate if it benefits others.


"Medical data has no legal right of ownership. It is confusing to talk about 'ownership of data'. That does not exist. You do have control over your individual data. The law gives individual patients the right to determine to some extent what happens to their individual data." Can or should the government encourage better use of data? Marc van Lieshout: "I don't think that's the crux of the matter. By combining a lot of data, we can already understand diseases much better and get ideas for better treatments. At TNO, we are fully engaged in this: we focus on lifestyle and what keeps people healthy. The problem is that our country is not socially and insurance-wise equipped to invest in prevention.

"The patient is increasingly in the driver's seat when it comes to using his own data. That is quite complicated. How much knowledge do you need? It is an illusion to leave control entirely in the hands of the individual. We must organise it in such a way that people can fulfil the role of director. This leads to cooperatives, for example. In America, patients have united. There, under the motto 'Live better, together', the platform Patientslikeme was created, the largest personalised health network in the world. "More than 650,000 people have said: we manage our own data, it's a kind of cooperative of health data and they develop their own guidelines and procedures for use. Interestingly, they also make the data commercially available for third parties to do research with." Patientslikeme has already led to more than 100 scientific publications.


It is confusing to talk about 'ownership' of data.

Patient consent is not strictly necessary to use medical data, says Marc. "In an Opinion, the group of European privacy supervisors, the European Data Protection Board (EDPB), indicated that it is even better to use another basis, such as the public interest of the processing, for medical scientific research. The advantage of working with a 'health data cooperative' is that you always know who it concerns, and can therefore always inform people about your activities. In addition, researchers use techniques to mask which patient certain data refers to. For example, you can mix up columns or add noise, so that the analysis remains the same for the entire group, but you prevent the results from leading directly to a specific person. These statistical tricks are to prevent information from being traced back to the patient level. And you can play with that. A 2014 Opinion by the Article 29 Working Party (the predecessor of the current EDPB) outlined how data can be anonymised with proper encryption. In medical research it is already common practice never to work with names, but with identification numbers. Data can then be encrypted using cryptographic techniques. In Europe, we are now formulating an answer to the question of which organisational and technical conditions you must meet in order to be allowed to carry out these analyses. There are no standards yet available for organisational and technical arrangements with which you must comply in order to get the answer 'it's all right'. It is precisely there that the PHC Catalyst Alliance must do the right things. Part of the work consists of formulating and contributing to the standards."