For many strands of businesses, collaboration is an increasingly common activity as companies pool resources and combine technology. An example of this is with drug development and this needs data governance.
Data governance is required in order to protect personal data and to ensure that ethics are upheld. This may sound straightforward but it comes at a time when public trust in how ‘big business’ uses ‘big data’ is at a low standing, given recurrent data breaches, exposed databases. cyberattacks, and the misuse of personal data.
Hence, as well as embedded ethics, data governance is also required for data security. Furthermore, it is increasingly common for data to be shared for research collaboration. Therefore, a framework is needed to promote common understanding between companies as to what can permissibly be done with shared data.
As to what is meant by ‘data governance’, perhaps the most straightforward definition is ‘rules and norms of handling data’. Rules should lead to policies and procedures that direct the safety, quality, and proper use of data.
Data governance refers to the overseeing and management of data on both a macro and a micro level. The former concerns Internet governance within an institution and the latter is refers to data management (1). The second point should be embedded into a pharmaceutical or healthcare organization’s corporate data governance.
On a wider scale data governance embraces:
Figure 1: Generalized Data Governance Cycle
It is also important to apply data governance to research data management processes, and each institution providing digital data should have a data governance procedure in place. Data governance concerns the rules, policies, standards; decision rights; accountabilities and methods of enforcement. Adopting data governance is also advantageous, since it can act as a service based on standardized, repeatable processes and is designed to enable the transparency of data-related processes (2). It is increasingly common for genetic, phenotypic, and other health-related data generated from and for pharmaceutical and healthcare research is collected and used, including sometimes outside of the organization. With this latter point, such data usage is designed to encourage and facilitate data sharing for secondary research purposes. It is important that the wishes of the patient are protected.
This leads onto data ethics, which is about developing a code of behavior encompassing such areas as data handling (generation, recording, curation, processing, dissemination, sharing, and use); plus the use of algorithms and different forms of artificial intelligence.
Some of the areas where data governance needs to apply in relation to digital data management are included in this article.
Records management is concerned with the creation, retention and storage and disposition of records. A record can be digital information, including an electronic batch record, a drug database, laboratory application data, or even a collection of e-mails. In each case, lifecycle management is important, beginning with the point of data creation to the eventual disposal of the record.
Patient data held in any form is personal data. This refers to data that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular person. Included within this definition is data likely to be seen as 'sensitive', and this has proved a trickier area to define. As to what is meant by sensitive data, this would include genetic data.
This means the use of digitally available data and algorithms for prediction and surveillance, especially where the identification of people is possible, needs to be processed in a responsible manner, in compliance with data-protection regulations and Digital Transformation and Regulatory Considerations with due respect for privacy and confidentiality. Not only will this place a pharmaceutical or healthcare organization at odds with national or supranational legislation it will prove counterproductive in terms of future data acquisition attempts in that failing to handle data responsibly will undermine public trust. Patient confidentiality is addressed below.
Patient data needs to carefully looked after and the consent of the patient sought. This extends to data collected from mobile and wearable medical devices, especially where these are enabled to collect physiological and behavioral data and subsequent analyzes of a patient’s physical and mental health. For pharmaceutical companies, the use of such data helps to reduce medical research costs and the analysis of collected data enables much bigger studies to be conducted.
It is important that those involved with the collection, processing, and storage of patient-centric data have a framework in place that safeguards the ethical, security, and data control considerations. Given the spread and sharing of data, this may require a relatively complex ecosystem, especially where data forms part of collaboration among scientific researchers and healthcare providers (3). Data sharing is something where there is benefit since it can be more ethical to share data in order to avoid unnecessary repetition, especially in the case of genetic studies that use extract human biological samples for analysis. However, the reason for sharing data need to be carefully controlled and untraceable to a named patient.
Pharmaceutical data governance strategies should ensure that data are collected, stored, and used ethically and lawfully. To add to this, the data gathered from individual patients (and participants in clinical trials) needs to be gained and permission sought for the use of the data. Here the concept of data governance needs to extend to understanding the patient’s own data governance preferences.
It may also come to pass that organizations will start to offer patients ownership and control of their personal data.
Experimental methodology is evolving and requires constant adaptation to avoid false identification of outbreaks that could cause harm.
As an example, digital disease detection needs codes of best practice to meet ethical requirements as well as clear communication to the public to prevent hype. Data protection is also a problem associated with big data, but according. This can be partly addressed where data is restricted to large groups and does not go down to “individual level”. This makes it possible to compare large groups by minimizing any data protection problems.
In particular, pharmaceutical companies and healthcare organizations need to have in place an ethics policy. Such a policy should be agreed and rolled out prior to undertaking any big data analytics that involve the use if patient data. As an example, this means having data rendered pseudonymous before analysis begins.
Studies suggest that the main concerns expressed by patients and study participants in relation to their data relates to data privacy and a degree of mistrust in terms of how samples are used and who has access (and why) (4).
DATA GOVERNANCE FRAMEWORK
In light of the issues raised above, pharmaceutical and healthcare companies need to develop a data governance framework. What might this contain? Some issues to consider are presented below (5):
Work Out What Your Data Is
Classify your data and its protection requirements and implement adequate controls to protect against data breaches. Follow security measures to keep patient personal information safe from inappropriate and unauthorized access and ensure the minimum level of access to perform required functions.
Track and Trace
Keep an accurate inventory of hardware and software and keep everything up to date. Old, unsupported software that has not been patched can open up vulnerabilities to employees and to the entire company.
Follow The Rules
Make sure you are staying compliant with all national, regional and industry privacy laws and regulations that apply to your business. GDPR, CCPA/CPRA, and other data privacy and protection regulations have started to really take hold.
Know Your Weaknesses
Be aware of flaws in your security measures, including Virtual Private Network (VPN) connections. VPNs are dedicated network systems that install a dedicated router, set up a virtual dedicated line on the internet and are used as a means of securely connecting to corporate networks from outside the company. But there are more and more cases of VPN vulnerabilities being exploited by hackers.
For organizations using databases on cloud systems, they should consider setting up a cloud-based Web Application Firewall (WAF). This is a next-generation firewall that is essential for security measures. Ransomware attacks, phishing, credential stuffing and clickjacking are all security issues that WAFs aim to prevent and protect against.
Let Your Patients and Study Participants Know What You are Doing and Why
It is important that the organization is transparent about how it collects, uses and shares personal information. It is essential to communicate clearly and concisely to the patient what privacy means to the organization and the steps taken to achieve and maintain privacy.
WHAT MAKES FOR ‘GOOD’ DATA GOVERNANCE?
There is no common framework for data governance and practices vary considerably between organizations. There is an ISO standard (ISO/IEC 38505-1:2017) (6) but there is no requirement for businesses to adopt this. Some organizations employ a chief data officer who sits at the strategic board level, whereas other companies do not have a chief data officer at all. The downside with the latter is that there exists a disconnect between data governance strategy and implementation. The gaps that result from this can cause ethical or legal issues.
As to what makes for a good data governance policy, it should entail:
- Establishing data governance principles.
- Developing a data governance model using these principles.
- Making stakeholders and employees aware of the principles and establishing suitable procedures.
- Establishing rules about the use and protection of data within the organization.
- Ensuing that the data governance system is subject to regular audit.
A good example of data governance is with the policies established for health data research with initiatives such as the UK Clinical Practice Research Datalink, a real-world research service supporting retrospective and prospective public health and clinical studies. With security issues, digital identification and strong authentication can provide security for data and can be an enabler of better data governance.
With pharmaceutical organizations increasingly reliant upon personal data for the development of medical devices and new medicines (in particular personalized medicines), the need for good data governance is of something of societal and ethical importance. This is not only to convince the patient or clinical trial participant that their data is being handled appropriately, but also with ensuring the security of that data. As an example of a series data breach, in January 2021 it was reported that important documents had been exposed as part data breach relating to Europe's drug regulator - the European Medicines Agency (EMA). These documents were potentially related to the Pfizer / BioNTech coronavirus vaccine (7).
- Dai, W. and Wardlaw, I. (2016) Data Profiling Technology of Data Governance Regarding Big Data: Review and Rethinking. Information Technology, New Generations. Advances in Intelligent Systems and Computing. 448: 439–450
- Koltay, T. (2016) Data governance, data literacy and the management of data quality, IFLA Journal, 2 (4): https://doi.org/10.1177/0340035216672238
- Perez-Pozuelo, I., Spathis, D., Gifford-Moore, J., Morley, J., and Cowls, J. (2021) Digital phenotyping and sensitive health data: Implications for data governance, Journal of the American Medical Informatics Association, ocab012, https://doi.org/10.1093/jamia/ocab012
- Haga SB, O’Daniel J. Public perspectives regarding data-sharing practices in genomics research. Public Health Genomics. 2011;14: 319–324
- Sandle, T. (2021) Now’s the time for businesses to refresh their data privacy, Digital Journal, 25th January 2021 at: http://www.digitaljournal.com/business/now-s-the-time-for-businesses-to-...
- ISO/IEC 38505-1:2017 Information technology — Governance of IT — Governance of data — Part 1: Application of ISO/IEC 38500 to the governance of data, International Standards Organization, Geneva, Switzrland
- Sandle, T. (2021) Looking behind the European medicines data breach, Digital Journal, 21st January 2021 at: http://www.digitaljournal.com/tech-and-science/technology/looking-behind...