Mathematical Reconciliation of Medical Privacy Policies

Published: 08 December 2020

Abstract

Healthcare data are arguably the most private of personal data. This very private information in the wrong hands can lead to identity theft, prescription fraud, insurance fraud, and an array of other crimes. Electronic-health systems such as My Health Record in Australia hold great promise in sharing medical data and improving healthcare quality. But, a key privacy issue in these systems is the misuse of healthcare data by “authorities.” The recent General Data Protection Regulation (GDPR) introduced in the EU aims to reduce personal-data misuse. But, there are no tools currently available to accurately reconcile a domestic E-health policy against the GDPR to identify discrepancies. Reconciling privacy policies is also non-trivial, because policies are often written in free text, making them subject to human interpretation.
In this article, we propose a tool that allows the description of E-health privacy policies and represents them using formal constructs, making the policies precise and explicit. Using this formal framework, our tool can automatically reconcile a domestic E-health policy against the GDPR to identify violations and omissions. We use our prototype to illustrate several critical flaws in Australia’s My Health Record policy, including a non-compliance with GDPR that allows healthcare providers to access medical records by default.

      Published In

      ACM Transactions on Management Information Systems  Volume 12, Issue 1
      Special Issue on Analytics for Cybersecurity and Privacy, Part 2 and Regular Papers
      March 2021
      174 pages
      ISSN:2158-656X
      EISSN:2158-6578
      DOI:10.1145/3441846

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 08 December 2020
      Online AM: 07 May 2020
      Accepted: 01 April 2020
      Revised: 01 March 2020
      Received: 01 September 2019
      Published in TMIS Volume 12, Issue 1

      Author Tags

      1. GDPR
      2. metagraph
      3. my health record
      4. privacy policy

      Qualifiers

      • Research-article
      • Research
      • Refereed

      Funding Sources

      • The ARC Center of Excellence for Mathematical and Statistical Frontiers

      Article Metrics

      • Total Citations: 0
      • Total Downloads: 192
      • Downloads (Last 12 months): 20
      • Downloads (Last 6 weeks): 2
      Reflects downloads up to 13 Feb 2025
