key: cord-279699-068kdv9y
authors: Yang, Kwangmo
title: Big Technology and Data Privacy
date: 2020-07-31
journal: Healthc Inform Res
DOI: 10.4258/hir.2020.26.3.163
sha:
doc_id: 279699
cord_uid: 068kdv9y

In the amended Act, pseudonymized information may be processed without the consent of data subjects for statistical purposes, scientific research, and the preservation of records for the public interest, and so forth. A specialized institution designated by the Protection Commission or a related administrative agency may combine pseudonymized information stored outside the organization. Moreover, it may become possible to combine claim data of the National Health Insurance Service or the Health Insurance Review & Assessment Service with the patient information stored in hospitals. The amendment of the PIPA follows the trend of the protection of personal information standards of developed countries. This means that it is also a change to meet the protection standards of the European Union's General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA) of the United States. Meeting strict GDPR personal data protection standards is tough, especially for the companies exporting to Europe. Therefore, Korean laws have been amended to comply with the GDPR requirements to facilitate the export of local products abroad. The GDPR, like the TDB, also defines pseudonymized data as personal data and renders information no longer re-identifiable if there is no additional information [4]. We may infer that the GDPR recommends pseudonymization to process and utilize data. The HIPAA by the US government achieves the deidentification of protected health information through the expert determination method and safe harbor method [5]. The expert determination method has the disadvantage that it is necessary to appoint an expert for each study, requiring more money and time investment.
On the other hand, it also has an advantage of having the flexibility to determine identification according to technological changes. Each expert must document the methods and results of analysis and may be required to submit documents upon request by the Office for Civil Rights. The safe harbor method is used for the de-identification or removal of personal information in accordance with the Privacy Rule of HIPAA. If an individual is not identifiable even with the combination of removed data and other information, it is possible to freely collect and process information without the restrictions of the HIPAA. While simplicity is an advantage, the downside is that the value of the data may be reduced.

Editorial. This is an Open Access article distributed under the terms of the Creative Commons Attribution Non-Commercial License (http://creativecommons.org/licenses/by-nc/4.0/) which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited. ⓒ 2020 The Korean Society of Medical Informatics

The GDPR and HIPAA ensure the protection of personal information and allow the flow and use of health information. Korean law has been amended in line with this trend; however, the law still has shortcomings. As many civil society organizations have pointed out, it is a great pity that the TDB does not have the profiling protection measures specified in the EU's GDPR. In a recent Korean case, the government sent a text message for mandatory health checks to those who had been in Itaewon and had access to the telecommunications base station for more than 30 minutes during the massive outbreak of COVID-19 from Itaewon clubs. Although this was to prevent spread of the epidemic, it makes one wonder whether the telecommunications company was obliged to disclose the list of names of individuals who had only been in the area of Itaewon and not in the clubs.
It would have been very controversial under a similar circumstance in Europe. On March 22, 2017, the United Nations Human Rights Council expressed concerns regarding profiling in modern society. It stated that individuals may be discriminated against through profiling and that individual rights are likely to be violated in digital environments [6]. If these changes are permissible, they may undermine and interfere with the freedom of expression and opinion. The ambiguity and vagueness of the Act need improvement. According to the amended PIPA, pseudonymized information may be processed without the consent of the data subjects for statistical purposes, scientific research, and the preservation of records for the public interest. In this context, the scope of consent is ambiguous. If literally interpreted, consent may be waived for for-profit organizations when collecting statistical data. Some individuals may find it unacceptable to imply consent. Also, it is unclear whether pharmaceutical companies undertaking clinical research to develop new medications or companies developing digital therapeutics are waived from obtaining consent and are free to use health information for scientific research. The Korean government also has not made sufficient effort in communicating with Korean citizens. We may refer to the case of the English care.data programme, a national data-sharing initiative for health records, which was discontinued for a number of reasons. The majority of the UK healthcare services are publicly funded. The general practitioners (GPs) of the National Health Service (NHS) are organized into regions, and each patient is designated to a GP for medical care. GPs are contracted with the NHS and are paid by the NHS-funded budget. Consequently, patients' health information is stored with GP clinics on-site and is not managed by health authorities. As a result, the care.data programme was introduced.
Essentially, the patients could opt out of the scheme if they wished not to disclose personal information to care.data. More than one million patients have opted out of the care.data programme because of lack of awareness of and trust in the project. Soon after, the project was stopped. Many reports claimed that poor communication was a major factor that resulted in the failure of the project. Likewise, the changes made to the TDB should be actively communicated to Korean citizens. The majority of the citizens do not understand the changes that the TDB will bring. Experts are also unable to articulate what route should be taken. Nevertheless, it will be a good starting point to transparently talk about why the TDB was amended and how the TDB can be improved. As we are facing the big technology paradigm of the big data era, more efforts should be made to ensure that individual data privacy is not infringed.

Kwangmo Yang (https://orcid.org/0000-0002-7176-4935)

1. Three Data Bills [Internet]. Sejong, Korea: Ministry of Culture, Sports and Tourism.
2. Legal feasibility study and guidelines for the utilization of health insurance big data and the provision of health service.
3. Personal Information Protection Act. Ministry of Government Legislation.
4. European Commission. EU General Data Protection Regulation (GDPR). European Commission; c2019.
5. US Department of Health & Human Services. Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. US Department of Health & Human Services.
6. The right to privacy in the digital age. The Office of the High Commissioner for Human Rights.