Public comprehension of privacy protections applied to health data shared for research: An Australian cross-sectional study.

INTRODUCTION

Sharing of health data for secondary uses such as research and public policy development is common. There are many potential benefits, but also risks if information about an individual's health record can be inferred. Studies show cautious willingness amongst the public to share health data for beneficial purposes, as long as they are confident in their data privacy and security. There has been relatively little research into whether the technical guarantees of privacy-preserving technologies are well understood by people asked to consent to sharing their data.

OBJECTIVES

We sought to assess how accurately people understood the effectiveness of techniques for protecting the privacy of shared health data.

METHODS

We designed an online survey describing a data-sharing scenario motivated by medical research where data could be shared: raw (including identifiers), de-identified (using k-anonymity), aggregated, and differential privacy applied to aggregated data. Respondents were asked about willingness to share their data, and how likely it was that they could be identified. They were also asked for the meaning of 'de-identified' and whether they would agree to sharing information for 'not solely commercial' purposes, thus mirroring the consent language used by Australia's My Health Record system.

RESULTS

Our findings revealed substantial tolerance for researcher use of health data with consistent preference to share data when better privacy-preserving techniques were employed. This was not entirely consistent as slight preference was shown for aggregated data over differential privacy, despite differential privacy being objectively more secure. We conjecture this was because differential privacy and its benefits were not well understood. Similarly, respondents showed no consistent understanding of the term 'de-identified', indicating that this needs to be carefully defined in contexts that seek consent. Finally, many respondents who indicated a willingness to share for purposes that were 'not solely commercial' nevertheless rejected at least some specific scenarios that mixed research and commercial objectives, again indicating a possible gap in their understanding of the terms.

CONCLUSIONS

We found overall preference for better privacy protection of data as a precondition for secondary use, but limitations in respondents' understanding of key terminology and the differing privacy guarantees of available techniques. Further effort is needed to word secondary data use consent policies to ensure public understanding of commonly used terms and methods, if genuinely informed consent for data sharing is to be gained.