This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in the Journal of Medical Internet Research, is properly cited. The complete bibliographic information, a link to the original publication on https://www.jmir.org/, as well as this copyright and license information must be included.
Personal information, including health-related data, may be used in ways we did not intend when it was originally shared. However, the organizations that collect these data do not always have the necessary social license to use and share it. Although some technology companies have published principles on the ethical use of artificial intelligence, the foundational issue of what is and is not acceptable to do with data, not just the analytical tools to manage it, has not been fully considered. Furthermore, it is unclear whether input from the public or patients has been included. In 2017, the leadership at a web-based patient research network began to envision a new kind of community compact that laid out what the company believed, how the company should behave, and what it promised both to the individuals who engaged with them and to the community at large. While having already earned a social license from patient members as a trusted data steward with strong privacy, transparency, and openness policies, the company sought to protect and strengthen that social license by creating a socially and ethically responsible data contract. Going beyond regulatory and legislative requirements, this contract considered the ethical use of multiomics and phenotypic data in addition to patient-reported and generated data.
A multistakeholder working group sought to develop easy-to-understand commitments that established expectations for data stewardship, governance, and accountability from those who seek to collect, use, and share personal data. The working group cocreated a framework that was radically patient-first in its thinking and collaborative in the process of its codevelopment; it reflected the values, ideas, opinions, and perspectives of the cocreators, inclusive of patients and the public.
Leveraging the conceptual frameworks of cocreation and participatory action research, a mixed methods approach was used that included a landscape analysis, listening sessions, and a 12-question survey. The methodological approaches used by the working group were guided by the combined principles of biomedical ethics and social license and shaped through a collaborative and reflective process with similarities to reflective equilibrium, a method well known in ethics.
These 6 commitments—and the development process itself—have broad applicability as models for (1) other organizations that rely on digitized data sources from individuals and (2) patients who seek to strengthen operational policies for the ethical and responsible collection, use, and reuse of that data.
The volume of data generated from digital tools and devices grows unabatedly every day. Although we may acknowledge uncertainty about how the data we generate are collected, used, and shared, often these concerns are offset by the convenience digital devices bring to our daily lives. Yet, these conveniences mask the reality that our data, including health-related data, may be used in ways we did not intend when they were originally shared [
Data are a unique commodity of the 21st century. Access to and use of data has proven to be a successful business model for many of the world’s most profitable companies. US regulatory and legislative requirements designed to protect personal information, including health-related data, fall short of ensuring complete control over data access. The General Data Protection Regulation of the European Union, considered to be one of the most restrictive data protection laws in the world, allows for the secondary use of data for research purposes without explicit consent that, based on findings from a German study, was acceptable to a majority of survey respondents [
In a recent study, researchers seeking to identify factors that influence consumers’ willingness to share their digital data found that privacy concerns shifted with the context of use and reuse but that overall willingness was strongly influenced by underlying concerns about privacy [
Technology companies seeking to harness the power of large and ever-expanding data sets have developed expertise in rapidly emerging data science methodologies. By 2017, Apple, Google, DeepMind, Microsoft, IBM, and others in the technology sector founded the Partnership on AI (artificial intelligence) with the goal of building a diverse, balanced, and global set of perspectives on AI [
In contrast, the cocreation process described herein serves multiple stakeholders, including the companies and organization that collect, use, and reuse data and the patients and public from whom data are derived with 6 socially and ethically responsible cocreated commitments.
The goal of this project was to develop a radically patient- and public-first set of commitments for the ethical and responsible collection, use, and reuse of data for the digital age. To accomplish this goal, the working group used a participatory research approach guided by cocreation, a collaborative design process in which interaction with consumers plays a central role from start to finish [
The work described herein contributes new knowledge to the field of data governance and stewardship derived directly from patients and the public. The core foundational question—
The results are 6 commitments that go beyond the minimum data governance standards of security and privacy by prioritizing social legitimacy, accountability, and trust as essential components of ethical and responsible data stewardship.
In 2017, a multistakeholder working group convened by PatientsLikeMe (PLM), a web-based patient research network [
In January 2018, a working group was formed, including the authors of this paper, to cocreate a new kind of community compact to lay out how a company that collects, uses, and reuses shared data ought to behave and what it promises both to the individuals who engage with them and to the community at large.
The objective of the working group was to generate a set of easy-to-understand commitments designed to have an impact in the real world that established expectations for good stewardship, governance, and accountability from those who seek to collect, use, and share personal data. As such, the project was not research-led or driven by publication goals per se. Our methods were intended to maximize the opportunity to deliver a set of real commitments with positive benefits for patients and the public.
To accomplish this objective a mixed methods approach was used including a landscape analysis, listening sessions, and a 12-question survey that embodied the conceptual frameworks of cocreation and participatory action research.
Invitations to participate in the 1-hour listening sessions were sent via a private electronic message to company employees and to current and alumni members of PLM Team of Advisors (TOA). TOA members are selected annually via an application process to provide insight and perspective on company activities and initiatives. Listening sessions with company employees were held in person. Sessions with TOA were held virtually via a web-based meeting platform.
Invitations to participate in the 12-question survey were sent via a private message to members of the PLM Ambassadors, a larger set of PLM members not selected to join a TOA cohort who agreed to be available to participate in ad hoc activities seeking patient perspective and active involvement. Completion of the survey took approximately 15 minutes.
Participation in the listening sessions and survey was voluntary, and members were not remunerated for their participation. Independent ethics review was not sought as members of the PLM TOA and Ambassador groups previously agreed to engage in activities seeking their perspective and insight on a variety of topics. The plain language overview of PLM Privacy Policy is accessible on every page of the website. The overview describes how data are used and shared and includes a link to full policy [
The qualitative data generated from the listening sessions were documented by 2 members of the working group who together reviewed their notes after each session. Themes were categorized to differentiate those who offered observations about the general tone and intent of the commitments from those who provided specific recommendations for vocabulary changes and other editorial suggestions. A summary of each listening session was discussed with the working group during regularly scheduled meetings, and decisions regarding refinements to the commitments were consensus driven.
Survey data were collected using a proprietary survey tool and stored in a secure database. Two members of the working group reviewed the raw data for survey completeness. The qualitative data were independently reviewed by 2 working group members using the thematic categories previously created for the listening sessions. Graphs and charts representing the quantitative survey responses were created along with a summary of the analysis of the qualitative responses. The working group discussed the survey results and qualitative findings during regularly scheduled meetings, and decisions regarding refinements to the commitments were consensus driven.
The working group integrated the principles of social license and the conceptual framework of cocreation into the development of the commitments to embody a participatory action research approach [
A reflective process that allows for inquiry and discussion as components of the “research.” Often, action research is a collaborative activity among colleagues searching for solutions to everyday, real problems. ([
The essential components of social license—legitimacy, credibility, and trust—were well established in the web-based patient network. The environment provided a suitable foundation for using the conceptual framework of cocreation. Cocreation is characterized by a continuous and iterative process within which participants play an active role and often use mixed methods for gathering qualitative and quantitative data. Cocreation inspires the generation of unique views and ideas that reflect the collective knowledge, expertise, and perspectives of all involved [
As patients, employees, and subject matter experts participated in cocreation, the working group refined the content and structure of the commitments. This process bore similarities to a method well known in ethics—reflective equilibrium—the essence of which is to go back and forth between different sources of empirical and normative information to reach a well-argued position [
The methodological approaches used by the working group were guided by the combined principles of biomedical ethics and social license and shaped through a collaborative and reflective process. We sought to anchor both the process of cocreation and the outputs that emerged with the web-based patient research network’s core values of patient-first, transparency, openness, and ensuring trust [
Over 9 months of iteration and input, we developed 28 versions of the commitments document. The first version of the document was inspired by the concept of earning and maintaining social license from those entrusting the company with their personalized data. It also sought to incorporate tenets of health care ethics and focused heavily on autonomy: self-determination, negative autonomy (that people should expect freedom from external interference in one’s own life), and positive autonomy (that people should be able to evolve, develop, and shape their lives according to their own desires and nature).
Subsequent versions benefited from continuous processes of ideation and refinement by the cocreators who included patients, consumers, bioethicists, legal scholars, employees, and company leadership. Trust in the process was an essential component of its success.
Cocreation process used to develop Commitments for the Digital Age. PLM: PatientsLikeMe; TOA: Team of Advisors.
In November 2017, PLM leadership approved a recommendation by the Vice President of Policy and Ethics and an external medical ethicist to establish an independent ethics advisory group. In addition, a founder asked for “a public declaration that states what we believe, how we behave, and based on what we promise what members of PLM can expect when engaging in research with us.” The work on both activities began in December 2017, resulting in the first iteration of the company’s
A small working group, including 2 patients, a health technologist, a legal scholar, and an open-source data scientist, was formed to help guide the work of establishing the ECAB and cocreating the public declaration of commitments to participants in company research. Between January and March 2018, the group engaged in a modified Delphi process including a series of in-person meetings, phone calls, and rounds of independent document review between discussions. No questionnaire was used, but a single facilitator led and documented each of the discussions. During this time, the declaration evolved from focusing equally on beliefs, values, and commitments, to focusing more intentionally on clear, robust commitments to which a company that collects, uses, and reuses patient data could be held accountable. By March 2018, version 17 of the declaration titled
The working group solicited input on the evolving document from 3 sources during this phase. All participants described below received the
One-hour listening sessions with PLM TOAs, a patient-only panel that helps bring the patient voice to the forefront of health care (n=100)
One-hour listening sessions with PLM employees (n=25)
Twelve-question survey deployed to PLM Ambassadors [
The qualitative listening sessions provided an opportunity for participants to share their perspectives on a range of topics related to the content of the
Respondents to the quantitative survey were asked to select the single most important commitment among the 6 presented (
Most and least important priorities of patient respondents to the survey (N=718).
Commitment | Priority, n (%) |
Continuous learning environment | 235 (33) |
Respect for autonomy | 186 (26) |
Accountable governance | 85 (12) |
Open communication | 81 (11) |
Value for people | 64 (9) |
Safe and responsible conduct | 61 (8) |
I prefer to skip | 6 (1) |
At the end of the survey, respondents were provided with a free text box for comments (
Regarding specific, substantive themes, 15% were related to privacy and security, though some of these were noting recent data breeches or acknowledging related trade-offs, for example, “I think there is a point when the potential value of data outweighs the need for protection,” rather than merely expressing concern. Nine percent of the comments were related to selling data, some opposing it in general and some requesting additional clarity about company practices, for example, “Do you sell the data to researchers… Do you give data to pharmaceutical companies as they do research?” Eight percent expressed concern about the accessibility of these commitments, for example, “I know if I wasn’t taking the survey, I’m not sure I would have read it as thoroughly as I did.” Finally, 8% noted the importance of accountability, specifically the company leadership’s willingness to follow through on the commitments, for example, “Who has written this document? How well do they represent the executives?” and “It sounds pretty good, reads very positive. Of course, it’s just a bunch of words that don't do anything themselves.” This healthy skepticism underscored an activity that the ECAB was already considering, namely the creation of success metrics to evaluate the company’s performance over time.
Free-text survey responses underscore importance and concerns of patients about commitments (N=191).
Comment | Value n (%) |
Positive feedback | 82 (43) |
Edits and structure | 35 (18) |
Privacy and security | 28 (15) |
Feedback to PatientsLikeMe | 19 (10) |
Personal comment | 17 (9) |
Selling data | 17 (9) |
Leadership intentions | 16 (8) |
Access and understanding | 13 (7) |
After completing an analysis of the qualitative and quantitative data, the working group refined the 6 commitments in the charter and reprioritized the order to reflect respondent input.
In addition to the iterative work on the charter, the process of establishing the ECAB continued with identifying and vetting nominees. The newly selected ECAB members received a briefing packet that included the cocreated version 26 titled
The newly established ECAB met virtually for the first time in September 2018. The 9 members, 5 of whom were patients and consumer representatives, discussed the commitments document and provided feedback on language, tone, and title. The ECAB finalized the document now titled
We are continuously developing and advancing a robust and dynamic knowledge repository as a continuous learning network, where meaningful data and insights are shared to support decision-making, and where effective tools to act on those decisions help people thrive on their own terms.
We respect each person’s autonomy and the relationships that support it. In our view, autonomy also means each person controls their data and its use.
We enable individuals to choose the services that fit them, to choose the level of privacy they want, and to partner in research that interests them.
Individuals decide what they want to contribute to and to be informed (or not) about individual or collective results.
We believe that informed consent is much more than a signed form.
It is an adaptive mutual process in which individuals are given timely information, they need to understand the choices available to them, and they are free to act on those choices without interference.
Each piece of data is a moment in real life that must be respected.
We have a profound responsibility to protect that data to make sure that how, when, and why they are accessed or used, and by whom, aligns with the personal interests of individuals, the collective norms of their community, and the laws and regulations of the country they call home.
We will continually encourage feedback, and we will keep ourselves honest about providing opportunities to do so.
We also know we have a responsibility to share what we learn, our successes, and our mistakes proactively with individuals and with the world at large.
We acknowledge that like most digital and web-based platforms we must have greater inclusivity and diversity in our environment, and that this must be practiced, not preached.
We seek to understand diverse perspectives and believe that everyone benefits when we combine the power of our collective human voices with advances in biomedical and biological research and the dynamic technologies with which we interact in our daily lives.
Through a continuous and intense process of cocreation spanning 9 months, 6 commitments for the digital age were developed to provide ethically responsible guidance for shared power and governance between a company that collects, uses, and reuses data and the community from whom data are sourced.
The 6 commitments in order of priority as determined through the cocreation process are (1) continuous and shared learning; (2) respect and empower individual choice; (3) informed and understood consent; (4) people-first governance; (5) open communication and accountable conduct; and (6) inclusivity, diversity, and equity. In these commitments, the ethical norms of privacy and security are clearly visible. At the same time, there is a strong commitment to respect autonomy and to help people thrive on their own terms by starting from the diverse lived experience of each individual.
The final version of
The processes undertaken represent a collaborative experiment to create an advisory structure and set of expectations through which a business and a self-selected community can successfully partner to navigate new and uncertain ethical spaces related to privacy, autonomy, equity, and the potential individual impact of participating in novel research endeavors. There was an additional relational effect of going through this process with a company’s employees and constituents together. In cocreation, those involved started to experience the philosophical benefit of cocreation itself, a process that was more than creating a document. Over the iterations, the commitments became less about a company’s beliefs and more about a company’s commitment to ethically responsible conduct. In essence,
In comparing our work with other literature and conceptual frameworks, we noted interesting differences that illuminate the dearth of patient and public participation in data governance and stewardship. A systematic review of literature published between 2001 and 2009 on the state of data governance in companies and corporations prompted the paper’s authors to develop a new conceptual framework for data governance and to recommend 5 promising fields for future research [
Widely used ethical frameworks that are relevant to health data such as the World Health Organization/CIOMS principles, the Belmont report, and the Taipei principles of the World Medical Association have ethics committees as their prime addressee [
The cocreated commitments, while general in nature, do offer actionable guidance when considered in specific use cases. DATAGov, a project that seeks to coproduce a “model for involving patients and the public in decision-making processes about the use and sharing of health data for rare diseases” is a prime example [
The timeliness of our work and relevance beyond the original intent are made obvious in a recent Harvard Business School series titled
Leaders of digitally mature organizations align their employees around a shared purpose that puts ethical decision-making on behalf of stakeholders at the center. These companies earn the right to collect and use employees’ and customers’ data, for example, by being transparent about their intentions and relevant processes. When they use that data, they actively ensure they are abiding by the expectations they set when they gather it. Organizations want to get to the point where customers want to share their personal information because they trust they will benefit from its use. Building this trust needs to be a multi-pronged effort embraced by all in the company—not just policed by those in compliance roles. (p. 5)
It is important to note limitations in the generalizability of our work, in terms of both the process and the commitments. First, the web-based patient research network had an active and engaged member base that was available to participate. There was already a baseline understanding about some of the principles we engaged them on. Many companies may not have access to this kind of population. Second, and related, is an inherent bias in our sample as members of the PLM network, by definition, are people participating in a web-based data sharing platform. Furthermore, survey participants may represent a more engaged, equipped, and empowered subset of the company’s patient membership. Third, the company had an executive (SO) entirely dedicated to ethics and policy who was able to dedicate significant time to the logistics and continuous learning this project required; such a resource may not be available within similar organizations.
Another important limitation is that because of a change in the ownership of the company, the commitments were not codified upon their completion. Therefore, we cannot comment on the challenges of adoption, implementation, or maintenance over time, or the related accountability mechanisms. Full realization of these commitments is undoubtedly a rigorous and continuous undertaking that requires ongoing socialization, reflection, measurement, and adaptation.
A working group came together to cocreate with a web-based patient community a public declaration of commitments for ethically responsible behaviors for data collection, use, and reuse to which a company could be held accountable by those with whom it engaged in the conduct of its business. The declaration would respect current ethical, legal, and societal standards for responsible collection, use, and reuse of patient data in the 21st century era, and it would be adaptable to ever-evolving technological capabilities.
We believe that these commitments have broad applicability and call upon health systems, clinical organizations and providers, technology companies, software developers, data scientists, researchers, and others who rely on data sourced from individuals to use our work as a model for making similar commitments. In this digital era, the public deserves trustworthy stewards of their data who willingly integrate and publicly share the ethical and social commitments to which they can be held accountable.
artificial intelligence
Council for International Organizations of Medical Sciences
Ethics and Compliance Advisory Board
PatientsLikeMe
Team of Advisors
We, all members of the working group and elected members of the PLM ECAB, thank the participants who contributed to the cocreation process, especially the patients who generously shared their time, perspectives, opinions, and insights to ensure that the
The data sets generated and analyzed during this study are not publicly available as they contain information that could compromise research participant privacy and consent.
None declared.