A problem? Nope, its a series of individual problems, each of which has privacy implications
Health-related personal data is some of the most sensitive personal data there is and, in the majority of cases, unlike a leaked phone number or bank account details, it is data that cannot be changed.
Some of the risks to personal data include:
- anonymisation of data is hard to perform correctly, especially in a health context where for example certain medical conditions might be 'rare' enough to defeat any anonymisation attempts. Also some (much?) medical research cannot work with anonymous data and rather requires pseudonymised data. So you are relying on the competence and willingness of organisations to anonymise or pseudonymise personal data correctly, especially in the case of pseudonymisation where the org in question may not understand the 'trackability' of particular items of personal data and so leave them present/unaltered in any 'pseudonymised' data they create.
- even if organisations implement proper data security (which is in of itself questionable) there still remains the risk of data breaches
- once personal data is shared there is a loss of control over that data (at least by the data subject themselves, if not by other orgs) from that point onwards. If the recipient org(s) later decide to change what they do with the personal data then its realistically too late (for the individual) to do anything about it. The same applies in the case of anonymised data (which is *not* personal data) - if, for sake of argument, I don't agree with animal testing and an org who receives my anonymised data stated at the time they do not test on animals I may be happy for my data to be used to create their anonymous dataset but if that org later decides to start animal testing there is nothing I can do. Any Privacy Notices or other policy documents reflect a particular point in time and do not reflect on any future intentions.
- inadequate enforcement of data protection law which means that many organisations do not take the laws seriously (or even consider them at all) as the risk of being "caught" is low, the risk of enforcement action is lower, and the risk of a substantial fine or action taken against individuals is even lower.
So as someone who has worked in 'enterprise'/largescale IT for his whole career "I've seen things you people wouldn't believe" (https://en.wikipedia.org/wiki/Tears_in_rain_monologue) and so I am reluctant for my most sensitive personal data to be at risk of either accidential or purposeful misuse, a risk that increases greatly as more organisations have access to it.
With this mind I do not agree with opt-out scenarios for health data - I have already suffered from unlawful processing of my health data in the past due to this: healthcare systems were launched where allegedly letters where sent out notifying of a cut-off date for opting out and I never received the letters and so was unable to opt-out in time to prevent my health data being shared against my wishes (and also in breach of data protection law).
Biting the hand that feeds IT
