It is todays reality that all of us are intricately entangled via information based economy and are bound to face the repercussions of this rapid technological advancement (either good or bad). Information based economy has changed the way we govern, socialize, do research and business [ 1 ]. Correct use of big data, by implying apt data techniques, can enhance the possibilities of efficient and effective services and the quality goods provided [ 2 ]. However there are also concerns regarding the fair use of data [ 3,4 ]. Not only at the onset of data handling but each step in data pipeline can give vent to ethical issues pertaining to inaccuracy, inequality, non-transparency, intrusion [ 1 ]. Moreover today’s world of ICT is so pervasive and ubiquitous that it is nearly impossible to identify that who is behind what [ 5 ]. However, this does not mitigate the importance of data pooling or in simple words data sharing. Data sharing is coordinated data pooling amongst organizations or nation states. This involves multiple monetary, temporal, language based, privacy and security oriented constraints. However, it is capable of giving vent to more impactful far reaching outcomes than the sum of respective separate outcomes [ 6 ]. Thus, Data sharing/data pooling is quintessential for the better insights across sectors and across nation states.

General Data Protection Regulation, GDPR [ 7 ] normative promises to ascertain socially responsible big data practices in the best interest of its citizens and in a way that it facilitates technologically driven businesses by pooling data across EU. Protecting privacy and improving the control over the personal info of EU’s citizens are also of vital importance for EU’s political drive. On the other hand, provision of sharing healthcare data across borders in EU is integral for collective healthcare advancement across EU. The latter is part of Articles 7-8 of Charter of Fundamental Rights of the European Union on the “respect for private and family life” and the “protection of personal data”, respectively [ 8 ]. While passing through various data travel paths, to maintain patients privacy, GDPR, inter-alia, entails that patient data must only be used for research after patient’s informed consent. Exception remains for quality control and improvement purposes. For some researchers [ 9 ]. Informed consent in addition to disintegrated healthcare providers, diversified governance structures, intricate legal and ethical pre requisites of each data subject collectively can potentially hinder the efficient data handling in EU. To counter this, an urge is felt to anchor those fast advancing technological tides in the best of social interest where policy, society and science aggroup [ 10 ].

For overall satisfaction of the patient, patient’s trust upon the healthcare providers is quintessential. Trust being an integral part of any value model, has to persist between the value actors throughout the healthcare service for healthy outcomes. And to that end healthcare providers are moving from volume based fee-reimbursement healthcare model to value based, patient centric healthcare model [ 11 ]. This affirms the shift from exclusively monetary gains oriented healthcare to more value based healthcare system [ 12 ]. In a value based healthcare system, physical/tangible or first order value transactions between the value actors appear exactly the same as that of volume based healthcare but the latter contains qualitative intrinsic value as it equally values patients satisfaction along with patients health improvement [ 19 ]. Shared decision making, an integral part of value based healthcare model, inculcates that during a healthcare process from presentation of the ailment by the patients to the healthcare provider to his/her diagnosis, treatment and to healthcare outcome, each step is mutually decided between the provider and the patient for the latter’s engagement, adherence, effective and efficient cost involving decision making and overall satisfaction [ 13 ]. Patients values, preferences and overall satisfaction is integral for the long lasting sustainability of the healthcare services [ 14 ]. The value based healthcare is largely practiced for more cost effective, quality assuring and more patient engaging health outcomes for the benefit of related stakeholders ranging from healthcare providers to the patient himself [ 15 ].

At organizational level Big Data Analysts BDA have diagnosed a number of values that are generally prioritized by healthcare providers while dealing with healthcare data [ 16 ]. Amongst those ten enumerated values, 4 of them are directly related to patients information security, namely personalized healthcare, patients value care risks, privacy protection, transparency while the rest 6 are related to the uninterrupted efficient healthcare data sharing. Though privacy protection is considered as the least valued organizational value by BDAs but it is well integrated in respective domain’s systems in the form of Privacy by design/architecture. Privacy by architecture is system based which incorporates ISMS standard parameters in alignment with organization’s objectives and goals. This takes place in three phases namely minimization, enforcement, and transparency [ 17 ]. On the other hand, Privacy by policy for organizations and individuals is the application of regulations, laws, policies and processes by which personal information is managed [ 18 ]. It is mainly related to privacy securing data processing of the data subjects. Its bi-product is Information Security Management System (ISMS) with availability, integrity, confidentiality and accountability as its standard indicators. First two indicators encompass “patients security” and the remaining two involve “patients privacy” which collectively come under the tag of Information Security [ 19 ]. Apt security measures are designed at administrative as well as at technical level to protect Information Security. Privacy by design and privacy by policy encourages the idea of treating privacy as a subjective value object as they set standardized indicators for value actors to offer and receive.

Value modeling bridges the gap between IT and organizational undertakings and that is what needed for this research. E3-value toolkit is chosen for the purpose to highlight values of key stakeholder and their respective value transfers.

The paper comprises three sections. First section is based on the introduction, state of the art, problem statement and cause of the paper. Second section constitutes Privacy as a (subjective) value object, objective of using e3-value model, first model using ontology of Padlock Chain Model, its discussion and then the second model using Padlock Chain Model ontology and its discussion, is followed by the limitation of the second model and conclusion in the end. 2

Privacy As A Value Object Privacy is a fundamental human right [ 20 ] at European level (European Convention on Human Rights) [ 8 ] and also as per national constitutions and charters of rights. Idea of privacy is sometimes elusive and far reaching. From the right to be forlorn, to control over personal information, to the rights and responsibilities relating individuals and organizations with respect to their collection, execution, disclosure, and retention of personally identifiable information (PII) all come under the tag of privacy. Moreover, legally, privacy violations are reap with consequences where hefty compensations are to be faced as per GDPR, 2018. From Consumerism perspective, privacy is protected, apt use of the personal information of customers/data subjects, and the meeting of expectations of customers about its use. This may entail the idea of informed consent of the data subjects (consumers/customers) and the idea of patients respective notice and choice as per privacy by policy suggested by Spiekermann and Cranor [ 18 ]. Privacy has been an integral fundamental right which needs to be protected but is regarded as given less of an attention when dealt in big data handling, storage, processing, recovery and data retention [ 5,8 ]. Bigger data and better algorithms have gradually mitigated the significance of privacy breaches of individuals in favor of their informed consent [ 3 ]. If emerging technologies are to be classified with respect to their ethical issues, each one is diagnosed to have the prime issue of privacy protection [ 4 ]. Shift of autonomy and decision making is moving from individuals to technology [ 5 ]. Considering the importance of privacy assurance and the fears it entails, it is vital to first evaluate the current situation and then to entail measures to guarantee privacy protection by setting set standards for all stake holders with standardized indicators and their respective metrics.

In this wake, the presence of both i.e. privacy by policy and privacy by architecture is highlighted. By modeling the value actors in an e3-value model and by highlighting privacy as a (subjective) value object for the market segment of patients that can be offered and received as a value object along with some other tangible value activity. Privacy being a subjective term (varies as per ontological requirements/ priorities of each value actor) is not explicitly defined in each value transaction rather other physical and tangible services/products are depicted where the privacy as a (subjective) value object is always intrinsic. Still, Privacy can be deemed as a (subjective) value object as it satisfies four possible attributes to be called as a value object in padlock chain model. Privacy can be reckoned as a value object if it proves to have attributes given below. Below are the attributes with respective logic that proves privacy to be a (subjective) value object: 1. Business goal: Service-based Logic ascertains that patients are prioritized and so is their right over control of their data sharing. 2. Proof of Performance (POP): When healthcare services are regulated by Independent Regulatory Authorities. 3. Accreditation: when the services are accredited by standard authorities, in this case International Standard Organization (ISO) and Netherlands standard authority (NEN). 4. Exchanged against healthcare data/patients sensitive information: This is what expected by the patients.

Currently all above mentioned indicators are satisfied for the privacy to be considered as a value object but subjectively. Because the level of its measurement is only nominal(named indicators) but lags behind in ordinal(set order of priority), interval (proportionate order), ratio (quantitatively calculable) based measurements. The research aims to proceed step by step from nominal to ratio based measurement of privacy preservation within and amongst healthcare provider’s information systems by focusing on lab as an epicenter. This paper is based on the first step in providing the ground for the privacy to be called as a value object, subjective though, to proceed further.

Privacy protection is expected by the patients from every domain that is directly or indirectly involved, in first data sharing and then data handling, that carries patients personal information. It is to keep in mind that when data securing sensitive personal information is collected, stored or accessed, different data protection requirements are met in different phases of data handling. Similarly different privacy issues arise at different stages of data handling and are handled differently as per organizational objectives and goals. As e3-value model focusses more on the stakeholders and their respective priorities, similarly value based healthcare model prioritize patients for the benefit of all. 2.1 Objective behind using E3-value model E3-value model can be an apt source to highlight certain very integral elements from the onset of this research in a conveniently understandable manner [ 21 ]. E3-value model provides with the web of enterprises where value actors (stakeholders) are highlighted from the “creation, execution and consumption” of the value objects i.e. goods and services. In this value mode the first model will be shaped from the perspective of patients as a market segment interacting with other value actors at the onset of an ailment.

It becomes evident that “Who is offering what of value to whom and expects what in return?” In an ideal patients value care scenario, If a patient offers his/her sensitive personal info to other value actors, Privacy is a common factor which he expects in return along with other healthcare outcomes. As an element of consumerism, key stakeholders are ideally the data subjects and in this case the market segment of patients are selected to testify the postulates of privacy by policy (being an integral part of GDPR, 2018). Linear relationships make it evident that value actors who come in contact with one another for a period of time (generally with an ailment) and undergo value transfers of value objects are part of an ideal situation where they trust one another for the timely mutual satisfaction of their respective needs. So trust is a constant in e3-value model.

It is assumed that with e3-value model it will be easier to unravel the optimal value care which assures patients privacy with uninterrupted, pooling of medical data.

Following are the two models with their respective discussions, concept, scope, conclusion and references are in the end.

Both the models are built on the guidelines of Padlock Chain Model in Dutch healthcare setting. First Model is taken form the patients perspective, later, in second model, the focus is drawn between the privacy assuring bilateral relationship between Lab (biobank and bio-depositary) with other key stake holders in Dutch backdrop. Value actors are divided into four main heading that are following: 1. Principals: who wish to satisfy their prime need. 2. Agent: chosen by the principal to satisfy his/her prime need. 3. Regulator: bodies to regulate and give accreditations to the healthcare providers, if the latter manage to satisfy the pre requisites of being privacy preserving entities. 4. Third Party: instituted to assist and facilitate the agents but are not in direct contact with the principal.

Similarly these four main actors perform following four main activities. 1. Front-end activity (principal undergoes). 2. Counter response (Agent responds to the front end activity). 3. Regulation and giving accreditations to the health care providers (regulators and international and national standard organizations regulate and give accreditations). 4. Back-end activity (performed by third party).

Aim is to analyze privacy protecting measures with simultaneous, uninterrupted, pooling of healthcare data across different domains of healthcare providers. 2.2 Model 1: It is largely assumed that to draw an e3-value model, physical or tangible value transactions are recommended as they are better wholly demonstrated which is in contrast to the qualitative value transactions such as, privacy, security, transparency, autonomy, confidentiality. As the latter ones are all respective terms and depend largely upon the purposes and requirements of the stakeholders involved. E3-value model is opted in representing privacy from being a subjective value to a (subjective) value object in a value model as it satisfies all four attributes to become a value object (explained earlier in privacy as a value object) in an e3-value model. Besides, It becomes easier to utilize e3-value model for otherwise complex healthcare eco system as it focuses on linear inflow and outflow of the value transfers within a time frame between key value actors. Which makes it easier to locate the temporal and spatial transactions between the value actors involved in a value model and to diagnose the bottlenecks(if there are any) in performing effectively and efficiently a value transaction. In future, to quantitatively measure the value objects, indicators will provide us with the required parameters for the measurement and analysis of the value objects exchanged. For quantitatively measuring privacy for the healthcare providers each domain’s implementation, enforcement and transparency (privacy by design) will be evaluated at the backdrop of ISMS indicator i.e. availability, integrity, confidentiality and accountability which are sub groups of patients security and patients privacy respectively and together form Patients information security as is prescribed by privacy by policy. See Fig. 1.

Discussion. The ontology is used to represent value network to match privacy protecting data base requirements while sharing sensitive healthcare data. It is based on Padlock Chain Model with focus on privacy protection [ 22 ]. In this model value actors are divided as per their roles i.e. principal, agent, regulators and third party actors. The principal at the onset of a prime need, delegates duty to the agent, who performs the duty in a confined period of time called contract [ 23 ]. Contracts that are outcome oriented are most efficient as they co-align the agents priorities with that of the principal regarding risk sharing. This gives vent to the rewards to the agents that emanate out of patients value care [ 23 ]. The Statement of Applicability (ISO 27001 Clause 6.1.3 d) is this link between the risk assessment and treatment and the implementation of information security. Similarly transparent information system also serves the principal as it reveals the agents undertakings form the beginning of the contract [ 23 ]. The Netherlands certified Transparency in Healthcare On 7 September 2015, according to the international ISO27001 and the Dutch NEN7510 standards for Information Security Management Systems (ISMS). This guarantees that Transparency in Healthcare (TiH) meets the highest standards for data security and regulatory compliance [ 24 ]. Some healthcare providers are on the lead in this then the rest. Hospitals usually make a transparency window with the patient for the satisfaction but rest of the providers including general practitioners lag far behind in this. Regulators are of two kinds. One kind covers the International Standard Organizations (ISO) and national standard organization (NEN) that give accreditations to the healthcare providers after finding them in compliance with the former. The other kind is of Agencies like Inspectie Gezondheidzorg / jeugd (IGJ) that keep an oversight and have powers to ask the healthcare providers for compensations if found non-abiding [ 25 ]. IGJ works along with governmental independent regulatory authority, Nederlandse ZorgAuthoriteit (NZA). NZA offers least regulation and facilitates competition in highly disintegrated Dutch healthcare market [ 28 ]. That ranges from large number of health insurance companies, to private/semiprivate hospitals, from numerous pharmacies to labs. Patients are mostly open to whichever hospital, general practitioner, pharmacy or health insurance they wish to choose from.

During value transfers, for patients, there is an outflow of data carrying personal sensitive info of the patient to the domain specific healthcare provider such as General Practitioner, pharmacy, hospital + EHBO, lab (biobank and bio repository) and health insurance company and expected inflow of the privacy as a (subjective) value object from the respective domain as per their security systems. For better insight one of the key healthcare providers are to be analyzed as the framework is represented in second model to evaluate the privacy protecting bilateral relationships between lab (biobank and biorepository) and other key stakeholders see model 2 below (from enterprises perspective), see Fig. 2. 2.3. Model 2: Laboratories (Biobanks and biorepositories) play a pivotal role to facilitate healthcare data sharing. Samples and data collected from them pave the way for valuable health research. Efficient sharing and pooling of this data is an important prerequisite for advancements in biomedical science [ 9 ]. In this wake, data curation is integral initially, for first hand data based insights and later for future reference to rightly anticipate and derive. With increased access to and collective databases from multiple sources, better insights from records of patient data in the form of data catalogues is achievable. In this respect, apprehension resides regarding “where the data goes to”, “by whom it is used” and “for what purpose” which, so far, had not been dealt aptly [ 29 ]. To simplify the understanding of this rather complex value network padlock chain model provides linear and easily comprehensible model to start with. This model represents labs bilateral relationship with other key value actors in privacy protecting, healthcare data sharing. Here again, as is evident from the model below, actors are distributed as per their respective goals and are named as principal, with prime need, agent, who is assigned to fulfil the prime need, third party, who performs duties to facilitate the agent but is not in direct contact with the principal and regulator, who regulates and gives accreditations to healthcare providers if found abiding. All these actors do value transactions as front end activity, counter activity, back end activity and regulation respectively. They make use of their respective “privacy by design” parameters instilled in their respective data bases. Simultaneously, Privacy by policy is ensured by International and national standard organizations along with domain specific national regulatory authority. Informed consent plays an important role in completing the privacy preserving healthcare data sharing within and across healthcare providers. Labs are obliged to take informed consent of the patients before taking their bio samples or to collect their sensitive data. There is a big loophole as the informed consent in labs is based upon an opt out procedure instead of being an opt in procedure. This means that patients can opt out of becoming data subjects for further scientific studies or clinical trials if they explicitly say so. Else they are considered to be confirming to the terms and conditions of becoming data subjects for both clinical trials and clinical studies. Once granted informed consent, the lab’s processing of patients data is also subjected to further scrutiny and justly so [ 25 ][ 26 ].

Discussion: Informed consent serves as a starting point for both, “privacy by design” and “privacy by policy”. But it is shown as a part of privacy by policy in model 2 (see below) because it is obligatory upon lab (biobank and biorepository) to take informed consent at the onset of the patients interaction with the lab or at the beginning of the contract. Rest of the privacy preserving procedures serve as succeeding steps to informed consent.

International and national standard organizations/ NGOs play significant role in setting standard ISMS parameters for Dutch privatelab in Dutch healthcare setting. Non-governmental organizations (NGOs) like Interna-tional Organization for Standardization (ISO) and NEN, Dutch Network of standardi-zation bounds labs to follow privacy by policy rules and regulations. ISO, an interna-tional federation of national standards bodies from 164 countries including NEN, facil-itates standardization processes to support the international exchange of goods and ser-vices. NEN is the Dutch network within the Netherlands for development of standardsand their respective application nationally and internationally. These NGOs along with regulator and the informed consent context allows labs to instill privacy in their value network by policy. While talking about value objects and their transfers, generating point or the source of the value objects matters a lot. For example when a patient goes to the biobank or lab for a blood test, results are generated from the lab making lab a source generating point for related information or data. There the power of the patient reduces in favor of the decision making of the lab management in regard of the inflow and outflow of that information. Simultaneously privacy by policy takes precedence to further the interest of patients as data subjects. Tackling of that information largely depends upon the lab or in other words upon the privacy protecting ontologies of lab.

Limitation: The second model lags behind in providing comprehensive and over encompassing analysis comprising multiple stakeholders at a time with their intrinsic privacy protecting values. So overall a disintegrated modeling or value network is doable in this regard.

Conclusion: The paper provides with the ontologies both from patients perspective and from the organizations(lab) perspective to maintain an equilibrium in safeguarding individuals fundamental rights while not ignoring the goals and objectives of the organizations. Given models provides the basis for further research in first analyzing the standard parameters from nominal to ratio based measurements to provide with the standard metrics for key stake holders to confirm the transfer of privacy as an objective value object within healthcare.