Multi-Party Privacy Policy Management in the Context of Health Monitoring: An Exploratory Study

There is an increasing number of assisted living technologies and health monitoring systems that provide electronic health services and help patients and the elderly stay at home longer. These systems improve users’ safety and reduce caregivers’ workload. Regardless of the benefits that health monitoring systems have brought to users, they face privacy challenges, which can influence users’ adoption of these technologies. One of the challenges is multi-party privacy policy management. As different parties may have different considerations in the same scenario, they can make different privacy decisions. Therefore, a privacy policy management scheme is required to deal with conflicts. In this paper, we present a user study conducted to collect several participants’ opinions on multi-party privacy policy management in the context of health monitoring. One focus group and eight semi-structured interviews were conducted. Our questions for participants adopt strategies from online social networks. We then discuss participants’ views on privacy decision conflict resolution in different health conditions and on whether a recommendation system is needed to help with multi-party privacy policy management. We try to prioritize decisions based on participants’ views and the emergency level of events in different scenarios, increase technology adoption, and ensure health services are better delivered. The results reflect the importance of adopting flexible strategies like majority weighted voting in different health conditions, which serves as a basis for multi-party privacy policy scheme development.


INTRODUCTION
Despite the conveniences that health monitoring systems have brought, users' adoption of these technologies is affected by several factors. Users' privacy attitudes towards assisted living technologies are one of them [1]. Therefore, privacy policy management is required to help improve the adoption and implementation of these technologies.
Privacy policy management involves at least two parts: individual privacy preferences and multi-party privacy preferences. Past studies have shown that most of the efforts are made by researchers from an individual's point of view (mostly care receivers' point of view) [2][3]. Under some scenarios, however, there might be multiple users involved in the decision-making (e.g., care receivers, informal caregivers like care receivers' relatives or friends, and formal caregivers like care receivers' family doctors or clinical staff). The caregivers can either be in the monitoring environment or help care receivers make better decisions from outside it. A multi-party privacy management scheme is required to manage these users' privacy preferences.
When caregivers are in the monitoring environment together with care receivers, some of the data, such as audio or radio recordings, is co-owned by several parties, so each party's privacy concerns need to be considered. Their privacy preferences in different scenarios need to be carefully collected and compared so the monitoring system can protect multiple users' privacy properly at the same time. A typical scenario is when a caregiver is going to visit a care receiver at his/her private home: as both the caregiver and the care receiver are in the health monitoring environment, the privacy of both should be protected when utilizing the electronic devices. To be more specific, if an electronic door lock is automatically unlocked by the caregiver without considering the care receiver's will, it may be an intrusion into the care receiver's privacy. Another case can be image sharing. When image sensors are monitoring a private home and collecting recording data continuously, if someone does not give consent to share the image data with clinical staff, all users in the private home might need a negotiation to reach an agreement. Therefore, the conflict resolution step should be considered in multi-party privacy policy management.
When caregivers are not in the monitoring environment, there might still be cases in which different parties' privacy preferences need to be taken into account together. For example, care receivers may lose the capacity to make rational decisions. In these scenarios, other parties' decisions would be of significant importance. If these parties make different decisions, it would also lead to conflicts. An example is when clinical staff require raw recording data to be sent out so that they can make accurate decisions, while family members may prefer privacy-enhanced data to be sent out to protect care receivers' privacy.
Given the aforementioned dilemma, a multi-party privacy policy management scheme can be a good solution to help the health monitoring system with the negotiation and synchronize multi-party privacy settings when conflicts are detected. In this paper, we aim to address the second case, when caregivers are not in the monitoring environment, and to adopt appropriate privacy conflict resolution protocols based on professionals' opinions. We present the results of a small-scale user study that collects researchers' views from different professional backgrounds. The results serve as a basis for multi-party privacy policy management in health monitoring.

RELATED WORKS
There is a large body of research on multi-party privacy in healthcare. At the technical level, different techniques are used to ensure secure communication not only among several parties but also between smart devices and health centers. Kaur et al. [4] propose an efficient multi-party scheme for healthcare recommender systems. Kumar et al. [5] put forward Secure Multiparty Computation (SMC) based homomorphic encryption for e-Healthcare systems. Xu et al. [6] utilize federated learning to achieve secure computing.
Nevertheless, these patient-oriented models are mainly used for protecting the privacy of health data during processing (technical level) rather than for privacy decision management (policy level). Other works try to overcome the challenge at the control level. These works regard personalized access controls as one of the solutions to help with multi-party privacy. According to Misra and Such [7], personalized access control decisions can minimize users' burden of expressing their individual sharing preferences. Yi et al. [8] propose an electronic health records (EHRs) access control protocol for multiple parties so that they can cooperate to control clinicians' access to EHRs. Rezaeibagha and Mu [9] also introduce a dynamic access-control policy mechanism to provide secure and privacy-preserving data sharing in EHR systems for hybrid clouds.
More research works regarding multi-party privacy are in the domain of Online Social Networks (OSNs), especially for privacy violation detection and multi-party privacy conflict negotiation. Multi-party privacy management in conflict resolution is approached from the policy level. The review by Alemany et al. [10] summarized Such and Criado's work on multi-party privacy in social media [2]. In 2016, Such and Criado [11] [12] suggested three multi-party coping strategies: uploader overwrites, majority voting, and veto voting. In 2018 [2], they summarized six main approaches as technical support for multi-party privacy management: the manual approach, the auction-based approach, the aggregation-based approach, the adaptive approach, the game-theoretic approach, and the fine-grained approach. Nevertheless, each approach has its pros and cons. The manual approach completely depends on users without any technical aids, which becomes an unbearable burden to users [13]. The auction-based approach is a semi-automated method using a bidding mechanism in which the winning user determines the outcome for a particular item, but users may have difficulty comprehending the whole mechanism. The aggregation-based approach includes majority voting and veto voting. However, majority voting may not protect sensitive information from being disclosed, and veto voting may be too restrictive for some of the rules. The adaptive approach considers more factors than veto voting but adds to the difficulty of modelling all possible situations [11]. The game-theoretic approach is expected to work well by introducing game-theoretic solution concepts such as the Nash equilibrium; its disadvantage is that it does not avoid the fact that users' behavior does not seem perfectly rational in practice, and it lacks validation in daily privacy decisions [12]. Finally, the fine-grained approach allows individuals to decide independently on the shared data but might negatively impact the utility of the data [2].
In all, given that only a few works can be found at the privacy policy level in healthcare, our work focuses on policy-level privacy management, and the approaches from Online Social Networks are adopted to inspire participants to propose appropriate methods for when accidents happen in the health monitoring environment. This work is a pivotal step towards bringing these approaches into the domain of healthcare.

METHODS
In our study, we aim to select and adopt the most appropriate protocols or methods for when different privacy decisions are made by different parties. Therefore, a qualitative method [14] was selected to collect participants' views on the protocol adoption regarding multi-party privacy policy management. One focus group and eight semi-structured interviews were conducted in total. The questions were created with the following goals: 1) discovering the existing barriers in health monitoring systems; 2) figuring out the conflict resolution protocol when care receivers are in different health conditions or scenarios; 3) figuring out the feasibility of a recommendation system which can help with privacy policy management. To have a comprehensive overview of the management mechanism, we targeted participants from the following three professional backgrounds: healthcare staff, technical researchers, and legal researchers. Eleven participants were successfully contacted, a number that falls within the reasonable range suggested by [15] (see Table 1). It is worth mentioning that, as the authors (residents in Norway) were collaborating with two research institutions in Germany and Belgium, participants working on similar projects at these two institutions were contacted by us because they had good insights on the topic. When we contacted one participant from the local municipality where the authors reside, the participant brought in two other colleagues with the same background. Therefore, we shifted the one-to-one interview into a focus group to collect their insights on the current health technology implementation status and emergency handling methods. For the rest of the participants, semi-structured interviews with a list of predetermined questions were conducted. Unlike structured interviews, in which all questions are fixed in advance, semi-structured interviews allowed us to prepare questions beforehand to cover all the topics we wanted to investigate while ensuring that key information would not be missed.
In the focus group, several open-ended questions were asked by us. They are shown as follows. The first two questions cover the emergency handling mechanism currently adopted in the municipality when medical incidents involve users' privacy, including whether regulations are applied when medical incidents happen, how care receivers' privacy will be protected or dealt with, what medical help will be delivered if the incidents involve care receivers' privacy, etc. Questions three to seven collect participants' views on the methods or protocols to use when different privacy decisions are made by different parties and negotiation is needed to deal with conflicts in different health conditions. The eighth question asks whether an AI recommendation system is needed to help synchronize privacy decisions.
• Q1: What is the current mechanism of emergency handling that you are using in nursing homes or private homes?
• Q2: Does the municipality have existing standards or regulations adopted?
• Q3: There will be events that are hard to handle because they were not considered and included in the system at the beginning. The system may also have difficulty evaluating the care receivers' status when an incident happens. The system might lack users' decisions on these events. How do you think we can help properly deal with these events that are not pre-configured or pre-considered?
• Q4: Do you think care receivers' privacy preferences should always be prioritized if they have the capacity to make decisions? (If not, what are the exceptions?)
• Q5: What kinds of methods/protocols do you think we should use to synchronize the conflicts when care receivers have the capacity to make decisions? For example, based on prioritization, majority voting, majority weighted voting (if so, how should we assign the weight?), ethical code, social norms, regulations, etc.
• Q6: What kinds of methods/protocols do you think we should use to synchronize the conflicts when care receivers are in danger or make irrational decisions? For example, based on prioritization, majority voting, majority weighted voting (if so, how should we assign the weight?), ethical code, social norms, regulations, etc.
• Q7: What kinds of methods/protocols do you think we should use to synchronize the conflicts when care receivers don't have the capacity to make decisions? For example, based on prioritization, majority voting, majority weighted voting (if so, how should we assign the weight?), ethical code, social norms, regulations, etc.
• Q8: Do you think we should have an AI system for recommendations? If so, do we need the system at the beginning or after the users have made decisions?
We selected Q3 to Q8 from the focus group as the predetermined set of open questions for the semi-structured interviews. The first two questions were not included because they were more relevant to the current status than to personal views.
After recording the interview results, we adopted content analysis to code the data and summarized the results. The next section presents the generated results.

RESULTS
The participants in the focus group provided insights on the general status of emergency handling in the monitoring systems (Q1 and Q2). In real-life cases, a consent form is signed by users at the beginning. If incidents or activities happen, measures are taken according to the consent form. The participants agreed that, as the monitoring systems might use privacy-invasive technologies, legal bases are required for the implementation. In the municipality where the participants are located, the Norwegian Patient and User Rights Act [16] as well as the Health and Care Services Act [17] provide the legal bases for the consent form. For users who are competent to consent, a consent form is sufficient for the use of interventional technology as part of health and care services. However, there are no specific classification standards regulating the different measures to be taken in different health conditions. Currently, it is common in Norwegian nursing homes that the monitoring system monitors care receivers during the daytime and caregivers take care of care receivers at night, which indicates a combination of technologies and humans. The participants mentioned that, though they were using technology to handle emergencies, most of the caregivers from the local municipality are not using the most up-to-date technologies. On the one hand, they do not trust technologies; on the other hand, they are not used to the technologies or do not want to be replaced by them. In general, the adoption of these technologies depends on age (the younger generation is more open to technologies) and education (staff with higher education levels are more open to technologies).

Dealing with events that are not pre-considered
Regarding Q3, participants have different concerns. In all, five categories were summarized by us according to participants' views.
• Consent given in compliance with regulations. Some participants mentioned that care receivers should give consent in compliance with regulations at the beginning (P1, P2, P3, P8, P9, P10), which is regarded as a default step. Extra measures or processing steps then need to be in compliance with the consent.
• Someone else decides for care receivers. Other participants put forward that there should be an extra handling step, such as formal caregivers helping with unknown conditions (P4, P6, P7, P8, P9). Family members (informal caregivers) should take over the responsibility if the unknown events are relevant to financial issues (P9).
• Checking existing privacy models or similar scenarios. Some participants asked whether it would still be possible for the system to classify the event based on existing scenarios or characteristics of different sensors (P5, P8, P11), which indicates that existing privacy models would be checked in these cases.
• Enabling on-site decision-making for care receivers. One participant raised the importance of enabling care receivers' on-site decision-making when it is hard for caregivers to make decisions (P5).
• Setting standards or thresholds for sensor data. One participant mentioned the importance of setting standard thresholds for sensor data. The thresholds reflect the risk level of the incidents, and the corresponding measures can then be taken (P11).

Prioritizing care receivers' decisions when they have the capacity
For Q4, all participants agree that care receivers' decisions should always be prioritized. Some of them emphasized that there should be exceptions, such as when care receivers are in danger, in which case their permission should be asked at the beginning and someone else should help make decisions for them; however, these exceptions are out of scope for this question because we set the precondition that care receivers have the capacity to make decisions in these situations.
Methods/Protocols to be taken when care receivers are in different health statuses
For Q5 to Q7, three categories were summarized by us. (Categories which have already been summarized above are marked with "*".)
• Majority weighted voting should be adopted, with prioritization of care receivers' decisions when they have the capacity to make decisions*. Most participants, with the exception of P10, agreed that majority weighted voting should be adopted, and that care receivers should be assigned more weight when they have the capacity (prioritization). Among the participants who agreed on majority weighted voting, those with a healthcare background agreed that informal caregivers were more important and should be assigned more weight (P1, P2, P3, P9). Some participants thought formal caregivers should be assigned more weight under both Q6 and Q7 (P4, P6, P7, P8), while one participant thought the weights of the informal and formal caregivers should be adjusted between Q6 and Q7 (P11). One participant was uncertain about the weights of the informal and formal caregivers (P5).
• Checking regulations or contracts before majority weighted voting. Among participants who agreed that majority weighted voting should be adopted, two thought regulations or contracts should always be checked at the beginning, before majority weighted voting is applied (P7, P10).
• Enabling on-site decision-making for care receivers*. One participant emphasized the importance of on-site decision-making for care receivers in real-life cases so that the most appropriate measures can be provided by the caregivers despite the pre-established policies.
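The following is an added worked example, not code from the paper or from any system the study describes; it shows in executable form the three aggregation strategies named in the related-works section (majority voting, veto voting and majority weighted voting) together with the conflict-resolution flow the participants favoured for Q5 to Q7: regulations or contracts are checked first, and only if no rule applies is a majority weighted vote held, with the weight of each role depending on the care receiver's capacity. The roles, the weight table, the two example rules and the sample votes are constructed assumptions chosen for illustration; the study did not fix any concrete weights.

```python
"""Policy-level conflict resolution for a multi-party health-monitoring decision.

Added example written for this page; it is not code from the paper or from any
system the study describes. Roles, weights, rules and sample votes are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List


class Role(Enum):
    CARE_RECEIVER = "care_receiver"
    INFORMAL_CAREGIVER = "informal_caregiver"  # relatives, friends
    FORMAL_CAREGIVER = "formal_caregiver"      # family doctor, clinical staff


class Capacity(Enum):
    HAS_CAPACITY = "has_capacity"  # Q5: care receiver can make decisions
    IN_DANGER = "in_danger"        # Q6: in danger or making irrational decisions
    NO_CAPACITY = "no_capacity"    # Q7: unable to make decisions


@dataclass(frozen=True)
class Vote:
    party: str
    role: Role
    share: bool  # True: send raw data; False: withhold, or send privacy-enhanced data only


@dataclass(frozen=True)
class Rule:
    """A regulation or contract clause that, when it applies, decides the case outright."""
    name: str
    applies: Callable[[str, dict], bool]
    decision: bool


@dataclass(frozen=True)
class Decision:
    share: bool
    basis: str  # which rule or which voting scheme produced the outcome


# Constructed weight table (an assumption, not values from the study). With capacity the
# care receiver's weight exceeds all caregivers combined, so prioritization is built in;
# without capacity the care receiver's vote carries no weight and the caregivers decide.
WEIGHTS: Dict[Capacity, Dict[Role, float]] = {
    Capacity.HAS_CAPACITY: {Role.CARE_RECEIVER: 3.0, Role.INFORMAL_CAREGIVER: 1.0, Role.FORMAL_CAREGIVER: 1.0},
    Capacity.IN_DANGER: {Role.CARE_RECEIVER: 1.0, Role.INFORMAL_CAREGIVER: 1.0, Role.FORMAL_CAREGIVER: 2.0},
    Capacity.NO_CAPACITY: {Role.CARE_RECEIVER: 0.0, Role.INFORMAL_CAREGIVER: 1.5, Role.FORMAL_CAREGIVER: 2.0},
}

# Constructed rules checked before any vote (the "check regulations or contracts first" step).
RULES: List[Rule] = [
    # The signed consent form excludes raw audio recordings entirely.
    Rule("consent-excludes-raw-audio",
         lambda data_type, ctx: data_type == "raw_audio" and not ctx.get("consent_raw_audio", False),
         decision=False),
    # During an acute emergency, vital signs must reach clinical staff.
    Rule("emergency-vitals-to-clinic",
         lambda data_type, ctx: data_type == "vital_signs" and ctx.get("emergency", False),
         decision=True),
]


def majority_vote(votes: List[Vote]) -> bool:
    """Plain majority: share only if more than half of the parties agree."""
    return 2 * sum(v.share for v in votes) > len(votes)


def veto_vote(votes: List[Vote]) -> bool:
    """Veto: a single party withholding consent blocks sharing."""
    return all(v.share for v in votes)


def majority_weighted_vote(votes: List[Vote], capacity: Capacity) -> bool:
    """Weighted majority under the given health condition. A strict majority of the
    total weight is required, so a tie resolves to 'do not share' (privacy-preserving default)."""
    weights = WEIGHTS[capacity]
    total = sum(weights[v.role] for v in votes)
    in_favour = sum(weights[v.role] for v in votes if v.share)
    return 2 * in_favour > total


def resolve(data_type: str, context: dict, votes: List[Vote], capacity: Capacity) -> Decision:
    """Full flow: an applicable regulation/contract decides first; otherwise weighted voting."""
    for rule in RULES:
        if rule.applies(data_type, context):
            return Decision(rule.decision, f"rule:{rule.name}")
    return Decision(majority_weighted_vote(votes, capacity), f"weighted-vote:{capacity.value}")


# Constructed sample: the care receiver withholds, both caregivers want the raw data shared.
SAMPLE_VOTES = [
    Vote("care receiver", Role.CARE_RECEIVER, share=False),
    Vote("daughter", Role.INFORMAL_CAREGIVER, share=True),
    Vote("family doctor", Role.FORMAL_CAREGIVER, share=True),
]

if __name__ == "__main__":
    for cap in Capacity:
        print(cap.value, resolve("image_data", {}, SAMPLE_VOTES, cap))
    print("raw audio without consent:",
          resolve("raw_audio", {"consent_raw_audio": False}, SAMPLE_VOTES, Capacity.NO_CAPACITY))
```

With the sample votes, plain majority voting would share the data and veto voting would never share it, which is exactly the tension the related-works section describes; the weighted vote instead follows the care receiver while they have capacity and follows the caregivers once they do not, and the rule table overrides the vote whenever a consent clause or an emergency provision applies.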

Controversy over whether there should be a recommendation system or not
Results for Q8 showed that six participants agreed there should be a recommendation system, while four participants were uncertain whether there should be one or not. One participant thought it would be better not to have a recommendation system (P7). The participants from the local municipality gave more specific reasons for their uncertainty: there should always be formal caregivers who control the quality of the data, and if researchers cannot get enough data for training, users cannot rely on the recommendation system.

DISCUSSION
Our study has several limitations. Firstly, since only limited work relevant to multi-party privacy policy management in the domain of healthcare can be found, we lack standard criteria for the sensitivity and urgency levels of different incidents in the health monitoring environment. Even though appropriate protocols have been selected by participants, it remains a barrier for the monitoring system to assess care receivers' health status and determine the strategy. Also, as some participants mentioned (P7, P10), regulations or contracts need to be checked prior to majority weighted voting; this depends heavily on the system's ability to identify the incidents while protecting care receivers' privacy properly, so that it knows whether the regulations apply to the specific scenario. Secondly, in this article we consider one multi-party privacy scenario, in which only one care receiver is monitored. We plan to extend it to more complicated scenarios so that the privacy of multiple users involved in the same monitoring environment can be properly managed.
Last but not least, we merely present the views of the participants. Future work can put forward a well-designed scheme that takes their views into consideration.

CONCLUSION
This paper presents the results of a user study in which we collected participants' views on multi-party privacy policy management in the health monitoring context. The focus group and semi-structured interviews provided an overview of the status of health monitoring technology in the authors' country of residence and of the different concerns of experts with different professional backgrounds. In all, the results show that participants share the view that a consent form in compliance with regulations should be prepared to help mitigate the risks of unknown events. They tend to select majority weighted voting as the protocol for conflict handling. Nevertheless, they have not provided unanimous opinions on whether there should be a recommendation system, nor have they assigned similar weights when care receivers are in different health conditions. In future studies, the specific weights need to be further investigated based on the care receivers' capacity to make rational privacy decisions. More complicated scenarios will also be taken into account to improve the multi-party privacy policy management scheme.

Figure 1: Decision processing and conflict resolution flow based on participants' answers

Table 1: Demographic Characteristics of the Participants