Health data has become one of the most valuable and sensitive assets in modern healthcare systems. It underpins clinical decision-making, enables continuity of care, supports research and innovation, and increasingly powers digital health services, analytics, and artificial intelligence.

At the same time, failures in how health data is governed, shared, or protected can erode trust and place unsustainable burdens on clinicians and health systems. For this reason, health data stewardship is not merely a technical or administrative concern. It is fundamentally a question of responsibility: who is answerable for health data, and on whose behalf?

Why health data stewardship cannot be reduced to a single role.

The literature is clear that health data stewardship cannot be reduced to a single role or institution. Early interpretations of data stewardship focused on optimising data management for efficiency and interoperability, often framed through principles such as accessibility and reuse.

While this approach has delivered important advances, particularly in research data management, it is insufficient in healthcare. Health data is personal and relational. Stewardship must therefore extend beyond optimisation to encompass ethical, legal, and social responsibilities.

Stewardship as a shared responsibility across the health system.

Responsibility for health data is distributed across a complex ecosystem of actors, each with distinct but overlapping obligations.

The Role of Government and Public Authorities.

Governments and public authorities hold a foundational stewardship role because they set the legal, regulatory, and policy environment within which health data is collected, used, and shared. This includes defining privacy protections, security requirements, rules for secondary use, and accountability mechanisms in the event of errors.

International experience shows that where governance is fragmented or weakly enforced, health data initiatives struggle to earn and retain public trust. Conversely, coherent and transparent governance frameworks provide clarity and enable coordination across the system.

Data Governance Spaces in a National Digital Health Service
Source: Paparova et al. (2023), Information and Organization

Health Organisations as Operational Stewards.

Health system organisations, including ministries of health, national agencies, hospitals, and primary care providers, carry direct stewardship responsibilities because they generate and operationalise health data.

Their obligations extend beyond technical security and regulatory compliance. They are responsible for ensuring data quality, accuracy, and appropriate access, and for embedding data practices that support safe, effective, and equitable care.

The experience of patient portals illustrates the consequences of failing to treat stewardship as both a social and technical responsibility. Poor design, limited interoperability, and uncontextualised release of results can increase patient anxiety, add to clinician workload, and undermine the patient–clinician relationship. These are not merely design flaws. They are stewardship failures.

Clinicians and the burden of digital data.

Clinicians occupy a distinctive position within the stewardship landscape. They are both producers and users of health data, and they remain professionally and ethically accountable for how data is interpreted and acted upon in care.

The expansion of digital communication channels and patient-facing records has increased expectations of constant availability and rapid response. Without appropriate safeguards, this contributes to burnout and moral distress. Stewardship that improves access while transferring unmanaged burdens onto clinicians cannot be considered responsible.

Technology vendors as stewards by design.

Technology vendors and digital health companies are also key stewards, particularly as private actors increasingly design and operate critical health data infrastructure.

Their responsibilities include building systems that are secure by design, interoperable, usable, and aligned with clinical and patient needs rather than regulatory minimums alone. Evidence from cybersecurity research shows that technical safeguards are insufficient if human factors, workflow, and training are neglected.

Distribution of Healthcare Data Breach Mitigation Solutions by Year and Field
Source: Nemec Zlatolas et al. (2024), Cluster Computing

Vendors, therefore, share responsibility for mitigating risk and avoiding design choices that increase the likelihood of error or misuse.

Patients, communities, and the limits of individual responsibility.

Patients and the public are not passive beneficiaries of stewardship but central stakeholders. Modern governance frameworks increasingly recognise individuals’ rights to access, understand, and in some contexts influence how their data is used.

At the same time, placing full responsibility on individuals to manage complex data environments is neither realistic nor fair. Effective stewardship must balance individual rights with collective benefit, ensuring people are meaningfully informed and supported without being overburdened or exposed to harm. This balance is particularly important for secondary uses of data, such as research or system planning.

Stewardship, equity, and collective rights.

Indigenous communities and groups subject to historical or structural disadvantage raise additional stewardship responsibilities. Literature from Aotearoa New Zealand and internationally highlights that health data can affect not only individuals, but also communities and collective wellbeing.

Stewardship in these contexts requires recognition of collective interests and respect for principles of self-determination. Failure to do so risks reinforcing inequities rather than addressing them.

Overview of the Data Stewardship Organisation (DSO) Concept
Source: Jernite et al. (2022), ACM FAccT Conference Proceedings

While not directly plug-and-play for healthcare, the DSO model illustrates governance architectures that prioritise the agency of data subjects and rights holders as data use becomes more complex.

Connecting the layers of responsibility.

Taken together, the evidence points to health data stewardship as a shared and layered responsibility, not a single office or role. Governments provide the mandate and guardrails. Health organisations operationalise stewardship in care delivery. Clinicians enact it in practice. Vendors embed it in technology. Patients and communities shape its legitimacy through trust and participation.

Effective stewardship depends not on concentrating responsibility in one place, but on clearly articulating how these responsibilities connect and overlap.

Stewardship in service of trust and better outcomes.

The purpose of health data stewardship is not data for its own sake. It is to support better health outcomes, more equitable systems, and sustained public trust.

When stewardship is narrowly defined as compliance or efficiency, systems fracture, and people suffer. When it is understood as a collective ethical responsibility, health data becomes a shared asset that can be used confidently and wisely in the service of both individuals and society.

The challenge now is not whether health data matters, but whether our stewardship models are fit for the responsibility they carry.

Authored by Tom Varghese, Global Product Marketing & Growth Manager at Orion Health.


References

  • Irizarry, Taya, Annette DeVito Dabbs, and Christine R. Curran. “Patient Portals and Patient Engagement: A State of the Science Review.” Journal of Medical Internet Research 17, no. 6 (2015).
  • Johnson, Adam M., Andrew S. Brimhall, Erica T. Johnson, Jennifer Hodgson, Katharine Didericksen, Joseph Pye, G. J. Corey Harmon, and Kerry B. Sewell. “A Systematic Review of the Effectiveness of Patient Education through Patient Portals.” JAMIA Open 6, no. 1 (2023).
  • Morley, Jessica, Lisa Murphy, Abhishek Mishra, Indra Joshi, and Kassandra Karpathakis. “Governing Data and Artificial Intelligence for Health Care: Developing an International Understanding.” JMIR Formative Research 6, no. 1 (2022).
  • Nemec Zlatolas, Lili, Tatjana Welzer, and Lenka Lhotska. “Data Breaches in Healthcare: Security Mechanisms for Attack Mitigation.” Cluster Computing 27 (2024): 8639–8654.
  • Stillman, Michael. “Death by Patient Portal.” JAMA 330, no. 3 (2023): 223–224.
  • Wendelborn, Christian, Michael Anger, and Christoph Schickhardt. “What Is Data Stewardship? Towards a Comprehensive Understanding.” Journal of Biomedical Informatics 140 (2023).
  • Gue, D’Arcy. “How Patient Portals Are Failing Healthcare & Patients.” Medsphere Systems Corporation, March 21, 2019.