Presentation Material
Abstract
Headspace and Ginger merged in October 2021 to form Headspace, which operates in 170 countries and provides mental healthcare services to more than 100 million members. This session will educate the audience on Headspace’s approach to scaling a privacy program and building a Privacy Operations Center, and will take a technical deep dive into the patented Vault architecture.
AI Generated Summary
The talk details Headspace’s dual approach to enhancing privacy for its mental health services, combining organizational restructuring with a novel data storage architecture. The first part describes the establishment of a Privacy Operations Center (POC), a centralized function integrating governance, cross-functional partnerships (security, privacy, legal, compliance, product engineering), tools, and awareness programs. A key innovation was a custom two-tier data classification system (parent/child) to accommodate diverse regulatory requirements (e.g., GDPR’s special categories vs. HIPAA). This underpinned a Product Risk Review Process, embedding privacy and security reviews into the product development lifecycle before code is written. The POC also implemented automated code scanning for PII/PHI collection justifications and maintains a dashboard tracking DSAR processing, training, and privacy-by-design metrics.
The second part presents the “Vault Architecture,” a technical solution for protecting extremely sensitive clinical data such as psychotherapy notes. Encryption and decryption happen client-side in the browser, with the cryptographic keys generated and stored exclusively in the clinician’s password manager. Because the backend stores only ciphertext and never holds a key, neither privileged internal users nor a bulk exfiltration of the database yields readable notes. To address operational corner cases (e.g., lost keys, legal requests, disaster recovery), a separate, offline “Secure Enclave” database receives a one-way data feed and acts as a highly restricted restore mechanism. The combined system is termed “Cathedral and Bazaar,” the cathedral being the offline secure enclave and the bazaar the online encrypted database.
Practical takeaways include conducting a cost-benefit analysis to determine whether a POC is warranted for an organization’s privacy risk profile. The Vault Architecture applies only to data that never needs server-side full-text search, analytics, or AI processing, since the backend holds nothing but ciphertext. Initial steps involve forming cross-departmental partnerships, developing granular data classification, and, if justified, designing a client-side encryption system backed by a secure offline enclave for key recovery and legal compliance. The approach prioritizes preventing insider curiosity and mass data theft through architectural isolation.