Tuesday, September 15, 2015

So what is data privacy anyway?

The last post covered the latest thinking on how the federal government, in particular the Department of Health and Human Services, has decided to go about protecting your privacy.  I listed 6 problems with this rather feeble approach.  In this post I want to take a more thorough look at what we mean by data privacy.

First, let's think a bit about what we mean by data privacy.  The data part is easy: by data we mean digital data, that is, data that is captured, stored and/or manipulated by a computer (whether it is your desktop, a server, a laptop, cell phone, tablet or another digital device).  The problem comes when you try to define what data an individual can claim to own.

For example, consider Facebook.  Facebook gives you many options on who can see or share the postings you put on Facebook.  But Facebook is a privately owned corporation.  They give you access to a set of routines that provide you the ability to share or not share data that you post.  Does this make it your data, or is Facebook providing you with a convenient application that gives you the illusion of ownership?  Why should Facebook, which not only provides the service but also has to pay for its incredibly expensive infrastructure, actually allow you to control "your" data?  What does Facebook get out of this?

The current answer is a combination of the following:

  • Facebook needs to be responsive to the needs of the majority of its members if it expects to stay in business, and it appears that its members want these controls and maybe even more.
  • The federal government is looking at this issue, and Facebook would prefer to handle the issue of privacy without being compelled to follow any new laws that may conflict with its business model.  So it hopes it can mollify concerns before they escalate and Facebook loses the amount of control it now enjoys.

This is not a very satisfactory answer.  It is, though, a typical answer, based less on any recognizable principles than on a tactical response to the current environment.

So what's a good answer?  One place to start is in healthcare.  In 1996 the Health Insurance Portability and Accountability Act (HIPAA) was passed.  This act defines the clinical health data that is considered private to an individual.  In particular it defines "covered entities" such as your doctor, hospital, clinic, insurance carrier or anyone working in a healthcare institution that provides you with service.  Covered entities are required to ensure that no "personally identifiable information" is disclosed without your consent, with one exception.  This means that your doctor can't legally discuss or share anything they know about you with anyone (with one exception, see below) if the discussion links you personally to information the doctor gleaned while providing you with medical services.

That is, HIPAA actually codifies in law what medical data you own as a citizen.  And this is really the only way the concept of data ownership can be defined: government must do it.  Unfortunately, so far, government is not up to completing the task.

The other interesting aspect of HIPAA is the exception for treatment, payment and operations (TPO).  This says that a doctor or other healthcare professional can share your data for the purpose of providing you with a medical service.

Oh yeah!  Doctors need your data to provide you with the medical services you expect.  This raises a very important issue which, though obvious, is hardly ever discussed.  That is that data sharing is not really something that can be understood in a single context.  The context in which data sharing needs to be understood is the utility of the data sharing.  Presumably, you should have no problem having your doctor share your data if the purpose is to provide you with the service you went to the doctor for in the first place.

The lack of consideration for the utility context is exactly what is wrong with the segmentation approach discussed in the last post.  Doctors, not patients, are the ones who understand the data in a patient's medical record.  The patient goes to a doctor to obtain a service they can't perform for themselves.  What sense does it make for the patient to be the one to decide what data can be shared with other healthcare professionals?  In the context of the medical utility of a person's medical data, a physician is the person who best understands what data should be shared for what purpose.  Putting the patient in charge of data sharing makes no sense (except as it mollifies certain patient advocates).  There are many other arguments people make to defend this foolish idea; I will get to them in a future post.

It's not hard to generalize these ideas.  Data sharing really has 2 major contexts:

  • Sharing data for the purpose of providing an individual with requested services, and
  • Sharing data for other purposes.

And, in order to tie this to the concept of data ownership, we need laws.

In sum, ownership of data must be defined in law if it is to have any useful meaning, and the law also needs to recognize the distinction between sharing data for a purpose the owner has requested and sharing data for other purposes.  In the next post I will share a proposal I have for a simple-to-understand (though not so simple to implement) solution for data privacy.