
A New Hippocratic Oath: “First, do no harm… to me or my healthcare data”

I was recently invited to contribute a paper on personal data in the healthcare context to a journal on the Privacy and Security of Medical Information published by Springer-Nature. The paper, “Trust and ethical data handling in the healthcare context”, examines the issues associated with healthcare data in terms of ethics, privacy, and trust, and makes recommendations about what we, as individuals, should ask for and expect from the organisations we entrust with our most sensitive personal data.

It’s a topical subject, from an Internet Society perspective, because the Internet appears to offer some attractive solutions to pressing problems that confront people and governments around the globe.

We live in a time of aging demographics, with increased life expectancy and high expectations of the number and type of ailments that can be successfully treated. This, in turn, raises serious questions about the economics of healthcare, and how it should be funded – with widely differing models in countries with state- or insurance-funded systems, and some hybrids of the two.

In the context of the Internet, the monetisation of personal data is unquestionably one of the strongest economic factors: it funds and drives many of the products and services we are offered. Arguably the Internet, as we know it today, could not exist in its current form without the large-scale collection and monetisation of personal data.

But are these two forces – the economics of healthcare for an aging demographic on the one hand, and the economics of the personal data ecosystem on the other – destined to collide? And if they do, what are the prospects for personal privacy? What implications would that collision have for us as patients, and for the organisations that process healthcare data?

I hope you’ll read the paper and let us know what you think of the approach we suggest.

I also hope organisations will take to heart the paper’s recommendations – to build ethics into the fabric of their products and services, aim for better privacy outcomes, and build trust with us, their users.


Thoughts from the Ethical Data-handling Panel at CPDP2016

At last week’s Computing, Privacy and Data Protection (CPDP) conference in Brussels, I had an exceptional set of panellists to moderate on the topic of ethical data-handling:

  • Michelle Dennedy (Chief Privacy Officer, Cisco)
  • Gemma Galdon Clavell (Founding Partner, Eticas Consulting)
  • Gloria Gonzalez Fuster (Research Professor, Vrije Universiteit Brussel)
  • Daniel Pradelles (@@@, Hewlett Packard Enterprise)

Our session was ably chaired by Jacques Bus (Founder, Digital Enlightenment Forum).

Ethical data-handling is a strange beast: in one sense, it is still a new and emerging discipline, with relatively few leading-edge deployments one can point to; then again, there’s a history of at least a couple of decades of academic research on the subject – more, if you include the specialist area of clinical data. “Being ethical” is also something all of us probably think we know how to do, even if it’s something we don’t often consciously think about —but

I’ve been investigating ethical data-handling for a little over two years now, and one thing seems clear to me: there’s a gap between all that research, and practical implementation of ethical principles in the modern environment of pervasive computing. My main goal for this panel was to find out if that gap could be bridged, either by using existing knowledge and materials, or by identifying and creating the missing pieces. I came away optimistic.

It seemed to me that a framework for ethical data-handling needs four basic elements:

  • A clear conceptual model of ethical and principles
  • Building ethical data-handling practice on existing regulatory compliance
  • Ethics in the design process
  • Ethics and operational practice

In all those areas, my conclusion from the panel was that the information is there to be drawn on and that, if an organisation wants to put ethical data-handling into practice, there’s really no excuse for saying “we can’t find out how to do it”. That said, the materials aren’t all in one place, and they aren’t all assembled into a coherent package – so there is still work to be done. I’ll be inviting the panellists to follow up by helping me create a landing page that pulls all the elements together, and complements the “how to” information with some guidance on “why to”, as well.

I’m hoping we will end up with a page that helps answer the following questions:

  • What do we mean by “ethics” in this context? How is that different from legal compliance?
  • We already do risk management and data protection. Why would we want to do this as well? What’s the pay-off?
  • OK – you’ve convinced me; practically, what do we do next?
  • Can we really build ethical principles into a product design and development process?
  • Having developed and deployed an ethically-based system, how do we “operationalise ethics”?
  • Can this work across different cultures and jurisdictions?

If you think this framework is missing something crucial, please let us know…and keep an eye on this blog for further developments.