It seems like every year I have to buy a new hard drive; each almost doubles the size of the previous one, and yet my OS keeps warning me I am nearly out of space. For a time I feel irritated (I haven’t really got that much more information have I?). Then I go and look at the contents of my old drives, and realise that it’s not just that the new OS is bigger. I really have been collecting much more information, and in much richer formats.
And it’s not just me. What about governments and corporations? The desire to collect and store more and more data seems unstoppable. Mostly the reasons are not just benign; they are as close to altruistic as possible for these organisations. Take eHealth for example; contrary to some fringe conspiracy theorists (aka my mates in the pub), eHealth is not a nefarious plan by a shadow government to mine our most intimate data (you know, the stuff we talk to our mates about in the pub) but rather a responsible reaction to the increased load on a vital service we all at some point or other rely on.
But just because something is benign and responsible doesn’t mean it isn’t impactful and corruptible. The desire to produce a system, for a reasonable cost, inevitably means that tradeoffs must be made. The reality is when these tradeoffs occur, those not represented at the decision tend to be those most disappointed by the result. How many meetings have you sat in where those not present have ended up with the most "to do’s"?
Of all the tradeoffs that cause concern, those surrounding consent and access to data are the most troubling. Again, it’s important to realise these tradeoffs are not malignant in nature, but often the most logical solution to a complex problem. We (being society in general) want solutions to problems for a reasonable amount of money, and unfortunately managing privacy is a costly business.
Consider: if there are four million people in a jurisdiction who are treatable by a health service, that’s four million people who will have differing views on consent. Some will openly give consent to all healthcare professionals as long as they know that the information will only be used for the intended purpose (in this case ensuring treatment is effective, timely, and safe). Others will consider that only directly associated healthcare professionals should have access, whilst another group will only want those people in immediate contact to have access. Of course there are others who would grant no one access, nor have any data related to them stored.
These are the broad strokes, but as any system designer or developer will tell you, the devil is in the detail. A common scenario in the design of these systems is that of a young woman (let’s call her Mary). Mary’s father is a physician, and as such has access to the eHealth system. Mary is concerned she might be pregnant and attends a clinic for investigation. Under no circumstances does she want her father to know, yet she cannot hide her entire record from him. How does the solution account for this?
Within eHealth solutions two broad models are considered for consent: implicit and explicit. Briefly, explicit consent means that all storage and release of information is allowed only with the patient's express consent. Implicit consent works on the premise that the patient is deemed to have given consent by their presence in the health system. Implicit consent is, for example, how most hospital systems work. The important piece, as far as privacy is concerned, in implicit consent is that the patient has the ability to withdraw consent, for a particular record (e.g. that visit to a family planning clinic), from a particular provider (e.g. Mary’s father), or in general.
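To make the implicit-consent model concrete, here is an added example (not code from the original post or from any eHealth product) of an access check that allows everything by default and blocks only what a withdrawal covers, at record, provider or general scope; the patient, provider and record names are constructed for Mary's scenario.

```python
"""Implicit consent with withdrawal at record, provider or general scope.

Constructed example: patient "mary", provider "dr_father" (Mary's father),
record "fpc-visit-1" (the family planning clinic visit). All names are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Withdrawal:
    patient_id: str
    record_id: Optional[str] = None    # None = every record of this patient
    provider_id: Optional[str] = None  # None = every provider

    def covers(self, record_id: str, provider_id: str) -> bool:
        return ((self.record_id is None or self.record_id == record_id)
                and (self.provider_id is None or self.provider_id == provider_id))


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    summary: str


class ConsentRegistry:
    """Implicit consent: access is allowed unless some withdrawal covers it."""

    def __init__(self) -> None:
        self._withdrawals: List[Withdrawal] = []
        # (provider, patient, record, allowed): every decision is auditable
        self.audit: List[Tuple[str, str, str, bool]] = []

    def withdraw(self, w: Withdrawal) -> None:
        self._withdrawals.append(w)

    def may_access(self, provider_id: str, record: Record) -> bool:
        blocked = any(w.patient_id == record.patient_id
                      and w.covers(record.record_id, provider_id)
                      for w in self._withdrawals)
        self.audit.append((provider_id, record.patient_id, record.record_id, not blocked))
        return not blocked

    def visible_records(self, provider_id: str, records: List[Record]) -> List[str]:
        return [r.record_id for r in records if self.may_access(provider_id, r)]


def mary_scenario() -> dict:
    """Mary withdraws consent for one record, from one provider; everything else stays implicit."""
    registry = ConsentRegistry()
    records = [Record("gp-visit-2", "mary", "routine GP visit"),
               Record("fpc-visit-1", "mary", "family planning clinic visit")]
    registry.withdraw(Withdrawal("mary", record_id="fpc-visit-1", provider_id="dr_father"))
    return {"father_sees": registry.visible_records("dr_father", records),
            "clinic_sees": registry.visible_records("dr_clinic", records),
            "denied": [a for a in registry.audit if not a[3]]}
```

The father still sees the routine GP visit (the whole record is not hidden), the clinic sees both, and the single denied decision is left in the audit trail.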
Typically we start from the laudable position of explicit consent, and rapidly move to the concept of implicit consent. This is not because of an inherent deviancy, but simply due to the inescapable fact that explicit consent is intensely complex and costly to implement. In fact in many cases this one point would result in the end of the project, the project which was initiated to bring benefit to the population in the first place.
So how do we proceed? There is a reasonable fear of exposure of personal information, either intended or unintended. Governments have a long history of using information for purposes other than the reason it was initially collected. This tends to happen over time. System A is built for a ministry and works so well that another ministry wants access to this very valuable data source, often for benign purposes. As the information is released further and further away from the initial collection point, the protection of the data tends to diminish and the risk of misuse of the data increases. Worse, the original owner of the data may be entirely unaware of the reuse of the data, and any consent system they originally had control over is breached.
In most western countries we have strong Freedom of Information and Privacy acts. They generally say the same thing: that the data belongs to the individual, and they have rights over its collection, use and distribution. The danger is that, in the push to move government services onto electronic systems, these Acts are weakened.
All of these systems require trust. In many societies there is an inherent lack of trust in government agencies as they are often "faceless" and not personally accountable. To build trust we need to have some adult conversations about how much data we are willing to provide to these systems, and how that information will be controlled. The benefits of the systems must be rationally discussed as well as the risks associated with data loss. All of these solutions must be developed with the end user (the citizen) in mind rather than the simplification of the system.
More than anything though, we need to be careful that the rush to develop a beneficial solution does not result in too many tradeoffs being made. At some point we have to consider that if a solution is currently too complex to implement, we should not proceed until the complexity is manageable. The benefits of data collection, and the benefits can be huge, cannot blindly outweigh the risks of unintended release or reuse of intensely personal data.