I took a somewhat unconventional take on privacy issues a few weeks ago, but suffice it to say again, privacy is a big deal. You are more well acquainted with the complexities of privacy issues than most, as you are obligated to protect the privacy of your patients. The average person, however, only has themselves to worry about, and as a rule, they like to be in control of what information is available to whom, which is in fact the central challenge of the information age: Who has the information, who has a right to it, who owns it, and what do any of those things mean any more anyway?
This is a reminder that we’re in week two of my self-imposed “Locked Up” series. I recently signed my first of perhaps several non-disclosure agreements and I am coming to realize that this written promise of discretion is in a lot of ways just another guard against unwanted information loss. While I am not as cynical as some of my acquaintances, privacy issues are certainly something where my experience lies closer to “normal people” – meaning unlike you, I’ve only really ever had to worry about my own privacy. Among people I know, telling them I made a promise not to tell them something is equivalent to telling them I’m building a gun that shoots miniature nuclear anthrax knife-bombs. And that I’m testing it on kittens.
And, yes, there are plenty of people who make a career out of designing weapons, but often discretion is equated with spy-movie if-I-told-you-I’d-have-to-kill-you secrets. These same people would not be so quick to deflower their own privacy, and yet my unwillingness to violate the secrets of others is seen as sinister, but I don’t suppose I need to work hard to convince medical professionals about the dissonance of this belief.
My NDA is pretty tame and easy to parse. The meat of it is that I am being given access to personal information on a lot of people, and I am to respect the privacy of these people. Does this sound familiar to any of you? My father only just recently outlined the issues you will face in the near future and while medical professions might be on the front line of these matters, they are quite a bit more transcendental. What’s to be done with all this personal information floating on the cloud? It’s an information age question, and impacts all of us.
In one corner you have individual dignity, and in the other you have public good. Because a blog is so public, I’m going to exercise more discretion than necessary and simply say that I went to visit some company, (we’ll call them Big Time), in a lab funded for by some Branch of the Government of the United States, (Or BOGUS). Big Time “owns” a large amount of data about their employees and BOGUS is interested in using it to learn more about cyber security. Improving medical treatment is an easier sell than cyber security as a public good, but the tension of interests is still there.
In addition to privacy concerns, there is an amusing helping of lawsuit-or-unfortunate-news-story prevention details that are pushed in my NDA. These details can look like overcomplicated legalese, but they are also indicative of exactly how complicated issues surrounding giant stores of personal information can be. One, BOGUS isn’t spying on Big time’s employees. Big Time is. BOGUS is just taking the opportunity to use the information. This is perhaps a simple public image matter, but still, some distinction is being made between who generates and keeps and “owns” the data and who merely has the privilege of using it.
More interesting, we the scientists are not to share any complicated conclusions from the data with Big Time themselves. We discover an enormous embezzlement ring? We can’t say anything to them. Sound strange? Well, right now we’re just handling numbers, but if our methods become evidence, if the connection between those numbers and the people they represent is used to cast some judgment on them, then suddenly every employee in the database has become a human test subject in a science experiment with providing consent. You can call it a flaw or fluke of our current legal framework, but the real point is that our current legal framework is just not prepared to handle information age issues.
Also, the volume of data we get to interact with brings up another issue that is not so readily apparent, but easily applies to medical records case as well. People like to think that information about them is inherently theirs – but what of the effort that goes into collecting the information. What of information that the person would not have if not for the intervention of an outside party. How many steps did you take today? How many minutes did you spend waiting at a traffic light last month? This is information about you, but it is not information in your possession. If someone were to put the effort into tracking this information … who owns it? While I am data mining Big Time employee information, the completeness and minutia of that information is wholly from the effort of Big Time, not the individuals generating it.
Yes, the instinct is to side with the individual, but at the very least we have to admit that the matter is not very cut and dry. If you were to ask me what you could do to confuse or amuse our system, how you could “trip a wire,” I would turn the question back to you: It’s you. It’s your information. Why do you need my help making it weird? The fact that some people would ask how to game such a system is telling of how disconnected the personal information is from the application.
More telling, really, is that I can’t give an answer. And I don’t mean my NDA prevents me, I mean I have no idea. I am privilege to personal information in the same way that someone who stands in Time Square for a whole day would be; that person will see a million people but won’t really remember any of them. Personal information can become so macro that, in a way, it ceases to be personal information anymore.
Next week: the misadventures of dealing with locked up data that isn’t anywhere near the Internet.