That old “need to balance privacy and sharing” chestnut

October 25th, 2012 by Rob Navarro

The Cameron government has re-opened the debate on how much of our patient data is accessible to others who are not directly caring for us. Dame Fiona Caldicott has been tasked with the review and was just quoted as having been influenced by the NHS’ Future Forum question “where does the balance between privacy and sharing lie?”.

Whilst many a conference and report on health data sharing has concluded with the same question, it is actually the case that we need not resort to such a desperate last measure. It would be a truly dismal world if a patient’s trust in their health data had to suffer for the health economy to grow. This is clearly an idea of “last resort”.

The reader will be pleasantly surprised to learn that in fact there is no need to sip from that poisoned chalice.

It turns out such “last resort” thinking is a product of staring at shared database designs (e.g. safe havens, shared warehouses, trusted data linking services, etc.). Having picked this way to solve the problem one finds oneself marched quickly to the aforementioned iniquitous balance. (“Do patients or the health economy matter more?”)

If instead one asks the question “how can we find potential research subjects whilst preserving patient privacy?” (say) then the floor is opened to more palatable solutions. In this case the patient qualifying criteria are sent to GP computers, and the GPs can then choose whether or not to contact their matching patients. Patients always have rights of refusal.

Now imagine the poor soul who simply copies a system design from banking and wants to build a database to find research subjects. This now needs to include everyone to ensure all rare characteristics are included (and some would argue to be unbiased). All UK patients! Lickety-split we are right back at the “balance question”.

That projects like the Research Capability Programme (now CPRD?) or Predictive Analytics for Commissioners (calling on new safe havens) hit the same “balance” question is not surprising. It also doesn’t mean the question needs answering either!

What is called for (and I respectfully call out to Dame Caldicott to take note) is focused attention on how individual projects can get just the data they need. Some guiding principles that always help simplify matters:

1) Supply the least information that answers the question (“zero knowledge” techniques included)
2) Ensure the least number of people have access to the data for the smallest period of time
3) Patients always get quibble-free opt outs
4) De-identify the data when extracting from its “home” base (part of 1 above)
5) Attempt to measure the illicit re-identification risk to patients of each project

This kind of scheme makes it easy to seek patient or physician consent that is meaningful because the purpose for collecting is singular and well understood (as are the names of staff accessing the data). Sometimes it also justifies an opt-out model if the re-identification risks are measurably low enough.
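To make the “send the criteria to the data” approach and principles 1 and 5 concrete, here is an added example (not code from the original post or from Sapior). It assumes a hypothetical GP practice holding a handful of constructed records: the practice evaluates the study criteria locally, returns only a count (suppressed when small) to the researcher, keeps the matching list for the GP to act on, and measures how many records would be unique on a set of quasi-identifiers before any extract leaves its home base.

```python
from collections import Counter

# Constructed sample records for one hypothetical GP practice. They never leave this process;
# only the GP sees which patients matched, and only a count goes back to the researcher.
PRACTICE_RECORDS = [
    {"nhs_id": "P001", "age": 67, "sex": "F", "postcode": "SW1A", "conditions": {"T2DM", "HTN"}},
    {"nhs_id": "P002", "age": 71, "sex": "M", "postcode": "SW1A", "conditions": {"T2DM"}},
    {"nhs_id": "P003", "age": 45, "sex": "F", "postcode": "SW1B", "conditions": {"ASTHMA"}},
    {"nhs_id": "P004", "age": 69, "sex": "M", "postcode": "SW1A", "conditions": {"T2DM", "CKD"}},
    {"nhs_id": "P005", "age": 73, "sex": "F", "postcode": "SW1B", "conditions": {"T2DM", "HTN"}},
    {"nhs_id": "P006", "age": 66, "sex": "F", "postcode": "SW1A", "conditions": {"T2DM"}},
]


def match_locally(records, criteria):
    """Apply the study's qualifying criteria inside the practice and return the matching records.
    This list stays with the GP, who decides whether to approach each patient (who can refuse)."""
    lo, hi = criteria["age_range"]
    required = set(criteria["conditions"])
    return [r for r in records if lo <= r["age"] <= hi and required <= r["conditions"]]


def answer_query(records, criteria, min_count=5):
    """Principle 1: the researcher gets a count, nothing identifiable. Counts below min_count
    are suppressed so a tiny cohort cannot single out an individual."""
    n = len(match_locally(records, criteria))
    if n < min_count:
        return {"count": None, "suppressed": True}
    return {"count": n, "suppressed": False}


def unique_fraction(records, quasi_identifiers):
    """Principle 5, one crude risk measure: the share of records that are unique on the given
    quasi-identifiers. A unique record is re-identifiable by anyone who knows those values,
    which is why a de-identified extract should drop or coarsen them before leaving the practice."""
    key = lambda r: tuple(r[q] for q in quasi_identifiers)
    group_sizes = Counter(key(r) for r in records)
    return sum(1 for r in records if group_sizes[key(r)] == 1) / len(records)


if __name__ == "__main__":
    study = {"age_range": (65, 75), "conditions": ["T2DM"]}
    print("researcher sees:", answer_query(PRACTICE_RECORDS, study))
    print("GP sees:", [r["nhs_id"] for r in match_locally(PRACTICE_RECORDS, study)])
    print("unique on age+sex+postcode:", unique_fraction(PRACTICE_RECORDS, ("age", "sex", "postcode")))
    print("unique on sex+postcode:", unique_fraction(PRACTICE_RECORDS, ("sex", "postcode")))
```

Narrowing the criteria (say, T2DM plus HTN) drops the cohort to two patients, which the practice reports as suppressed rather than as a number that could be matched against other sources.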

The future is bright; let’s not get bogged down in questions of “balance” when better paths exist that protect patients AND help grow the health economy.

You can have your cake and eat it, just settle for a smaller cake

August 27th, 2010 by Rob Navarro

I’ve heard many times through many media of the need for “balance” between the privacy of sensitive data and its utility. But how to find that balance? Who decides whether harmonious equilibrium has been achieved? How much personal harm is OK? How much protection is enough? Will it stay that way? All of these questions bedevil this approach.

Far better to turn the issue around, decide where the harm could come from and then set about minimising that. It turns out that virtually all harm flows from people being identified in the data about them when they would rather that not happen. Stop this illicit re-identification and you stop any potential harm (there is an exception to this which I’ll talk about later).

Now if one focuses on reducing all sources of illicit re-identification then the use of that sensitive data cannot be harmful and so can proceed. No balance necessary, just privacy and utility!

If you were wondering about the “smaller cake” in the title, this comes from noticing that the most effective way to reduce illicit re-identification risks is to hold less (and less sensitive) data, accessible by fewer folk for a shorter time. No real surprises there.
