[MyData & Open Data] [globalpriv-discussion] Catalonia to sell "anonymised" medical records

Phil Booth phil at einsteinsattic.com
Thu Apr 2 16:10:18 UTC 2015


I should say that I also agree with stef: the most privacy-respecting
solution would be opt-in. Any centralised aggregation is, of course, a
honeypot.

 

Despite a number of attempts, including the representative body of the UK
medical profession voting for care.data to be opt-in, it has not been
possible for us to shift things that far in this country. (Other countries
may be different, especially if the advocates can get ahead of the curve,
and I guess it is a bit ironic for folks in the UK to be offering up models
of good practice while NHS England attempts to push ahead with possibly one
of the worst schemes ever devised.)

On the other hand, there are legitimate issues - e.g. about the
representativeness of opt-in-only datasets for policy/service planning and
national statistics (those least likely to opt in and thereby become
'invisible' may be amongst the most disadvantaged) - but it tends to be the
conflation of genuine statistical uses and ethically-approved research with
commercial exploitation that really messes things up. 

 

While sub-optimal, medConfidential has had to take the pragmatic approach,
working to ensure that people can definitively exclude all of their (and
their dependents') data from the dataset - which was not going to be the
case with care.data and other secondary uses of NHS patients' data - and to
ensure their consent choices are respected across the entire health and care
system - which is going to take quite some work yet.

 

Phil

 

-----Original Message-----
From: mydata-open-data [mailto:mydata-open-data-bounces at lists.okfn.org] On
Behalf Of stef
Sent: 02 April 2015 16:31
To: Whitley,EA
Cc: Judith Vidal-Hall; Tamir Israel; Phil Booth; mydata-open-data; Gemma
Galdon Clavell
Subject: Re: [MyData & Open Data] [globalpriv-discussion] Catalonia to sell
"anonymised" medical records

 

On Thu, Apr 02, 2015 at 02:39:36PM +0000, Whitley,EA wrote:

> One model to consider is the UK's ADRN (http://adrn.ac.uk/) - which is
> for administrative data sharing (rather than healthcare data) and
> essentially involves:
>
> A trusted third party does the linking between various data sets and the
> removal of key identifiers.
>
> This linked-and-with-key-identifiers-removed data set is then available
> for use by accredited researchers on approved research projects in a secure
> environment.  Any data that is due to be removed from the secure environment
> must then pass through statistical disclosure control mechanisms before it
> is released.

This sounds like an attempt to adjust existing practices to new legal
constraints? The "trusted 3rd party": how is the trust ensured?

 - heavy fines in case of incidents?
 - cryptographic proofs?
 - legislation that has rarely if ever been enforced?

Most security failures happen when old assumptions about an environment have
changed; it seems this is the case here. From a threat modelling point of
view, it is clear that the ones who are least privileged are the
"researchers being fed with data by the 3rd party". I guess that was
previously an attack vector that now has much reduced significance in such a
setting. But I think, as a security person, not only about a single attack
vector but, as a prudent attacker, about all of them, and the cheapest of
all. So in this case, I still see a very juicy attack surface at the 3rd
party and also at the data source supplying the 3rd party.  Like most such
systems, this only creates a 2-class system, with privileged data handlers
and unprivileged users. I applaud the reduction of threat from the users,
but I am not fooled; the other two principals in this setting are still
cause for concern. A good system would remove the privileges of these
other two principals as well.

It is also interesting to see how this is a cost issue, I mean the secure
handling of the data at the privileged principals. The price of defending is
usually much higher than the attack; even Iran's atom program has been
sabotaged through an air gap. If the data is valuable enough, you will surely
encounter an attacker or insider who will only spend a fraction of your
defense costs and walk out with the jewels. Out of embarrassment and
business-continuity, we'll never even know about this.

I'm sure the ADRN model is very good if looked at from a
statistician/government point of view; I'd wager adversaries also like it,
until the other 2 principals shed their privileges.

A proper privacy-respecting solution would keep all the data firmly in the
control of the data subjects, who on an individual basis could opt *in* to
statistical computations based on zero-knowledge protocols and cryptographic
multiparty computations, combined with complete financial and criminal
liability for everything that is not covered by mathematical proofs.

-- 
otr fp: https://www.ctrlc.hu/~stef/otr.txt

_______________________________________________
mydata-open-data mailing list
mydata-open-data at lists.okfn.org
https://lists.okfn.org/mailman/listinfo/mydata-open-data
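An added example, not code from this thread, from ADRN or from any named project: the opt-in, subject-controlled computation stef describes, done with additive secret sharing, which is the simplest multiparty-computation building block. Each data subject who opts in splits a value into shares and hands one share to each of several servers that are assumed not to collude; each server only adds what it receives, so no single server (the "privileged principal" in stef's threat model) ever holds an individual value, and the aggregate is recovered only by combining every server's partial total. It also shows the "statistical disclosure control" step from the quoted ADRN description as a minimum-participant gate on release. The field prime, server count, threshold, class and function names and the sample population are all assumptions made for the example; a real deployment would run the servers at independent organisations over authenticated channels, which this single-process simulation does not model.

```python
"""Opt-in aggregate statistics with additive secret sharing.

Added example for the thread above; it is not code from the thread, from
ADRN or from any named project. Each data subject who opts in splits a
value into n shares and sends one share to each of n servers that are
assumed not to collude. A server only ever adds what it receives, so no
single server sees an individual value. The result is released only above
a minimum number of participants, a crude stand-in for statistical
disclosure control. Field prime, server count, threshold and the sample
population are all assumptions made for the example.
"""
import secrets
from dataclasses import dataclass, field

P = 2**61 - 1  # prime field for the shares; assumed size, large enough for sums


@dataclass
class DataSubject:
    """One person's record. Stays on the subject's side of the protocol."""
    subject_id: str
    value: int            # e.g. 1 = has condition X, 0 = does not
    opted_in: bool = False

    def shares(self, n_servers: int) -> list[int]:
        """Additive secret sharing over GF(P): n-1 uniformly random shares
        plus one chosen so that all n sum to the value. Any n-1 shares are
        independent of the value, so a single server learns nothing."""
        if not 0 <= self.value < P:
            raise ValueError("value outside the share field")
        rand = [secrets.randbelow(P) for _ in range(n_servers - 1)]
        last = (self.value - sum(rand)) % P
        return rand + [last]


@dataclass
class AggregationServer:
    """Holds one share per participant and only adds them. The residual
    risk is collusion of all servers, which is why they should be run by
    independent organisations in a real deployment."""
    name: str
    total: int = 0
    received: int = 0
    seen: list[int] = field(default_factory=list)  # this server's entire view

    def receive(self, share: int) -> None:
        self.seen.append(share)
        self.total = (self.total + share) % P
        self.received += 1


def reconstruct(partials: list[int]) -> int:
    """Combine every server's partial total; with any server missing the
    result is just a random field element."""
    return sum(partials) % P


def opt_in_sum(subjects, n_servers: int = 3, min_participants: int = 5):
    """Run the protocol and return (result, servers).

    result is None when fewer than min_participants opted in: a sum over
    one or two people would disclose their individual values, which is the
    disclosure-control step the ADRN description leaves to a human process.
    """
    servers = [AggregationServer(f"server-{i}") for i in range(n_servers)]
    participants = 0
    for subject in subjects:
        if not subject.opted_in:
            continue  # nothing leaves a subject who did not opt in
        for srv, sh in zip(servers, subject.shares(n_servers)):
            srv.receive(sh)
        participants += 1
    if participants < min_participants:
        return None, servers
    return reconstruct([srv.total for srv in servers]), servers


def demo():
    """Constructed sample population: 8 subjects, 6 opt in, 4 of those
    have value 1. Returns the released count and the servers' partials."""
    population = [
        DataSubject("s1", 1, True), DataSubject("s2", 0, True),
        DataSubject("s3", 1, True), DataSubject("s4", 1, True),
        DataSubject("s5", 0, True), DataSubject("s6", 1, True),
        DataSubject("s7", 1, False), DataSubject("s8", 1, False),
    ]
    result, servers = opt_in_sum(population)
    return result, [srv.total for srv in servers]


if __name__ == "__main__":
    count, partials = demo()
    print("released count:", count)
    print("each server's partial total:", partials)
```

Running `demo()` releases the count 4 while every server's partial total is a random element of the field; dropping any one server's partial leaves nothing recoverable. Additive sharing only gives a sum, so a linked dataset of the ADRN kind would need the heavier MPC or zero-knowledge machinery stef mentions; the point the example makes is structural: the aggregate is computed without any party holding the individual records in the clear.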
