[MyData & Open Data] [globalpriv-discussion] Catalonia to sell "anonymised" medical records
Phil Booth
phil at einsteinsattic.com
Thu Apr 2 22:33:39 UTC 2015
Yes, that was one of the first 'successes' we had in the UK - we won a 'no
quibble' opt-out for anyone who wanted to exclude their (GP-held)
identifiable data from being collected, regardless of the fact that the proposed
outputs were claimed to be "anonymised". It's great news if this might be at
all useful in Canada.
Of course, it took over a year's more work to ensure that this political
promise by the Secretary of State for Health was actually going to be
respected by the people pushing the care.data programme, and the right is
still (as I write) not a statutory one, as it should be.
I'm inclined to agree that there could be *much* better interfaces for
consent, but I fear the (economic) incentives are unfortunately stacked
against their development. What pass for 'privacy settings' are in most
cases exactly the opposite; an attempt to make choices deliberately
confusing/frustrating by corporations and bureaucracies that are highly
motivated to make their own use of the data they hold - cf. Facebook
settings, etc.
(In much the same way as there's still a great deal of work to be done
around 'ease-of-use crypto', I reckon there's still plenty of R&D and
operationalisation to be done on the individual articulation of privacy
choices / privacy sensitivity - and it falls slap bang in the centre of
humankind's blind spot around risk, to boot.)
Phil
From: Tamir Israel [mailto:tisrael at cippic.ca]
Sent: 02 April 2015 21:37
To: phil at einsteinsattic.com; 'stef'; 'Whitley,EA'
Cc: 'Judith Vidal-Hall'; 'mydata-open-data'; 'Gemma Galdon Clavell'
Subject: Re: [MyData & Open Data] [globalpriv-discussion] Catalonia to sell
"anonymised" medical records
Does the UK system allow opt-out (I agree opt-in is important, bc many will
not even know to opt out) even though the information is 'anonymized'?
If so, it's a useful point of critique of the Canadian proposal, as well as
Gemma's. Once the debate is open (and it's no longer a fait accompli) it
becomes easier to argue for explicit consent.
I personally think that in the digital era, it can be a lot easier to set up
an interface to navigate explicit consent. In fact, you can likely achieve
more nuanced opt-in (on a case by case basis, for example) than with a
blanket opt-out. Regarding the accuracy of the datasets, perhaps the same
argument can be made for opt-out (as in, those who go through the trouble of
opting out, an important sub-set (those worried about stigmatization),
will be excluded).
On 02/04/2015 12:10 PM, Phil Booth wrote:
I should say that I also agree with stef: the most privacy-respecting
solution would be opt-in. Any centralised aggregation is, of course, a
honeypot.
Despite a number of attempts, including the representative body of the UK
medical profession voting for care.data to be opt in, it has not been
possible for us to shift things that far in this country. (Other countries
may be different, especially if the advocates can get ahead of the curve,
and I guess it is a bit ironic for folks in the UK to be offering up models
of good practice while NHS England attempts to push ahead with possibly one
of the worst schemes ever devised.)
On the other hand, there are legitimate issues - e.g. about the
representativeness of opt-in-only datasets for policy/service planning and
national statistics (those least likely to opt in and thereby become
'invisible' may be amongst the most disadvantaged) - but it tends to be the
conflation of genuine statistical uses and ethically-approved research with
commercial exploitation that really messes things up.
While sub-optimal, medConfidential has had to take the pragmatic approach,
working to ensure that people can definitively exclude all of their (and
their dependents') data from the dataset - which was not going to be the
case with care.data and other secondary uses of NHS patients' data - and to
ensure their consent choices are respected across the entire health and care
system - which is going to take quite some work yet.
Phil
-----Original Message-----
From: mydata-open-data [mailto:mydata-open-data-bounces at lists.okfn.org] On
Behalf Of stef
Sent: 02 April 2015 16:31
To: Whitley,EA
Cc: Judith Vidal-Hall; Tamir Israel; Phil Booth; mydata-open-data; Gemma
Galdon Clavell
Subject: Re: [MyData & Open Data] [globalpriv-discussion] Catalonia to sell
"anonymised" medical records
On Thu, Apr 02, 2015 at 02:39:36PM +0000, Whitley,EA wrote:
> One model to consider is the UK's ADRN (http://adrn.ac.uk/) - which is for
> administrative data sharing (rather than healthcare data) and essentially
> involves:
>
> A trusted third party does the linking between various data sets and the
> removal of key identifiers.
> This linked-and-with key-identifiers-removed data set is then available
> for use by accredited researchers on approved research projects in a secure
> environment. Any data that is due to be removed from the secure environment
> must then pass through statistical disclosure control mechanisms before it
> is released.
this sounds like an attempt to adjust existing practices to new legal
constraints? the "trusted 3rd party" - how is the trust ensured?
- heavy fines in case of incidents?
- cryptographic proofs?
- legislation that has rarely if ever been enforced?
most security failures happen when old assumptions about an environment have
changed, and it seems this is the case. from a threat modelling point of
view, it is clear that the ones who are least privileged are the
"researchers being fed with data by the 3rd party". i guess that was
previously an attack vector that has now much reduced significance in such a
setting. but i think as a security person, not only about a single attack
vector, but as a prudent attacker about all of them, and the cheapest of
all. so in this case, i still see a very juicy attack surface at the 3rd
party and also at the data source supplying the 3rd party. like most such
systems, this only creates a 2-class system, with privileged data handlers
and unprivileged users. i applaud the reduction of threat from the users,
but i am not fooled that the other two principals in this setting are still
cause for concern. a good system would remove the privileges also of these
other two principals.
it is also interesting to see how this is a cost issue, i mean the secure
handling of the data at the privileged principals. the price of defending is
usually much higher than the attack; even Iran's atom program has been
sabotaged through an airgap. if the data is valuable enough, you will surely
encounter an attacker or insider who will only spend a fraction of your
defense costs and walk out with the jewels. out of embarrassment and
business-continuity, we'll never even know about this.
i'm sure the adrn model is very good if looked at from a
statistician/government point of view; i'd wager adversaries also like it,
until the other 2 principals shed their privileges.
a proper privacy respecting solution would keep all the data firmly in the
control of the data subjects, who on an individual basis could opt *in* to
statistical computations based on zero-knowledge protocols and cryptographic
multiparty computations, combined with complete financial and criminal
liability for everything that is not covered by mathematical proofs.
--
otr fp: https://www.ctrlc.hu/~stef/otr.txt