[odc-discuss] Precluding re-identification?

Luis Villa luis at lu.is
Thu Nov 2 23:52:43 UTC 2017

Hi, Howard-

I suspect you're not going to find any currently-existing open license that
addresses your concern; most were not drafted with privacy concerns in
mind. At best what you'll find is an explicit exclusion of privacy rights,
saying that other terms may govern those. As an easy-to-understand example,
you can take a look at Creative Commons BY 4.0 Sec. 2.b.1, which explicitly
excludes privacy rights. You could use that license, then state that in
your opinion Sec. 2.b.1 means that you have not granted permission to
re-identify. (ODC BY 1.0 Sec. 2.4 attempts to do something similar, albeit
in a more roundabout way.)

Unfortunately, in at least some jurisdictions (probably including the US),
people don't need your permission to re-identify. In those jurisdictions,
it won't be enough to say "we don't grant permission" - some type of
binding contractual relationship, on top of or alongside the open license,
would be necessary to prevent a recipient of the data from re-identifying.

This is unfortunate, but more an artifact of the weakness of many non-EU
privacy regimes than a problem with the licenses themselves - the licenses
can't regulate a right that isn't provided by law. (It is also very hard
for them to regulate something that varies so much from country to country.)

If you're interested, email me off list and I can suggest a few attorneys
who might be able to help you address this problem creatively.


On Thu, Nov 2, 2017 at 11:38 AM Howard Look <howard at tidepool.org> wrote:

> Greetings,
> I'm new to odc-discuss. My apologies if this has been covered. I could not
> find a discussion with my searching.
> Our open source, non-profit company makes software that is used by people
> living with diabetes. We ask people to donate their diabetes device data
> via the Tidepool Big Data Donation <http://tidepool.org/bigdata> project,
> which many have done. We would like to now make some these anonymized
> datasets available publicly.
> I would prefer to not invent a new license, but it appears that the
> current ODC-By would allow for downstream re-identification. What do people
> do that would like to preclude re-identification of open, anonymized
> medical data?
> For example, people using our software sometimes tweet their continuous
> blood glucose graphs. It would not be hard to do analyze the image, and
> look for the same pattern of CBG readings in the anonymized database to
> identify a person.
> This restriction is intended to preclude Protected Health Information from
> being re-identified. However I understand why the license does not allow
> for further restrictions.
> What have other folks done who want to make individual medical records
> available but preclude identification?
> Thanks,
> Howard
> --
> *Howard Look*
> President, CEO and Founder
> *Tidepool* is an open source, not-for-profit effort to make diabetes data
> more accessible, actionable, and meaningful by liberating data from
> diabetes devices, supporting researchers, and providing great, free
> software to the diabetes community.
> *Email:  *howard at tidepool.org
> *Web:    *Tidepool.org <http://tidepool.org/>
> _______________________________________________
> odc-discuss mailing list
> odc-discuss at lists.okfn.org
> https://lists.okfn.org/mailman/listinfo/odc-discuss
> Unsubscribe: https://lists.okfn.org/mailman/options/odc-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.okfn.org/pipermail/odc-discuss/attachments/20171102/01d4af7e/attachment-0003.html>

More information about the odc-discuss mailing list