Technology isn’t stuck in the 90s. Why is privacy?
Open up any word processing system or many other apps, and you may notice that the icon for “Save” is a 3.5-inch floppy disk. We use this icon dozens of times a week, typically without thinking about it, but it conceals a striking fact. The most common version of the 3.5-inch floppy came out in 1991; the last major revision was in 1996. For context, Computer Science seniors this year were born in 2001. They’ve never used a floppy disk; they’ve probably never seen one in person outside of a museum.
And yet — there’s the floppy disk on your menu bar for saving projects every day. It’s much like the “Phone” or “Camera” icons in our cellphones — handheld receivers and camcorders that most of us don’t own largely because the cellphone itself has replaced them. So why do we keep these tokens of an earlier age? Why not adapt? The answer, I think, is that these images and icons serve a different purpose now: to evoke a sense of an object, but not the object itself. When we don’t adjust to changing reality, all there is to do is attempt to make sense of the change with reference to the past.
It’s a concept easy to see at work in privacy law, particularly the privacy of health data. Although there has been a spate of new privacy laws over the last few years, the fundamental rules have changed little in nearly 30 years. In 1995-1996 we saw the launch of HIPAA in the United States and the Data Protection Directive in the EU. Interestingly, although both laws have been revised over the years (the HITECH Act for HIPAA, and the GDPR replacing the Directive), the basic premise remains the same: healthcare data is subject to high levels of protection. For many companies, this has been the final word, and the phrases “We can’t, because of HIPAA” or “The GDPR says no” are conversation stoppers.
But like an icon that’s incomprehensible to anyone under 30, an approach to privacy rooted in the mid-Nineties is an argument against itself. What’s more, it’s not even an argument that makes sense anymore. Largely unseen changes in the legislative and regulatory framework, combined with technological advances, mean that petabytes of valuable — invaluable — health data are waiting to be unlocked. The key is finding a method and a motivation that works. To cut to the chase, statutory pseudonymisation is one approach that meets the legal standards, has regulatory blessing, and — crucially — is technologically and commercially feasible. We’ll explore how below.
Anonymisation no longer supports lawful global data flows
The approach of “anonymising” data (or de-identifying it, in HIPAA terms) to enable privacy-respectful data use is broken: it is no longer workable when dealing with international data flows. This is highlighted by the different approaches taken by the EU, UK, and U.S. to anonymisation/de-identification, summarized below and more fully detailed in the white paper memorandum found here.
The EU takes a global anonymity approach, in the sense that the data cannot be tied back to an individual person by anyone. This is the highest, and most difficult, standard. The UK takes a middle path, recognizing “local anonymity,” which means that data is anonymous as long as it cannot be re-identified by those likeliest to hold and use it. The US, unsurprisingly, has the most lax approach, allowing data to be used unless it falls within a very specific category (like HIPAA, whose scope is far narrower than most people assume) or a very specific data type (like Social Security numbers).
It’s helpful to think of the three as overlapping circles of a Venn diagram: the US approach in one, the GDPR in a second, and the UK’s middle-of-the-road approach in a third. At the centre of all of them is a locus of compliance where global processing activities satisfy all relevant obligations for processing, retention, and use. In practice that centre is GDPR compliance, which matters for two reasons. First, as the de facto global standard, meeting GDPR’s obligations for security and safekeeping is the only way to create a scalable approach to data management. The second reason is less understood: complying with GDPR in all material respects covers most of what HIPAA requires. Restricted dissemination, security, recordkeeping, RBAC, and data minimisation are all principles in GDPR that are also present in HIPAA. In fact, HIPAA is narrower than GDPR, because it only governs health data in the limited context of the provision of or payment for healthcare. The caveat is that HIPAA also has mechanics of its own, such as business associate agreements, its specific breach-notification rules, and the Safe Harbor list of identifiers, that a GDPR programme does not tick off automatically, so the overlap is a starting point for a HIPAA gap check, not a substitute for one.
None of this is that surprising, or it shouldn’t be. When you organise your privacy and data security protocols around the highest level of compliance (e.g., GDPR), you’re certain to tick many other boxes along the way. The surprising part is what happens when you overlay another Venn diagram on top, with usability, scalability, and commercial value as the three overlapping zones. Like this:
Now we have an entirely new framework to think about. The centre of the diagram is no longer a cost centre but a compliance Garden of Eden. Hitting this “bullseye” means that you can unlock the potential value of data even as you meet the most stringent (and, therefore, most sustainable) compliance requirements. That requires an operational and a technical strategy. The EU and UK statutorily recognised means for achieving the technical strategy outlined above is the deployment of statutory pseudonymisation (so-called “statutory” because it meets the definition in Article 4(5) of both the EU and UK GDPR: personal data processed so that it can no longer be attributed to a specific individual without additional information, where that additional information is kept separately and protected by technical and organisational measures; see www.Pseudonymization.com/TechnicalControls for additional details and requirements).
Statutory pseudonymisation can serve as an invaluable technical safeguard to help unlock value in health data if combined with a clear product roadmap, explicit use cases and restrictions, and a thorough understanding of how data can be deployed for better, higher, more effective, and more efficient lawful purposes. This requires understanding the scope of the data, certainly, but it also means understanding the quality and utility of the data as well. That relational, contextual exercise demands input from all relevant constituencies: product, marketing, research, legal, and compliance.
The benefits of this approach? Nearly limitless utilisation of even sensitive datasets. By pseudonymising the data assets and taking only what we call the “lean data insights” from them, that is, the information you actually need to validate an idea, the compliance regimes are satisfied even as you reduce your overall testing cost, because you are analysing only limited sets of data. In short, the statutory pseudonymisation approach offers more efficient data usage and more data products by embracing a de-risked model. And all of it, from inception to data deployment to product rollout, meets the privacy expectations of consumers and regulators alike. It’s how we should approach every data question, and it’s a methodology as adaptable as it is rigorous. It’s time to move beyond floppy disks and outmoded misconceptions about privacy and unlock the value and potential of the data we have.
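As an added example (not code from this page, and not any vendor’s product), here is a minimal pseudonymisation pipeline in Python that follows the structure of the GDPR Article 4(5) definition referred to above: direct identifiers are replaced with keyed tokens, the key and the token-to-identity table live only in a separate custodian component, quasi-identifiers are coarsened, and a “lean data insight” (distinct patients per diagnosis) is computed from the pseudonymised set alone. The sample patient records, the ten-year age bands, the 2024 reference year and the HMAC-based tokenisation are all assumptions made for the illustration; the page does not prescribe a particular technique.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records for illustration only; no real patients.
RECORDS = [
    {"name": "Alice Example", "dob": "1984-03-02", "zip": "02139", "diagnosis": "E11"},
    {"name": "Bob Example",   "dob": "1951-11-20", "zip": "02140", "diagnosis": "I10"},
    {"name": "Cara Example",  "dob": "1990-07-15", "zip": "94016", "diagnosis": "E11"},
    {"name": "Alice Example", "dob": "1984-03-02", "zip": "02139", "diagnosis": "I10"},
]


class KeyCustodian:
    """Holds the 'additional information' (the secret key and the
    token -> identity table) separately from the analytic dataset.
    Only this component can re-identify a record."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup = {}

    def pseudonym(self, identity: str) -> str:
        # Keyed HMAC (assumed technique): the same identity always maps to the
        # same token, so records stay linkable inside the dataset, but without
        # the key a token can be neither recomputed nor reversed, unlike a
        # plain unsalted hash of name + date of birth.
        token = hmac.new(self._key, identity.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self._lookup[token] = identity
        return token

    def reidentify(self, token: str) -> str:
        return self._lookup[token]


def age_band(dob: str, reference_year: int = 2024) -> str:
    # Coarsen date of birth to a ten-year band; the reference year is an assumption.
    age = reference_year - int(dob[:4])
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def pseudonymise(records, custodian: KeyCustodian):
    """Replace direct identifiers with a keyed token, generalise the
    quasi-identifiers, and keep only the attributes the analysis needs."""
    out = []
    for r in records:
        identity = f"{r['name']}|{r['dob']}"
        out.append({
            "token": custodian.pseudonym(identity),
            "age_band": age_band(r["dob"]),
            "zip3": r["zip"][:3],
            "diagnosis": r["diagnosis"],
        })
    return out


def lean_insight(pseudo_records) -> dict:
    """The 'lean data insight': distinct patients per diagnosis. This needs
    linkability (the token) but never the identity."""
    patients = {}
    for r in pseudo_records:
        patients.setdefault(r["diagnosis"], set()).add(r["token"])
    return {dx: len(tokens) for dx, tokens in patients.items()}


def contains_direct_identifier(pseudo_records, records) -> bool:
    """Release-gate sanity check: no name or full date of birth survives."""
    blob = repr(pseudo_records)
    return any(r["name"] in blob or r["dob"] in blob for r in records)


if __name__ == "__main__":
    custodian = KeyCustodian()
    pseudo = pseudonymise(RECORDS, custodian)
    print(lean_insight(pseudo))
    print("leaks identifiers:", contains_direct_identifier(pseudo, RECORDS))
    # The key holder, and only the key holder, can go back to the patient.
    print(custodian.reidentify(pseudo[0]["token"]))
```

Two points the code makes that the prose does not: a plain hash of name and date of birth would not qualify, because anyone can recompute it from a guess, so the separately held key is doing the legal work; and the `contains_direct_identifier` check is a gate against accidental leakage, not a proof of anonymity, since the same key still links records across any dataset it is used on, which argues for a distinct key per purpose.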