| May 2012 |
Announcing thedatamap.org website...
Over the last three years,
Dr. Latanya Sweeney,
the founder and
Director of the Data Privacy Lab, now a program in the
Institute for Quantitative Social Science (IQSS)
at Harvard University,
has been researching ways to gather detailed knowledge of flows of personal health information in the United States.
Earlier this year, she designed a way to leverage the help of the public to get accurate information.
The result is theDataMap™ project and the basic skeleton of the website is made available today,
thanks to the help of Dr. Deborah Peel, founder and Director
of the Patient Privacy Rights Foundation.
We live in a data-rich network savvy world. With so much personal data readily available,
you might expect to see a litany of personal harms, but pronouncements seem rare.
Dr. Sweeney cites many reasons for this, perhaps the most important being the lack
of transparency in data sharing arrangements. These hidden activities make personal harms
difficult to detect. How then can policy makers and individuals make educated decisions
about privacy and data utility in the absence of such knowledge? If a data beach occurs,
how would you know your data was stolen if you never knew the breach company had it?
There are many worthy uses for personal data beyond the person, so the goal is not to stop data sharing,
but to understand the risks so society can address the risks responsibly and reap benefits.
Working on her own, Dr. Sweeney constructed a data map of flows of personal health data
based on her own professional knowledge of data sharing arrangements. What was a little surprising
was the comparison of her data map in 2010 to that of an earlier data map in 1997. Together these show
the dramatic increase in the number and nature of data sharing during the tenure
of the HIPAA Privacy Rule, the regulation that provides privacy to medical information in the US.
(See maps
for images of these maps and more information about data maps.)
These maps shows representative, not comprehensive, descriptions of flows of health information
between organizations based on ad hoc knowledge of committee members and researchers.
What is needed is a comprehensive data map that records virtually all reports of personal
data sharing arrangements found on the web.
Few requirements force non-government organizations to disclose with whom they share
personal information, but information about the practices of these organizations
may appear in privacy notices, IPO filings, documents in legal cases, and so on.
Banks, brokerage houses, and insurance companies must have statements about information
sharing. Online companies tend to have privacy notices.
Government organizations file "system of records notices",
which describes the type of information collected and leads to information
about how the data are shared. There are many publicly available sources
that document data sharing.
Dr. Sweeney's breakthrough came when she devised a way for the general public to help.
Based on a belief that members of the public want to help,
Dr. Sweeney's plan enrolls members of the public to be Data Detectives,
who report and vet information about data sharing arrangements found on the web.
Anyone can sign-up by providing an email address (name is optional).
Once enrolled, a Data Detective can submit a report that claims a data sharing arrangement
exists between two entities by naming the entities abstractly or specifically, and
providing the URL that contains evidence of the sharing. Then, other
Data Detectives play the "Vetting Game". Given a randomly selected report
from the repository, Data Detectives review the claim made
and determine whether the contents found at the URL support the data sharing
claim and that the URL and its content seem credible. To assure accuracy, Dr. Sweeney
sometimes has the system provide a report that she knows is good or bad, and records
the accuracy of the Data Detective. If the Data Detective rejects a good report
or accepts a bad report, then the system discounts other reports made by the Data Detective.
This scoring improves the accuracy of results and leads to a rank ordering of Data Detectives.
(More about how it works...)
Dr. Sweeney will work with reporters to investigate some of the data sharing
arrangements for accuracy, and to put names and stories to the data sharing claims
to acquire deeper understanding of the nature and extent of data sharing
and related benefits and risks. Veteran reporter, Adam Tanner, has agreed
to be in residence.
A break-through in the project occurred when Dr. Deborah Peel
and the Patient Privacy Rights Foundation
heard about the project and offerred incentives to Data Detectives.
Once the project launches, planned incentives include:
- Data Hero award each month for the highest ranking Data Detective that month.
- Data Heros will be given an expense paid trip to The 3rd International Summit
On the Future of Health Privacy in June 2013, where Data Heros will receive awards
and have an opportunity to talk about their experiences as Data Detectives.
- A special track at the The 3rd International Summit On the Future of Health Privacy
will be devoted to Data Detectives and theDataMap™. Special talks will likely include
investigative reports originating from theDataMap™ findings, discussions between
Data Detectives and policy scholars about frameworks in which data sharing takes place
in the United States and real-world practices, brainstorming sessions on ways to
improve theDataMap™, and a tool and knowledge sharing exchange.
Registration fees will be waived for all Data Detectives registered at theDataMap™.
Dr. Sweeney and Dr. Peel have the project ready to launch but are awaiting
funding to make sure they have sufficient resources to ensure success.
Next week they will be presenting the project in Washington, DC
at The 2nd International Summit On the Future of Health Privacy.
|
