Announcing thedatamap.org website...
Over the last three years,
Dr. Latanya Sweeney,
the founder and
Director of the Data Privacy Lab, now a program in the
Institute for Quantitative Social Science (IQSS)
at Harvard University,
has been researching ways to gather detailed knowledge of flows of personal health information in the United States.
Earlier this year, she designed a way to leverage the help of the public to get accurate information.
The result is theDataMap™ project and the basic skeleton of the website is made available today,
thanks to the help of Dr. Deborah Peel, founder and Director
of the Patient Privacy Rights Foundation.
We live in a data-rich network savvy world. With so much personal data readily available,
you might expect to see a litany of personal harms, but pronouncements seem rare.
Dr. Sweeney cites many reasons for this, perhaps the most important being the lack
of transparency in data sharing arrangements. These hidden activities make personal harms
difficult to detect. How then can policy makers and individuals make educated decisions
about privacy and data utility in the absence of such knowledge? If a data beach occurs,
how would you know your data was stolen if you never knew the breach company had it?
There are many worthy uses for personal data beyond the person, so the goal is not to stop data sharing,
but to understand the risks so society can address the risks responsibly and reap benefits.
Working on her own, Dr. Sweeney constructed a data map of flows of personal health data
based on her own professional knowledge of data sharing arrangements. What was a little surprising
was the comparison of her data map in 2010 to that of an earlier data map in 1997. Together these show
the dramatic increase in the number and nature of data sharing during the tenure
of the HIPAA Privacy Rule, the regulation that provides privacy to medical information in the US.
(See maps
for links to images of these maps and more information about data maps.)
These maps shows representative, not comprehensive, descriptions of flows of health information
between organizations based on ad hoc knowledge of committee members and researchers.
What is needed is a comprehensive data map that records virtually all reports of personal
data sharing arrangements found on the web.
Few requirements force non-government organizations to disclose with whom they share
personal information, but information about the practices of these organizations
may appear in privacy notices, IPO filings, documents in legal cases, and so on.
Banks, brokerage houses, and insurance companies must have statements about information
sharing. Online companies tend to have privacy notices.
Government organizations file "system of records notices",
which describes the type of information collected and leads to information
about how the data are shared. There are many publicly available sources
that document data sharing.
Dr. Sweeney will work with reporters to investigate some data sharing
arrangements for accuracy, and to put names and stories to the data sharing claims
to acquire deeper understanding of the nature and extent of data sharing
and related benefits and risks. Veteran reporter, Adam Tanner, has agreed
to be in residence. In the future, Dr. Sweeney has plans to enlist the public.
Dr. Sweeney will launch the project in Washington, DC
at The 2nd International Summit On the Future of Health Privacy.
|