Over the last three years, Dr. Latanya Sweeney, the founder and Director of the Data Privacy Lab, now a program in the Institute for Quantitative Social Science (IQSS) at Harvard University, has been researching ways to gather detailed knowledge of flows of personal health information in the United States. Earlier this year, she designed a way to leverage the help of the public to get accurate information. The result is theDataMap™ project and the basic skeleton of the website is made available today, thanks to the help of Dr. Deborah Peel, founder and Director of the Patient Privacy Rights Foundation.

We live in a data-rich network savvy world. With so much personal data readily available, you might expect to see a litany of personal harms, but pronouncements seem rare. Dr. Sweeney cites many reasons for this, perhaps the most important being the lack of transparency in data sharing arrangements. These hidden activities make personal harms difficult to detect. How then can policy makers and individuals make educated decisions about privacy and data utility in the absence of such knowledge? If a data beach occurs, how would you know your data was stolen if you never knew the breach company had it? There are many worthy uses for personal data beyond the person, so the goal is not to stop data sharing, but to understand the risks so society can address the risks responsibly and reap benefits.

Working on her own, Dr. Sweeney constructed a data map of flows of personal health data based on her own professional knowledge of data sharing arrangements. What was a little surprising was the comparison of her data map in 2010 to that of an earlier data map in 1997. Together these show the dramatic increase in the number and nature of data sharing during the tenure of the HIPAA Privacy Rule, the regulation that provides privacy to medical information in the US. (See maps for links to images of these maps and more information about data maps.)

These maps shows representative, not comprehensive, descriptions of flows of health information between organizations based on ad hoc knowledge of committee members and researchers. What is needed is a comprehensive data map that records virtually all reports of personal data sharing arrangements found on the web.

Few requirements force non-government organizations to disclose with whom they share personal information, but information about the practices of these organizations may appear in privacy notices, IPO filings, documents in legal cases, and so on. Banks, brokerage houses, and insurance companies must have statements about information sharing. Online companies tend to have privacy notices. Government organizations file "system of records notices", which describes the type of information collected and leads to information about how the data are shared. There are many publicly available sources that document data sharing.

Dr. Sweeney will work with reporters to investigate some data sharing arrangements for accuracy, and to put names and stories to the data sharing claims to acquire deeper understanding of the nature and extent of data sharing and related benefits and risks. Veteran reporter, Adam Tanner, has agreed to be in residence. In the future, Dr. Sweeney has plans to enlist the public.

Dr. Sweeney will launch the project in Washington, DC at The 2nd International Summit On the Future of Health Privacy.