Data consent + privacy: What that means for digital transformation of your business
The Future of Data & Analytics is a new series by Tableau CTO Andrew Beers, where he connects with industry leaders, researchers, and innovators to discuss the biggest questions shaping the future of data and analytics.
Read more in the series: The role of data in overcoming misinformation and building trust
In our quest to take businesses through digital transformation, we are driven to collect, store, and analyze all kinds of organizational and business data. We focus on building responsible data cultures that can make use of data and connect it to business outcomes, enabling people to make informed, effective decisions quickly. Even more, we try to use that data responsibly as we pursue the truth rather than add to growing misinformation.
This month’s discussion is about the beginning of that process—collecting data, and more importantly, considering what to collect. While we spend significant time thinking about how to secure our data, it is equally important to think about what data to collect and why, and how it factors into answering our questions and influencing outcomes. At a data security conference a few years ago, a speaker had a simple recommendation about the data that you collect: “Don’t be creepy.”
That maxim isn’t enough. The question of what data to collect and how to collect it is now starting to influence government policy. The General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), privacy regulations from the European Union and California respectively, both have policies that govern consent around data collection, and what data can be collected for a variety of reasons. Beyond meeting policy requirements, really thinking through the data you need should be a core part of any digital transformation project. Seriously consider how the data will be used, and potentially misused, to achieve your goals and outcomes.
In times of crisis or rapid and significant change, we want to lean into the use and power of data and analytics even more, to successfully come out of it more resilient, informed, and better prepared for the future. This can push people to make decisions quickly on new data to collect—potentially making them bend the rules of consent and privacy in the name of public good. When COVID started, many people thought about contact tracing, including implementing some innovative approaches that had different tradeoffs and would impact privacy and effectiveness. We anxiously wait to see how well they worked, and what we will learn about consent, privacy, and innovative uses of data and technology.
What could this mean for your digital transformation? Below, we hear from four experts on the importance of consent, how priorities shift during times of crisis, and the techniques we use for sensitive data.
Eric Alper, MD
SVP, Chief Quality Officer / Chief Clinical Informatics Officer, UMass Memorial Health Care
Professor of Medicine, UMass Medical School
The need to consider the balance between personal privacy and the desire to facilitate sharing of medical information has never been greater. The federal Promoting Interoperability rules set important standards around sharing of medical information, and the Information Blocking rules make it punishable to withhold information from those who are entitled to it, especially the patient.
The pandemic created an even greater burning platform for medical information to be freely shared among healthcare settings, assuring that patients can receive the most effective and comprehensive care. However, it’s arguable that sharing personal information has never been more risky. The proliferation of actors intent on mining information for personal or financial gain continues, and these pursuits may sometimes be immoral, unethical, or illegal. People are freely giving their unique and valuable genetic information to online services that may not have their best interest in mind. However, aggregation of large volumes of deidentified patient data will create new opportunities for research, discovery, and improvements in public health.
When obtaining personal information in healthcare, we must carefully consider the following issues:
- While taking into account law, regulation, and ethical principles, we make use of patients’ information with their best interests in mind.
- We assure appropriate security of that information, while still making it available to healthcare providers, researchers, and public health authorities that will use it responsibly.
- We are transparent with how and why patients’ medical information is going to be used, especially for vulnerable populations, and we respect their choices for how that information will be used.
- We carefully consider how patients can also receive benefit, particularly when their information is used for financial gain.
Our personal medical information is a precious resource. During this information age and technology explosion, while we will struggle with these questions around privacy and information, if we follow these measures, we can carefully balance patient anonymity with making public health improvements.
Tableau Zen Master and Ethicist
Consent requires a clear understanding, an opportunity for back-and-forth clarification, but perhaps most importantly to this conversation, clear limitations. So often in data discussions, we collect a broad swath of information without making clear its use or lifespan within the collection entity. We're all in this data. Some of us are explicitly counted one or more ways: a patient that's recovered, a relative of someone lost to COVID, as someone high risk, or as one of the vaccinated. But we can be hidden in this data as well: as those who contribute directly or indirectly to these counts. We are not passive observers of it, but active makers in it.
A global health crisis requires quick action. Citizen data scientists and other professionals may fill a void, but a key goal is handing over the work. The COVID Tracking Project, which started to fill a gap early on, is ceasing new collections this month and transitioning over to government entities. Since the start, they've kept stopping top of mind. We, too, need to make stopping—as much as starting—a key goal. That data must have a lifespan and be returned back in some way.
Within a pandemic, we're reindexing where ethical values fall. The following graphic shows how these values shift. Values like autonomy and privacy shift down while others such as the sanctity of life, doing no harm, trust, and justice must escalate. Justice is critical to this conversation: by June 2020, one-third of Black Americans knew someone who had died from COVID-19. We may be weathering the same storm, but we are not in the same boat.
Director, Senior Corporate Counsel, Tableau, and adjunct professor of law at Georgetown University
Informed consent lies at the heart of our modern right to privacy, and is closely linked to the universal human rights of freedom, security, and dignity. The right to control one’s data—and shield it from the state, as well as from companies or other private persons—has evolved into an essential part of our contemporary social contract. But the enormous human toll of the COVID-19 pandemic has upended this traditional formula, suggesting that looser controls on personal data might serve some greater good, by helping save lives through more sharing of personal data.
However, during a global public health crisis like the current pandemic, it remains important that we balance the harms of disclosure with the potential rewards from data sharing, and find better ways to respect individual autonomy and dignity by giving people control over their data. This is, of course, easier said than done.
Before even asking for consent, we can do more to educate people about the benefits of data sharing, such that people may come to see data sharing as a form of individual philanthropy. We should also strive to give people a fuller understanding of their data’s direct and indirect uses—so they are able to fully judge risks and rewards. It may also be possible to require continuing consent—such that people could revoke their consent and withdraw their data from some use if it’s used improperly—or create more nuanced forms of consent, which allow certain uses but not others. As we do these things, we should also strengthen legal rules to protect individuals against misuse of their data, recognizing too (as federal research regulations do) that certain populations may require special protection. And where possible, governments and companies should find ways to enable data sharing in ways that minimize harm, such as through increasingly sophisticated means of anonymization and aggregation.
Co-Founder, Chairman & CEO, Starburst
Given the life or death nature of a global health crisis, I believe it is important to collect as much data as possible, and then restrict which aspects of that data are available to researchers. In other words, I believe that transparency and privacy do not need to be mutually exclusive. You can achieve both through the thoughtful and deliberate use of fine-grained access controls.
For example, names or other identifying information can remain hidden, while other values can be made available for analysis. Another technique is the use of data masking, where certain portions of a value (imagine certain digits of a Social Security number) can be hidden so that privacy can be maintained without impeding the required analysis. Of course, while the technology challenge is solved easily enough, we should not forget that we must also build sufficient public trust in the institutions that initially request the data so people feel comfortable that their personal data is used appropriately.
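The combination described in the passage above, collecting the full record but exposing different columns, masked or generalized, to different roles, is easiest to see as a small policy layer. The block below is an added example written for this page; it is not Starburst or Trino code, and in a real deployment the same rules would live in catalog policies or SQL views rather than application code. The record layout, the roles (`clinician`, `researcher`, `billing`), the masking rules and the patient rows are all assumptions constructed for illustration; the policy denies any column it does not explicitly allow, which is the property that makes "collect everything, expose selectively" defensible.

```python
"""Fine-grained, column-level access control with masking.

Added example for this page (not Starburst/Trino code). Roles, columns,
masking rules and sample rows are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample data: not real patients.
RECORDS: List[Dict[str, str]] = [
    {"name": "Ada Lovelace", "ssn": "123-45-6789", "dob": "1985-12-10",
     "zip": "02139", "diagnosis": "COVID-19", "outcome": "recovered"},
    {"name": "Alan Turing", "ssn": "987-65-4321", "dob": "1990-06-23",
     "zip": "94110", "diagnosis": "COVID-19", "outcome": "hospitalized"},
]


def mask_ssn(value: str) -> str:
    """Keep only the last four digits; everything else is replaced."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return "***-**-" + digits[-4:]


def year_only(value: str) -> str:
    """Generalize an ISO date to its year (dob -> birth year)."""
    return value[:4]


def zip3(value: str) -> str:
    """Generalize a 5-digit ZIP to its first three digits."""
    return value[:3] + "XX"


@dataclass
class ColumnRule:
    allow: bool
    transform: Optional[Callable[[str], str]] = None  # applied when allowed


ALL_COLUMNS = ["name", "ssn", "dob", "zip", "diagnosis", "outcome"]

# Policy table: role -> column -> rule. Any column absent from a role's
# entry is denied by default, so adding a new sensitive column to the
# data does not silently expose it.
POLICY: Dict[str, Dict[str, ColumnRule]] = {
    # Treating clinicians see the full record.
    "clinician": {col: ColumnRule(True) for col in ALL_COLUMNS},
    # Researchers get de-identified, generalized values and no direct identifiers.
    "researcher": {
        "dob": ColumnRule(True, year_only),
        "zip": ColumnRule(True, zip3),
        "diagnosis": ColumnRule(True),
        "outcome": ColumnRule(True),
    },
    # Billing needs the name and a partially masked SSN, nothing clinical.
    "billing": {
        "name": ColumnRule(True),
        "ssn": ColumnRule(True, mask_ssn),
        "outcome": ColumnRule(True),
    },
}


class AccessDenied(Exception):
    pass


def apply_policy(role: str, records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the view of `records` that `role` is permitted to see."""
    rules = POLICY.get(role)
    if rules is None:
        raise AccessDenied(f"no policy for role {role!r}")
    view = []
    for rec in records:
        row = {}
        for col, value in rec.items():
            rule = rules.get(col)
            if rule is None or not rule.allow:
                continue  # deny by default
            row[col] = rule.transform(value) if rule.transform else value
        view.append(row)
    return view


if __name__ == "__main__":
    for role in ("clinician", "researcher", "billing"):
        print(role, apply_policy(role, RECORDS))
```

The check a reviewer should apply to a policy like this is not whether the masking functions work but whether the allow-list is complete and closed: every role's visible columns are enumerated, and a column that is later added to the source (say, a free-text notes field) is invisible to everyone until someone deliberately grants it.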