There’s a real conflict today with data privacy. On the one hand, increasingly tight privacy and security regulations are being introduced around the globe, such as GDPR and CCPA, and we are being given greater choices regarding sharing personal data. On the other hand, we are seeing an ever-increasing number of events that rip control away from the individual.
My digital footprint is growing at an exponential rate, but to an extent I choose what data is captured and stored. Every step I take is geographically tracked and logged. I have an online history of coffee shops visited, can review a detailed map of my heartrate, shopping lists are captured by voice and converted to stored text, viewing history is saved by online streaming services, and even my children’s education is captured digitally and shared via a mobile app. I’ve consciously opted-in to use a variety of online platforms, as I’ve decided the benefits outweigh the risks.
It would be naïve to believe risks do not exist when signing up to new platforms. Despite vast cyber security controls and privacy laws that companies must adhere to, situations change and unforeseen events occur. High-profile data breaches expose personal information that was assumed protected, or incidents like the Facebook-Cambridge Analytica data scandal result in personal data abuse.
The misuse of confidential data has a long history of debate, with disputes around sensitive health information accelerating several decades ago when medical records started to shift from paper-based systems to digital ones. Perhaps patient information should only be used for the individual’s treatment, but shared data supports clinical research and development. Various medical data schemes have been introduced and nations have tightened privacy policies at different rates.
In England the NHS care.data programme was launched in 2013 to consolidate and anonymise health data from GP surgeries into a central database for research purposes, but failed due to privacy concerns. More recently the national data opt-out policy was introduced to provide individuals with more control of their medical data privacy, but unforeseen circumstances such as the COVID-19 pandemic has already led to some erosion of this control. The current NHS position is:
“To help the NHS respond to coronavirus, your information may be used for coronavirus research purposes even if you have chosen not to share it. Any information used will be shared appropriately and lawfully.”
We live in unprecedented times and sharing data to help protect lives takes priority, but it demonstrates how data privacy needs can rapidly change. A similar debate occurs with the COVID contact tracing app – required to help control the spread of the virus, but impacting individual privacy rights.
Now considering events in the US, the Health Insurance Portability and Accountability Act 1996 (HIPAA) was introduced almost 25 years ago. This legislation was designed to safeguard sensitive health data, protecting patients from having information disclosed or shared without their consent or knowledge. Many debates have occurred involving HIPAA over the years, both in the courts and the public eye, but the COVID-19 pandemic has required privacy decisions to be made extremely quickly. The US Department of Health and Human Services announced early in the pandemic:
“Under the Privacy Rule, covered entities may disclose, without a patient’s authorization, protected health information about the patient as necessary to treat the patient or to treat a different patient”.
We can draw parallels between the positions taken in the US and UK – that health information can be shared appropriately to help fight coronavirus, despite it diluting the protection of personal medical data. Privacy therefore requires agility.
In a corporate sense, data privacy regulations are documented for organisations to adhere to, but the world is constantly changing. A major challenge is applying static laws, like HIPAA, to rapidly moving economic, social and technical landscapes. Proving regulatory compliance can be extremely time-consuming, repetitive and labour-intensive when done manually.
Solidatus helps organisations simplify their adherence to privacy laws by empowering customers to map the flow of relevant data through the organisation, visualising the mapping against their people, processes and regulatory needs. Solidatus transforms manual processes into automatic data operational models, which can be interacted with and remain updated regardless of external change. Creating an end-to-end holistic view of information and data provides an operational blueprint for audit and planning purposes, helping facilitate required training and associated actions to ensure ongoing compliance.
Leveraging modern technology and processes helps organisations remain compliant and easily demonstrate that they have disclosed data appropriately and not to an excessive degree. Even when privacy goalposts rapidly change, data can still be maximised to better the world, as we are seeing with the incredible COVID-19 vaccine progress. We live in extraordinarily complex times regarding data privacy, but organisations that modernise their data approach now will inevitably be in a stronger position post-pandemic.
You may also be interested in:
Solidatus is a next generation data management solution, enabling and accelerating an organisation’s ability to understand its data landscape. Unique in its unopinionated, non-prescriptive design, with a simple, open, meta model that allows users to model any scenario or use cases to suit their organisational needs, not to fit into a vendor’s view of the world. It is flexible enough to support innovation, but structured enough to allow elegance.