Interesting things are happening in the UK at the moment, on many fronts, but not least personal data.
For a country still bound by the European data regulations (GDPR) it may be reasonable to assume this would mean the country would have the least amount of controversy around personal data use. However the National Health Service (NHS) there seems to have done it’s best to find every loophole possible under the guise of “consent” and “opt-out”.
This all started with the NHS passing on medical records to third parties, be they pharmaceutical companies, consultancies or other government departments, under the guise of solving COVID, and therefore having legal and business need basis according to regulations. It snuck into the news somewhat under the radar, relatively speaking, with only a couple of newspapers picking up on it.
Despite the quiet and hard to find notification, there was considerable backlash, including petitions to the government. This however did stop the NHS. They simply reiterated controls for the average person that were in line with current privacy practices; you could object and you’d be opted out. At least for everything from that point onwards.
Media coverage showed that UK residents were rightly livid – firstly, how would they know to opt out other than through luck of reading about it or being told; surely these things should be opt in.
Secondly, the opt out only applied initially to all future data, but did not protect against any historical data already shared. Let’s be clear here – this isn’t just some data about things you’ve bought. This is your medical history, sexual health, details of procedures such as abortions. While the NHS noted they anonymized the data, we all know if you have enough anonymous data you can find individual characteristics to know who a person is. For example in a school class there might be 30 people whose names you don’t have. But once you filter for freckles, brown hair, a missing tooth it might only be one person that fits.
Eventually the NHS agreed to back down further and limit historical information, while also giving people access to where the data was shared and how. And herein lies the ultimate problem; with the current centralized systems you are expected to firstly find out all the places your data may have been shared, then go and read pages of incomprehensible listings about how it was shared. And then try and opt out.
Even then, if you manage all that, there is no comprehensive third party audit to prove where that data might still reside even if simply by accident. You can look at the shared data records here and you can see how fraught with difficulty knowing how it really affects you as an individual person is. And if applicable to you, you can opt-out here. Thankfully the deadline for opting out has been postponed.
The solution to this? Distribute the data records. Quite literally each person has their own data stored across their own devices, not in a centralized database owned by someone else. A central system can act as the broker, but would not be capable of reading or interpreting anything by itself. Requests for use can come to the person, with appropriate incentivization, rather than use of the data always being justified under a legal or business need technicality.
This allows the person to remain in control of use and data ownership, and avoids a variety of issues around corporate data storage, and expecting the average person to track down and object to all uses of their data in the world. It too has challenges, but at least they are at a scale understandable to the average person. And shouldn’t an ability to understand simply be the minimum requirement in all of this?
It’s amazing how quickly personal data has been seized on given that the www is barely 25 years old! In 1996 the only internet presence the US government had was a video of the White House cat!
The standard protocol should always have been opt-in not opt-out (even if the latter is possible.
Interesting topic!
Privacy laws/processes and any codes of ethics” around personal data collection and use currently are simply designed to obfuscate the general public. Under the few new laws businesses are only obligated to disclose information collected and shared when asked by a person and is essentially a log of what’s happened already. An onerous backtracking most cannot do.
Perhaps a real time notification to consumers for data use requests from a personal storage location? Similar to the advent of caller ID to combat the pesky telemarketers buying data off phone companies in the 90s.
Question is, can we really gain control of our own data at this point with so much out there and when our data is so profitable to big business?