The trouble with consent

Interesting things are happening in the UK at the moment, on many fronts, but not least personal data.

For a country still bound by the European data regulations (GDPR) it may be reasonable to assume this would mean the country would have the least amount of controversy around personal data use. However the National Health Service (NHS) there seems to have done it’s best to find every loophole possible under the guise of “consent” and “opt-out”.

This all started with the NHS passing on medical records to third parties, be they pharmaceutical companies, consultancies or other government departments, under the guise of solving COVID, and therefore having legal and business need basis according to regulations. It snuck into the news somewhat under the radar, relatively speaking, with only a couple of newspapers picking up on it. 

Despite the quiet and hard to find notification, there was considerable backlash, including petitions to the government. This however did stop the NHS. They simply reiterated controls for the average person that were in line with current privacy practices; you could object and you’d be opted out. At least for everything from that point onwards.

Media coverage showed that UK residents were rightly livid – firstly, how would they know to opt out other than through luck of reading about it or being told; surely these things should be opt in. 

Secondly, the opt out only applied initially to all future data, but did not protect against any historical data already shared. Let’s be clear here – this isn’t just some data about things you’ve bought. This is your medical history, sexual health, details of procedures such as abortions. While the NHS noted they anonymized the data, we all know if you have enough anonymous data you can find individual characteristics to know who a person is. For example in a school class there might be 30 people whose names you don’t have. But once you filter for freckles, brown hair, a missing tooth it might only be one person that fits.

Eventually the NHS agreed to back down further and limit historical information, while also giving people access to where the data was shared and how. And herein lies the ultimate problem; with the current centralized systems you are expected to firstly find out all the places your data may have been shared, then go and read pages of incomprehensible listings about how it was shared. And then try and opt out. 

Even then, if you manage all that, there is no comprehensive third party audit to prove where that data might still reside even if simply by accident. You can look at the shared data records here and you can see how fraught with difficulty knowing how it really affects you as an individual person is. And if applicable to you, you can opt-out here. Thankfully the deadline for opting out has been postponed.

The solution to this? Distribute the data records. Quite literally each person has their own data stored across their own devices, not in a centralized database owned by someone else. A central system can act as the broker, but would not be capable of reading or interpreting anything by itself. Requests for use can come to the person, with appropriate incentivization, rather than use of the data always being justified under a legal or business need technicality. 

This allows the person to remain in control of use and data ownership, and avoids a variety of issues around corporate data storage, and expecting the average person to track down and object to all uses of their data in the world. It too has challenges, but at least they are at a scale understandable to the average person. And shouldn’t an ability to understand simply be the minimum requirement in all of this?

Further reading