12 comments

[ 2.9 ms ] story [ 46.6 ms ] thread
A few people on HN want to use health care data from people in England. Understanding Dr Nicola Byrne's aims and concerns will be useful to help predict what policies and laws around healthcare data are going to be implemented.
This sounds like a sugarcoated "all your data are belong to us" with the usual chatter about "innovation".

I'd trust them if they offered this position to someone like Schneier.

Consider whether affiliated people on Twitter are the sort of people you'd feel comfortable being able to anonymously browse your medical history without any log of the action because it was classified as research on a data set. Researchers are people like anyone else, except they're just as awful, with more access, fewer adult incentives and boundaries, and almost no personal accountability for privacy. If you have doubts about whether you would trust U.S. college IT people to run facebook, pornhub, reddit, or tinder on your behalf, I recommend paying attention to what this new national data guardian has to say.

The risk I think she will need to manage is the pressure universities apply to health agencies for data. There is a perfect storm brewing where privacy for outsiders isn't a big cultural norm in some reserach communities, but using data for social political purposes is. Reserach ethics boards are nice, but they're like the police investigating themseves.

The question isn't so much whether we could cure cancer with just this bit more data without oversight, and more whether the people demanding it are above using a perceived crisis to squeeze the toothpaste out of the tube. She has a very interesting job ahead of her.

There are strict guidelines about what data can be shared for research purposes and researchers only get access to the data they need - not your full medical history. Access is audited and you can request information on where and for what purposes your data is shared. You can also easily opt out of your data being shared for research purposes.
Depends on what jurisdiction, and if you are familiar with privacy law in different regions, the exceptions to that are often sweeping, with the additional issue in some systems that regulations can be made by lower level authorities without the same level of public scrutiny or debate.

It's the wild west for data, and privacy people have done what they could over the last 20 years, but the tech has accelerated so much in the last 10 that those prior assurances aren't what we think they are.

All health and social care organizations in England must comply with this by September 2021 (delayed from original date due to the pandemic). This was based on a recommendation from the previous National Data Guardian.

Scotland, Wales and Northern Ireland have different policies.

Massive data sets were mobilized for covid-19, and I advise anyone politically exposed that it would be unwise to consider their health records a secure secret, and to challenge the security controls on any private electronic information.

If you really have a privacy risk, you already know how to avoid these issues, but everyone should understand and always assert their privacy rights, because there are a lot of parties interested in taking them.

> opt out

and there is the crux of the matter.

Over a thousand words, and I still have no idea what she is trying to say. Nor what the headline actually means.
tl;dr:

> And I shall not be dark, but beautiful and terrible as the Morning and the Night! Fair as the Sea and the Sun and the Snow upon the Mountain! Dreadful as the Storm and the Lightning! Stronger than the foundations of the earth. All shall love me and despair!

I not only have to trust the immediate authority over the data.

I have to trust whoever has authority over them won't change the rules.

I have to trust who has practical authority IE technical administrators.

And I have to trust the people in those positions for the entire lifetime the data is held, far in the future.

I haven't even gotten to malicious actors and the "defense is harder than offense" part of IT Security.

Good luck with that.

The only way health record digitisation even vaguely works is by people holding their own record, unlocked by themselves only when they want, to who they want. A damn good trick if you can manage it.

> The only way health record digitisation even vaguely works is by people holding their own record, unlocked by themselves only when they want, to who they want. A damn good trick if you can manage it.

This is really great point, seems like it can work with EMV cheap, eg. data only decrypted when EMV cheap is connected, and data is only access by certified software.

I would not expect this to be implemented any time soon, probably, discussion on such implementation will only start when large database of medical history is leaked online, and leak effected in some way kids with very wealthy and influential people, unfortunately.