Just because you can does not mean you should

Last month the UK government’s Competition and Markets Authority issued a ‘Call for information’ on the ‘commercial use of consumer data’.

While data governance professionals have been taking the measure of the ethics of using data garnered from the web for quite some time, the issue is gaining a higher public profile, with healthcare data an especially sensitive topic.

The CMA’s call for information takes as its starting point the recent increased sophistication of data capture: “The last decade has seen rapid growth in the volume, variety and commercial applications of consumer data, driven by technological developments which enable data to be collected and analysed in increasingly rapid and sophisticated ways. Data exchange is likely to become even more important as mobile internet devices and smart devices become more prevalent”.

Just because you can …

Just because you can do something does not mean that you should do it. That’s been a theme of Computer Weekly’s coverage of Deloitte’s research on data matters in the past few years, particularly its annual Data Nation report, which is produced under the direction of Harvey Lewis, and surveys around 2,000 UK consumers.

The first of the Deloitte reports, in July 2012, found that companies and public sector organisations in the UK needed to tread warily when it comes to performing customer data analytics. But, Deloitte added, there were opportunities for those who educate their constituencies and are clear about what customer data is used for.

A year later, in 2013, Lewis’s colleague Peter Gooch, privacy practice leader at Deloitte, said of the second Data Nation report that their survey showed that people were: “More aware that something is happening with their data, but they don’t know what that is and there is increased nervousness.

“There is no real sign of a tipping point, where people see their own data as an asset that can be exploited. Consumers recognise their data as an asset to the extent that they want to protect it, but not to the extent of exploiting it.

“This almost lines up with the path that organisations have followed, going from protection to exploitation, from information security to analytics. Consumers might follow the same journey, but it will happen in pockets”.

The 2014 report, interestingly, found that the NHS was much more trusted than the private sector with personal data. 60% of the 2,025 respondents were most trusting of public healthcare providers and 51% of other public sector organisations. By contrast, 31% trusted social media companies with their data, 34% trusted telephone companies and internet service providers, and 39% were “least concerned” about banks and credit card companies having their personal data.

Does this comparative trust in the NHS offer a platform on which better health outcomes can be built through clinical research on open data, or is it a fragile element that could be squandered? The Nuffield Council on Bioethics has published a report critical of the Department of Health’s care.data programme, which aims to transfer the medical records of all NHS patients in England from GP surgeries to a central database, under an opt-out rather than an opt-in model.

The report, ‘Public participation should be at the heart of big data projects’, makes these arresting points:

“as data sets are increasingly linked or re-used in different contexts to generate new information, it becomes increasingly difficult to prevent the re-identification of individuals. On its own, consent cannot protect individuals from the potentially harmful consequences of data misuse, nor does it ensure that all their interests are protected. Therefore, good governance is essential to ensure that systems are designed to meet people’s reasonable expectations about how their data will be used, including their expectations about a sufficient level of protection”.

The report also cites Professor Michael Parker, of the University of Oxford: “Compliance with the law is not enough to guarantee that a particular use of data is morally acceptable – clearly not everything that can be done should be done. Whilst there can be no one-size-fits-all solution, people should have a say in how their data are used, by whom and for what purposes, so that the terms of any project respect the preferences and expectations of all involved.”

Data governance in the era of big data is a troublesome business. I’m chairing a panel on ‘Data governance as corporate IT is remade by cloud, mobile, social and big data’ at the Data Governance Conference Europe on 20 May in London, and this will explore some of these issues.

Meanwhile, the CMA call for information deadline is 6 May.