THE COVID PANDEMIC has placed a spotlight on the need for better, faster ways to share data for many purposes such as monitoring the rate and spread of the disease, identifying early warning signals for break-outs, evaluating its impact on different groups within the population, and conducting ‘track and trace’ exercises. Many initiatives have mushroomed over the last few months, some of them extremely ambitious – and they have done so extremely quickly.
In one sense, that’s good – in an emergency, we have to act fast. But it also means that compromises are made and corners cut in ways that store up trouble for the future. Could this be happening with many of the current initiatives relating to health and care data? What are the costs of little or no governance, scrutiny and understanding of multiple health data initiatives when governments, academics, public sector organisations and businesses can avoid the normal controls and transparency?
Many such initiatives are now under way, most with relatively bland names that say little about what they really intend to do. Examples include Health Data Research UK (HDR UK), Data Intelligence Network (DIN) in Scotland, Secure Anonymised Information Linkage (SAIL) in Wales, Research Data Scotland (RDS), Data Lab (DL) and Centre for Ethics and Data Innovation (CEDI-UK).
As we look forward, is it time to subject such initiatives to greater scrutiny? Here are some of the questions that should be asked.
1. Of course, when we need to act fast some processes (designed to ensure transparency and integrity) may need to be short-circuited, to some degree at least. But to what degree? Take for example, the tender document for Covid-19 Surveillance: Data & Intelligence Consultancy for “ the planning and delivery of a responsive system of community surveillance of Covid-19 direct and indirect impacts ”. This was issued on May 28. The deadline for submitting tenders was noon on June 1, giving those organisations wishing to apply just one working day to research, write and complete their tender. That makes it look like some party or parties ‘on the inside’ already had prior knowledge of the tender and the timing of its issue. Whether or not this is the case, cutting corners on procurement processes that were established for good reasons is unlikely to inspire confidence in the integrity of what is being done. Surely, even in the midst of a crisis, a week’s notice would be acceptable? What oversight has there been, and should there be, of the procurement process of ‘emergency’ initiatives?
2. As initiatives multiply, what are the real motives of those involved? Many private sector profit-seeking corporations, especially in the USA, have been circling citizen and NHS health data for years, because they see it as a significant opportunity for data monetisation. Responding to Covid-19 has been a heaven-sent opportunity for them to move in under the banner of the public good. Many of the initiatives now underway have links both direct and indirect (for example, through the business dealings of individual participants) with these corporations.
What safeguards, if any, have been put in place, or are being put in place, to ensure vested interests are not and cannot use or subvert new initiatives for their own purposes? What transparency requirements should these initiatives be expected to meet? Is it enough to rely on (for example) bland, blanket assurances that existing arrangements ” to ensure privacy and ethical data use ” will be maintained?
3. What is the long term status of initiatives established rapidly as emergency responses? How will they relate to, and interact with, previously established initiatives and processes? Could ad hoc solutions that have cut corners in terms of process, safeguards, transparency etc become the de facto establishment?Could they end up replacing previously established initiatives and processes? What measures will be used, if any, to retrospectively review and fix any shortcomings in their design, operation or management?
4. What consideration, if any, is being given to alternative and potentially better ways to tackle the issues concerned? At the heart of nearly all of these initiatives, for example, is the need to share more data more quickly. But much of this data is personal data and there are strict legal rules in place to stop willy-nilly data sharing without the individual’s consent. In the urgency of achieving a goal in ‘the greater good’ many voices are being raised (mostly behind closed doors) that these rules should be eased. But the assumption behind these calls is that status quo approaches to sharing data – from one organisation to another – are the only ways of doing it. Whether intended or not this is having the effect of centralising power. Is this what our society wants, long-term? What means are being established for the public to be able debate the implications of these actions and of changing course if desired?
5. What thought is being given to other possible ways forward – ways that are distributing and empowering citizens rather than centralising and disempowering ? As we rush to complete ad hoc paper-string-and-glue solutions are we, by default, also excluding even the possibility of other, potentially better alternatives.
Many possible harms may follow badly planned and poorly implemented projects. Here are some of them.
Positive harms
- Public monies being spent on projects and initiatives that will not and cannot deliver on their promises (and where most of the money ends up in private business and persons’ pockets).
- Public servants’ time and effort wasted on pursuing white elephants with little or no public benefit, reducing fairness, equalities and human rights
- Lack of any co-production and awareness of impact on human rights, equalities and under represented groups
- Privacy invasions by academics, governments and businesses that reduce dignity and respect for citizens
- Exploitation of private, personal data for private profit
- Red flagging of people’s health and other social graph variables
Missed opportunities
- Not developing solutions that can achieve what is needed without invading peoples’ privacy or turning their data into a money-grabbing opportunity
- Not gaining the respect and trust of the public and Parliament by governments, academics and business working in secrecy
- Not developing the capabilities and infrastructure that could address many other similar opportunities to derive public good from personal data safely, ethically and efficiently
- Not protecting citizens’ privacy and data through the embracing of GDPR instead of trying to bypass it
Looking forward
As we (hopefully but falteringly) emerge from the worst of the Covid crisis, many questions now need to be asked about the health and care data initiatives it has spawned. Broadly speaking they are:
- Who are the most powerful actors in these initiatives? Are all of them truly independent and acting in the public interest? Have there been enough controls to stop unacceptable access and use of personal data, including its monetisation, as a consequence of Covid -19 ? Where are human rights and privacy going in the closed work of governments, public sector bodies and businesses ?
- Where is the governance, accountability and scrutiny to protect us from vested interests and data exploitation ?
- What safeguards and open, transparent processes are being put in place to protect the public from the illicit aggregation of data for purposes other than public and private health and safety?
- What is their long-term intent? Are they short term, temporary emergency response to one particular crisis or will they become permanent structures and institutions?
- Have well meaning civil servants been compromised in some way by lack of oversight and the hyperbole of the commercial sector?
Picture courtesy of Nik Anderson