Point of View

Sharing Data and Privacy – Both/And

August 26, 2020

Ki brings together data, data analysts, and decision-makers to make informed decisions about complex global health issues.

For this process to work, collaborators need timely, ready access to relevant data, and they are unlikely to have it without entirely new ways of sharing data.

New ways of sharing data, in turn, require an entirely new framework for protecting the privacy rights of the people whose lives are represented in the data being shared.

We advocate for both data sharing and privacy.

The challenge of data privacy is often painted as a stark dichotomy: either you are in favor of fully open and unfettered access to data, or you believe in strict data privacy without sharing, with no middle ground. The Ki team rejects this as an unnecessary false choice.

We advocate both data sharing and privacy. The central purpose of our work is to use data to improve lives. However, we don’t want to pursue this goal while undermining the trust of the people who collected the data and the respect due to the people who share their data for the benefit of others.

Highest Common Denominator

In practical terms, all the work we do adheres to the highest ethical and legal standards as laid out in the General Data Protection Regulation (GDPR). Our foundation is based on the ethical precept that “all lives have equal value.” We believe that our day-to-day work must be as ethically based as our end goals. However, committing to upholding ethical standards does not make it obvious which legal standards to follow.

In the United States, the Health Insurance Portability and Accountability Act (HIPAA) has been in force for 25 years. More recently, the European Union issued the GDPR, which is stricter in many ways and larger in scope than HIPAA, because it relates to all data, not just health data. Because many non-European countries are now devising GDPR-like regulations, we decided to use the GDPR as Ki’s starting point. We believe that this stricter standard will allow us to respect the sovereign rules of all our partners, wherever they are located.

Who Owns Data?

One way to meet the challenge of providing data access while maintaining privacy is to recognize the important differences between individual patient data and meta-data.

To be clear, we believe individual patient data (IPD) should be properly safeguarded in secure repositories with clear, GDPR-compliant terms of access. But by our definition, meta-data summarizes the content of a particular set of IPD but does not provide personally identifying information. For example, meta-data tells us that a study enrolled children under 5 years of age, but it doesn’t give us the ages of each child. Meta-data tells us that the primary outcome measure of a study was mortality but doesn’t tell us the outcome for an individual child.

We believe that, unlike IPD, meta-data should be permissively licensed and machine-readable. This access would make it easier for collaborators and analysts to identify relevant data, where it is located, and who is its guardian. By providing more open access to meta-data, we could make it easier for researchers and analysts to pinpoint the IPD they need before ever having to request access to the IPD.
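The IPD / meta-data split described above can be made concrete in code. The following is an added illustration, not Ki's own code or schema: it builds a machine-readable meta-data record from a handful of constructed IPD rows (a hypothetical child-survival study), keeping only study-level facts such as enrolment count, age band, the name of the primary outcome and the data guardian, and then checks that no individual-level identifier from the rows has leaked into the record. The field names, the age-band vocabulary, the licence string and the guardian name are all assumptions chosen for the example; a leaky per-child summary is included alongside the proper one so that the check has something to catch.

```python
"""Derive privacy-preserving meta-data from individual patient data (IPD).

Added example: field names, sample rows, age bands and licence are assumptions.
"""
from datetime import date
import json

# Constructed IPD rows for a hypothetical study; not real children, not real data.
IPD_ROWS = [
    {"child_id": "C001", "dob": date(2017, 6, 14), "sex": "F", "village": "V1", "died": 0},
    {"child_id": "C002", "dob": date(2018, 1, 30), "sex": "M", "village": "V1", "died": 1},
    {"child_id": "C003", "dob": date(2016, 11, 3), "sex": "F", "village": "V2", "died": 0},
    {"child_id": "C004", "dob": date(2019, 9, 21), "sex": "M", "village": "V3", "died": 0},
]

# Per-person columns: meta-data may list their NAMES, never their VALUES.
INDIVIDUAL_FIELDS = {"child_id", "dob", "sex", "village", "died"}

ENROLMENT_CUTOFF = date(2020, 1, 1)  # assumed enrolment date used for age computation


def age_in_years(dob: date, on: date) -> int:
    """Completed years between a date of birth and a reference date."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def age_band(rows, on: date) -> str:
    """Coarse enrolment age band for the whole cohort (assumed vocabulary)."""
    ages = [age_in_years(r["dob"], on) for r in rows]
    if max(ages) < 5:
        return "under 5 years"
    if min(ages) >= 18:
        return "adults"
    return "mixed ages"


def leaky_summary(rows, on: date) -> dict:
    """What NOT to publish as meta-data: ages and outcomes keyed by child id."""
    return {
        "n_enrolled": len(rows),
        "ages": {r["child_id"]: age_in_years(r["dob"], on) for r in rows},
        "outcomes": {r["child_id"]: r["died"] for r in rows},
    }


def metadata_record(rows, study_id: str, guardian: str, on: date) -> dict:
    """Machine-readable description of an IPD set carrying no individual-level values."""
    return {
        "study_id": study_id,
        "n_enrolled": len(rows),
        "enrolment_age_band": age_band(rows, on),
        "primary_outcome": "mortality",           # what was measured, not who died
        "variables": sorted(INDIVIDUAL_FIELDS),   # column names only
        "data_guardian": guardian,
        "ipd_access": "request via guardian under GDPR-compliant terms of access",
        "metadata_license": "CC0-1.0",            # assumed permissive licence
    }


def _tokens(obj):
    """Yield every dict key and scalar value in a nested structure, as strings."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield str(k)
            yield from _tokens(v)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            yield from _tokens(v)
    else:
        yield str(obj)


def individual_leaks(metadata: dict, rows) -> list:
    """Identifiers from the IPD rows (ids, dates of birth) found anywhere in the meta-data."""
    identifiers = {r["child_id"] for r in rows} | {r["dob"].isoformat() for r in rows}
    return sorted(identifiers & set(_tokens(metadata)))


def publishable(metadata: dict, rows) -> dict:
    """Gate before releasing a record to an open catalogue: refuse if anything leaks."""
    leaks = individual_leaks(metadata, rows)
    if leaks:
        raise ValueError(f"meta-data exposes individual identifiers: {leaks}")
    return metadata


if __name__ == "__main__":
    good = metadata_record(IPD_ROWS, "KI-DEMO-001", "Example Data Guardian", ENROLMENT_CUTOFF)
    print(json.dumps(publishable(good, IPD_ROWS), indent=2))
    bad = leaky_summary(IPD_ROWS, ENROLMENT_CUTOFF)
    print("leaks in naive summary:", individual_leaks(bad, IPD_ROWS))
```

The check is deliberately simple: it treats any child id or date of birth appearing as a key or value in the candidate record as a leak. A real catalogue would also guard against small-cell disclosure (counts so low that a summary identifies someone), which this example does not attempt.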

We believe that this is a critical step towards accomplishing the dual goal of privacy protection and optimal access.