Posted on February 3, 2019 at 3:14 PM
This post is a response to a previous blog, “Ending Privacy As We Know It”(January 10, 2019)
by Nancy M. P. King
The difficulty of maintaining privacy highlights the importance of the difference between privacy and confidentiality: if we try to keep as much as possible private because we’re worried about what will happen to it if shared at all, we risk forgoing the extremely important work of setting up rules for dealing with shared-but-still-confidential information. As you note, GINA is imperfect on that score; so, of course, is HIPAA. And when researchers collect identifiable information or biospecimens, in many instances the new Common Rule reduces the role of the IRB to a “limited review” of confidentiality protections. Carl Elliott has long criticized human subjects protections as being essentially no more than an honor system. But at the same time, researchers have often protested against stronger protections, arguing “We have no interest in the identities of the people who provide us with data, we only care about making good use of the data.” If things are going to change, then we need robust attention to what counts as ethically appropriate use of available information.
The goodwill of earnest researchers in what is largely an honor system isn’t likely to be good enough. I’m not reassured by learning that big data researchers care about my data but not about me. Many years ago I heard a Maori scientist describe medical records research in which he looked for cases of a lung condition that seemed to be more common in First Peoples, and recorded the relevant data without identifiers: “In those files I saw my mother, and my cousins, and my friends and neighbors.” From that I understood that even if we have only an honor system, we need to think more about what that honor system should honor. After all, figuring out how to do something about the misuse of confidential information goes far beyond the reach of law. It’s part of why hospitals put signs in elevators warning health care providers about what they talk about, when, where, how, and to whom. That warning shouldn’t be only the hospital’s way of saying “Be careful because we are a covered entity and that means we’ll get in trouble if you have loose lips!” It should be a reminder to respect the people who have shared their stories, their specimens, and their data with you. In other words, we should all care about the people behind the data we manipulate so freely. Actually caring about more than the data is far more likely to help recreate the culture of respect for confidentiality that we seem to have lost along with the capacity for privacy.
Easier said than done, but what isn’t?