Data and Ethics (Who Owns My Medical Records?)
Yesterday I testified to the FTC (Federal Trade Commission) as part of a panel on the effect of technology on consumers. My talk was basically a summary of this editorial that I wrote for the Financial Times.
An interesting topic during the open discussion was this: Who owns data about you? Perhaps more importantly, who should own that data? Should Amazon own the record of all the books you have ever bought, or should you? Medical records are even more personal. Should your doctor own your medical records, or should you?
Professor Deirdre Mulligan (at U.C Berkeley, Boalt Hall School of Law) was also on the panel, and I thought she had the deepest insights on the legal and policy issues around personal data. She argued that ownership is the wrong mental model. I certainly have a strong interest in my own medical records, but my doctor has an equally strong interest in the collection of medical records that he has created over the years. From his point of view, it is the record of his career. In the case of a malpractice suit, the records may be required to demonstrate his competence. In some cases, a medical center as a whole comes under regulatory scrutiny, and the records of all doctors and patients at the center may be required to understand the patterns of care.
Mulligan argued that instead of ownership, it is better to think in terms of rights and responsibilities associated with the data. As a patient, I have many rights with respect to my own medical records. I can get access to them, transfer them to a new doctor, and so on. My doctor and the medical center have rights as well, but also responsibilities. They are required to keep the records safe and private. If they are electronic, then HIPAA regulations require them to keep that data for the rest of my life. (You can be sure that the storage implications of these regulations are not lost on us.)
I used medical records as an example, but financial records have the same issues. I think they are my records, but my bank and my broker have lots of reasonable reasons—including legal reasons—to think they are their records.
In summary, if I heard Mulligan's arguments correctly, she was saying that ownership just isn't the right model for thinking about this fuzzy, blended combination of rights and responsibilities that are shared between my doctor, my medical center, my bank and me.
On the other hand, Mulligan used quite a different line of thinking for data that I create that nobody else has any rights to—like my personal calendar or my diary. She argued that it is a very odd artifact of our legal system that my rights are dramatically different depending on whether I store my calendar on my own PC or on a remote server at Yahoo! or Google. If the data is on my own PC, in my own possession, then it belongs to me just as if it were on paper. If the government wants to look at my PC, they can subpoena me, and maybe they'll win, but they certainly can't see it without my knowledge. On the other hand, if my personal calendar is stored on a remote server, the government can read it without me finding out until much later, if ever. In this case, the concept of ownership does seem more appropriate; I created the data by myself, for myself. Unfortunately, the distinction that the legal system makes based on where data is stored, doesn't match people's intuition about data that they think they own no matter where they keep it.
What's exciting to me about all of this is that it dramatically broadens the scope for NetApp. Increasingly the data we store is information about people, or information that consumers believe belongs to them personally. As a result, data management is becoming entangled with philosophical issues of ownership, rights, responsibilities and ethics. None of the technical issues of data management go away, but to really help our customers solve their problems, we also have to focus on "data rights and responsibilities management". Maybe "data stewardship" is the best term to capture this idea. I've always loved working on hard technical problems, but it's especially rewarding to me that our work also matters at a higher societal level.
[Note: The panel discussion jumped around, and the sections I'm describing were quite short. As a result, this note is partly what Prof. Mulligan actually said, but largely my attempt to understand and flesh out the points I thought she was making. If I've screwed it up, that's my fault, not hers.]
An interesting topic during the open discussion was this: Who owns data about you? Perhaps more importantly, who should own that data? Should Amazon own the record of all the books you have ever bought, or should you? Medical records are even more personal. Should your doctor own your medical records, or should you?
Professor Deirdre Mulligan (at U.C Berkeley, Boalt Hall School of Law) was also on the panel, and I thought she had the deepest insights on the legal and policy issues around personal data. She argued that ownership is the wrong mental model. I certainly have a strong interest in my own medical records, but my doctor has an equally strong interest in the collection of medical records that he has created over the years. From his point of view, it is the record of his career. In the case of a malpractice suit, the records may be required to demonstrate his competence. In some cases, a medical center as a whole comes under regulatory scrutiny, and the records of all doctors and patients at the center may be required to understand the patterns of care.
Mulligan argued that instead of ownership, it is better to think in terms of rights and responsibilities associated with the data. As a patient, I have many rights with respect to my own medical records. I can get access to them, transfer them to a new doctor, and so on. My doctor and the medical center have rights as well, but also responsibilities. They are required to keep the records safe and private. If they are electronic, then HIPAA regulations require them to keep that data for the rest of my life. (You can be sure that the storage implications of these regulations are not lost on us.)
I used medical records as an example, but financial records have the same issues. I think they are my records, but my bank and my broker have lots of reasonable reasons—including legal reasons—to think they are their records.
In summary, if I heard Mulligan's arguments correctly, she was saying that ownership just isn't the right model for thinking about this fuzzy, blended combination of rights and responsibilities that are shared between my doctor, my medical center, my bank and me.
On the other hand, Mulligan used quite a different line of thinking for data that I create that nobody else has any rights to—like my personal calendar or my diary. She argued that it is a very odd artifact of our legal system that my rights are dramatically different depending on whether I store my calendar on my own PC or on a remote server at Yahoo! or Google. If the data is on my own PC, in my own possession, then it belongs to me just as if it were on paper. If the government wants to look at my PC, they can subpoena me, and maybe they'll win, but they certainly can't see it without my knowledge. On the other hand, if my personal calendar is stored on a remote server, the government can read it without me finding out until much later, if ever. In this case, the concept of ownership does seem more appropriate; I created the data by myself, for myself. Unfortunately, the distinction that the legal system makes based on where data is stored, doesn't match people's intuition about data that they think they own no matter where they keep it.
What's exciting to me about all of this is that it dramatically broadens the scope for NetApp. Increasingly the data we store is information about people, or information that consumers believe belongs to them personally. As a result, data management is becoming entangled with philosophical issues of ownership, rights, responsibilities and ethics. None of the technical issues of data management go away, but to really help our customers solve their problems, we also have to focus on "data rights and responsibilities management". Maybe "data stewardship" is the best term to capture this idea. I've always loved working on hard technical problems, but it's especially rewarding to me that our work also matters at a higher societal level.
[Note: The panel discussion jumped around, and the sections I'm describing were quite short. As a result, this note is partly what Prof. Mulligan actually said, but largely my attempt to understand and flesh out the points I thought she was making. If I've screwed it up, that's my fault, not hers.]
Comments