Consent

Participants:

  • Christopher Wilson
  • Peter
  • Mark- Barriers
  • Helen- tracking genomes (children)
  • Helene- informed consent
  • Mark
  • Reuben- delegated consent
  • John- personal info brokers, permission hubs
  • Carl- is consent problematic
  • Simon- underlying (technical) architecture
  • Phil

Open data definition – about things like bus timetables, but not about people. There’s no trouble with impersonal. But trouble when it comes to individuals, shopping habits, health, etc. Both gov and private sector.

OECD roundtable paper – four classifications:

  • ‘derived’ – result of data mining,
  • observed data (publicly visible),
  • provided. (ref forthcoming),
  • inferred. Looking at the data origin.

There’s a difference between surreptitiously observed vs consent-based observation.

Data is ‘personal’ when it relates to a person, but also depends on what other data it could be combined with to identify someone. Depends on the context.

The main paths to open data release is through –

  1. anonymisation
  2. legislation requiring disclosure,
  3. or you get consent

The latter is hard when you don’t know the purpose in advance of the open data use. E.g. health records: there’s been a debate about the release of health records through HSCIC – ‘lightly anonymised’. Data collected by GP’s, then uploaded to a central database where anonymised, then released. You can opt out by writing a paper letter – the GP puts a flag on your record.

Another kind of consent would be where you are given lots of paper certificates (e.g. qualifications, driving license). Then you decide to give a third party sight of the data. Where the individual has control over the disclosure.

Difficulty in working out what counts as ‘incompatible’ with the original purpose of the data collection. There’s a missing point working out this. There are different issues with licensing and data protection – but the two are applied in unison. Conceptually different. One of the main reasons for licensing data is to maintain the status of non-personal.

Is a personal data license possible? what would it look like? Can you really over-ride fundamental DP principles with a license?

Licenses are often put in place to ensure compliance with DP principles. That would be relying on contract law – providing a proxy protection.

If a gov department shares data under conditions with another, that’s not open data. Can think of this as ‘front office’ / ‘back office’.

It was assumed in DP law that ‘data controller’ is an organisation. But it could be interpreted as ‘natural person’. But not thought of as individual controlling their own data.

There’s a lack of distinction around someone who could be both data controller and data subject at the same time. There’s some flexibility with relation to ‘joint data controller’ ‘data processor’.

Seems like we’re talking about the legal mechanisms but no consent itself. Let’s take a step back!

Is general consent possible for open data? There’s consent to whether personal data flows to a particular organisation (consent of access), then there’s consent of use/control (what the organisation do once they have it). You can give your genome data to the Personal Human Genome Project with consent, but the approval of a particular research is done by the organisation, no the data subject.

Think through some concrete examples:

  1. Personal Genomic Data
  2. Quantified self data is one end of the spectrum.

Think about the use of the data, consent covers that.

The point of collection, use, and origin.

Question 1: Can I consent to open data Arguably not (legally) because so broad. Not specific enough.

Question 2: *can you consent to ‘nice research’ and not ‘bad research’ *(e.g. biological warfare research)

Not many people will likely want to upload their genomic data if there are no constraints.

Let’s assume anonymisation is a black box which works. There is legislation which defines these things – people trying to make personal data not personal data using less than adequate anonymisation techniques. Consent implies permission, but what the genome project case is talking about personal ‘publishing’.

How do you get informed consent to anonymisation when anonymisation techniques are a ‘black box’ for most people.

To treat in law personal data as just being yours is wrong – e.g. the genomic data example which affects your relatives. There are certain situations, types of data, which should always remain closed.

Difference between publication and consent. Publication: take example from the copyleft people, publishing under a license for re-use, share-alike, etc. These may be useful to constrain further use of data.

At the moment if I self-disclose data, I give up certain data protection rights.

Depends on the context – e.g. social media if you publish there it doesn’t necessarily mean you’re giving anyone permission to do anything. The way to get away from that is if you publish your data on your own website.

So paradoxically I have less control over my own data if I publish it myself. The question is if someone else takes it from independent blogs, they become a data controller.

They don’t necessarily need consent if they have one of the other bases of fair processing.

The ‘lock comes down again’ every time there is a re-use. The problem is if your a data controller, you need a condition for processing. One of those conditions is consent. In practice, the other available conditions don;t work. But in a big data/ open data context it often comes down to consent. there’s a connection between the practical examples and the broader principles.

The problem is around making a broad enough consent for many different purposes, and still being valid as ‘specific’ consent. E.g. individuals may not agree with e.g. GSK activity as ‘medical research’. Are the protocols for consent applied to data controllers adequate? If you define purposes tightly enough, it may be feasible to get informed enough consent for research uses.

General principles for consent.

  1. There is independent oversight (what does independent mean?)
  2. A mechanism for feeding back to the individual how its been used and where. They must be able to find it out. It’s not too difficult if you prepare for it in advance prospectively – very hard to do retrospectively. Audit trail should be a requirement
  3. Proportionate sanctions – what would they look like?

But the UK Biobank records example – they subsequently decided they couldn’t delete everybody who wanted to opt-out. They then shared with an unspecified company they didn’t originally mention.

One of the reasons often put forward against consent, is that ‘people aren’t that bothered’. They just want the benefit / end product. People don’t want to read privacy notices. So that’s one of the practical challenges – how do you give people the information in a condensed form ? The MIT media lab clear button initiative is an example of opt-out mechanisms.

All of my data has some bearing on other people – if you exclude all personal data relating to other people, you exclude too much. E.g. household data. It’s a slippery slope. There’s a spectrum. E.g. smart meters – always family-level data. But not about specific people, like genomic data.

Anonymisation gets harder the more data you have – so every kind of data becomes relevant. There’s no hard/fast line on this. There are no stronger restrictions on access, because people couldn’t be sure that those with access hadn’t used it secretly. There is a notion (a social contract) trhat by going to the hospital that you have implied consent to data processing for delivering treatment. But secondary uses are not implied (e.g. invoice reconciliation). Even if you forget about the information content of a genome, it’s still a biometric.

Conclusions:

Different laws apply

Consent can't be completely open-ended.

It's not about just access, but also use.