Controlling your Privacy with Health Commons

posted on: March 28, 2012

If you buy into the idea that information about your body is ‘owned’ by you, then it’s obvious you should get to have a say about what happens with that data once it leaves your body. Unfortunately, today there is no clear and easy way to express how you want people to use your data. In most cases, you never even get asked.

As a result I see many eHealth project implementers making cavalier decisions about data management that impact the rights and privacy of populations, patients and doctors alike. People grab, share, analyze information they may not have the rights to, sometimes even by accident. There are so many incentives to produce and move data freely: folks could use the data for the promise of big data analysis, research publications, commercial product improvement, for the sakes of efficiency, medical research, marketing, writing grants, or operations analysis. Violating rights and expectations is especially easy as these eHealth projects tend to have a bunch of players involved, each one with their own language, objectives and culture.

Unfortunately, there is a lack of frameworks and common language in which to have a discussion about rights to share and use health data. Academics do IRB reviews, but rarely understand licensing terms. Doctors use eHealth systems but are not information specialists, but typically don’t go beyond clinical and public health use. Private systems may or may not have end user license agreements (EULAs), they impose a one-size-fits-all policy, and nobody reads the EULAs anyway because they are complicated, and each one so is different. Doctors in the USA mention HIPAA, and folks from other countries snicker. Governments roll out an eHealth HIV project and the data ends up in some intern’s laptop in California because he happened to help with the database system. And as you see this information flow rarely involves the consent and opt-in of the population and health providers in whom the population places their trust.

Imagine this situation: a mom shows up at a clinic and gets a diagnostic for her child. Who has which rights on the data? What about the kid? Her mom? What about the doctor who takes the test, the manufacturer of the diagnostics machine, the clinic where the doctor works, the NGO that implemented the diagnostic program, the funder that funded the NGO and bought the diagnostic machine, the government of the country, WHO?

Imagine a mother taking her child to take a test. Today, a wide mix of people and organizations beieve they have some rights to the data; but there is no common framework to make it flow respecting the child & mothers' desires.

I was recently a part of the annual AAAS Annual Meeting on a panel about Surveillance. It was a good chance to catch up with Nigel Collier from Biocaster and get to hear some poignant questions from Vint Cerf, one of the ‘fathers of the internet’. We had representatives of all sorts of surveillance work from anti-terrorism to meme propagation to infectious disease tracking; and there I presented a sketch of an idea:


What if we created a simple licensing framework that made it clear what rights and constraints go with different bits of your health data as it gets stored, aggregated, and analyzed?

If Creative Commons licensing helps a wide sharing of creative work under predictable terms that respect the intent of the creators; could a “Health Commons” do the same thing for health data? What can we learn from the evolution of sharing of information on the web and apply it to this critical space?

I would like to one day be able to share information about my health on some mobile app, a wellness site, or a diagnostic procedure, and specify that I am sharing it with the following restrictions:


What if I could assign privileges to how my data will be used? What if it was based on a legal framework shared by researchers, practitioners, clinicians, and commercial organizations?


Sometimes I would say it is OK to link the data to my other records, sometimes not: it all depends on the context and what it is that I am sharing. The important thing is that I am in control of data about my health.

Or, conversely, if I am participating in some survey, taking a diagnostic, or going to a new health care provider I would like to know if my data is going to be used with a forced license on it, so I can make an informed decision about whether to actually participate or not.

How would it work?

The idea roughly sketched would be to:

  1. Treat personal information as data covered under copyright law, with the patient/originator as the original copyright holder.
  2. Build a licensing scheme that grants explicit rights and restrictions to receivers of that data.
  3. Make sure the rights and restrictions are termed right so that re-licensing and aggregation have clear and simple rules.
  4. Embed licensing options into all relevant diagnostic and medical record platforms, as well as wellness websites, social networking sites, and so on.
  5. Communicate & advocate the framework especially building conscience in the public.

I don’t know if the license example I invented for the example above (linking to other personal information, aggregating, and use for health, science, and commerce) are ‘the right ones’. I would love to hear more ideas for the sort of constraints and freedoms a simple license would allow.

Maybe other terms would be more important. Are there levels of anonymization I could specify for my data in aggregate form? Are there clauses for natural disasters or crisis that would allow me to temporarily bypass privacy concerns in order to help me reunite with my family? The nice thing about the model is that it provides a framework in which to resolve these questions.

The genius of Creative Commons was to choose a few simple rules that would be easy to understand for many, instead of trying to make it a comprehensive license for all cases and preferences; a Health Commons would have to emulate that approach. Each time you see the Creative Commons icon it carries beneath it a smart and legally sound set of terms and licenses.



Next Steps?

If anyone feels inclined to develop this further please let me know. The idea needs work from copyright attorneys, IP wonks, IRB data geeks, healthcare providers – and most importantly, anyone in the general population who would like to have a tool like this. I am especially interested in the licensing framework required for safe sharing of personal health information. I have seen “Health Commons” used to describe a knowledge commons with intellectual property such as genetic sequences, but I think much more focus is needed on the incoming tidal wave of integrated personal data from electronic records, sensors, and surveillance.

I think especially large funders and companies who are at the intersection of humanitarian field work and scientific investments need to improve their frameworks to make sure their programs have an ethical approach to protecting rights of their beneficiaries. In the meantime, maybe they should get into the mindset that they are just storing borrowed copyrighted information…

Please leave comments if you have an opinion on the topic.

More about Creative Commons

We use Creative Commons extensively in our work at InSTEDD. Most of our presentations are explicitly licensed under CC BY-NC-SA 3.0 (Attribution, Noncommercial, Share Alike), as is the material of this blog.


Like InSTEDD, Creative Commons is a non-profit organization that can always use your support: consider donating to them here.



Comments are closed.

View more of InSTEDD's blog posts.