Big data and the law

Excerpt from the new book Big Data of Complex Networks:

Big Data and data protection law provide for a number of mutual conflicts: from the perspective of Big Data analytics, a strict application of data protection law as we know it today would set an immediate end to most Big Data applications. From the perspective of the law, Big Data is either a big threat … or a major challenge for international and national lawmakers to adopt today’s data protection laws to the latest technological and economic developments.

Emphasis added.

The author of the chapter on legal matters is Swiss and writes primarily in a European context, though all countries face similar problems.

I’m not a lawyer, though I sometimes work with lawyers as a technical expert, and sometimes help companies with the statistical aspects of HIPAA law. But as a layman the observation above sounds reasonable to me, that strict application of the law could bring many applications to a halt, for better and for worse.

In my opinion the regulations around HIPAA and de-identification are mostly reasonable. The things it prohibits mostly should be prohibited. And it has a common-sense provision in the form of expert determination. If your data uses fall outside the regulation’s specific recommendations but don’t endanger privacy, you can have an expert certify that this is the case.


3 thoughts on “Big data and the law”

  1. I would like to see a uniform standard of enforcement.

    I worked as a contractor at a major health care insurance company for a time. It struck me that, despite the need to stand back when people are picking up Rx at a local pharmacy, here, at this company, anyone, including a contractor, could stand around a FAX machine which was receiving copy after copy of information from doctors, from others, regarding intimate details of patients’ health care, and NOTHING was done to secure this information from being taken and copied, or just looked at in morbid curiosity. There were no agreements I had to sign, either, securing from me a promise to treat this information with any special care.

    Yet people go ballistic about such information possibly being available to companies via Internet or otherwise …

  2. While we could all benefit from proper use of big data, it is now clear that the misuse of public data, tracking, etc. will tend to limit our ability to reap the fruits in full. Sad that greed will poison the well yet again.

  3. I know HIPAA and friends are well-intentioned and carefully crafted. What too many of these things are (I’m looking at you, HIPAA) is too complex for mere mortals.

    Consider the doctor’s office sign-in: some have an open pad; some have a pad with plastic covers that can be flipped over previous names (but can just as easily be lifted); some have stickers, which are whisked away as soon as you sign on; some are entirely electronic (surface-secure, anyway).

    Either some of these folks are violating HIPAA or some are doing far more than is required. And the point is, NONE OF THEM ARE SURE, because HIPAA is too hard to understand (well, too long, anyway).

    Similar: Many auditors say “birth dates must be protected, period”. Yet clearly if you protect the rest of the PHI, the birth dates (which seem to be primary keys for most healthcare uses) aren’t sensitive: the fact that someone was born on February 6, 1971, isn’t interesting if the rest of the record is encrypted.

    More proof that compliance and security have little to do with each other, alas…
