Beware the data grab

Hello! In the first Normal Deviance column after an extended break, two recent stories remind us that where the data is, there is the temptation to use it for other purposes.

First, in Western Australia, police were investigating two crimes; a shooting murder and a stabbing, and issued warrants to access venue check-in data for potential witnesses to the events. The data had been collected by the state SafeWA app. Previously people had been promised that the app data would “only be accessible by authorised Department of Health contact tracing personnel, should COVID-19 contact tracing be necessary’”. However, this protection was not legislated and so police were entitled to access the data via warrant.

Second, there is an ongoing debate in England about the General Practice Data for Planning and Research (GPDPR) program. This new rule mandates that unless people opt-out, the entire history of their GP visits would be submitted to a central repository, which would have a broad remit to use the data to “support the planning and commissioning of health and care services, the development of health and care policy, public health monitoring and interventions (including COVID-19) and enable many different areas of research.”

In both cases subsets of the community have raised issue; data that had been collected for one purpose was being used for another. More interesting still is the government response to these concerns. While the WA Police Commissioner Chris Dawson stands by the decision, citing the serious nature of a murder investigation, the WA government deemed the use undesirable and have quickly moved to legislate on the use of SafeWA data. They decided that community trust in the app was more important than the benefits of the secondary use.

In the UK, the government has dug in, mounting a strong defence of the benefits from the pooled data, under the banner ‘data saves lives’. The rollout has been delayed for three months while discussions take place.

The principles are clear – in both cases the datasets at stake are demonstrably valuable. The UK’s arguments that effective use of a centralised repository will save lives are largely right – large patient history datasets are a powerful tool for policy makers and researchers. And people want definitely want justice for serious crimes, and expect police to use the tools they have been provided with to do so. However, these arguments push us in the direction of less privacy and heightened surveillance. At some stage we need to decide how to balance this against the right to privacy.

The issue is a live one more broadly too. Australia had a similar discussion about the use of e-health data with the rollout of the My Health Record system. That data can be used for research purposes, but is more heavily restricted than the UK GPDPR program, such as restrictions on commercial use or insurance. And people are able to opt out of secondary use via the MyGov portal. Debates around data retention in the era of Big Tech have also been abundant.

Two thoughts occur. First, the transparency of the ongoing use of the data is important. Potential use of data is often too intangible for many to debate sensibly, however if we are able to see the specific applications as they occur, we are in a much better position to offer opinions on the appropriateness of secondary data use. The SafeWA app incident was a case in point – the government chose to disclose on the use in a transparent way.

Second, we should not underestimate the cost of breaking community trust. Ongoing discussions around data privacy mean that people are increasingly informed about how their data is being collected. If there are doubts around the appropriateness of data use, people may elect to change their behaviour, to our collective detriment. We can already see this in the context of life or compensation insurance; patients can be judicious in what they disclose to their doctor, or what tests are taken (including genetic tests), knowing that there are potentially insurance implications attached to the information. To the extent that such concerns push a patient journey away from optimal care, this is a concern.

I like data – a lot. But privacy and consent count too.

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.