What Does a Five-Year-Old Know that Our Privacy Laws Don't?

I have three children: twins Rachel and Abby, both age 16 and Jacob, age 14. While in my second year at Eli Lilly and Company nearly a decade ago, my wife, Melisa, had a medical procedure. Jake and I drove Melisa to the doctor’s office for the colonoscopy (although HIPAA does not apply, rules of matrimonial harmony do, so I have received a verbal consent for this disclosure).

When Melisa had safely exited the car, Jake began the interrogation: Is mama getting a shot? No. Then why is she going to the doctor? To get a picture of her tummy. The outside? (Pause, and fatal decision to be honest.) No, the inside. How? (Longer pause.) A camera. How do they get it inside? (Faint awareness of a prior bad decision, but plowing ahead.) It’s a tiny camera and it goes into her bottom.

Absolute silence.

Fast forward to picking up mama and the girls. As they entered the sliding door of the van, Jake unbuckled his car seat (when did he learn that skill and why have I been jumping out and racing to unbuckle him at every destination all day??) and jumped down, he said, “guess what? Mama had a camera put up her bottom!” Then he added the fatal blow: “BUT DON’T TELL ANYONE!”

At that moment, Melisa, herself an Indiana University Law graduate, looked at me from the front passenger seat and said to me, the CPO of a major multi-national corporation, “Well, at least someone knows something about privacy.”

And that’s the point, isn’t it? Even a five year old has the basic wisdom to understand the idea of human dignity and those things that should be held privately. The concept of privacy is intuitive. It is pure.

I am a privacy advocate, but privacy laws and regulations are not intuitive. In the data privacy space, we adults have royally screwed this up. We’ve taken a basically intuitive and practical principle and turned it into a labyrinth of thousands of national and local laws, regulations, rulings and opinions. We’ve turned the clear into muddy, the pure into politics.

And despite my story, in healthcare—an area in which I’ve spent my entire career—it isn’t funny. Not even remotely. People are suffering and people are dying.

We restrict health data flows, not from fear of human indignity or harm, but because the regulations say we need a piece of paper with specific words signed by someone who can’t possibly hope to understand the complexities of data analytics. And people continue to suffer and die.

That’s not overly dramatic. It’s a fact.

The National Institute of Health has published data on deaths due to information error. Errors that could be erased with better sharing of information that we’ve had in our possession for as long as records have been kept. And we could share it with technology that’s been available for 20 years. The numbers are staggering: 100,000 deaths a year from healthcare errors.

Of course, privacy regulations are not the sole cause of the reluctance to share data – probably not even the primary reason data is not shared more widely. But there. See. That’s the trap.

We’ve laid our wisdom at the doorstep and instead of saying, “how can we prevent 100,000 deaths a year,” we say, “not our fault, we have to protect privacy of patients and this really doesn’t have a negative impact.” But the regulations aren’t designed to protect privacy, they’re designed to restrict data flows so that privacy can’t be assailed. They’re not the same thing.

If someone robs an ATM, you don’t restrict the money flow to stop it. You construct measures to catch the bad guys and prosecute them.

But in health data, when bad guys steal data, we construct massive regulations designed to constrict data flow to a small enough trickle so we can protect a regulatory definition of privacy – not the pure intuitive concept of privacy. And by abdicating our intuition, we require consent from people who don’t understand what they’re consenting to. We force “covered entities” to spend billions of dollars to put in place privacy policies that no one reads.

We’ve lost our way. Our wisdom has given way to regulation.

I think it’s time our profession steps back into the ring and makes a real difference in the lives of patients. Either you believe in the vision of trying to make people better or you don’t. If you believe in that vision, then we need to find a way to enable it and not sacrifice our privacy wisdom for the next round of data stultifying regulations. We understand what matters intuitively.

First, secure the data. Everywhere, not just in magic entities that fit some contrived notion of regulatory jurisdiction gerrymandering. Everywhere by everyone. Then we need to undertake the very difficult task of figuring out what data use is good and appropriate and worthy and what uses are not. Then we can figure out how to inform people. Not through ridiculous consent processes that no one understands but through real education and outreach.

It’s a siren call for our profession. It is the difference between being a traffic cop in your company and a visionary leader.

photo credit: Nina Matthews Photography via photopin cc

Written By

Stanley Crosley, CIPM, CIPP/US


If you want to comment on this post, you need to login.
  • Regina Clark Vehrs Apr 11, 2013

    Love your post... couldn't agree more.

  • Damon Greer Apr 11, 2013

    Great points Stan. It's past time to inject a little common sense and thought into the discussion on privacy in all sectors.

  • Jennifer Kotlarczyk Apr 13, 2013

    Spot On!

  • Chris Zoladz Apr 14, 2013

    Well said Stan !


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»