What Does a Five-Year-Old Know that Our Privacy Laws Don't?

I have three children: twins Rachel and Abby, both age 16, and Jacob, age 14. While in my second year at Eli Lilly and Company nearly a decade ago, my wife, Melisa, had a medical procedure. Jake and I drove Melisa to the doctor’s office for the colonoscopy (although HIPAA does not apply, rules of matrimonial harmony do, so I have received a verbal consent for this disclosure).

When Melisa had safely exited the car, Jake began the interrogation: Is mama getting a shot? No. Then why is she going to the doctor? To get a picture of her tummy. The outside? (Pause, and fatal decision to be honest.) No, the inside. How? (Longer pause.) A camera. How do they get it inside? (Faint awareness of a prior bad decision, but plowing ahead.) It’s a tiny camera and it goes into her bottom.

Absolute silence.

Fast forward to picking up mama and the girls. As they entered the sliding door of the van, Jake unbuckled his car seat (when did he learn that skill and why have I been jumping out and racing to unbuckle him at every destination all day??), jumped down and said, “Guess what? Mama had a camera put up her bottom!” Then he added the fatal blow: “BUT DON’T TELL ANYONE!”

At that moment, Melisa, herself an Indiana University Law graduate, looked at me from the front passenger seat and said to me, the CPO of a major multi-national corporation, “Well, at least someone knows something about privacy.”

And that’s the point, isn’t it? Even a five-year-old has the basic wisdom to understand the idea of human dignity and those things that should be held privately. The concept of privacy is intuitive. It is pure.

I am a privacy advocate, but privacy laws and regulations are not intuitive. In the data privacy space, we adults have royally screwed this up. We’ve taken a basically intuitive and practical principle and turned it into a labyrinth of thousands of national and local laws, regulations, rulings and opinions. We’ve turned the clear into muddy, the pure into politics.

And despite my story, in healthcare—an area in which I’ve spent my entire career—it isn’t funny. Not even remotely. People are suffering and people are dying.

We restrict health data flows, not from fear of human indignity or harm, but because the regulations say we need a piece of paper with specific words signed by someone who can’t possibly hope to understand the complexities of data analytics. And people continue to suffer and die.

That’s not overly dramatic. It’s a fact.

The National Institutes of Health has published data on deaths due to information error. Errors that could be erased with better sharing of information that we’ve had in our possession for as long as records have been kept. And we could share it with technology that’s been available for 20 years. The numbers are staggering: 100,000 deaths a year from healthcare errors.

Of course, privacy regulations are not the sole cause of the reluctance to share data – probably not even the primary reason data is not shared more widely. But there. See. That’s the trap.

We’ve laid our wisdom at the doorstep and instead of saying, “how can we prevent 100,000 deaths a year,” we say, “not our fault, we have to protect privacy of patients and this really doesn’t have a negative impact.” But the regulations aren’t designed to protect privacy, they’re designed to restrict data flows so that privacy can’t be assailed. They’re not the same thing.

If someone robs an ATM, you don’t restrict the money flow to stop it. You construct measures to catch the bad guys and prosecute them.

But in health data, when bad guys steal data, we construct massive regulations designed to constrict data flow to a small enough trickle so we can protect a regulatory definition of privacy – not the pure intuitive concept of privacy. And by abdicating our intuition, we require consent from people who don’t understand what they’re consenting to. We force “covered entities” to spend billions of dollars to put in place privacy policies that no one reads.

We’ve lost our way. Our wisdom has given way to regulation.

I think it’s time our profession steps back into the ring and makes a real difference in the lives of patients. Either you believe in the vision of trying to make people better or you don’t. If you believe in that vision, then we need to find a way to enable it and not sacrifice our privacy wisdom for the next round of data-stultifying regulations. We understand what matters intuitively.

First, secure the data. Everywhere, not just in magic entities that fit some contrived notion of regulatory jurisdiction gerrymandering. Everywhere by everyone. Then we need to undertake the very difficult task of figuring out what data use is good and appropriate and worthy and what uses are not. Then we can figure out how to inform people. Not through ridiculous consent processes that no one understands but through real education and outreach.

It’s a siren call for our profession. It is the difference between being a traffic cop in your company and a visionary leader.

photo credit: Nina Matthews Photography via photopin cc

Written By

Stanley Crosley, CIPM, CIPP/US



  • Regina Clark Vehrs Apr 11, 2013

    Love your post...  couldn't agree more.  
  • Damon Greer Apr 11, 2013

    Great points Stan. It's past time to inject a little common sense and thought into the discussion on privacy in all sectors.
  • Jennifer Kotlarczyk Apr 13, 2013

    Spot On!
  • Chris Zoladz Apr 14, 2013

    Well said Stan!

