GDPR16_London_Web_300x250-FRENCH-v2
OneTrust_GDPRCompliance_square-banner1
IAPP_GPS17_CFP_300x250_v1
What Does a Five-Year-Old Know that Our Privacy Laws Don't?

I have three children: twins Rachel and Abby, both age 16 and Jacob, age 14. While in my second year at Eli Lilly and Company nearly a decade ago, my wife, Melisa, had a medical procedure. Jake and I drove Melisa to the doctor’s office for the colonoscopy (although HIPAA does not apply, rules of matrimonial harmony do, so I have received a verbal consent for this disclosure).

When Melisa had safely exited the car, Jake began the interrogation: Is mama getting a shot? No. Then why is she going to the doctor? To get a picture of her tummy. The outside? (Pause, and fatal decision to be honest.) No, the inside. How? (Longer pause.) A camera. How do they get it inside? (Faint awareness of a prior bad decision, but plowing ahead.) It’s a tiny camera and it goes into her bottom.

Absolute silence.

Fast forward to picking up mama and the girls. As they entered the sliding door of the van, Jake unbuckled his car seat (when did he learn that skill and why have I been jumping out and racing to unbuckle him at every destination all day??) and jumped down, he said, “guess what? Mama had a camera put up her bottom!” Then he added the fatal blow: “BUT DON’T TELL ANYONE!”

At that moment, Melisa, herself an Indiana University Law graduate, looked at me from the front passenger seat and said to me, the CPO of a major multi-national corporation, “Well, at least someone knows something about privacy.”

And that’s the point, isn’t it? Even a five year old has the basic wisdom to understand the idea of human dignity and those things that should be held privately. The concept of privacy is intuitive. It is pure.

I am a privacy advocate, but privacy laws and regulations are not intuitive. In the data privacy space, we adults have royally screwed this up. We’ve taken a basically intuitive and practical principle and turned it into a labyrinth of thousands of national and local laws, regulations, rulings and opinions. We’ve turned the clear into muddy, the pure into politics.

And despite my story, in healthcare—an area in which I’ve spent my entire career—it isn’t funny. Not even remotely. People are suffering and people are dying.

We restrict health data flows, not from fear of human indignity or harm, but because the regulations say we need a piece of paper with specific words signed by someone who can’t possibly hope to understand the complexities of data analytics. And people continue to suffer and die.

That’s not overly dramatic. It’s a fact.

The National Institute of Health has published data on deaths due to information error. Errors that could be erased with better sharing of information that we’ve had in our possession for as long as records have been kept. And we could share it with technology that’s been available for 20 years. The numbers are staggering: 100,000 deaths a year from healthcare errors.

Of course, privacy regulations are not the sole cause of the reluctance to share data – probably not even the primary reason data is not shared more widely. But there. See. That’s the trap.

We’ve laid our wisdom at the doorstep and instead of saying, “how can we prevent 100,000 deaths a year,” we say, “not our fault, we have to protect privacy of patients and this really doesn’t have a negative impact.” But the regulations aren’t designed to protect privacy, they’re designed to restrict data flows so that privacy can’t be assailed. They’re not the same thing.

If someone robs an ATM, you don’t restrict the money flow to stop it. You construct measures to catch the bad guys and prosecute them.

But in health data, when bad guys steal data, we construct massive regulations designed to constrict data flow to a small enough trickle so we can protect a regulatory definition of privacy – not the pure intuitive concept of privacy. And by abdicating our intuition, we require consent from people who don’t understand what they’re consenting to. We force “covered entities” to spend billions of dollars to put in place privacy policies that no one reads.

We’ve lost our way. Our wisdom has given way to regulation.

I think it’s time our profession steps back into the ring and makes a real difference in the lives of patients. Either you believe in the vision of trying to make people better or you don’t. If you believe in that vision, then we need to find a way to enable it and not sacrifice our privacy wisdom for the next round of data stultifying regulations. We understand what matters intuitively.

First, secure the data. Everywhere, not just in magic entities that fit some contrived notion of regulatory jurisdiction gerrymandering. Everywhere by everyone. Then we need to undertake the very difficult task of figuring out what data use is good and appropriate and worthy and what uses are not. Then we can figure out how to inform people. Not through ridiculous consent processes that no one understands but through real education and outreach.

It’s a siren call for our profession. It is the difference between being a traffic cop in your company and a visionary leader.

photo credit: Nina Matthews Photography via photopin cc

Written By

Stanley Crosley, CIPM, CIPP/US

4 Comments

If you want to comment on this post, you need to login.

  • Regina Clark Vehrs Apr 11, 2013

    Love your post...  couldn't agree more.  
  • Damon Greer Apr 11, 2013

    Great points Stan. It's past time to inject a little common sense and thought into the discussion on privacy in all sectors.
  • Jennifer Kotlarczyk Apr 13, 2013

    Spot On!
  • Chris Zoladz Apr 14, 2013

    Well said Stan ! 

Related

Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with other privacy pros, dive deep into a specialized topic or simply share a common interest, IAPP Communities are for you.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

NEW! Raise Staff Awareness

Equip all your data-handling staff to reduce privacy risk, with Privacy Core™ e-learning essentials.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

NEW! FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Schooled in Privacy

Looking to get some higher-ed in privacy? Check out these schools that include data privacy courses in their curricula.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

NEW! Raise Staff Awareness

Equip all your data-handling staff to reduce privacy risk, with Privacy Core™ e-learning essentials.

The Industry of Privacy

Take stock, compare your practices to those of other organizations, and get budget with these studies on the industry of privacy.

More Resources »

Time to Get to Work at the Congress

Thought leadership, a thriving community and unrivaled education...the Congress prepares you for the challenges ahead. Register today.

GDPR Comprehensive London: Register Onsite for In-Person or Online for Virtual

Online registration for in-person attendance is now closed. For in-person, register onsite the day of. For virtual, register online throughout the programme.

Call for Speakers at Summit 2017

Are you an engaging speaker with privacy expertise to share? We want you! Submit a proposal today! The Call for Speakers closes Oct. 2, 2016.

GDPR's Top Impacts - Webcon Delivered in French

Rejoignez des experts pour en savoir plus : Les 10 conséquences pratiques les plus importantes du RGPD. S’inscrire maintenant.

Intensive Education at the Practical Privacy Series

The Series is returning to DC, this year spotlighting Data Breach, FTC and Consumer Privacy, GDPR and Government privacy issues. It’s the education you need now!

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»