Planning for sharing data is a way to enforce MSF Medical Data Protection Principles.

Imagine that you are using a free email service. Let’s call it C-mail.

One day the company that runs C-mail makes a publication based on your emails. You were not informed and never gave consent. Your personal information is used to identify and publish trends about hot topics you discussed with your friends. Moreover, it was not you that discovered this publication; instead, a friend of yours read it and was able to re-identify you through the information the company running C-mail chose to publish. Your friend is livid because he read that you went to see Beyoncé and didn’t tell him. You know he loves Beyoncé! Why didn’t you invite him?!

You find yourself with your data publicly available and one friend less. Moreover, if you live somewhere where liking Beyoncé is heavily stigmatised or considered treasonous, you might find yourself in serious danger.

How would you feel?

Let’s relate that feeling to the data practices of humanitarians – a specialisation here at the MSF Japan Innovation Unit. Imagine a medical aid worker who has a great idea to write an academic article-based data s/he have collected as part of their humanitarian work. That aid worker returns home after the end of his/her contract with a copy of the data, and published the article, all without informing any of the patients who are the subjects of that data.

While the second story has more serious implications on individual dignity (patients are generally in a disempowered situation when they come to ask for health care, particularly in the places MSF works), both stories have exactly the same issue. They both contain an implicit question: “To whom does personal data belong?”. In both stories, both the company running C-mail and the doctor acted as if they were the “owners” of the data. But is data really something that can be owned? Is it analogous to property?

Both private corporations and humanitarians tend to work as though it is. If data can be owned, then rights over it can be alienated – i.e. they can be transferred, just as rights over a car can be transferred. By viewing data in this way private corporations are free to transfer it in pursuit of their principle objective – profit – by selling it for a price. Similarly, humanitarians can transfer the data they collect as they see fit in the pursuit of their goal – alleviating suffering and protecting dignity.

But several ethicists question this view of data. They suggest instead that data are an extension of the person about whom they are collected. Our name, surname, phone number and health status: all of these are parts of us as human beings. The components of our human-ness are, by definition, inalienable. Like human rights, they cannot be surrendered and given to someone else, and any attempt to do so is considered immediately invalid.

What does this mean for sharing data?

If an organisation or other entity owns the data it has collected, then it shares it when it transfers it to a different entity. Thus, it is during the transfer of data to a separate entity that the ethical constraints around sharing become relevant. Both the company running C-mail and the aid worker appear to have acted according to this understanding; since the same entity that gained consent to collect the data is also the one reusing it, then, according to this argument, no sharing occurred.

However, if data is inalienable, then sharing is not about data crossing the boundary between one organisation or entity and another. Instead, it becomes about the pact that is reached between the data subject and the data collector on how data can be used. That agreement constitutes the boundary beyond which sharing occurs. The moment data is used for purposes beyond that agreement, it has been shared and so the ethics around sharing kick in. As such, when the aid worker and the company running C-mail used the data they collected for a new purpose, they shared that data (albeit with themselves). At that moment, an ongoing ethical obligation owed to the data subject kicked in, and a new and different pact became necessary.

If we can share data with ourselves, then data can be shared without ever leaving an organisation. This has implications on organisational data management processes, consent taking, and even the role of Ethical Review Boards. It also has implications on operational and reputational risk management (see here and here).

To go back to Beyoncé, she might say: humanitarians already share a lot of data, “now let’s get in formation!” We need to plan for sharing data from the moment it is collected. It is the best way to ask ourselves appropriate, fundamental questions before risking harm to patients, communities and our organizations, and our sector.