Medical Data: The Prophecy of Phunsukh Wangdoo

With medical records worth their weight in gold, the time isn’t far when unscrupulous internet companies could be trading in healthcare data, ostensibly for research, but really for money


There was an adorable scene in Raj Kumar Hirani’s blockbuster 3 Idiots where Chanchad, a.k.a. Phunsukh Wangdoo asks an exasperated Viru Sahasrabuddhe how he’d like to have his medical records posted on the notice board instead of doctors detailing a course of treatment. The scene evoked mirth way back in 2009 when Aamir Khan and gang came calling.

Ten years later, Wangdoo’s words appear prophetic though now it isn’t about putting medical records on the notice board. The joke is on the patients today as medical records appear to be worth their weight in gold and when there’s wealth around, make no mistake that there would be a gang seeking to acquire all of it, legally or otherwise.

And it’s none else than the world’s biggest data hoarder Google that’s once again in the line of fire. A series of scandals broke in recent times as the internet behemoth was found using data from one of America’s largest healthcare providers for one of its projects. Of course, Google owned up via a blog post but that wasn’t the issue. The question is how did Google get its hands on the data?

A report published on quotes Prof. Sandra Wachter, who teaches law, data and AI at Oxford’s Internet Institute, as suggesting that each time our data gets collected, we leave something of ourselves behind, and anyone can use this online behaviour to infer sensitive aspects of our lives such as ethnicity, gender, sexual orientation and health status.

Internet companies have been using these inferences to serve targeted ads for close to two decades (more specifically since Google created this business model) but things get murky when they enter our deeply private space. Imagine how you’d react if Google serves you Viagra or condom ads just because you happened to watch a soft-porn video? Or one gets ads for fertility treatments based on the hospital’s email or through access to one’s browser history?

Google actually acknowledged that they had access to un-redacted and non-anonymous data from healthcare provider Ascension that included test results, prognosis, hospital records and a whole lot of similar information. While the company claimed it was meant for researchers on a project that seeks to build software to enhance the healthcare ecosystem, the fact is this data was meant to be sacred.

The US Government has since opened investigations into the deal between Google and Ascension as officials said the data accessed by the search giant was accessible only to healthcare staff. In the United States, getting hold of data without specific consent is legal under the HIPAA, which incidentally is what Indian healthcare enterprises now swear by.

The story goes on to elaborate that such a scenario cannot be ruled out in other parts of the world, including in Europe where in spite of stricter rules under the GDPR, experts claim there are no absolute prohibitions on data transfer across enterprises. And the problem is explained quite simply by Wachter: “We don’t have time to read a 600-page privacy policy. Nobody has the time to do that, and everybody knows that nobody has the time to do that.”

In other words, so long as long-winded conditions are tagged to everything on the internet, there is no way an individual can hope to remain private in cyberspace. No one has time to read the note before accepting it, and the few who do read it could find it tough to fathom, given that these have been drafted by legal hoodlums whose only interest is in those that pay them.

With more such instances likely to hit the headlines in the future, the only way around this mess appears to be actual reform around the tool called “consent”, given the above problem. Another challenge, according to Wachter is that data protection laws focus on the data collection moment and not what is done with it thereafter.

While GDPR resolves this to some extent by minimising data that companies can hold on people, it still doesn’t allow users to access the data that they are giving away or to the conclusions that an enterprise draws by massaging it. Data security experts feel that one way of resolving this could be to stop perceiving a one-size-fits-all model on privacy.

Simply put, enterprises should accept responsibility for the data they own and share it with the owner so that erroneous assumptions are checked and corrected. In addition, it would also make sense to have different levels of privacy for data sets. For example, one’s financial data needs higher security than the medical prescriptions one had over the past year, assuming of course that such data has been made anonymous.

While GDPR has built in a “right to be forgotten” as part of its privacy rules, there is also a need to push for a “right to the right inference” which currently does exist in social platforms where users can manually control the ads that get served up by individually responding to their first appearance. Painstaking? Of course! But, in today’s world there’s hardly a choice.

Till date, the companies have operated in the grey areas around compliance by suggesting that the data they siphon off is for scientific research and for the ultimate good of humanity. So, what if it means some of us having our ailments published on the notice board?

Phunsukh Wangdoo may be right, but then in the murky cyber world, who cares?


TAGS: Data, Security, Privacy, Google, Healthcare, Ascension