A hospital with one patient
The hardest data privacy use case
Part 1 of 5
The Privacy Enhancing Technology (PET) landscape is littered with use cases, some unusual. Privacy is a riddle wrapped in a conundrum, often requiring Olympic-level mental gymnastics to grasp.
Does the right to be forgotten include the request to be forgotten? How do we simultaneously increase service personalization while hiding personal identification information (PII)?
Use cases are important for navigating complex ideas and achieving consensus for broad market objectives. They can provide a simple and conversational framework to better understand PET. Privacy as a topic should be a wakeup call to all enterprises. It's all fun and games until someone gets sued by the EU.
The challenge with PET, however, is that we never seem to move past use cases. PET use cases often become rabbit holes that lead from one burrow to another. One PET analogy that leads to another, which leads to a PET metaphor, until we are all floating on a sea of random assumptions.
At Devr we've had countless discussions with customers across many industries. General patterns we see with PET conversations can be summarized as follows:
- What does privacy mean?
- How does privacy help me?
- What can I do with privacy?
Each of these questions leads down the use-case rabbit hole and an endless series of 'what if' burrows. A sales presentation evolves at breakneck speed into a 'Choose your own adventure' novel.
The problem with foundational questions is the proportional distance to the value proposition.
We've found that positioning the value of privacy around 'continuous compliance' seems to narrow the field of dreams into a more manageable rabbit hole, but still a rabbit hole. The reason for this, of course, is that compliance is like a fingerprint. Every enterprise has a unique and personal definition of what compliance means.
Though more manageable, PET-compliance conversations are riddled with as many use cases and 'what-ifs' as generic PET conversations. As an industry we need to get off the use-case merry-go-round.
It is the complexity of PET that leads us down this pathological path, searching for that singularity: one privacy use case to rule them all.
The harsh reality is that not all Privacy use cases are created equal. Some are terrible, comical distractions. The best way to defeat a useless use case is with a better one. Like the Highlander, in the end there can be only one.
We need a single privacy use case that represents the broad challenges to solve; a use case that resonates with non-technical stakeholders, one that borders on the absurd, not drawn to scale, but which allows us to establish those critical beachheads necessary to bound the privacy spectrum.
Devr's proposal for this use case is 'A hospital with one patient'. The challenge here is simple, but not easy: how can PET enable a hospital with one patient to participate in a Smart Health ecosystem without violating the patient's PII? The patient has two, almost contradictory, rights: the right to privacy and the right to the best health care possible.
The solution to this challenge is also simple and also not easy: sometimes you have to anonymize the patient and sometimes you have to anonymize the hospital.
This is part one of a five-part series of articles that will explore this use case, to identify the challenges and pitfalls we need to overcome to bring PET into the mainstream.
We hope these articles will be informative, and we hope you'll join us on this endeavor to explore and resolve this unique privacy use case.