Generating evidence on privacy outcomes to inform privacy risk management: A way forward?

D. Strech, T. Haven, V.I. Madai, T. Meurers, F. Prasser*

*Corresponding author for this work

Research output: Contribution to journalArticleScientificpeer-review

Abstract

Effective and efficient privacy risk management (PRM) is a necessary condition to support digitalization in health care and secondary use of patient data in research. To reduce privacy risks, current PRM frameworks are rooted in an approach trying to reduce undesired technical/organizational outcomes such as broken encryption or unintentional data disclosure. Comparing this with risk management in preventive or therapeutic medicine, a key difference becomes apparent: in health-related risk management, medicine focuses on person-specific health outcomes, whereas PRM mostly targets more indirect, technical/organizational outcomes. In this paper, we illustrate and discuss how a PRM approach based on evidence of person-specific privacy outcomes might look using three consecutive steps: i) a specification of undesired person-specific privacy outcomes, ii) empirical assessments of their frequency and severity, and iii) empirical studies on how effectively the available PRM interventions reduce their frequency or severity. After an introduction of these three steps, we cover their status quo and outline open questions and PRM-specific challenges in need of further conceptual clarification and feasibility studies. Specific challenges of an outcome-oriented approach to PRM include the potential delays between concrete threats manifesting and the resulting person/group-specific privacy outcomes. Moreover, new ways of exploiting privacy-sensitive information to harm individuals could be developed in the future. The challenges described are of technical, legal, ethical, financial and resource-oriented nature. In health research, however, there is explicit discussion about how to overcome such challenges to make important outcome-based assessments as feasible as possible. This paper concludes that it might be the time to have this discussion in the PRM field as well.
Original languageEnglish
Article number104257
Number of pages6
JournalJournal of Biomedical Informatics
Volume137
DOIs
Publication statusPublished - 2023

Keywords

  • Data sharing
  • Evidence
  • Privacy
  • Risk management
  • Confidentiality
  • Humans

Fingerprint

Dive into the research topics of 'Generating evidence on privacy outcomes to inform privacy risk management: A way forward?'. Together they form a unique fingerprint.

Cite this