A standardized label for apps and services that seek to use personal data would be beneficial to data subjects in the same way standardized nutrition labels are. They would not replace privacy policies but would complement them by reducing the opportunity to wordsmith and confuse. Benefits would accrue to platforms as well. App store operators could take the presence of a standardized label in consideration when ranking search results or otherwise labeling the apps. This would reduce their exposure in a case like Facebook / Cambridge Analytica.

The relevance to UMA is clear with item 4, and somewhat with item 5. Overall, UMA is the best way I know of outsourcing GDPR. In healthcare, where HIPAA gives patients a clear right of access but allows data holders some discretion on labeling the clients of Requesting Parties, the label would be helpful. 

This initiative is designed around the PPR non-profit to avoid a lengthy standards process and because the key stakeholders in this case are consumers rather than institutions. I’m thinking in terms of FTC enforcement, copyright, and Creative Commons on the legal side.

Comments, please!


PPR Information Governance Label


▢  1. No sharing: The data is never shared with any external entities. It is not even shared in de-identified form.

▢  2. No aggregation: The data is never aggregated with other types of input or data from external sources. This includes mixing the data gathered via The Device¹ with other data, such as patient-reported outcomes.

▢  3. Always voluntary self-identification: The user of The Service is able to choose their own identity, the user does not need to have their identity verified unless required by law.

▢  4. Digital agent support: The user is able to specify a digital agent, trustee, or equivalent information manager, and this specified agent will not be subject to certification or censorship.

▢  5. No vendor lock-in: This service is easily and conveniently substitutable, so the user can easily move their data to another vendor providing a similar service. This prevents vendor lock-in and is often accomplished using Open Standards.


Indications for Use: The five separately self-asserted statements on the PPR Information Governance Label are subject to legal enforcement as would the privacy policy associated with The Service.


Copyright © 2018, Patient Privacy Rights Foundation.

Anyone may copy and redistribute unmodified copies of this work under the terms of the Create Commons CC-BY-ND-SA license, see link for full terms.


—-

Adrian



--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.