Making a Human Rights Based Approach to Personal Data Work

Alan Mitchell
Mydex
Dec 18, 2023

We (Mydex CIC) have just published a new Paper on how to practically implement a human rights approach to personal data. It’s important because implementing a human rights approach to personal data does two things: it involves implementing a human rights approach to the person that the data relates to and to the service that the data is being used to deliver. It’s key to actually making human rights happen on the ground, day-to-day, rather than just talking about it (which tends to happen quite often).

You might think that people’s rights in relation to their data are already covered, dealt with by legislation such as GDPR. To be sure, GDPR lays important foundations, creating a number of rights such as the right to access, to data portability, to transparency, to object to processing and to be forgotten.

But in many ways these are just formal rights which have very little impact on what happens day to day. We think a human rights approach to personal data goes much further than formal compliance with GDPR. It should extend into the nitty gritty of how themes such as Control, Agency and Guardianship work (hence the title of the Paper). Here are some of its key points.

Is user-centricity a good thing?

First off, almost always, slogans like ‘user centric service design’ are a sure-fire sign that a human rights approach to personal data is not being implemented. This is because of the way ‘user centric’ logic works. By definition, a ‘user’ is a person using a particular service. In focusing solely on the interface between the organisation and the individual, ‘user-centricity’ actually ignores the context and circumstances of the individual’s life, quickly turning the organisation’s attention back to itself — its interface with the user.

‘User-centric’ thus becomes a way in which organisations keep examining themselves in their own mirrors: high-sounding rhetoric for their continued focus on their own needs in relation to their users.

Here is a simple example: a user-centric approach to designing forms will focus on one particular organisation’s attempts to make filling in its particular forms easier, clearer and simpler. This is fine as far as it goes. But it’s not very far, because most individuals need many different services and therefore need to fill in lots of different forms, many of them completely different in their design, presentation and so on.

Time and time again we have seen projects where ‘user-centric’ service design loses sight of the people it is supposed to serve: the human beings whose lives are much richer, more complicated and difficult than just one single interface with one particular organisation and one particular service.

So, for example, a service that is person-centric rather than user-centric might ask ‘how to eliminate the need to fill in forms at all?’ (by, for example, enabling automated API-based processes of data sharing). Or, failing that, how to design forms so that they all look and feel the same no matter what organisation they come from, so that we as human beings don’t have to learn how to navigate our way through each different form, starting from scratch every time?

Is ‘control’ a good thing?

‘Control’ over data is another word to be suspicious about. That’s because service providers usually interpret ‘control’ in a very narrow, organisation-centric way. ‘Control’ is interpreted as an individual being able to exercise a little more control over the data that that particular organisation collects about them. This is very different to an individual having genuine, full control over the data by, for example, being able to aggregate data from all the different organisations they deal with in their own database (such as a personal data store), and to use and share this data as they wish, outside of the systems, restrictions and controls placed upon this data by the organisation concerned.

A truly human rights approach to data embraces the second, genuine, full interpretation of ‘control’; something that, after 16 years of development, we are now implementing in a number of projects, particularly in health and care.

Why agency is critical

‘Agency’ is another key concept when it comes to the practical implementation of a human rights approach to personal data. If you can’t actually access and use your data to actually get stuff done in your life then your ‘rights’ are just formal, not real; and ‘control’ is close to meaningless.

The locus of such agency isn’t within the systems of this or that organisation; it is within the individual’s life, when they are trying to access, use and share data to better manage the issues that matter to them. This, we believe, is creating a completely different agenda.

What’s really needed to enhance and enable citizen agency is a personalised experience layer that enables individuals to interoperate with many different schemes and ecosystems via a familiar, consistent interface that becomes second nature to them. Like driving a car.

Practically speaking, this means each individual should have their own personalised cockpits or dashboards that display the data about their life, their transactions, their accumulated proof points and so on, in the ways that they find intuitive and easy to use.

Within this, agency means being able to use your data where and when you want, and being able to share it easily with whomever you want, safely and securely. Seen from this perspective, our society has hardly even begun adopting or implementing a human rights approach to personal data: we have a long way to go.

Agency and guardianship: two sides of the same coin

Finally, ‘guardianship’ is crucial to both real life control and agency. There are millions of people in the UK today, such as the old, frail or ill, who are not able to act fully and completely on their own behalf: who need help; someone to act for them in ways big and small.

Perhaps ironically, it is precisely in such situations of real or threatened loss of control and agency that, very often, control and agency become all the more important to the person concerned. They want, as it were, to exercise control over what others are doing for them, when and how.

This is complex to manage, and current ways of handling this complexity struggle with a chasm between highly formal, legal and bureaucratic powers of attorney and the myriad informal ways that powers are delegated in real life: “Oh love, when you go to the shops, could you buy these items for me? Here’s my card!”

People need systems and infrastructure that let them handle this formal/informal spectrum quickly, simply and safely. Our Paper explains some of the mechanisms, such as Circles of Support, that we have developed to deal with these issues in a practical way.

This underlines a key point about most current debates on human rights. What’s needed above all is infrastructure, tools and capabilities that make it possible to embed and crystallise a human rights approach to data in a way that works at the level of daily, practical details. The focus needs to be on practical implementation, not just rhetoric.

To conclude, change is in the air. Our (Mydex’s) day-to-day work is showing that it is possible to build a personal data ecosystem that is interoperable, flexible, certifiable, scalable and that is also safe, secure and consensual, taking a human rights based approach that results in genuine personal, social and economic benefits. The opportunity is to make a human rights approach to personal data — and therefore to all data-driven services — something that actually does happen, every day.

P.S. For a fully rounded view, this Paper should be read in conjunction with this Paper on the profound potential economic impact of empowering citizens with their data, and this Paper on the design principles needed to safely and sustainably implement such an approach at scale.
