The story is told about a company that noticed a large proportion of its employees had not joined its pension plan. This meant the employees were missing out on an important benefit, which did not cost the employee any money. The company’s onboarding process required employees to opt in to the pension benefit, and many did not. A little research was conducted with some of the employees to understand more. Most employees did not know the pension was an option or did not realise they needed to ‘opt in’. Almost all employees wanted the benefit. So the company changed its process to be opt out rather than opt in.
The book ‘Nudge’ is full of stories like the above. Some worry it is social engineering, but keeping the setting as ‘opt in’ is also social engineering, just a different type. But this isn’t a post about that.
Currently most data sharing happens because we have given some sort of ‘blanket’ consent to sharing our data. This is post-GDPR; pre-GDPR, consent was rarely asked for. Consent is likely buried somewhere in the long legal terms of service of many of the ‘free’ services we use (e.g. Facebook, Google, etc.) or within the accepting of cookies on websites. The argument can now be made that we opted in.
At the other end of the spectrum is a world in which, every time companies wanted to share our data, they would have to contact us first to ask for permission. For example, most of the banks that we use are not single companies. Most of them are hundreds of different companies providing different services. To us they may appear as one, but they rarely are. Therefore, within the ‘bank’, before one part of it could share your information with another part of it, they would need to contact you first. The same is true of airlines, supermarkets, health care providers (even the NHS in the UK), and so on. Our phones would be constantly ringing and our inboxes overflowing with requests.
Some of us might like this, but also some of us will be super annoyed. We may want to choose where on the spectrum we want to be.
We do this in the humanitarian space too. When we ask for consent to share the data of those affected, it is almost always ‘blanket’ consent. We tend to ask for consent to share data with other humanitarian agencies or other actors involved in the response. We don’t name the agencies or actors because we don’t always know at the start. Neither do we define terms too much, as we want to decide this.
There is a practicality to this – we want to get on with providing aid. We also don’t always know how we could get back in contact with the person, due to the challenging contexts aid works in. We also tend to think we know best. One of the most challenging aspects of this is that an individual may consent to organisation X sharing her data with organisation Y, but doesn’t realise that organisation Y is then sharing her data with a whole bunch of other entities.
So what do we do?
First off, we should acknowledge it is a spectrum, not only two options. One end of the spectrum is blanket consent (‘opt in’) for all data sharing. The other end is no data sharing allowed without first contacting and asking the individual each time.
Secondly, we also need to acknowledge there are some legal requirements that organisations need to adhere to, which affect where they can operate on the spectrum. (As an aside, this does not include organisational policies, which can be changed.)
Then we need to make an intentional choice. Choose where we want to operate on the spectrum, especially as organisations.