Home » Blog

Licensing, ethics and patient privacy

8 November 2016 4 Comments

Following one of “those” conversations on twitter, the ones where the 140 character limit just isn’t enough it seemed worth writing up a quick post. It’s that or follow the US election after all…

Richard Sever of Cold Spring Harbour Press posed the following question on:

…to which my answer was:

You can follow the conversation via the links above but here I just wanted to flesh out the disagreement and why I think this matters. This is a general class of a problem that we often see, where we reach for licensing as a tool to reassure or solve some sort of complex normative, and often ethical, issue. I’ve always had a problem with this because normative issues are ones of community, and therefore ones that we need to take responsibility for. Licensing (and other legal tools) place responsibility elsewhere, granting control to another community, in this case judges and the courts. Sometimes this is necessary, when there is an expectation that the interests of different communities will need to be arbitrated, but in the case of ethical issues I feel these are internal issues and ones that should be determined (and if necessary sanctioned) internally.

In the specific case here we’re talking about an identifiable image of a child, where the parents had apparently given permission for the image to appear “in a scientific journal” but hadn’t realised that this would be widely available. When they did realise this some years later they withdrew permission and the article was retracted, with the image blacked out in the retracted version. This is unfortunate and there are issues with the specific story but in some ways its a story of things working well. Permission was sought and given, when it was revoked the image was removed and the issue noted.

For me, what is at core here is the issue of informed consent and the degree of assurance that can offered to participants that the commitments made to them, particularly on issues of privacy, can be met. If there is data, including images, that should be restricted from public access then that needs to be made clear, but above and beyond that there needs to be clear communication about the risks of the access control that are put in place breaking down.

Why am I focussed on access control when this was an Open Access article? For me, the issue was a lack of appropriate clarity in the consenting for the use of the image. If the participant’s expectation is that an image or data will only be made available to professional medical staff or to researchers, then it should never go in a journal article of any kind. Journal articles are publicly accessible, in different ways, we cannot guarantee to prevent a journalist who has access to a research library taking a copy of an image from a print subscription journal and using that in an article. If the concern is public view or commercial use then once its in a journal we cannot guarantee that will not happen.

You might argue that the risk is much higher with online CC BY licensed article but ethical judgements err (sometimes radically) on the side of caution for good reason, because they are intended to deal with low probability events that can lead to substantial harm. I would argue that unless a participant explicitly consents to allowing liberal re-use then such data (including images) needs to be properly access controlled.

As John Wilbanks has argued for many years, copyright licenses are a very poor means of protecting participant privacy. There are far too many ways for it to fail, from people ignoring it, to technical systems failing to recognise a separate license for an image in a larger work, to the many conditions under which the license simply doesn’t apply because a use falls under Fair Use or Fair Dealing. Both to establish trust and meet ethical standards it is necessary to link access to contractual requirements that bind the user to limit their downstream uses in ways that licensing can not.

Now Richard was arguing from a different end. Without presuming to put words in his mouth his concern as I understood it was “given that key data needs to go in ‘the paper’ how can we best give participants assurances that make them comfortable with providing consent”. In the end I think we agree that access to sensitive material needs to be limited. My view is that copyright licensing provides little to no assurance of the type needed. Licensing is also implemented by players outside the control of the organisations responsible for consent.

Richard, I think would argue that having open licenses could be discouraging. In both cases I think we end at the point that where material is sensitive and where access controls are deemed necessary, whether by an IRB or by the participants themselves then an ethical approach requires appropriate safeguards. And for me that means robust access controls.

There might be a case in which participants consented to use for publishing, but only under a restricted license. I actually find this a little implausible. The consenting should be based on clear limitations on use, not on copyright licensing, for the reasons noted above about the limitations on enforcing licenses. Nonetheless its at least a theoretical possibility. For me, the importance of having a cleanly and consistently liberally licensed public record is enough to say that under these circumstances such materials should be kept separate to the formal public record, linked from it but not formally part of it.

At scale, re-use requires reasonable certainty and at the moment the wholescale re-use of images, even from Open Access literature runs into problems due to the embedding of differently licensed images and no consistent way of marking this. This is actually an inverse of the problem as above. Just as licensing can’t give sufficient assurances that inappropriate uses will be blocked, poorly expressed licensing doesn’t give clear assurance to users, particularly at scale that use is appropriate.

For me the argument from both ends, that a consistently licensed clean corpus has enormous value, and that licensing is not the right tool for carrying out ethical responsibilities, reaches the same point. If participant consent does not include liberal re-use then material should be maintained separately to the public, published record under appropriate access controls that limit uses to those that have been consented.



  • Richard Sever said:

    Hi Cameron

    Thanks for the longer-form response. Let just clarify that I’m not really arguing a particular view here, more just posing a question to which I’m not sure the answer is clear. It is an issue we considered when launching our open access journal in precision medicine, CSH Molecular Case Studies, ultimately deciding to offer authors the option of CC BY or CC BY-NC in case this was an issue for patients/physicians (most of the medical literature covering this area is by contrast under more restrictive copyright licenses so the issue does not arise).

    It is not ethical issues as such that made me pose the question but more how to maximize the likelihood that a parent of a child patient (or a patient him/herself) would consent for an image to be published for the benefit of science. I guess the question I’m asking is whether there is a category of patient/parent who would gladly consent to the image being published and made freely available in, say, PLOS Medicine or CSH Molecular Case Studies but would rather that did not mean that, as a necessary consequence, something like a tabloid newspaper did not need to ask for permission. Framed another way, the question is whether a different/new open license could be considered in these specific cases that both empowers the patient/parent and incentivizes them to make their data available without resorting to controlled access (databases) or access control (journals).

    Finally, you make a good point about the practicality of embedded licenses. But one would hope that better tagging and a more granular approach to organizing information will ultimately make this less problematic. And since one can invoke fair use for text/data mining of bulk content in the US, this may be less of an issue.

  • Cameron Neylon said:

    Hi Richard

    So I’m going to stick with my original point. A copyright license is the wrong tool to use here to give the right kind of (credible) assurances to a participant about use of sensitive data (of any kind). I don’t doubt that such restrictions might be comforting, but they’re ultimately not really enforceable.

    For instance, the authors (as copyright holders) would have to contract with the patient, to pursue the matter in court just as a start. And in many cases there may not be a credible copyright case to make. That combined with the risks of contaminating an open corpus with variant licenses is a slam dunk for me. Even going down this route isn’t really ethical because its misrepresenting the situation to participants.

    And in the end given that the risks are not clear, even to us who are notionally experts, informed consent is on shakey grounds and safeguarding and precautionary principle would suggest that erring on side of caution and using access controlled data repositories is the way forward. And that’s before the additional issue of parents giving consent for children is raised as well.

    So in the end, wanting to maximise the chances of consent *is* an ethical issue and one I think we should step away from as it implies guarantees that we can’t make.

  • Richard Sever said:

    Maybe we have to agree to disagree here. I don’t think I can get behind controlled access as a generalized solution for patient images because it puts another barrier in the way of scientific discovery, particularly where matching disease phenotypes will be critical and ultimately computational. Controlled access is (currently) a necessity for certain data, but I think anyone who’s used dbGaP would be dismayed at the notion that something similar would be needed for photographs.

    Finally I’d just add that all (except one) flavors of CC licenses provide some restriction/condition. Surely, if (re)use of an open corpus is the over-riding concern, then shouldn’t we be agreeing that CC BY is inappropriate (my original query) and that CC0 should be mandated? If that is not the case then I don’t see a dedicated hypothetical CC BY-related license created for medical images being that different from CC BY in terms of reuse.

  • Cameron Neylon said:

    Well I would say that’s an ethical question (and I’m no professional ethicist, and this ain’t ethics advice). Ultimately its a consent and commitment question for me. I think you’re posing the question the wrong way around (and that’s why John had such a strong view on it, he’s dug deep into this). I’d also note that the Portable Consent work that John’s done addresses a lot of the technical barriers to making access control work in these settings.

    And to the scientist’s being dismayed I’d say stiff. We seem to be getting a few messages to maybe listen a little harder to the concerns of others at the moment, instead of focussing on our own issues.

    In terms of licensing yes, the end point of my view is that we should remove legal barriers and use norms to enforce community requirements on eg attribution (and contracts in the limited cases where limiting specific uses is required). That’s why this blog is cc0. Not widely know but PLOS almost went with a public domain dedication at the beginning. But it’s not now a viable political argument to make at the moment and we’ve built a good corpus of CC BY and it has limited (but real) interop and scale problems.

    The problem with any variant license is that they just don’t work. Using copyright to restrict specified uses just fails in practice. It’s not the right legal tool. If you must use a variant license then use one of the existing CC ones (they’re tested), I guess NC-ND. But probably All Rights Reserved would be a better fit for the aims you have anyway, as it reduces the liability risk (which is a serious issue here, researchers – and possibly the publisher – would be taking on an ill-defined liability in using a (c) license for this).

    The historical evidence I’d give is that all of these issues have come up before with software licensing in various forms. A million and one F/OSS licenses grew up creating massive confusion. Today in practice they’re mostly gone and there are three or four, and still massive confusion (and people just ignoring them). Bespoke licenses offer some local comfort but rarely succeed at actually addressing the core problem.

    Maybe its time for a new post on what (c) licensing can and can’t do and the difference between that and what people want it to do…