Why we trust dynamic consent to deliver on privacy

Abstract

Dynamic consent has been discussed in theory as a way to show user preferences being taken into account when data is accessed and shared for research purposes. The mechanism is grounded in principles of revocation and engagement – participants may withdraw or edit their permissions at any time, and they receive feedback on the project they are contributing to if they have chosen to do so. The level of granular control offered by dynamic consent means that individuals have informational control over what they are sharing with the study, and to what extent that data can be used further. Rather than attempt to redefine privacy, this paper takes the position that data controllers have certain obligations to protect a data subject’s information and must show trustworthy behaviour to encourage research participation. Our model of privacy is grounded in normative, transaction-based requirements. We argue that dynamic consent is a mechanism that offers data controllers a way to evidence compliance with individual privacy preferences, and data subjects with control as and when they require it. The key difference between dynamic consent and a “rich” database consisting of a dataset with the ability for a subject to revoke access is human engagement, or relations of trust. We must re-think how consent is implemented from the top-down (policy-based) and bottom up (technical architecture) to develop useful privacy controls.