Sunday, January 25, 2015

xAPI Privacy Questions: Who Should Own My Experience Data?

Years ago I was involved with a company that dealt with medical informatics. Among other things, this small firm was building an innovative Electronic Health Record (EHR); this was not too many years after the passage of the Health Insurance Portability and Accountability Act (HIPAA), and the design team faced some interesting questions about the data they would be capturing. While the need to manage the privacy of the data was not in question, the ownership of the data was.

Think about it: I'm a patient. The data is just representations of my health, so in a sense, I generated the data. Shouldn't it belong to me, almost in the sense of a unique composition of music belonging to the author?

Experience data is or can be as personal as health information. It is, after all, a reflection of life choices, thoughts, and performance. While a company paying me to take an e-learning course may have some de facto right to use the captured scores from assessments, as we move toward a more distributed model of experience information capture, who else should have the right to see that information?

Does a prospective employer have the right to scan my xAPI records and infer certain thinking patterns and qualities based on an analysis of my choices, learning outcomes, and other experiences? Could that be part of the application process they require of prospective employees? Will they need a waiver from me--a HIPAA-like consent document?

A simple illustration of experience data in action:

Google is capturing a lot of information about my behavior. Here's a map of where I traveled one Saturday, courtesy of Google location services on my Android phone and Google Location History (

Between the timestamp, GPS, and distance information, I can quickly see a picture of how "fast" I rode my bike in the morning. And there's pretty good evidence here that I went to watch the Norfolk Tides beat Pawtucket 3 to 1.

I choose to share this information with Google. I see a fair exchange. I'm getting value from their network collecting detailed information about my activities when they turn that into information I can use. And they extract insight from my data that enables them, on a grander scale, to identify patterns of human behavior, which they use to generate revenue through targeted ad sales, marketing insights, services, and much, much more. Information is the currency that fuels their business model. I'm sure they'd like to get their hands on the details of performance that will someday be generated by my xAPI data. And yours.

The questions that linger with me are: Who will be able to sell them that information? And in the end, who has the right to decide if and how they can use it?

Other thoughts on data ownership:

My friend, Aaron Silvers has been quite involved in xAPI for years; you can read some of his recent thoughts on this topic here.