Afghanistan Pilot Program

07 — Data Ethics & Privacy

Privacy as a structural commitment

In the settings Welnote serves, a data breach is not an inconvenience—it can endanger lives. Privacy is built into the architecture, not bolted on as a policy.

Last updated June 18, 2026

1 The stakes

Health data is sensitive everywhere. In conflict-affected and politically fragile settings, it can be dangerous: knowing who received what care, where, and from whom can expose patients, health workers, and families to real harm. We design as if the worst case is realistic, because sometimes it is.

2 Principles

  • Data minimization — collect only what care requires, and keep identifying data off the network entirely
  • Patient dignity — patients are people, not records; data exists to serve their care, not to expose them
  • Local ownership — communities and local partners retain ownership of and authority over their data
  • Informed consent — people understand what is collected and why, in terms they can act on
  • Security by design — protection is a property of the architecture, not an optional configuration
  • Least-privilege access — each role sees only what its responsibility requires

3 Identity model

The clearest expression of these principles is the identity model: patients are pseudonymous by default, and real-world identity is shared only when a program deliberately enables it.

Layer            | Identity type
-----------------|--------------------------------------------------
Device           | Pseudonymous ID + optional real identity
Cloud            | Pseudonymous ID; optional real identity (RLS)
Doctor           | Pseudonymous by default; names if program-enabled
Supervisor / NGO | Aggregated data only

By default the cloud stores only pseudonymous identifiers, age bands, and administrative area codes—enough to coordinate care, not enough to identify a person. When a program enables real names, dates of birth, addresses, and phone numbers, those fields sync into a protected store where row-level security exposes them only to that program's own members.

Real-world identity is never the default and never shared across programs. Privacy that depends on people behaving correctly is fragile; privacy enforced by architecture—row-level security and program isolation—survives mistakes.

The technical mechanics of pseudonymization, encryption, and audit logging are detailed in the Platform Thesis.
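As an added illustration of the split store and program isolation described above (this is not Welnote's actual schema; the table and column names and the `app.user_id` session setting are assumptions), one way to express the model with PostgreSQL row-level security:

```sql
-- Default cloud store: pseudonymous identifiers, age bands, area codes only.
CREATE TABLE patients (
    pseudonym       uuid PRIMARY KEY,
    program_id      uuid NOT NULL,
    age_band        text NOT NULL,   -- e.g. '30-39', never a date of birth
    admin_area_code text NOT NULL    -- administrative area, never an address
);

-- A program must deliberately enable real identity.
CREATE TABLE programs (
    id               uuid PRIMARY KEY,
    identity_enabled boolean NOT NULL DEFAULT false
);

CREATE TABLE program_members (
    program_id uuid NOT NULL REFERENCES programs(id),
    user_id    uuid NOT NULL,
    PRIMARY KEY (program_id, user_id)
);

-- Protected store: identifying fields live only here, keyed by pseudonym.
CREATE TABLE patient_identity (
    pseudonym     uuid PRIMARY KEY REFERENCES patients(pseudonym),
    program_id    uuid NOT NULL REFERENCES programs(id),
    full_name     text,
    date_of_birth date,
    address       text,
    phone         text
);

ALTER TABLE patient_identity ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient_identity FORCE ROW LEVEL SECURITY;  -- binds the owner too

-- Assumed convention: the application runs SET LOCAL app.user_id = '<uuid>'
-- at the start of each transaction. When no policy matches, RLS returns no
-- rows, so an unset or unknown user id fails closed rather than open.
CREATE POLICY identity_program_members ON patient_identity
    FOR ALL
    USING (
        EXISTS (
            SELECT 1
            FROM program_members pm
            JOIN programs p ON p.id = pm.program_id
            WHERE pm.program_id = patient_identity.program_id
              AND pm.user_id = NULLIF(current_setting('app.user_id', true), '')::uuid
              AND p.identity_enabled
        )
    );
-- With WITH CHECK omitted, the USING clause also governs INSERT and UPDATE,
-- so a member cannot write identity rows into another program either.
```

Superusers and roles with BYPASSRLS are not bound by the policy, so the application role must hold neither. Supervisor and NGO roles receive no grant on `patient_identity` at all and read only from aggregate views over `patients`.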

4 Future governance topics

As Welnote operates across more jurisdictions, its data governance will mature toward recognized frameworks. These are directions of travel, adopted with local counsel rather than claimed as certifications.

  • HIPAA-inspired controls for handling health information
  • GDPR-inspired principles for consent, minimization, and data-subject rights
  • Humanitarian data governance aligned with established do-no-harm standards
  • AI governance defining where automated assistance is and is not permitted