My last post sat with me for a while. I wrote about moving from technical privacy to ethical auditing, and it felt like a start. But I kept coming back to a single, stubborn question: what good is a perfectly private system if no one actually trusts what it says?
This has been the quiet focus of my recent work. I've come to believe that trust is not a feature you can bolt onto a health registry. It is not a checklist item for compliance. Real trust is earned when people believe the knowledge a system produces is credible, careful, and just. This moves the conversation into unfamiliar territory for many engineers. We are used to auditing data. We must learn to audit knowledge.
Epistemic Responsibility Defined:
This is what I mean by epistemic responsibility. It is the duty we have as builders and stewards to ensure the insights we generate are not only statistically valid, but also socially sound and transparent about their own limits. It asks us to be accountable for the truthfulness of the story our data tells.
This is what I mean by epistemic responsibility. It is the duty we have as builders and stewards to ensure the insights we generate are not only statistically valid, but also socially sound and transparent about their own limits. It asks us to be accountable for the truthfulness of the story our data tells.
When Compliance Is Not Enough
The Compliant but Flawed System:
Let's picture a model trusted research environment. It uses federated learning so data never leaves the hospital. It applies differential privacy, adding mathematical noise to protect individual identities. A standard audit passes it with high marks. The technical boxes are checked.
But what if the combined data from all those hospitals holds very little information from patients over eighty? Or from communities with limited healthcare access? The model trained on this data will develop a view of disease that is, quite literally, blind to these groups. The privacy is impeccable. The knowledge is impoverished, and worse, it presents a distorted reality as fact. This creates a quiet harm, what philosophers call an epistemic injustice. The system itself prevents certain groups from being seen and understood in our shared pool of medical knowledge.
Let's picture a model trusted research environment. It uses federated learning so data never leaves the hospital. It applies differential privacy, adding mathematical noise to protect individual identities. A standard audit passes it with high marks. The technical boxes are checked.
But what if the combined data from all those hospitals holds very little information from patients over eighty? Or from communities with limited healthcare access? The model trained on this data will develop a view of disease that is, quite literally, blind to these groups. The privacy is impeccable. The knowledge is impoverished, and worse, it presents a distorted reality as fact. This creates a quiet harm, what philosophers call an epistemic injustice. The system itself prevents certain groups from being seen and understood in our shared pool of medical knowledge.
A Practical Framework: Two Questions to Ask
So how do we build an audit for this? In my own work, I've found it helpful to structure the process around two parallel lines of questioning.
The Two Pillars of Epistemic Auditing
- Interrogate Multidimensional Fairness: We look beyond a single accuracy number. We slice the model's performance across every demographic axis we can responsibly track: sex, ethnicity, age, postal code. My work analyzing ECG signals was a blunt lesson here. A model could achieve impressive overall accuracy while failing systematically for women. An audit must use tools like disparity metrics to force these gaps into the open. It asks: for whom does this system work, and for whom does it fail?
- Formalize and Report Uncertainty: Every prediction, every statistic from a registry comes with a shadow of doubt. This doubt comes from the noise we add for privacy, from sparse data for rare conditions, from the inherent messiness of biology. An epistemically responsible system does not hide this doubt. It measures it and reports it alongside the result.
Transforming Output into Knowledge Claims:
The output should never be "The readmission risk is 15%." It should be: "The estimated readmission risk is 15%. Given the data sparsity for this patient group and the privacy safeguards applied, we are 90% confident the true value lies between 11% and 19%."
This transforms a bare fact into a careful knowledge claim. It tells the clinician not just what we think, but how sure we are. That honesty is the seed of real trust.
The output should never be "The readmission risk is 15%." It should be: "The estimated readmission risk is 15%. Given the data sparsity for this patient group and the privacy safeguards applied, we are 90% confident the true value lies between 11% and 19%."
This transforms a bare fact into a careful knowledge claim. It tells the clinician not just what we think, but how sure we are. That honesty is the seed of real trust.
Navigating the Inevitable Trade Off
This process forces us to confront a difficult balance, especially with tools like differential privacy. There is a direct and unavoidable tension between privacy strength and knowledge clarity.
| Privacy Setting | Effect on Data Fidelity | What the Audit Must Emphasize |
|---|---|---|
| Strong Privacy (High noise) |
Insights become blurry. Fine details are lost. | Communicating uncertainty. We must be explicit that findings are broad estimates, not precise truths. |
| Moderate Privacy | A balance. Clear patterns for common cases, fuzzier for rare ones. | Vigilance for bias. Clearer patterns could accidentally cement existing inequities if not scrutinized. |
| Minimal Privacy | Sharp, detailed outputs. High fidelity. | Rigorous validation. High precision risks lending false authority to flawed or biased conclusions. |
There is no perfect point on this spectrum. Our audit framework must therefore be adaptive. It tightens its focus on uncertainty when privacy is high, and on bias detection when privacy is lower.
Putting It Into Practice: Lessons from an ECG
Beyond Technical Audits:
Let me make this concrete with the ECG project I mentioned. A technical audit validated the federated learning protocol. A fairness check found a performance gap.
An audit for epistemic responsibility would dig deeper. It would ask why the gap exists. Was it due to how the sensors were placed? To historical under enrollment of certain groups in studies? More importantly, it would require that any paper or tool released from this work includes what I've started calling a Limitations Appendix. This appendix would plainly state: "Performance was lower for female patients. Our training consortium had limited data from rural clinics. The confidence intervals for subgroup X are widened by 5% due to applied privacy measures."
This does not make the work seem weaker. It makes it more honest, more usable, and ultimately, more trustworthy.
Let me make this concrete with the ECG project I mentioned. A technical audit validated the federated learning protocol. A fairness check found a performance gap.
An audit for epistemic responsibility would dig deeper. It would ask why the gap exists. Was it due to how the sensors were placed? To historical under enrollment of certain groups in studies? More importantly, it would require that any paper or tool released from this work includes what I've started calling a Limitations Appendix. This appendix would plainly state: "Performance was lower for female patients. Our training consortium had limited data from rural clinics. The confidence intervals for subgroup X are widened by 5% due to applied privacy measures."
This does not make the work seem weaker. It makes it more honest, more usable, and ultimately, more trustworthy.
The Deeper Duty of Stewardship
This view connects with a broader shift in thinking about data stewardship. A steward is not just a guardian against data leaks. A steward is a guardian against misleading knowledge. Their duty is to ensure the registry's outputs are legitimate contributions to our understanding of health.
Building Lasting Trust Through Honesty:
As I wrote about in my piece on explainability tools, techniques that help us understand model decisions are just one part of this. They are like a doctor's diagnostic kit. But we need the broader governance equivalent of medical ethics, a framework that mandates transparency about the origins and limits of the knowledge we create.
This is the path forward. It asks for humility from those of us who build these systems. It requires that we design our audits not as proofs of perfection, but as testaments to our thoroughness and our honesty. The goal is a system that speaks about what it knows, and also about what it does not. That kind of careful, truthful conversation is, I believe, the only real foundation for lasting trust.
As I wrote about in my piece on explainability tools, techniques that help us understand model decisions are just one part of this. They are like a doctor's diagnostic kit. But we need the broader governance equivalent of medical ethics, a framework that mandates transparency about the origins and limits of the knowledge we create.
This is the path forward. It asks for humility from those of us who build these systems. It requires that we design our audits not as proofs of perfection, but as testaments to our thoroughness and our honesty. The goal is a system that speaks about what it knows, and also about what it does not. That kind of careful, truthful conversation is, I believe, the only real foundation for lasting trust.