Health Information Privacy

4th Annual Health Information Privacy Conference

January 17, 2005
Toronto, Ontario

Address by Patricia Kosseim
General Counsel, Office of the Privacy Commissioner of Canada

---

Introduction

I am delighted to be here today and indeed honoured to have been invited to participate in this important program. Although I would be pleased to share with you my experience as General Counsel for the Office of the Privacy Commissioner, I am afraid that would be a very short speech, since I only joined the Office ten days ago.

I have spent quite a bit of time in my professional career thinking about health information privacy from the perspective of health researchers and health professionals. You would expect the OPC's perspective on such policy matters to be quite different. Or would you? As interested stakeholders, if we listen to the views of others in an open and inclusive policy debate aimed at striking a reasonable balance of the underlying public values, then no matter what the perspective assumed at the start, the end positions of organizations need not be so different after all.

On Day 10 in my new job, I do not purport to represent my new employer with a well-seasoned legal position on the many complex privacy issues that arise in the health sector. Rather than get quickly entrenched in any particular track, I am seizing this time of transition as a unique opportunity to think conceptually outside the box, bring forth fresh ideas, and join past experiences with new challenges. As a senior partner taught me during my articles, the hallmark of a good lawyer is one who can think laterally across different contexts, one who is able to draw analogies and distinctions as appropriate.

It is in that frame of mind that I would like to take a more conceptual approach and challenge all of us to do some lateral thinking in the next 20 minutes. I would like to reflect on recent developments in four different areas to help inform our thinking about health information privacy: "Government On-Line" (E-Government), electronic health records (EHRs); commercial uses of personal listing information and longitudinal health research.

I. Government On-Line and Electronic Health Records

A recent Supreme Court decision, R. v. Tessling, examined whether thermal imaging technology used by aircraft to detect heat emanating from homes suspected of running marijuana grow operations contravened the right to be free from unreasonable search and seizure under section 8 of the Charter. Mr. Justice Binnie reminded us of the fundamental importance of protecting individual privacy from the state.

"The midnight knock on the door is the nightmare image of the police State. Thus it was in 1763 that in a speech before the British Parliament, William Pitt (the Elder) famously extolled the right of everyone to exclude from his private domain the forces of the King:

'The poorest man may in his cottage bid defiance to all the forces of the crown. It may be frail, its roof may shake, the wind may blow through it, the storm may enter, the rain may enter, but the King of England cannot enter! All his force dares not cross the threshold of the ruined tenement!'" ¹

We have evolved a long way since 1763, and though Canadians do not typically fear physical intrusion into our homes by the modern Queen of England, we do remain vigilant and expect to be guarded against unauthorized state intrusion into our lives. At the same time, we have also become more demanding of the state to protect our national security, to provide us with timely, efficient and quality services, and to involve us more actively as engaged participants in our society.

Government on-line, or E-Government, has emerged as a modern-day response and potential promise for delivering on those citizens' expectations. In a recent article on the benefits and challenges of e-government, Professor Pierre Trudel of the Université de Montréal² describes Quebec's growing interest in moving away from a system of personal information contained in isolated silos held by public organizations which are separated by bureaucratic borders, spatially and organizationally distinct from one another. He spoke of a move towards an electronic government network promoting greater circulation of personal information across public organizations and allowing authorized access by a plurality of actors with a view to offering more integrated services to its citizens.

The advantages of pooling personal information in an e-based public administration are described by Trudel as follows:

• better collaboration and cooperation between public organizations, and more flexible specializations dependent on mutual exchange and interaction between users;
• improved quality and timeliness of services;
• less redundancy by avoiding repeated collection of the same personal information by different organizations, resulting in greater efficiency and productivity gains;
• possibility for citizens to interact more meaningfully with the state and receive more personalized services, attendant to their individual needs, based on relevant and accurate information about them, available in real-time.

Interestingly, these advantages of e-government are not unlike those you would expect to find in the business case for electronic health records. In fact, similar advantages were identified in the visionary document articulated by the Advisory Council on Health Infostructure in 1999. This led to a First Minister's Agreement in 2000, the creation of Canada Health Infoway Inc. in 2001, and additional investments by the Federal Government in 2003 and 2004 totaling more than $1 billion for the development of pan-Canadian, interoperable electronic health record systems. Those advantages of EHRs for the health sector included:

• more informed decisions by health care providers, administrators and policy-makers able to exchange information among each other and determine best possible evidence;
• improved quality, accessibility, portability and efficiency of health services across the whole spectrum of integrated care;
• more empowered members of the general public able to make better choices about their own health, their health care and health policy.

Just as the vision and potential advantages of E-government and EHRs are similar, so too are the associated privacy challenges. Indeed, Trudel examines some of the challenges inherent in the current legal regime, whose privacy principles are premised on the traditional concept of data silos. Data silos have long been regarded as an important way to protect against the misuse of personal information. Compartmentalizing information makes it more difficult for users to access it. Contrast this with interoperable electronic databases which pool together more information, increasing the possibility for linkage and rendering it potentially accessible to a larger number of users.

To elaborate on but three examples, I would like to focus on the notions of "openness", "purpose" and "accountability" as articulated in the privacy principles of the current legal regime, and suggest how they might be re-examined and better adapted to accommodate the "new" challenges associated with the concept of E-government, and similarly, EHRs.

Openness
The "openness" principle, as originally conceptualized, requires an individual organization to be open and transparent about its privacy practices and policies. However, in the context of E-Government or EHRs, the openness principle would seem to require much more. As Trudel puts it, success is critically dependent on the "trust imperative". To earn legitimacy in the eyes of the public, the broader social benefits and risks of E-Government, as with EHRs, must be evaluated and debated openly and transparently. The public must have its questions answered and be given a meaningful opportunity to participate in an informed debate about the benefits and risks of pooling data before we can assume public acceptance of what are, essentially, fundamental changes to our existing social contract - with the public sector, in the case of E-Government, - and with the health sector, in the case of EHRs.

Purpose
The central notion of "purpose" critical to limiting collection, use and retention, may be understood in the sense of specific transactions. However, in the context of E-Government or EHRs, "purpose" must be re-conceptualized to encompass the multiplicity of purposes for which these pooled data sources may be used. Individuals to whom the information relates must be informed of the full range of possible, compatible purposes. In that sense, purpose becomes less determinative in limiting collection and retention, since the cumulative personal information that is "rolled up" and retained in Government On-Line or an EHR necessarily extends beyond the personal information required at any given time for a single transaction. Where purpose is most critical now, however, is in stringently controlling access to personal information by authorized users of the shared network in very specific circumstances and in accordance with their recognized status and role as a user.

Accountability
Whereas accountability in a world populated by data silos is conferred on each individual organization responsible for that silo alone, accountability in a world where data is pooled effectively rests with all organizations participating in the shared network. Professor Trudel argues that each organization which may have access to the pooled information should be considered the legal holder of the information. As a result, these organizations should be solidarily responsible for protecting the confidentiality of the information to prevent responsibility from "falling between the cracks" of multiple users. The respective rights and obligations of each organization participating in a shared network must be worked out as part of a carefully regulated regime governing common access to pooled data. This will help ensure that information flows unimpeded as intended, and that responsibility is properly assigned among participating organizations, and/or any trustee acting on their behalf, under terms and conditions clearly agreed upon in advance.

In keeping with my theme of lateral thinking, I would propose that our reflections and experiences in testing concepts and attempting to address privacy challenges in the E-Government context can help inform our approach in the context of EHRs, and vice-versa.

II. Commercial Context vs. Health Research

This brings me to the second parallel I would like to draw for you today — that between commercial uses of personal listing information and longitudinal health research studies. In this case, I will posit that experiences gleaned from one setting are not readily transferable to the other, and I caution against the ready application of common reasoning and conclusions.

Let me give you a recent example that illustrates the importance of context and the need to draw clear distinctions. In Englander v. Telus Communications Inc., decided just over two months ago, the Federal Court of Appeal had to consider whether the consent TELUS obtained from its first time customers was sufficiently informed to allow not only inclusion of their personal information in telephone directories ("White Pages"), but also, all of the secondary uses made thereafter by TELUS and other third party users.

First, it should be noted that in interpreting the relevant provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), and in particular Schedule 1, the Court of Appeal held that "flexibility, common sense and pragmatism" will prevail.

In the specific context of this case, the Federal Court of Appeal found that TELUS had failed to discharge its full obligation to identify, specify and explain to its first-time customers all of the primary and secondary purposes that will be made of their personal information at or before the time of collection. The timing of TELUS' explanation to its customers in this case was key. Despite all the efforts undertaken by TELUS to provide information to any first-time customers who expressed concern about privacy (in the form of a welcoming letter and accompanying brochure that explains all the purposes for which the company collects, uses and discloses personal information, informs customers of their right to be de-listed, provides them with a 1-800 number for more information and a website dedicated to describing the company's privacy practices, availability and access to the company's Privacy Officer, etc.), the company failed in its obligation to inform its first-time customers, at the time of enrolment, of the primary and secondary purposes for which their personal information was collected. All the company's tools for complying with the privacy principle of Openness, generally came too late for complying with the principle of Informed Consent.

This restrictive interpretation of the consent requirement by the Court may be appropriate in a commercial context. The various marketing purposes to which customer's personal information will be put are generally known at the time of collection and the case turns on the extent to which the organization takes honest and reasonable steps to disclose those purposes to its customers in a meaningful way while enrolling them for a service or into a program. However, such reasoning is very difficult to apply in the context of health research, particularly longitudinal research studies. With such studies, all future research purposes cannot reasonably be known or even anticipated at the time of collection. We might on the one hand identify extremely broad purposes, which would permit a broad variety of research using this personal information, but which would greatly water down the principle of finality. We might on the other hand be too finely detailed in our description of the purposes for which information is to be used, and thereby frustrate important future research initiatives that could not have been contemplated at the time the personal information was first collected.

In the context of a longitudinal study, perhaps continuing efforts to inform research participants of the various research uses being made of their personal information as those become known over time, using the kinds of tools that TELUS did in Englander, should be regarded as part of a valid, ongoing consent process, provided that certain conditions are met, including:

• participants are told as much information as can be reasonably known up front in an open and transparent manner and are aware of the limitations of that information; they have a meaningful opportunity to withdraw their information at any time;
• there is an effective governance regime in place (Research Ethics Boards (REBs) and National Oversight Bodies) to protect the interest of individuals;
• they are regularly informed through public means of research studies proposing to make use of their personal information and are given reasonable time to object to that use;
• those research studies are generally consistent with the original purpose for which the information was collected into the database in the first place; otherwise, new and express consent must be sought before any research not consistent with the original explanation can begin.

I hope that this second parallel shows that strict rules on disclosing purposes may be appropriate in a commercial context involving narrow profit-making interests accruing to a small group of shareholders. However, these rules do not apply so readily in the context of longitudinal research involving broader health interests accruing to society at large. Both contexts must be critically examined and distinguished as appropriate, having regard to special considerations pertaining to each.

To illustrate my point, in Australia, the Sydney Morning Herald reported on January 8 that cancer researchers cannot gain access to vital government-held information for studies on cancer and the workplace because of fears that releasing the data will breach privacy laws. However, the same report suggests that those privacy laws do not seem to prevent unscrupulous organizations from extracting names from company share registries in their search for potential targets.

Although it is important to think laterally and creatively, and to learn from the experiences in one area of privacy to inform another (as in the case of E-government and EHRs for example), we must also be mindful of the need for a contextual approach. We must recognize the different social values and interests at stake (as in the case of a commercial context for marketing purposes, as contrasted with longitudinal health research for broader health purposes).

The Supreme Court of Canada called for a contextual approach in R. v. Plant³, concluding that the context in which the information is being sought and used helps determine the privacy protections that will be afforded that information. In short, while the privacy rules applied in one context can suggest how they might be applied in another, one cannot uncritically transpose privacy approaches without considering the context. That is why public consultation and the engagement of stakeholders are so essential to the analysis and understanding of what a "reasonable person would consider appropriate in the circumstances".

Conclusion

I would like to leave you with a few key messages on behalf of the OPC. First, issues of health information privacy are of high priority for the Office. Second, the Office remains committed to working with multiple stakeholders, including ministries of health, health organizations, professionals and health research groups. We want to engage in meaningful discussions aimed at determining what a reasonable person considers appropriate in different contexts. Third, the Office is very committed to working and sharing knowledge with its provincial and territorial counterparts as we move towards harmonizing the implementation of privacy regimes across sectors and jurisdictions. Finally, I would like to underscore the openness of the Office and my own willingness to hear your views on how we can improve our efforts to enforce a privacy oversight regime that addresses the legitimate interests of all parties amidst the complexities of the modern health sector.

¹ R. v. Tessling, [ 2004] S.C.C. 67 at para.14.
² Pierre Trudel, « Renforcer la protection de la vie privée dans l'État en réseau : l'aire de partage de données personelles, » Revue française d'administration publique n° 110, 2004, pp. 257-266.
³ [1993] 3 S.C.R 281.