Privacy and Health Information
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Address to the Canadian Medical Association
November 24, 2000
Privacy Commissioner of Canada
(Check Against Delivery)
The Canadian Medical Association is a strong and credible advocate for the protection of our personal health information. This conference is another demonstration of its commitment.
I hope I can contribute this morning by giving you a few things to think about, and perhaps help you get your discussions rolling. I'm going to talk about some of the specific issues affecting the privacy of our health information.
But before I do that, I'd like to spend a little time on privacy in general, and give you some background on how the Privacy Commissioner fits into all of this.
I believe privacy will be the defining issue of the next decade.
The steps we take to address this issue over the next few months and years will play a key role in determining the individual's place in society for many, many years to come.
That's because we have come to a kind of crossroads. Until recently, privacy really was protected mainly by default.
Unless you were very famous, or very important or had committed a crime, your personal information was scattered here and there, and kept in hard copy files.
Assembling any kind of dossier on any one of us meant quite a bit of legwork. So someone would have to go to a fair amount of trouble to find out about you.
But today, information that just a few years ago might have taken weeks or months to dig out can be compiled literally in minutes at a computer keyboard.
It used to be someone had to go out of their way to access our private data - now we must go out of our way to ensure our private data stays private.
All of us want to be able to go about the business of our lives without having someone looking over our shoulder, demanding to know what we're doing, and why we're doing it. In that context, you might say privacy means having the right to say "none of your damn business".
But privacy is really much more than that. I would define privacy as the right to control access to one's person, and to information about oneself.
That right is under threat as never before. This is the information age, and an awful lot of the information is about us.
From the surveillance camera at the corner store to the security check on a minor hockey coach, information about us is being gathered up - and shared around - at a tremendous rate.
And let's be clear: it is our information. That we should retain control over how it is used and distributed is essential to our personal privacy.
Ask yourself: how many times have you given your phone number or address to a clerk in a store? Did you ask why? Did you make them promise to ask your permission before they gave any information about you or your purchasing habits to the company that does their marketing? Did you ask whether the marketing company would sell the information to anyone else?
It has become impossible to keep up with who knows what about us, let alone what they're doing with the information.
Against these odds, there is a need for a strong voice to argue the case for privacy on behalf of all Canadians.
That voice is the Privacy Commissioner, an officer of parliament, appointed to ensure Canadians enjoy their right to privacy as set out in the law.
The Privacy Comissioner does this in a number of ways, by acting as an ombudsman, as a watchdog, and as a sort of 'resident expert' on privacy issues.
As ombudsman, the Privacy Commissioner investigates complaints of privacy abuse, and works to resolve them through mediation and negotiation. If need be, the commissioner can seek remedy in the courts. I am pleased to say that of the thousands of complaints filed since the Privacy Act was passed in 1983, only a handful has ended up in court.
The commissioner is also free to make privacy abuses known to the media. The court of public opinion can be a powerful force.
In the role of watchdog, the Privacy Commissioner ensures that the government lives up to its obligations under the Privacy Act.
Another part of my job is advising parliament about privacy. To support this advisory role, I aim to make my office a centre of excellence and a national resource centre for research, education and information on privacy issues.
Until now, these activities have been confined to the federal government. This will change dramatically in a few weeks, when the Personal Information Protection and Electronic Documents Act, formerly known as bill C-6, comes into effect January 1st.
This new law will extend the protection of canadians' privacy rights to include commercial activities. The Privacy Commissioner's job will expand enormously from the federal public sector to take in a large part of the private sector.
Now, having rights is one thing, but if you don't know what they are or how to use them, they're not going to do you much good. The new law recognizes that, and gives me a new responsibility: raising public awareness about privacy issues on a wide scale.
This is something the office has never had before, and I intend to pursue this part of the job with great vigour and enthusiasm.
If individuals are to take an active role in defending their rights to privacy, and they must, it is vital that they know exactly what those rights are, and why they are so important.
To ensure proper protection and keep disputes to a minimum, institutions must be just as clear on their responsibilities under the law.
For example, if your organization rents or trades names and addresses for fundraising purposes across any borders, the new Act may apply to those activities starting in January 2001.
If these lists contain personal health information, however, the Act doesn't apply until January 2002.
But whether it is a few weeks or a whole year away, it's important to start asking permission. To be in compliance with the Act, you need to get the consent of the people on your list to use or share the information for fundraising. Until you ask them, you shouldn't use it for that purpose. I would make a point of asking their consent at your next point of contact.
These protections are all the more critical when the privacy and confidentiality of our personal medical information is involved. I can think of few others areas of our lives where we would want greater control than over our health information.
When we talk about confidentiality, we are talking about trust. When we take someone into our confidence and share something personal about ourselves, we do so in the belief that we can trust that person not to divulge the secret to anyone else.
This concept of trust is at the very heart of the doctor-patient relationship. Even though we may not know our physicians especially well on a personal level, we know they have taken an oath to respect our privacy. We trust them to respect that oath. We tell our doctors things about ourselves we might not share even with our spouses.
As with so many other aspects of our privacy, the security of this most personal of trust relationships is threatened. There is a powerful and steadily-increasing demand for our personal health information from any number of secondary users. Much of the time, we don't even know who they are.
This is not the Privacy Commissioner of Canada being paranoid. The canadian medical association has recognized the threat, and has taken strong action.
I offer my most sincere congratulations to the CMA for the diligence of its efforts in developing the health information privacy code.
The code is founded on the belief that privacy is a right, and a fundamental value in any society that aspires to be free and democratic. It is dedicated to the need to preserve and protect the sanctity of the doctor-patient relationship.
If we cannot have total confidence in the sanctity of this relationship, we are taking a substantial risk as a society.
It is not extremism to believe this could lead some people to avoid seeking treatment.
If you knew your insurance company or your employer, or even the police, might have access to what it could reveal about you, would you be more or less likely to submit to the blood test recommended by your doctor? Think of the assumptions people might make about us based on the medications we have been prescribed.
Yes, we have laws to protect us against discrimination in employment. But if we have no idea whether and to what extent an employer has access to our personal health information, or even if the information is accurate, how can we know whether we have been discriminated against?
The consequences of a violation of health care privacy can be catastrophic for the individual. It could cost you the chance at a new job, a promotion or even the job you have now.
Suppose your genetic profile were revealed to an especially interested party. Your entire family could be stigmatized for generations to come.
We are staring at the possibility of a user fee no one could have imagined: we cannot allow loss of privacy to become the price of admission to any health-care system.
Patients have a right to expect and be entirely confident that health information about them will not be collected beyond what is necessary for their care. They must be confident the information will not be used for any purpose other than their care, or disclosed for any reason other than their care. Certainly they must be confident it will not be put to any use that could do them harm.
The debate over those rights is far from over, but we cannot delay making our voices heard.
The new Act becomes law January 1st, but the section dealing with the protection of health information does not come into effect until the following year.
A number of national health organizations - representing doctors, dentists, hospitals, pharmacists and other professional and interest groups - have formed a working group to examine privacy issues related to health information.
I encourage patient representatives to be involved in this process.
One of the biggest threats to health information privacy comes from the drive to establish a national health info-structure. Projects such as establishing electronic patient records and expanding so-called "surveillance" activities are proceeding without adequate privacy protection.
Supporters of these initiatives say it they will be valuable tools for the promotion of good health. They say steps will be taken to protect privacy.
I am happy to hear that. But I get the impression the impact on privacy comes as a bit of an afterthought, rather than the fundamental design consideration it must be.
It does not matter whether our health information is revealed by accident or by intent. The result is the same.
Putting personal medical information from each and every one of us into one, easy-to-use database will only add to the temptation to juggle and sort it for purposes far beyond patient care.
If W.P. Kinsella had been writing about health information instead of baseball, he might well have said , "if you build it, they will think of uses for it you never imaginedz".
Patient groups would do well to examine these plans very carefully from a privacy perspective.
As I explained earlier, part of my role as Privacy Commissioner is to educate Canadians about their privacy rights, and to encourage them to be active participants in debating privacy issues.
Bringing Canadians into the debate over the privacy of health care information will be a strong focus of my office over the next year, as we approach the implementation of the new law as it applies to health care information as part of a larger focus on health information privacy in general.
Before any of us we can play a meaningful part in the debate about where we go from here, we must be clear on exactly where "here" is.
As a first step, we have been asking the health sector for some time to improve the transparency of the flow of health information. Few patients are aware their health information is travelling well beyond the walls of their doctor's office already.
We have received little information to date. Our objective is to make all of the flows of information visible to patients. This applies especially to things like using patient information for research or patient registries - uses and disclosures not directly related to their care.
We have yet to see a great demand from the public for better control over personal health information. I am not surprised. I believe it is a direct result of how little knowledge patients have about the extent to which their private information is not as private as they might think.
Once we have that transparency in the health system, I think the public will develop a much more active interest in these issues.
I can assure you the Office of the Privacy Commissioner will take an active part in the debate. Our office will consult with experts in the health privacy field, and ensure their views are widely known.
We will be developing clear policies positions on a variety of health privacy issues. We want to make sure patient advocates have the tools they need to keep their constituencies informed on the issues, so those individuals can join the debate from a position of strength.
I also plan to maintain an ongoing dialogue with patient and consumer groups to obtain their input on these important questions firsthand. I must again commend the cma for having taken the lead in this area by putting this conference together.
This conference, and the follow-up meeting, are a vital part of the process of sharing and building knowledge and expertise. The protection of the individual's right to privacy is the cornerstone of a free, democratic society. I look forward in the years ahead to all of us working together to reinforce that cornerstone.
Thank you for your attention, and best wishes for a productive conference.
- Date modified: