Research Ethics Board
May 7, 2003
Privacy Commissioner of Canada
(Check against delivery)
I'm very interested in the work of research ethics boards, because I believe that privacy is among the highest of ethical obligations. It's good to see that Health Canada has taken such vigorous steps to ensure the protection of personal health information in the research activities in which it's involved.
The timing of this meeting is important. The Personal Information Protection and Electronic Documents Act, which regulates how organizations can collect, use and disclose personal information, will soon provide comprehensive protection against unwarranted invasions of people's privacy. Because of the way that modern research is structured and financed in Canada, many research activities will be captured by the Act when its purview expands in January 2004 to include all organizations engaged in commercial activities.
Many people in health research are understandably concerned about the potential impact of the Act on their studies. We all have an obvious interest in ensuring that researchers have access to the data they need to conduct high-quality research. On the other hand, it is important that researchers, data custodians and research ethics boards understand and comply with the law.
Let me be clear right from the outset: I have absolutely no intention as Privacy Commissioner of being an obstacle to health research, which plays such a vital role in saving lives and improving lives. I don't believe that respect for privacy is an impediment to health research - in fact, in today's world it's a condition essential to its success. And I am confident that the PIPED Act is entirely compatible with the successful carrying out of health research.
In my remarks this morning, I'd like to explain my position on privacy rights as they relate to health research. But first, I want to say a few words about the nature of privacy and the purpose of the Act.
Privacy is a fundamental human right, recognized as such in the United Nations declaration of human rights. It is, as Justice La Forest of the Supreme Court of Canada so eloquently put it, "at the heart of liberty in a modern state."
But it's not only a fundamental human right, it's also an innate human need. When you go home at night, you probably close the curtains, draw the blinds - not because you're doing something bad, but because you need your privacy.
If you're on an airplane or a bus reading a book and someone starts reading over your shoulder, it probably makes you uncomfortable. It's not that what you're reading is secret or embarrassing - it's just that your privacy is being invaded.
If you've ever had the misfortune of having your home or even your car broken into, you know that the sense of intrusion - of having your privacy violated - can be even more painful than the loss of whatever was actually stolen.
I define privacy as the right to control access to one's person and to information about oneself. And nowhere is that fundamental human right, that innate human need, the right of privacy, more important than with regard to personal health information - information about the state of our own bodies and minds.
The Personal Information Protection and Electronic Documents Act, or the PIPED Act as we call it, attempts to balance the privacy rights of individuals against the needs of organizations to collect, use or disclose personal information. Enacted under the federal government's trade and commerce power, it is a truly modern statute designed to address a thoroughly modern problem.
The problem is this. Until relatively recently, privacy was protected pretty much by default. As long as information about us was in paper records, and scattered over a whole lot of locations, someone would have had to go to a lot of trouble to compile a detailed dossier on any individual. But now the move to electronic record keeping is eating away at the barriers of time, distance and cost that once guarded our privacy. Advances in information management have made it possible to collect, warehouse, link and cross-reference information as never before. This has increased efficiency in record keeping and multiplied the possibilities for combining data in ways likely to lead to new scientific discoveries. But it has also increased the risks of mismanagement and misuse of information, with all the potential harm that this can entail.
That's why we need the Act. It sets up a regime to regulate collection, use and disclosure of personal information, recognizing that not all reasons for using and disclosing personal information are equally valid, and that privacy is not an absolute right.
Here's what the Act says, in a nutshell:
Apart from a few limited exceptions, no organization can collect, use, or disclose personal information about an individual without that individual's consent.
The only purpose to which such information can be put is the purpose for which the consent was given.
Even with consent, an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
Everyone has the right to see what personal information an organization has about them, and to correct any inaccuracies.
There is independent oversight - that's me and my Office - to ensure that the law is respected. And there is redress if people's rights are violated.
Right now, the Act applies to all personal information, including personal health information, that's collected, used or disclosed in the course of commercial activities by federal works, undertakings, and businesses, including information held about employees. The Act also applies to personal information that's held by provincially regulated organizations when it's sold, leased or bartered across provincial or national boundaries.
Beginning in January 2004, the Act will apply to all personal information collected, used or disclosed in the course of commercial activities by all organizations in Canada. And this is where research activities get captured.
But the Act does not apply in one special circumstance. In provinces that have passed privacy legislation that is "substantially similar" to the federal Act, the Governor in Council can exempt all or part of the provincially regulated private sector from the application of the Act for commercial activities that take place within the province's boundaries. The Act will continue to apply to federal works, undertakings and businesses in all provinces. And it will also continue to apply to personal information when it's collected, used or disclosed across provincial or national boundaries.
That's the statute in a nutshell.
I mentioned earlier that the Act does not treat all reasons for using or disclosing personal information the same. For example, section 7 exempts organizations from seeking consent for the disclosure and use of information for certain purposes, one of which is scholarly research.
Specifically, paragraphs 7(2)(c) and 7(3)(f) of the Act permit an organization to use or disclose personal information without the knowledge or consent of the individual to whom it pertains if each of the following five conditions are met.
First, the disclosure or use must be strictly for statistical or scholarly study or research.
Second, the purposes cannot be achieved without using or disclosing the information.
Third, the information must be used in a manner that safeguards its confidentiality.
Fourth, obtaining consent must be impracticable.
And finally, the organization seeking exemption under section 7 of the Act must inform me - the Privacy Commissioner - of the proposed use or disclosure beforehand.
In short, the Act recognizes that purposes such as scholarly research need different rules, but demands that safeguards be built into the researcher's information handling systems so that the individuals whose personal information is being used are not inadvertently harmed in the process.
Clearly, the Act was never intended to deter or impede legitimate health research that uses information in ways that can have no possible impact on the individuals to whom it pertains.
As I formally stated in my Annual Report of December 2001, I therefore intend to interpret very broadly the definition of statistical or scholarly study or "research" in the Act.
Any bona fide health research, undertaken by legitimate organizations under appropriate safeguards, will, in my view, constitute "statistical or scholarly study or research" even if there is an element of pecuniary interest involved.
Second, I accept that health research, by its nature, requires personal information, although researchers should use the least identifiable information that will accomplish the desired purpose. As for the impracticability of obtaining consent, I accept as a general principle that cost factors and the difficulty of obtaining consent from 100 percent of a target population may make it impracticable to obtain individual consent for many health research studies. I therefore intend to take an expansive and liberal view on the question of impracticability of consent.
As for the requirement to inform me beforehand of any research for which an exemption under section 7 is sought, this too is something on which I intend to take a very liberal - I should say, reasonable and practical - approach. I and my Office have neither the resources nor the wish to be kept apprised of every single health research project taking place across Canada. Rather, I would want to be made aware of all the organizations carrying out such research, and the safeguards under which they operate.
And that brings me to the final condition for an exemption, and it's a crucial one. All this liberal interpretation on my part comes with an absolutely inflexible requirement: the information used for health research must remain strictly within the confines of the research project and it must be used in a manner that cannot in any way harm the individual to whom it pertains.
Under no circumstances whatsoever can it find its way to the individual's employers, insurers, relatives or acquaintances, governmental or law enforcement authorities, marketers or any other third parties. And the individual must not be contacted as a result of this information by anyone other than his or her own physician, or other primary health care provider, as the case may be. I will regard any breach whatsoever of this condition as an extremely grave violation of the Act.
In other words, when it comes to secondary uses of personal health information for health research projects, rule No. 1 is Do No Harm. You will recognize this as the principal ethic of the Hippocratic oath, which has been the cornerstone of medical ethics for the past 2 1/2 millennia, and which, not coincidentally, considers privacy the linchpin of the doctor-patient relationship!
Privacy and health care are inextricably linked. If people cannot feel confident that their personal information is safe with their doctor, the consequences will be dire. We know that many diseases have a better prognosis if they're caught and treated early. We also know that treating illness is more costly than preventive approaches. If people are reluctant to seek treatment, or if patients stop confiding in their doctors, both public health and the public purse will suffer.
But ethics and sound fiscal management aside, health researchers have their own pragmatic reasons for safeguarding privacy rights where personal health information is concerned. If people fear going to the doctor, even research samples will be skewed. Can you imagine how rapidly the quality and availability of data would deteriorate if patients began withholding information from their doctors or decided to forgo routine tests and visits to doctors in all but life-threatening situations?
Perhaps that's why privacy and confidentiality concerns have figured so prominently in the guidelines for screening scientific research projects in Canada. For example, Section 3 of the Tri-Council Policy Statement on Ethical Conduct for Research Involving Humans requires researchers to identify the purposes for which they will use information; it also places limits on information use, disclosure and retention. The Statement's position on avoiding harm is consistent with my own; it notes that individuals should be protected from harm caused by unauthorized use of personal information that they have reason to believe will remain private.
Research ethics boards have also played an important role in the health research community, helping ensure that Canadian research projects meet high ethical standards. Although a green light from a research ethics board can't trump the Act, I think that ethics boards can help researchers comply with the Act by incorporating the principles of fair information practices into their screening guidelines.
But the statute gives me the final word. Parliament has entrusted me with the duty of overseeing compliance with the Act. So let me say a few words about interpretation, particularly since people in the health research community have often sought greater clarity in the provisions of the PIPED Act.
In 2001, the Canadian Institutes for Health Research proposed that the Act incorporate regulations offering guidance on several points that would prevent researchers from running afoul of the Act. As you probably know, I and my Office opposed such regulations - but not necessarily because I disagreed with their content. Rather, I feared that certainty would come at too great a cost, that the law would lose the flexibility needed to cope with both the accelerating pace of changing information technologies and the evolving nature of privacy. For example, although a certain piece of personal information may be entirely anonymous based on today's technology, tomorrow the same piece of information may be easy to trace instantly back to its source. Also, I thought that dotting every "i" and crossing every "t" would invite people to look for loopholes.
On the other hand, putting a watchdog with wide powers of discretion in charge of administering privacy protection affords a much more nuanced approach than relying on a narrowly legalistic view of the law. Although I have a law degree and a deep respect for the courts, black-letter law just can't always cope with the subtleties of privacy. It doesn't permit the level of discretion, sensitivity, and flexibility required to give effect to privacy as a right.
We've seen a lot of instances over the last few years where something that's deeply offensive and privacy-invasive is in fact not a violation of the letter of the law. The routine opening of international mail by Customs agents, for example, was not a violation of the law. But it was a grave privacy infringement nonetheless. It would have been difficult to challenge in court. But persuasion, flexibility, and reasonableness led to victories for privacy, and for all the parties concerned.
That kind of outcome, where you look beyond the letter of the law to better capture its spirit, is specific to the ombudsman model. And it works best when a privacy commissioner has some discretion to read the law in a sensitive, purposive way.
The same holds for the other side of the equation. Rigid regulations could backfire on their proponents, restricting research in ways that a common sense approach could avoid.
Which brings me to another concern that has been raised in the health research community. When a particular use or disclosure of personal information is brought to my attention and I have to decide whether it violates the Act, I have to ask whether a reasonable person would consider the use or disclosure of the information for such purposes appropriate in the circumstances.
That's what section 3 says. What does it mean?
The reasonable person test is a long-standing feature of the common law that has been imported into many statutes. Its premise is that common sense, rather than advanced learning or high-level intellect, is all it takes to interpret the law.
Who is this hypothetical reasonable person? For the purposes of the PIPED Act, it's me. It's my job, on behalf of Canadians, to look at all the facts from the perspective of a reasonable person and determine whether the reasons for using, collecting or disclosing personal information were appropriate in the circumstances.
The PIPED Act gives the Privacy Commissioner a great deal of discretion to interpret the Act and to seek out violators without waiting for a complaint to be filed. Some people have expressed concern about these wide powers of discretion and about the potential chilling effect that uncertainty will have on health research.
Let me attempt to put this fear to rest. Similar alarms were sounded by some health groups while the Act was in Committee and even after it came into force in 2001. These groups lobbied for further delays in the application of the Act believing that it would have a dramatically negative impact on the health system. More than a year later, it's clear that their fears were unfounded. From where I sit, there has been no negative impact on the health system, nor any apparent inconvenience to business.
And I predict that the health research community will experience essentially the same smooth transition when the purview of the Act expands to encompass the entire private sector in January of next year.
So, if you've been among those who had concerns, I hope that I have managed to allay some of them. The essence of my approach will be to allow health researchers to peer discreetly over the shoulder of the physician or primary health care provider. But with this privileged access will come the added responsibility of keeping information securely inside this larger circle.
It goes almost without saying that health research has a highly respected place in our society. We place great store in the new vaccines, new treatments and new medical technologies that have eliminated diseases and saved lives. Recently, there has also been a growing interest in health promotion research, research directed not only at combating illness or prolonging life, but at improving health and well being. Once content to prolong life, we now want to improve its quality, to live better.
I raise this point in the context of a talk about privacy because many people in the health sector have argued that we may need to accept certain infringements on our privacy today in return for the benefits we will derive from medical research tomorrow.
I don't think that this is a necessary or appropriate trade-off. In every speech I've given since I was appointed Privacy Commissioner, I've made a point of emphasizing the importance of privacy to individuals and to society. Privacy is a critical element in the basic freedoms that make our society worth living in. I rank it right up there with freedom of speech, freedom of association and freedom of conscience. If medical knowledge and lifesaving treatments come at a cost of our fundamental freedoms, how much joy will we derive from our prolonged lives and better health? We say that health is priceless. But is it really? Or does the world you live in have something to do with how much you can enjoy your good health. And isn't that why modern societies created human rights?
Earlier I mentioned the policy dialogue that has grown up around the PIPED Act. Public policy development in Canada is a strangely adversarial process that becomes increasingly polarized the longer the debate continues. Sometimes the race to distance ourselves from one another obscures how much we have in common.
But instinct tells me I, as Privacy Commissioner, and you as proponents of health research share much common ground. Health researchers in fact almost always frame their case for access to data in terms that recognize the importance of protecting personal health information, given its fundamental and intimate connection with the right to dignity, integrity and autonomy. I know that they recognize the compelling need to address public concerns for privacy and confidentiality of personal health information, as technological advances have made increasingly sophisticated data manipulation possible. And I'm confident that they recognize that policies and guidelines need to evolve in tandem with technology, to ensure that appropriate safeguards are in place and that fundamental rights to privacy and confidentiality are respected.
Although scientists and privacy commissioners come at the issue of privacy with different lenses and different analytical tools, I think that we share a common concern for human dignity and the quality of people's lives. I look forward to a continued lively dialogue with Canada's health research community.