
Page 1: Ann Cavoukian Presentation

Ann Cavoukian, Ph.D. Information and Privacy Commissioner

Ontario

The Data Effect October 19, 2012

Big Data Requires Big Privacy

Page 2: Ann Cavoukian Presentation

Presentation Outline

1. Importance of Protecting Personal Health Information
2. Importance of Health Research and Analysis
3. Consequences if Inadequate Attention to Privacy
4. Personal Health Information Protection Act (PHIPA)
5. Legislative Safeguards
6. Additional Safeguards that Should be Implemented
7. Privacy by Design: The Gold Standard
8. Conclusions

Page 3: Ann Cavoukian Presentation

Importance of Protecting Personal Health Information

Page 4: Ann Cavoukian Presentation

Unique Characteristics of Personal Health Information

• Highly sensitive and personal in nature;
• Must be shared immediately and accurately among a range of health care providers for the benefit of the individual;
• Widely used and disclosed for secondary purposes seen to be in the public interest (e.g., research, health system planning and evaluation, quality assurance);
• The dual nature of personal health information is reflected in the health privacy legislation in Ontario.

Page 5: Ann Cavoukian Presentation

Importance of Health Research and Analysis

Page 6: Ann Cavoukian Presentation

“Big Data”

• Each day we create 2.5 quintillion bytes of data – 90% of the data today has been created in the past 2 years;

• Big data analysis and data analytics promises new opportunities to gain valuable insights and benefits;

• However, it can also enable expanded surveillance and increase the risk of unauthorized use and disclosure, on a scale previously unimaginable.

Page 7: Ann Cavoukian Presentation

The Case for Health Research and Analysis

Health research and analytics are vital in:
• Understanding the determinants of health;
• Informing and improving clinical practice guidelines;
• Identifying and achieving cost efficiencies;
• Facilitating health promotion and disease prevention;
• Assessing the need for health services;
• Evaluating the services provided;
• Allocating resources to the health system;
• Educating the public on how to improve their health.

Page 8: Ann Cavoukian Presentation

Consequences if Inadequate Attention to Privacy

Page 9: Ann Cavoukian Presentation

Consequences if Inadequate Attention to Privacy

•  Individuals may suffer discrimination, stigmatization and economic or psychological harm;

•  Individuals may be deterred from seeking testing or treatment or may engage in multiple doctoring;

• Individuals may withhold or falsify information provided;
• Loss of trust or confidence in the health system;
• Damage to the reputation of the health care provider;
• Lost time and expenditure of resources needed to contain, investigate and remediate privacy breaches;
• Costs of legal liabilities and ensuing proceedings.

Page 10: Ann Cavoukian Presentation

Personal Health Information Protection Act

(PHIPA)

Page 11: Ann Cavoukian Presentation

Recognition of the Value of Health Research and Analysis

•  The Personal Health Information Protection Act (PHIPA) came into effect on November 1, 2004;

• It recognizes the value of health research and analysis;
• PHIPA permits health care providers to collect, use and disclose personal health information for purposes beyond the provision of health care, in appropriate circumstances;

•  PHIPA attempts to ensure that these other purposes are achieved in a manner that minimizes the impact on privacy.

Page 12: Ann Cavoukian Presentation

Legislative Safeguards

Page 13: Ann Cavoukian Presentation

Legislative Framework with Oversight

• A legislative framework, PHIPA, governs the collection, use and disclosure of personal health information in the health sector;

• Section 16 of PHIPA requires health care providers to be transparent about their information practices, including their information practices related to research and analysis;

• Section 12 of PHIPA requires health care providers to notify individuals at the first reasonable opportunity about privacy breaches – mandatory breach notification;

• Section 56 of PHIPA provides individuals with the right to complain to my office about contraventions of PHIPA.

Page 14: Ann Cavoukian Presentation

Order-Making Powers and Offence Provisions

• My office has broad order-making powers;
• A person affected by a final order issued by my office may commence a lawsuit for damages for actual harm suffered as a result of a breach of PHIPA;

•  PHIPA also creates offences, such as for wilfully collecting, using or disclosing personal health information in contravention of PHIPA;

•  On conviction, an individual may be liable for a fine of up to $50,000 and corporations face fines of up to $250,000.

Page 15: Ann Cavoukian Presentation

Data Minimization

• Data minimization is the most important safeguard in protecting personal health information, including for the purposes of health research and analysis;

•  PHIPA prohibits health care providers from collecting, using or disclosing personal health information if other information (such as de-identified or anonymized information) will serve the purpose;

•  It also prohibits health care providers from collecting, using or disclosing more personal health information than is reasonably necessary to meet the purpose.

Page 16: Ann Cavoukian Presentation

Dispelling the Myths about De-Identification…

•  The claim that de-identification has no value in protecting privacy due to the ease of re-identification, is a myth;

•  If proper de-identification techniques and re-identification risk management procedures are used, re-identification becomes a very difficult task;

•  While there may be a residual risk of re-identification, in the vast majority of cases, de-identification will strongly protect the privacy of individuals when additional safeguards are in place.

www.ipc.on.ca/English/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=1084

Page 17: Ann Cavoukian Presentation

Data De-Identification Tool

• Developed by Dr. Khaled El Emam, a leading investigator at the Children’s Hospital of Eastern Ont. Research Institute;
• De-identification tool that minimizes the risk of re-identification based on:
  - The low probability of re-identification;
  - Whether mitigation controls are in place;
  - Motives and capacity of the recipient;
  - The extent a breach invades privacy;
• Simultaneously maximizes privacy and data quality while minimizing distortion to the original database.

www.ipc.on.ca/images/Resources/positive-sum-khalid.pdf
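As an added illustration (not Dr. El Emam's tool or its algorithm), the following shows the kind of re-identification probability measurement such tools rest on: records are grouped into equivalence classes by their quasi-identifiers, the worst-case and average probability of picking the right record (1/k) is reported, and the least distorting generalization level that still meets a k threshold is chosen. The sample records and the generalization hierarchy (full date of birth to birth year to decade; full postal code to its first three characters to suppressed) are constructed for the example.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not real data): quasi-identifiers plus one
# clinical attribute. Direct identifiers have already been removed.
RECORDS: List[Dict[str, str]] = [
    {"dob": "1971-03-14", "sex": "F", "postal": "M4W1A8", "dx": "asthma"},
    {"dob": "1971-07-02", "sex": "F", "postal": "M4W2B1", "dx": "diabetes"},
    {"dob": "1971-11-30", "sex": "F", "postal": "M4W3C9", "dx": "asthma"},
    {"dob": "1985-01-09", "sex": "M", "postal": "K1H8L1", "dx": "flu"},
    {"dob": "1985-05-21", "sex": "M", "postal": "K1H5X4", "dx": "fracture"},
    {"dob": "1988-09-17", "sex": "M", "postal": "L5B4M2", "dx": "asthma"},
]

def generalize(rec: Dict[str, str], level: int) -> Tuple[str, ...]:
    """Quasi-identifier tuple at a generalization level (hypothetical hierarchy):
    0 = full date of birth, sex, full postal code
    1 = birth year, sex, forward sortation area (first 3 postal characters)
    2 = birth decade, sex (postal code suppressed)"""
    dob, sex, postal = rec["dob"], rec["sex"], rec["postal"]
    if level == 0:
        return (dob, sex, postal)
    if level == 1:
        return (dob[:4], sex, postal[:3])
    return (dob[:3] + "0s", sex)

def risk_profile(records: List[Dict[str, str]], level: int) -> Dict[str, float]:
    """Equivalence-class (k-anonymity) view of re-identification probability.
    An adversary who knows a person is in the dataset and knows their
    quasi-identifiers picks the right record with probability 1/k."""
    classes = Counter(generalize(r, level) for r in records)
    k_min = min(classes.values())
    return {
        "min_k": k_min,
        "max_risk": 1 / k_min,                    # worst-case record
        "avg_risk": len(classes) / len(records),  # sum over records of 1/k, divided by N
    }

def choose_level(records: List[Dict[str, str]], k_threshold: int) -> Optional[int]:
    """Smallest generalization level at which every class has k >= threshold,
    i.e. the least distortion that still meets the risk target; None if none does."""
    for level in range(3):
        if risk_profile(records, level)["min_k"] >= k_threshold:
            return level
    return None

if __name__ == "__main__":
    for lvl in range(3):
        print(lvl, risk_profile(RECORDS, lvl))
    print("level meeting k>=3:", choose_level(RECORDS, 3))
```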

Page 18: Ann Cavoukian Presentation

Evidence that the Tool Works

• Dr. El Emam was approached to create a longitudinal public use dataset using his de-identification tool for the purposes of a global data mining competition – the Heritage Health Prize;

• Participants in the Heritage Health Prize competition were asked to predict, using de-identified claims data, the number of days patients would be hospitalized in a subsequent year;

• Dr. El Emam won the competition, but before awarding him the prize, his de-identified dataset was subjected to a strong re-identification attack by a highly skilled expert;

• The expert concluded the dataset could not be re-identified – Dr. El Emam's de-identification tool was highly successful!

Page 19: Ann Cavoukian Presentation

Evidence that Re-Identification is Extremely Difficult

• A literature search by Dr. El Emam et al. identified 14 published accounts of re-identification attacks on de-identified data;

• A review of these attacks revealed that one quarter of all records and roughly one-third of health records were re-identified;

• However, Dr. El Emam found that only 2 out of the 14 attacks were made on records that had been properly de-identified using existing standards;

• Further, only 1 of the 2 attacks had been made on health data, resulting in a very low re-identification success rate of 0.013%.

Page 20: Ann Cavoukian Presentation

Data Minimization for Record Linkages

•  Dr. El Emam has also developed a protocol for securely linking databases without sharing any identifying information;

•  The protocol uses an encryption system to identify and locate records relating to an individual, existing in multiple datasets;

•  This involves encrypting personal identifiers in each dataset and comparing only the encrypted identifiers, using mathematical operations, resulting in a list of matched records, without revealing any personal identifiers;

• The protocol promotes compliance with the existing prohibition in PHIPA by allowing linkage of datasets without the disclosure of any identifying information – a win/win solution – positive-sum!
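To make the idea on this slide concrete, here is an added example (not Dr. El Emam's protocol or code) of linkage on encrypted identifiers: each custodian canonicalizes its identifiers, replaces them with a keyed HMAC token, and sends only tokens to a linkage party, which intersects the token sets and returns matched row pairs without ever seeing a name or health card number. The two datasets, the field names and the shared key are constructed for the example; the key is assumed to be shared by the custodians and withheld from the linkage party.

```python
import hashlib
import hmac
import unicodedata
from typing import Dict, List, Tuple

# Constructed sample datasets (not real data) from two hypothetical custodians.
# Only identifiers are tokenized; the clinical fields never leave the custodian.
HOSPITAL = [
    {"hcn": "1234-567-890", "name": "Maria  Lopez", "dob": "1971-03-14", "visit": "asthma"},
    {"hcn": "2222-333-444", "name": "J. Chen",      "dob": "1985-01-09", "visit": "flu"},
]
LAB = [
    {"hcn": "1234567890",   "name": "maria lopez",  "dob": "1971-03-14", "result": "HbA1c 5.4"},
    {"hcn": "9999-000-111", "name": "Sam Patel",    "dob": "1960-09-17", "result": "CBC normal"},
]

# Secret shared by the data custodians and withheld from the linkage party.
# Constructed value for the demo; a real deployment would use a managed key.
SHARED_KEY = b"constructed-demo-linkage-key"

def normalize(hcn: str, name: str, dob: str) -> str:
    """Canonicalize identifiers so formatting differences do not defeat matching."""
    digits = "".join(ch for ch in hcn if ch.isdigit())
    name_n = " ".join(unicodedata.normalize("NFKC", name).casefold().split())
    return f"{digits}|{name_n}|{dob}"

def pseudonymize(rec: Dict[str, str], key: bytes) -> str:
    """Keyed token for one record. HMAC rather than a bare hash: health card
    numbers and names are enumerable, so an unkeyed digest could be reversed
    by a party that guesses candidates; without the key the token is opaque."""
    msg = normalize(rec["hcn"], rec["name"], rec["dob"]).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def linkage_tokens(dataset: List[Dict[str, str]], key: bytes) -> Dict[str, int]:
    """What a custodian sends to the linkage party: token -> local row number."""
    return {pseudonymize(r, key): i for i, r in enumerate(dataset)}

def link(tokens_a: Dict[str, int], tokens_b: Dict[str, int]) -> List[Tuple[int, int]]:
    """Linkage party: intersect token sets, return matched (row_a, row_b) pairs.
    It learns which rows correspond, never the identifiers behind them."""
    return sorted((tokens_a[t], tokens_b[t]) for t in tokens_a.keys() & tokens_b.keys())

if __name__ == "__main__":
    pairs = link(linkage_tokens(HOSPITAL, SHARED_KEY), linkage_tokens(LAB, SHARED_KEY))
    print("matched rows:", pairs)
```

Each custodian then uses the returned row numbers to pull the linked records locally, so the combined dataset is assembled without either side disclosing identifiers to the other or to the linker.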

Page 21: Ann Cavoukian Presentation

Additional Safeguards that

Should be Implemented

Page 22: Ann Cavoukian Presentation

The Decade of Privacy by Design

Page 23: Ann Cavoukian Presentation

Privacy by Design: The 7 Foundational Principles

www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf

1. Proactive not Reactive: Preventative, not Remedial;
2. Privacy as the Default Setting;
3. Privacy Embedded into Design;
4. Full Functionality: Positive-Sum, not Zero-Sum;
5. End-to-End Security: Full Lifecycle Protection;
6. Visibility and Transparency: Keep it Open;
7. Respect for User Privacy: Keep it User-Centric.

Page 24: Ann Cavoukian Presentation

Adoption of “Privacy by Design” as an International Standard

Landmark Resolution Passed to Preserve the Future of Privacy
By Anna Ohlden – October 29th 2010

JERUSALEM, October 29, 2010 – A landmark Resolution by Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, was unanimously passed by International Data Protection and Privacy Commissioners in Jerusalem today at their annual conference. The resolution ensures that privacy is embedded into new technologies and business practices, right from the outset – as an essential component of fundamental privacy protection.

Full Article: http://www.science20.com/newswire/landmark_resolution_passed_preserve_future_privacy

Page 25: Ann Cavoukian Presentation

Privacy by Design: Proactive in 25 Languages!

1. English 2. French 3. German 4. Spanish 5. Italian 6. Czech 7. Dutch 8. Estonian
9. Hebrew 10. Hindi 11. Chinese 12. Japanese 13. Arabic 14. Armenian 15. Ukrainian 16. Korean
17. Russian 18. Romanian 19. Portuguese 20. Maltese 21. Greek 22. Macedonian 23. Bulgarian 24. Croatian 25. Polish

Page 26: Ann Cavoukian Presentation

Conclusions

• Big Data promises new opportunities to gain valuable insights and benefits for the health system;

•  However, Big Data may also enable expanded surveillance and increase the risk of unauthorized use;

•  PHIPA permits the use and disclosure of personal health information for health research and analysis with safeguards such as data minimization and privacy oversight built directly into the legislation;

•  But compliance with legislative safeguards is not enough – to reap the benefits of big data, we must get smart about privacy and lead with Privacy by Design;

•  Big Data needs Big Privacy – you can achieve both goals in a positive-sum paradigm through Privacy by Design.

Page 27: Ann Cavoukian Presentation

How to Contact Us

Ann Cavoukian, Ph.D.
Information & Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario, Canada M4W 1A8

Phone: (416) 326-3948 / 1-800-387-0073
Web: www.ipc.on.ca
E-mail: [email protected]

For more information on Privacy by Design, please visit: www.privacybydesign.ca