Big Data Requires Big Privacy Ann Cavoukian, Ph.D.Information and Privacy Commissioner Ontario The Data Effect October 19, 2012
Presentation Outline1. Importance of Protecting Personal Health Information2. Importance of Health Research and Analysis3. Consequences if Inadequate Attention to Privacy4. Personal Health Information Protection Act (PHIPA)4. Legislative Safeguards5. Additional Safeguards that Should be Implemented6. Privacy by Design: The Gold Standard7. Conclusions
Importance of ProtectingPersonal Health Information
Unique Characteristics of Personal Health Information• Highly sensitive and personal in nature;• Must be shared immediately and accurately among a range of health care providers for the benefit of the individual;• Widely used and disclosed for secondary purposes seen to be in the public interest (e.g., research, health system planning and evaluation, quality assurance);• Dual nature of personal health information is reflected in the health privacy legislation in Ontario.
“Big Data”• Each day we create 2.5 quintillion bytes of data – 90% of the data today has been created in the past 2 years;• Big data analysis and data analytics promises new opportunities to gain valuable insights and benefits;• However, it can also enable expanded surveillance and increase the risk of unauthorized use and disclosure, on a scale previously unimaginable.
The Case for Health Research and AnalysisHealth research and analytics are vital in: • Understanding the determinants of health; • Informing and improving clinical practice guidelines; • Identifying and achieving cost efficiencies; • Facilitating health promotion and disease prevention; • Assessing the need for health services; • Evaluating the services provided; • Allocating resources to the health system; • Educating the public how to improve their health.
Consequences if Inadequate Attention to Privacy
Consequences if Inadequate Attention to Privacy• Individuals may suffer discrimination, stigmatization and economic or psychological harm;• Individuals may be deterred from seeking testing or treatment or may engage in multiple doctoring;• Individuals may withhold or falsify information provided;• Loss of trust or confidence in the health system;• Damage to the reputation of the health care provider;• Lost time and expenditure of resources needed to contain, investigate and remediate privacy breaches;• Costs of legal liabilities and ensuing proceedings.
Personal HealthInformation Protection Act (PHIPA)
Recognition of the Value of Health Research and Analysis• The Personal Health Information Protection Act (PHIPA) came into effect on November 1, 2004;• It recognizes the value of health research and analysis;• PHIPA permits health care providers to collect, use and disclose personal health information for purposes beyond the provision of health care, in appropriate circumstances;• PHIPA attempts to ensure that these other purposes are achieved in a manner that minimizes the impact on privacy.
Legislative Framework with Oversight• A legislative framework, PHIPA, governs the collection, use and disclosure of personal health information in the health sector;• Section 16 of PHIPA requires health care providers to be transparent about their information practices, including their information practices related to research and analysis;• Section 12 of PHIPA requires health care providers to notify individuals at the first reasonable opportunity about privacy breaches – mandatory breach notification;• Section 56 of PHIPA provides individuals with the right to complain to my office about contraventions of PHIPA.
Order-Making Powers and Offence Provisions• My office has broad order-making powers;• A person affected by a final order issued by my office may commence a lawsuit for damages for actual harm suffered as a result of a breach of PHIPA;• PHIPA also creates offences, such as for wilfully collecting, using or disclosing personal health information in contravention of PHIPA;• On conviction, an individual may be liable for a fine of up to $50,000 and corporations face fines of up to $250,000.
Data Minimization• Data minimization is the most important safeguard in protecting personal health information, including for purposes for health research and analysis;• PHIPA prohibits health care providers from collecting, using or disclosing personal health information if other information (such as de-identified or anonymized information) will serve the purpose;• It also prohibits health care providers from collecting, using or disclosing more personal health information than is reasonably necessary to meet the purpose.
Dispelling the Myths about De-Identification…• The claim that de-identification has no value in protecting privacy due to the ease of re-identification, is a myth;• If proper de-identification techniques and re-identification risk management procedures are used, re-identification becomes a very difficult task;• While there may be a residual risk of re-identification, in the vast majority of cases, de-identification will strongly protect the privacy of individuals when additional safeguards are in place. www.ipc.on.ca/English/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=1084
Data De-Identification Tool• Developed by Dr. Khaled El Emam, a leading investigator at the Children s Hospital of Eastern Ont. Research Institute;• De-identification tool that minimizes the risk of re-identification based on: - The low probability of re-identification; - Whether mitigation controls are in place; - Motives and capacity of the recipient; - The extent a breach invades privacy;• Simultaneously maximizes privacy and data quality while minimizing distortion to the original database. www.ipc.on.ca/images/Resources/positive-sum-khalid.pdf
Evidence that the Tool Works• Dr. El Emam was approached to create a longitudinal public use dataset using his de-identification tool for the purposes of a global data mining competition – the Heritage Health Prize;• Participants in the Heritage Health Prize competition were asked to predict, using de-identified claims data, the number of days patients would be hospitalized in a subsequent year;• Dr. El Emam won the competition, but before awarding him the prize, his de-identified dataset was subjected to a strong re-identification attack by a highly skilled expert;• The expert concluded the dataset could not be re-identified – Dr. El Emams de-identification tool was highly successful!
Evidence that Re-Identification is Extremely Difficult• A literature search by Dr. El Emam et al. identified 14 published accounts of re-identification attacks on de-identified data;• A review of these attacks revealed that one quarter of all records and roughly one-third of health records were re-identified;• However, Dr. El Emam found that only 2 out of the 14 attacks were made on records that had been properly de-identified using existing standards;• Further, only 1 of the 2 attacks had been made on health data, resulting in a very low re-identification success rate of 0.013%.
Data Minimization for Record Linkages• Dr. El Emam has also developed a protocol for securely linking databases without sharing any identifying information;• The protocol uses an encryption system to identify and locate records relating to an individual, existing in multiple datasets;• This involves encrypting personal identifiers in each dataset and comparing only the encrypted identifiers, using mathematical operations, resulting in a list of matched records, without revealing any personal identifiers;• The protocol promotes compliance with existing prohibition in PHIPA by allowing linkages of datasets without the disclosure of any identifying information – a win/win solution – positive-sum!
Additional Safeguards that Should be Implemented
Privacy by Design: The 7 Foundational Principles1. Proactive not Reactive: Preventative, not Remedial;2. Privacy as the Default setting;3. Privacy Embedded into Design;4. Full Functionality: Positive-Sum, not Zero-Sum;5. End-to-End Security: Full Lifecycle Protection;6. Visibility and Transparency: Keep it Open;7. Respect for User Privacy: Keep it User-Centric. www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf
Adoption of “Privacy by Design” as an International StandardLandmark Resolution Passed to Preservethe Future of PrivacyBy Anna Ohlden – October 29th 2010 - http://www.science20.com/newswire/landmark_resolution_passed_preserve_future_privacyJERUSALEM, October 29, 2010 – A landmark Resolution byOntarios Information and Privacy Commissioner, Dr. Ann Cavoukian,was unanimously passed by International Data Protection and PrivacyCommissioners in Jerusalem today at their annual conference.The resolution ensures that privacy is embedded into new technologiesand business practices, right from the outset – as an essentialcomponent of fundamental privacy protection. Full Article: http://www.science20.com/newswire/landmark_resolution_passed_preserve_future_privacy
Privacy by Design: Proactive in 25 Languages!1. English 9. Hebrew 17. Russian2. French 10. Hindi 18. Romanian3. German 11. Chinese 19. Portuguese4. Spanish 12. Japanese 20. Maltese5. Italian 13. Arabic 21. Greek6. Czech 14. Armenian 22. Macedonian7. Dutch 15. Ukrainian 23. Bulgarian8. Estonian 16. Korean 24. Croatian 25. Polish
Conclusions• Big Data promises new opportunities to gain valuable insights and benefits for the health system;• However, Big Data may also enable expanded surveillance and increase the risk of unauthorized use;• PHIPA permits the use and disclosure of personal health information for health research and analysis with safeguards such as data minimization and privacy oversight built directly into the legislation;• But compliance with legislative safeguards is not enough – to reap the benefits of big data, we must get smart about privacy and lead with Privacy by Design;• Big Data needs Big Privacy – you can achieve both goals in a positive-sum paradigm through Privacy by Design.
How to Contact Us Ann Cavoukian, Ph.D. Information & Privacy Commissioner of Ontario 2 Bloor Street East, Suite 1400 Toronto, Ontario, Canada M4W 1A8 Phone: (416) 326-3948 / 1-800-387-0073 Web: www.ipc.on.ca E-mail: firstname.lastname@example.orgFor more information on Privacy by Design, please visit: www.privacybydesign.ca