Ann Cavoukian Presentation
1. Big Data Requires Big Privacy
Ann Cavoukian, Ph.D.
Information and Privacy Commissioner
Ontario
The Data Effect
October 19, 2012
2. Presentation Outline
1. Importance of Protecting Personal Health Information
2. Importance of Health Research and Analysis
3. Consequences if Inadequate Attention to Privacy
4. Personal Health Information Protection Act (PHIPA)
5. Legislative Safeguards
6. Additional Safeguards that Should be Implemented
7. Privacy by Design: The Gold Standard
8. Conclusions
4. Unique Characteristics of Personal Health Information
• Highly sensitive and personal in nature;
• Must be shared immediately and accurately among a range
of health care providers for the benefit of the individual;
• Widely used and disclosed for secondary purposes seen
to be in the public interest (e.g., research, health system
planning and evaluation, quality assurance);
• Dual nature of personal health information is reflected
in the health privacy legislation in Ontario.
6. “Big Data”
• Each day we create 2.5 quintillion bytes of data
– 90% of the data today has been created in the past
2 years;
• Big data analysis and data analytics promise new
opportunities to gain valuable insights and benefits;
• However, it can also enable expanded surveillance
and increase the risk of unauthorized use and
disclosure, on a scale previously unimaginable.
7. The Case for Health Research and Analysis
Health research and analytics are vital in:
• Understanding the determinants of health;
• Informing and improving clinical practice guidelines;
• Identifying and achieving cost efficiencies;
• Facilitating health promotion and disease prevention;
• Assessing the need for health services;
• Evaluating the services provided;
• Allocating resources to the health system;
• Educating the public on how to improve their health.
9. Consequences if Inadequate Attention to Privacy
• Individuals may suffer discrimination, stigmatization
and economic or psychological harm;
• Individuals may be deterred from seeking testing or
treatment or may engage in multiple doctoring;
• Individuals may withhold or falsify information provided;
• Loss of trust or confidence in the health system;
• Damage to the reputation of the health care provider;
• Lost time and expenditure of resources needed to contain,
investigate and remediate privacy breaches;
• Costs of legal liabilities and ensuing proceedings.
11. Recognition of the Value of Health Research and Analysis
• The Personal Health Information Protection Act (PHIPA)
came into effect on November 1, 2004;
• It recognizes the value of health research and analysis;
• PHIPA permits health care providers to collect, use and
disclose personal health information for purposes beyond
the provision of health care, in appropriate circumstances;
• PHIPA attempts to ensure that these other purposes are
achieved in a manner that minimizes the impact on
privacy.
13. Legislative Framework with Oversight
• A legislative framework, PHIPA, governs the collection,
use and disclosure of personal health information in the
health sector;
• Section 16 of PHIPA requires health care providers to be
transparent about their information practices, including
their information practices related to research and analysis;
• Section 12 of PHIPA requires health care providers to
notify individuals at the first reasonable opportunity about
privacy breaches – mandatory breach notification;
• Section 56 of PHIPA provides individuals with the right
to complain to my office about contraventions of PHIPA.
14. Order-Making Powers and Offence Provisions
• My office has broad order-making powers;
• A person affected by a final order issued by my office
may commence a lawsuit for damages for actual harm
suffered as a result of a breach of PHIPA;
• PHIPA also creates offences, such as for wilfully
collecting, using or disclosing personal health
information in contravention of PHIPA;
• On conviction, an individual may be liable for a fine
of up to $50,000 and corporations face fines of up to
$250,000.
15. Data Minimization
• Data minimization is the most important safeguard in
protecting personal health information, including for
the purposes of health research and analysis;
• PHIPA prohibits health care providers from collecting,
using or disclosing personal health information if other
information (such as de-identified or anonymized
information) will serve the purpose;
• It also prohibits health care providers from collecting,
using or disclosing more personal health information
than is reasonably necessary to meet the purpose.
16. Dispelling the Myths about De-Identification…
• The claim that de-identification has no value in
protecting privacy, because re-identification is easy,
is a myth;
• If proper de-identification techniques
and re-identification risk management
procedures are used, re-identification
becomes a very difficult task;
• While there may be a residual risk of
re-identification, in the vast majority of
cases, de-identification will strongly
protect the privacy of individuals when
additional safeguards are in place.
www.ipc.on.ca/English/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=1084
17. Data De-Identification Tool
• Developed by Dr. Khaled El Emam,
a leading investigator at the
Children's Hospital of Eastern Ontario
Research Institute;
• De-identification tool that minimizes
the risk of re-identification based on:
- The low probability of re-identification;
- Whether mitigation controls are in place;
- Motives and capacity of the recipient;
- The extent a breach invades privacy;
• Simultaneously maximizes privacy
and data quality while minimizing
distortion to the original database.
www.ipc.on.ca/images/Resources/positive-sum-khalid.pdf
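The first of the four factors above, the probability of re-identification, is the one that can be measured directly on the data. The following Python is an added illustration, not code from Dr. El Emam's tool or from this presentation: it measures prosecutor-model risk on a small constructed set of records (not real patients), generalizes the quasi-identifiers (age band, first three postal characters) until every released record hides among at least k others, and then checks the residual weakness that k-anonymity alone leaves open, a class in which everyone shares the same diagnosis. The records, field names and the choice of k = 3 are assumptions for the example; the other three factors (mitigating controls, recipient motives and capacity, extent of invasion) set the threshold a real release would have to meet and are not modelled here.

```python
from collections import Counter

# Constructed sample records, not real patients. Age, postal code and sex are
# the quasi-identifiers an attacker could learn from outside sources; "dx" is
# the sensitive attribute the release is meant to protect.
RECORDS = [
    {"age": 34, "postal": "M4W1A8", "sex": "F", "dx": "asthma"},
    {"age": 36, "postal": "M4W2B1", "sex": "F", "dx": "diabetes"},
    {"age": 31, "postal": "M4W3C4", "sex": "F", "dx": "asthma"},
    {"age": 52, "postal": "K1A0B1", "sex": "M", "dx": "hypertension"},
    {"age": 57, "postal": "K1A1C2", "sex": "M", "dx": "diabetes"},
    {"age": 55, "postal": "K1A2D3", "sex": "M", "dx": "asthma"},
    {"age": 78, "postal": "P0A1A0", "sex": "F", "dx": "dementia"},
]
QIDS = ("age", "postal", "sex")


def qid_key(record, qids):
    return tuple(record[q] for q in qids)


def equivalence_classes(records, qids):
    """Count how many records share each combination of quasi-identifier
    values. A class of size k means an attacker who knows the target's QIDs
    still cannot tell k people apart."""
    return Counter(qid_key(r, qids) for r in records)


def reidentification_risk(records, qids):
    """Prosecutor-model risk: the attacker knows the target is in the data and
    knows the target's QIDs, so each record is re-identified with probability
    1 / (size of its class). Returns (maximum risk, average risk)."""
    classes = equivalence_classes(records, qids)
    per_record = [1 / classes[qid_key(r, qids)] for r in records]
    return max(per_record), sum(per_record) / len(per_record)


def generalize(record):
    """Coarsen the QIDs: exact age becomes a 10-year band and the postal code
    is truncated to its first three characters (the forward sortation area).
    Sensitive attributes are left untouched, so data quality for analysis
    is preserved."""
    lo = (record["age"] // 10) * 10
    out = dict(record)
    out["age"] = f"{lo}-{lo + 9}"
    out["postal"] = record["postal"][:3]
    return out


def k_anonymize(records, qids, k):
    """Generalize every record, then suppress any record whose class is still
    smaller than k. Returns (released records, number suppressed)."""
    generalized = [generalize(r) for r in records]
    classes = equivalence_classes(generalized, qids)
    released = [r for r in generalized if classes[qid_key(r, qids)] >= k]
    return released, len(generalized) - len(released)


def homogeneous_classes(records, qids, sensitive):
    """Classes in which every record carries the same sensitive value. The
    attacker learns the diagnosis without picking out the record, so these
    need further treatment even though they satisfy k-anonymity."""
    values = {}
    for r in records:
        values.setdefault(qid_key(r, qids), set()).add(r[sensitive])
    return [key for key, vals in values.items() if len(vals) == 1]


if __name__ == "__main__":
    print("raw max/avg risk:", reidentification_risk(RECORDS, QIDS))
    released, suppressed = k_anonymize(RECORDS, QIDS, k=3)
    print("released", len(released), "suppressed", suppressed)
    print("released max/avg risk:", reidentification_risk(released, QIDS))
    print("homogeneous classes:", homogeneous_classes(released, QIDS, "dx"))
```

On the raw records every class has size 1, so each record is re-identified with certainty; after generalization the two remaining classes have three members each (risk 1/3) and the one record that is still unique is suppressed rather than released. The last function is the check to run before declaring the release safe: a class is no protection if everyone in it has the same diagnosis.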
18. Evidence that the Tool Works
• Dr. El Emam was approached to create a longitudinal public use
dataset using his de-identification tool for the purposes of a global
data mining competition – the Heritage Health Prize;
• Participants in the Heritage Health Prize competition were asked
to predict, using de-identified claims data, the number of days
patients would be hospitalized in a subsequent year;
• Dr. El Emam won the competition, but before awarding him
the prize, his de-identified dataset was subjected to a strong
re-identification attack by a highly skilled expert;
• The expert concluded the dataset could not be re-identified –
Dr. El Emam's de-identification tool was highly successful!
19. Evidence that Re-Identification is Extremely Difficult
• A literature search by Dr. El Emam et al. identified 14 published
accounts of re-identification attacks on de-identified data;
• A review of these attacks revealed that one quarter of all records
and roughly one-third of health records were re-identified;
• However, Dr. El Emam found that only 2 out of the 14 attacks
were made on records that had been properly de-identified
using existing standards;
• Further, only 1 of the 2 attacks had been made on health data,
resulting in a very low re-identification success rate of 0.013%.
20. Data Minimization for Record Linkages
• Dr. El Emam has also developed a protocol for securely linking
databases without sharing any identifying information;
• The protocol uses an encryption system to identify and locate the
records relating to the same individual across multiple datasets;
• Each party encrypts the personal identifiers in its own dataset, and
only the encrypted identifiers are compared, using mathematical
operations, to produce a list of matched records without revealing
any personal identifiers;
• The protocol supports compliance with PHIPA's existing prohibition on
disclosing personal health information where other information will
serve the purpose, by allowing datasets to be linked without the
disclosure of any identifying information – a win/win solution –
positive-sum!
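The slide describes the protocol only as an encryption system applied to identifiers, so the Python below is an added illustration of the general technique, not Dr. El Emam's protocol or any code from this presentation. It assumes the simplest keyed construction: the two data holders share a secret key (a constructed value here), each replaces its identifiers with an HMAC-SHA256 token of the normalized identifier fields, and a linkage unit that never sees the key matches on tokens alone and returns only the non-identifying payloads. The records, field names and the hospital/lab scenario are constructed for the example. It also shows the check a practitioner should make before trusting "encrypted" identifiers: a plain, unkeyed hash of a low-entropy field such as a date of birth is recovered by enumerating every possible date, while the keyed token is not.

```python
import hashlib
import hmac
import unicodedata
from datetime import date, timedelta

# Constructed sample data, not real records. Each data holder has identifiers
# (health number, date of birth, surname) plus its own payload fields.
HOSPITAL_A = [
    {"hn": "1234-567-890", "dob": "1980-03-15", "surname": "Smith",
     "visit": "2012-01-10", "dx": "asthma"},
    {"hn": "2345-678-901", "dob": "1975-11-02", "surname": "Müller",
     "visit": "2012-02-03", "dx": "diabetes"},
]
LAB_B = [
    {"hn": "1234567890", "dob": "1980-03-15", "surname": "SMITH ",
     "test": "HbA1c", "result": 6.1},
    {"hn": "3456789012", "dob": "1990-07-21", "surname": "Chen",
     "test": "HbA1c", "result": 5.4},
]
ID_FIELDS = ("hn", "dob", "surname")

# Secret shared by the two data holders only (constructed value). The linkage
# unit that performs the matching never receives it.
SHARED_KEY = b"example-linkage-key-rotate-per-project"


def normalize(*fields):
    """Canonicalize identifiers before hashing so formatting differences
    ("Smith" vs "SMITH ", hyphenated vs plain health numbers) do not break
    the match: fold accents, lowercase, keep only letters and digits."""
    parts = []
    for f in fields:
        ascii_only = unicodedata.normalize("NFKD", f).encode("ascii", "ignore").decode()
        parts.append("".join(ch for ch in ascii_only.lower() if ch.isalnum()))
    return "|".join(parts)


def linkage_token(key, *fields):
    """Keyed hash (HMAC-SHA256) of the normalized identifiers. Without the
    key the token cannot be recomputed, which is what protects low-entropy
    identifiers from dictionary attacks."""
    return hmac.new(key, normalize(*fields).encode(), hashlib.sha256).hexdigest()


def unkeyed_token(*fields):
    """What NOT to do: a plain hash of the identifiers. Anyone can recompute
    it for every candidate value and read the identifier back."""
    return hashlib.sha256(normalize(*fields).encode()).hexdigest()


def prepare_for_linkage(key, records, id_fields):
    """Data-holder side: replace the identifiers with a token and ship only
    the token plus the non-identifying payload."""
    prepared = []
    for r in records:
        token = linkage_token(key, *(r[f] for f in id_fields))
        payload = {k: v for k, v in r.items() if k not in id_fields}
        prepared.append((token, payload))
    return prepared


def link(prepared_a, prepared_b):
    """Linkage-unit side: match on tokens alone and return (payload_a,
    payload_b) pairs. No identifier is ever present here."""
    by_token = {}
    for token, payload in prepared_a:
        by_token.setdefault(token, []).append(payload)
    return [(pa, pb) for token, pb in prepared_b for pa in by_token.get(token, [])]


def dictionary_attack_dob(token_fn, target_token,
                          start=date(1920, 1, 1), end=date(2010, 12, 31)):
    """Try every date of birth in the range and return the ISO date whose
    token equals target_token, or None. Succeeds against an unkeyed hash;
    fails against the keyed token unless the attacker also holds the key."""
    d = start
    while d <= end:
        if hmac.compare_digest(token_fn(d.isoformat()), target_token):
            return d.isoformat()
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    a = prepare_for_linkage(SHARED_KEY, HOSPITAL_A, ID_FIELDS)
    b = prepare_for_linkage(SHARED_KEY, LAB_B, ID_FIELDS)
    for payload_a, payload_b in link(a, b):
        print("linked:", payload_a, "<->", payload_b)
```

Two design points matter more than the hashing itself: normalization must be agreed and identical on both sides, or genuine matches are silently lost, and the key must stay with the data holders, because whoever holds both the key and the tokens can enumerate health numbers and dates of birth just as the unkeyed attack above does.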
23. Privacy by Design: The 7 Foundational Principles
1. Proactive not Reactive:
Preventative, not Remedial;
2. Privacy as the Default setting;
3. Privacy Embedded into Design;
4. Full Functionality:
Positive-Sum, not Zero-Sum;
5. End-to-End Security:
Full Lifecycle Protection;
6. Visibility and Transparency:
Keep it Open;
7. Respect for User Privacy:
Keep it User-Centric.
www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf
24. Adoption of “Privacy by Design” as an International Standard
Landmark Resolution Passed to Preserve
the Future of Privacy
By Anna Ohlden – October 29th 2010 - http://www.science20.com/newswire/landmark_resolution_passed_preserve_future_privacy
JERUSALEM, October 29, 2010 – A landmark Resolution by
Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian,
was unanimously passed by International Data Protection and Privacy
Commissioners in Jerusalem today at their annual conference.
The resolution ensures that privacy is embedded into new technologies
and business practices, right from the outset – as an essential
component of fundamental privacy protection.
25. Privacy by Design: Proactive in 25 Languages!
1. English; 2. French; 3. German; 4. Spanish; 5. Italian; 6. Czech; 7. Dutch; 8. Estonian;
9. Hebrew; 10. Hindi; 11. Chinese; 12. Japanese; 13. Arabic; 14. Armenian; 15. Ukrainian; 16. Korean;
17. Russian; 18. Romanian; 19. Portuguese; 20. Maltese; 21. Greek; 22. Macedonian; 23. Bulgarian; 24. Croatian; 25. Polish
26. Conclusions
• Big Data promises new opportunities to gain valuable insights
and benefits for the health system;
• However, Big Data may also enable expanded surveillance
and increase the risk of unauthorized use;
• PHIPA permits the use and disclosure of personal health
information for health research and analysis with safeguards
such as data minimization and privacy oversight built directly
into the legislation;
• But compliance with legislative safeguards is not enough –
to reap the benefits of big data, we must get smart about
privacy and lead with Privacy by Design;
• Big Data needs Big Privacy – you can achieve both goals
in a positive-sum paradigm through Privacy by Design.
27. How to Contact Us
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario, Canada
M4W 1A8
Phone: (416) 326-3948 / 1-800-387-0073
Web: www.ipc.on.ca
E-mail: info@ipc.on.ca
For more information on Privacy by Design, please
visit: www.privacybydesign.ca