Data Privacy by Design
In 2013, Dr. Ann Cavoukian, Ontario's Information and Privacy Commissioner, presented a presentation titled “Avoiding Privacy by Disaster” in a televised event called Breakfast with the Chiefs (Longwoods TV, 2013). This was a broad discussion of privacy topics focusing on electronic healthcare records. The attendees were senior doctors associated with hospitals in Ontario, Canada.
Dr. Cavoukian discusses a misconception that privacy is “a thing of the past” due to the pervasiveness of data gathering occurring in the modern world. However, this is considered a defeatist attitude due to an improper understanding of how privacy can be built into modern systems. The intent behind Privacy by Design is to prevent harm by the way the process is built. Ideally, privacy is embedded in the process such that the default configuration allows for privacy.
As the audience for the discussion is doctors, Dr. Cavoukian proposes electronic medical records as a way to describe Privacy by Design principles. Tools such as electronic health records perform privacy collections which require an initial Privacy by Design consideration to ensure that privacy is maintained. Quick access to health data is required during medical events. For example, emergencies during medical transfers where hospitals do not have data sharing agreements may result in hours of delay. As a result, establishing a common set of requirements for data sharing is necessary to ensure patients can receive the care they need as soon as possible.
Dr. Cavoukian discusses how critics may consider privacy advocates to be overly paranoid. However, the primary goal is to protect information that belongs to the subject. Dr. Cavoukian points out that “free and democratic societies [have an] essence of freedoms arises from a base of privacy.” This is further emphasized by historical trends showing that the first risk to freedom is privacy. For example, as a country formerly run as a totalitarian state, Germany has focused heavily on ensuring privacy is a top priority. Germany ensures this is maintained by requiring “informational self-determination” in the German Constitution. In the US especially, there is a concern about insurance agencies getting private information to raise premiums. By focusing on privacy as a national interest, Dr. Cavoukian hopes to improve overall privacy regulations across the globe.
Dr. Cavoukian describes several methods of data protection using Privacy by Design. She strongly recommends investing time in securing the disposal stage of the information lifecycle. She recommends encrypting data at rest. Dr. Cavoukian also recommends ensuring that only authorized individuals can access records and that records are anonymized when possible.
Insecure disposal of records is a top cause of data theft and loss. There was a case where a hospital shipped patient records to a recycling center instead of a shred center. The recycling center then sold what they believed to be crates of paper to a training company to run a mass casualty drill with. Passersby observing health records spread across the street discovered the data loss. This was likely a costly event, considering that $214 per record per data breach is the average fine.
Storing privacy data unencrypted on USB may be against the law. This may require training individuals on safely performing USB data transfers using encryption technology. Even explaining what encryption is to users may be necessary.
Data minimization strips the personal identifier from the data and enables the data to be used for research or marketing as required. This has eliminated the privacy harm since unique identifiers are no longer present. This is essentially removing the “P” from the “PII”. While some have published papers on data reidentification, this is much more difficult in practice. Reidentification of data requires extensive skills and computational resources. Even then, reidentification of data can often prove impossible. Even weak deidentification can be computationally intensive to perform a partially successful attack. Reidentifying more than a few percentage points of a dataset may be impossible (Yigzaw et al., 2017).
Overall, Dr. Cavoukian provided an excellent analysis of how to adopt privacy practices in healthcare records. Her use of examples such as the improper recycling of health records helped demonstrate the overall risk of improper privacy data handling. The response from the audience supported the idea that this was an engaging and informative presentation.
Longwoods TV (Director). (2013, November 22). Avoiding Privacy by Disaster with Dr. Ann Cavoukian. https://www.youtube.com/watch?v=c2Vw3UiJTEo
Yigzaw, K. Y., Michalas, A., & Bellika, J. G. (2017). Secure and scalable deduplication of horizontally partitioned health data for privacy-preserving distributed statistical computation. BMC Medical Informatics and Decision Making, 17(1), 1. https://doi.org/10.1186/s12911-016-0389-x
Member discussion