Every once in a while, there are privacy investigation decisions that stand out because of their precedent setting nature.
One such decision is PHIPA Decision 175, which details an investigation into the sale of de-identified data by a health information custodian to a third-party corporation. My office initially became aware of the situation through an article in the Toronto Star, and we launched an investigation under the Personal Health Information Protection Act (PHIPA).
There are three main takeaways from this investigation. First is that de-identification (the process of removing personal information from a record or data set) is considered to be a use under PHIPA. PHIPA defines the term “use” as meaning to “view, handle, or otherwise deal” with personal health information. Moreover, the use of personal health information for the purpose of de-identification is permitted without the consent of the individual, subject to certain conditions that must be met. This includes the requirement for health information custodians, who have custody and control of personal health information, to be transparent with the public about their information practices by describing them in a written public notice.
This brings us to the decision’s second key finding. If custodians are planning to de-identify and sell the de-identified data to a third party for a number of purposes, including for health-related research, they must clearly and explicitly reflect this in their public notice. Patients must be aware of what is being done with their health data, and why, in order for custodians to be held accountable for their actions under PHIPA.
The third key takeaway touches on a custodian’s security obligations. PHIPA requires custodians to take reasonable steps to ensure the personal health information they hold is protected and kept secure, including during the process of de-identifying it. Moreover, any sale agreement between a health information custodian and third party must include additional privacy and security controls to ensure the de-identified data remains just that, de-identified.
Ultimately, de-identification must be of the highest standard to ensure data cannot be re-identified and the privacy of individuals is protected. A robust de-identification governance process should include ongoing and regular re-identification risk assessments.
I urge custodians and public institutions to consult our De-identification Guidelines for Structured Data. These award-winning guidelines introduce the basic concepts and techniques of de-identification and key issues to consider when de-identifying personal information.
Interestingly, there are a number of parallels between the main findings of PHIPA Decision 175 and some of the recommendations made by the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI) in its recent report concerning the federal government’s collection and use of de-identified mobility data obtained from private sector companies during the pandemic.
Among its recommendations, the ETHI committee urges the federal government to be transparent and inform Canadians on an ongoing basis of mobility data collection programs by explicitly outlining the nature and purpose of the program. Similarly, we underscored in PHIPA Decision 175 that custodians must be transparent by clearly and explicitly reflecting the purposes of de-identifying personal health information and its intended destiny in their written public statement.
The ETHI report also recommends prohibiting the re-identification of de-identified data and introducing a corresponding penalty for doing so. This is something that PHIPA has already done since 2019 by not permitting the re-identification of de-identified information (subject to certain exceptions) and making it an explicit offence for anyone who willfully re-identifies data in contravention of PHIPA.
Finally, the ETHI report ushers in a number of recommendations for federal privacy law reform to address the risks inherent with the collection, use, and disclosure of de-identified data. Here in Ontario, the government amended PHIPA in 2020 to allow for the eventual development of regulations under PHIPA that would more explicitly define the expectations around the process and standards for de-identifying data.
PHIPA was also amended to pave the way for regulations that would set out the requirements of consumer electronic service providers, which might cover digital health apps that seek to commercialize data. But most urgent of all, are the regulations needed to enable the implementation of administrative penalties aimed at preventing any bad actors out there from deriving, directly or indirectly, any economic benefit as a result of a contravening the act.
While the focus of PHIPA Decision 175 is on compliance with PHIPA, as it existed at the time of the investigation, the broader ethical questions inherent in selling or disclosing even properly de-identified personal health information are ripe for public debate. Inferences made or derived from de-identified personal health information can have significant impacts on groups that share similar characteristics, exposing individual members of those groups to potential harms, such as stigmatization and discrimination, unfair distribution of services or benefits, loss of jobs, or denial of insurance coverage. Even in good hands, and for appropriate purposes, the sale or disclosure of de-identified data without clear and meaningful transparency can seriously undermine public trust.
In today’s digital world where health data is an increasingly valuable commodity, the stakes have never been higher. In a digital economy that’s becoming increasingly opaque, the need for transparency has never been greater. And in a context where the differences between research and commercialization, and public and private goods, get progressively murkier, the time for public debate has never been more pressing.
Regardless of how the broader ethical discussion shapes up, there must at a minimum be greater transparency around the sale or disclosure of de-identified health data and greater accountability for what happens to that data after its release. This will serve to protect both individuals and health information custodians, by supporting trust between them, and upholding general confidence in the health care system.
On a final note, I would be remiss were I not to mention that Trust in Digital Health is one of the four strategic priorities my office identified to guide our work for the next several years. Our goal is to promote confidence in the digital health care system by guiding custodians to respect the privacy and access rights of Ontarians and supporting the pioneering use of personal health information for research and analytics to the extent it serves the public good.
Our hope is that PHIPA Decision 175 contributes to that goal, adding to the rapidly expanding body of knowledge around technology, privacy, and health data.
This post is also available in: French