Is it possible for researchers to come together and collaborate in order to approach problems and find solutions during the COVID-19 pandemic? It is—and the National Institutes of Health suggests that bringing together experts with complementary skills, knowledge and experience can speed up the research. For instance, the National COVID Cohort Collaborative (N3C) has dedicated collaborators who are contributing and using COVID‑19 clinical data to answer critical research questions to address the pandemic.
Likewise, Microsoft has highlighted that sharing data is advancing health care and has taken a look at various collaborative efforts that are being used to tackle some of the most complicated health challenges, where the pandemic has been referred to as a tipping point for this type of collaboration. It is no wonder that Microsoft has previously encouraged closing the data divide by opening and sharing data so that organizations can unlock value, share expertise, and make data more useful for all.
But how can we achieve this goal in a way that protects the privacy of individuals? Indeed, the N3C has acknowledged that this is a serious concern and states that it takes multiple precautions for security and privacy to keep the data safe within its protected cloud infrastructure. This is in response to public concern over misuse of data—there are several key questions that are raised, including how long the data can be retained and used, whether the data can be downloaded or removed from the platform, what researchers can access and use the data inside and outside the country, and who to contact with any questions. These apprehensions are pervasive, as can be seen, for example, in the low rates of public adoption of COVID-19 exposure notification apps.
A law in Ontario— where I live— provides an example of how privacy can be protected during data collaboration in the public health context, and inspires recommendations for further steps government and the private sector should take toward benefiting the public good.
The Ontario Model: Protecting Health Privacy When Collaborating with Data
Focusing on the health context, what becomes clear is that the world has benefited from several collaborative efforts. And this appears to be just the beginning of a new normal where organizations come together, look at problems from different perspectives, and use their strengths to tackle challenging problems.
These efforts must be made while simultaneously protecting the privacy of patients so that trust can be established and maintained. How is this accomplished? Different jurisdictions have privacy rules that must be complied with; for example, in the United States, the Health Insurance Portability and Accountability Act applies, and in the European Union, the General Data Protection Regulation applies.
But I would like to provide a Canadian example: the privacy rules that would apply in Ontario, Canada. I would like to suggest that other jurisdictions may find this approach to be useful since it could provide individuals with the feeling of trust that they need and deserve.
In Ontario, the Personal Health Information Protection Act, 2004 (PHIPA) provides a framework for addressing the collection, use and disclosure of personal health information by health information custodians. The legislation aims to provide a healthy balance between patient privacy and the need to have and use some information for socially important health reasons.
In fact, the Office of the Information and Privacy Commissioner of Ontario (IPC) has recently released a guide that specifically deals with the use and disclosure of personal health information for broader health purposes. The guide describes some of the ways in which PHIPA allows personal health information to be used or disclosed to improve the health care system and the health of the general public. There are several permitted purposes: conducting research; planning, evaluating, and managing the health system; maintaining a registry of personal health information to improve the provision of health care; and protecting and promoting public health.
The IPC’s guide points out that Ontario’s privacy laws do not prevent de-identified information from being shared for broader public health purposes such as helping to control disease outbreaks, keeping the public safe, and allowing the public to assess the public health response.
Indeed, de-identification was referred to by the collaborative medical professionals in Microsoft’s article; that is, those who were interviewed mentioned that sensitive patient data was de-identified to protect patients while allowing the researchers to use the data for the greater good. Additionally, researchers accessing the data had to sign a data use agreement stating that they would not attempt to re-identify any of the patients whose samples had been shared.
In Ontario, section 2 of PHIPA states that de-identification means removing any information that identifies the individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual.
More specifically, section 37(1) states that health information custodians may use personal health information about an individual for the purpose of modifying the information in order to conceal the identity of the individual—to de-identify it—without consent.
And most importantly for privacy purposes, section 11.2(1) of PHIPA indicates that no one is allowed to use or attempt to use information that has been de-identified to identify an individual, either alone or with other information, unless permitted by law. Those who wilfully contravene this rule face some stiff penalties under sections 72(1) and 72(2) of PHIPA to the tune of up to $1,000,000 for corporations, and a fine of up to $200,000 and/or up to a year in prison for individuals.
What Can We Do Going Forward?
Clearly, sharing open data and engaging in data collaboration seem to be the way of the future when it comes to solving complex problems, especially in the health context. It may be helpful to note strategies that are being used in the N3C collaboration, some of which include ensuring that the data remains in one environment and only within the platform, that all data is encrypted both in transit and at rest, and that data is only used for specific research-related purposes.
More broadly, to enable sharing open data and engaging in data collaboration for the broader public good, organizations are recommended to examine the rules set forth in Ontario’s PHIPA and learn from the strategies in place to simultaneously protect the privacy of patients to establish trust and enable researchers to collaboratively tackle broader health challenges. It is, of course, critical for organizations to determine what privacy rules apply to them, and comply with those relevant statutes and regulations in order to protect the privacy of individuals who are touched by data collaborations. And creating protocols that are congruent with these principles may help prepare for a more collaborative future.
Christina Catenacci, BA, LLB, LLM, PhD, was called to the Ontario Bar in 2002 and has since been a member of the Law Society of Ontario. Christina worked as an editor with First Reference between 2005 and 2015 working on publications including The Human Resources Advisor (Ontario, Western and Atlantic editions), HRinfodesk, and First Reference Talks blog discussing topics in Canadian Employment Law. She continues to contribute to First Reference Talks as a regular guest blogger, where she writes on privacy and surveillance topics. Christina has also appeared in the International Association of Privacy Professionals’ Privacy Advisor and in Slaw – Canada’s online legal magazine. Christina obtained her Masters in Law from Osgoode Hall Law School of York University in 2013, and recently earned her PhD in Law at the University of Western Ontario in 2020 in the area of Privacy and Employment Law. More specifically, Christina’s PhD dissertation proposed closing the electronic surveillance gap with novel legislative data protection provisions in a new workplace privacy regime by modifying the federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).