Notes for Presentation by David H. Flaherty, Information and Privacy Commissioner, to the 8th World Congress on Medical Informatics



I am particularly interested in the privacy and confidentiality issues in the health and medical field. I am fortunate that in British Columbia since last November, the one hundred provincial hospitals are regulated by the Freedom of Information and Protection of Privacy Act, so I have a laboratory to test some of my notions and theories in practice. I am enjoying it, although my experience so far is rather short.

There are several themes I would like to emphasize in this presentation:

1. Concern for privacy and confidentiality in the health field should be regarded as a matter for fundamental human rights.

It is not a basic frill; we are talking about peoples' rights to informational self-determination (which is even more of a mouthful in the original German). This is the concept that people, you and I as individuals, have the right to control our own personal information. Obviously, there is a large gap between talking about the right to informational self-determination and actually executing it in the daily life of one's work as a health care professional. Nevertheless, that is the fundamental goal. Giving people the right to control their own information is part of an international concern for human rights. This was most visibly evidenced this week by the fact that the European Union has finally approved the draft directive on data protection. No longer a DRAFT, it is an actual directive on data protection, which will have a binding impact on all members of the European Union. It means that for every aspect of human existence involving the collection of personal data in the European Union, there is a set of fair information practices that will be put in place, that will strengthen existing national legislation in France, Germany, and the UK, and will bring, for the first time, mandatory data protection in countries like Italy and Greece, which do not have data protection laws or privacy protection laws yet. This Directive illustrates the fact that in the European community there is a commitment to protecting privacy as a human right; it is not simply having the European Union as a nation of shopkeepers, among whom that the mercantile or commercial or capitalistic inclinations will be dominant over such interests as privacy as a human right.

2. My second theme is the absolute necessity for integrating privacy and data protection into system and software designs.

I find it hard to believe that anyone building software in 1995 would not think about fair information practices. But I am constantly encountering individuals who are building systems that do not take account of the fundamental concern for personal privacy. In practical terms, when you take this concept of privacy, you apply it in the form of data protection; the bottom line here is the need to practically and consistently apply fair information practices. And of course the issue of what the protection of privacy means, or such questions as what are fair information practices, or how does one balance efficiency and concern for human rights, are all very difficult and complicated questions. The kind of presentation I am giving today does not go into all the nitty-gritty of exactly how one should do all of these things that are so important.

I believe that operators of information systems in hospitals and physicians in their private practices ignore fair information practices at their peril. As someone who has something to do with the media on a regular basis, I can assure you that there is a substantial anxiety or angst, indeed almost paranoia, in Western Europe, Australasia and certainly in Canada and the United States, about the preservation of something that people call privacy. They may have difficulty defining it in detail, but everybody is concerned about it.

3. Is medical privacy a dead issue?

Is it even possible today to contemplate the achievement of medical privacy or confidentiality in the health and medical fields, where studies reveal that dozens of, sometimes as many as 75 to 100, people will see your medical information and health information if you are in a clinic or hospital setting. I think that there is significant concern, not only among privacy advocates, but among the general public, for medical privacy. People are very anxious about what happens when they go into a clinical or hospital setting and allow information about them to be collected. They worry about how long it will be kept, who is going to see it, what is going to be done with it, and what other forms of data sharing are going to take place. I am here to remind you that I believe people have a fundamental right to see that their personal information is treated in accordance with rules that are explained to them as much as possible at the point of entry into the medical and health care system.

Some of you may say, is there a problem? Here is another speaker trying to tell us that something is important. Let me give you some examples here in beautiful British Columbia of four privacy disasters in the medical and health field that have occurred in the last twelve months. It has gotten to the point where I am beginning to wonder what is going on in British Columbia. I am the first Information and Privacy Commissioner. I have been here two years and the Act has applied to hospitals for almost a year, and yet these events keep happening. People somehow think it is my fault! Am I the one causing all of this? Essentially, what we have is a situation where the media are extremely interested in what happens in these cases. My office gets a lot of phone calls and half the time there are demands for the resignation of the Minister of Health. That may entertain the general public, but it certainly does not entertain the Minister of Health, nor the staff who work with him in attempting to find out what went on in these episodes.


A. The Bella Bella Beach Bonfire: A Hospital Records Event

The Bella Bella beach bonfire occurred on August 8, 1994. Bella Bella is up the coast. A large volume of medical records from a hospital were moved to a beach adjacent to the hospital. The intention was to destroy them by a fire. All of you from sophisticated industrial societies might be surprised that in British Columbia we are still getting rid of medical records on a beach by a bonfire. So the fire was lit, but the bad news was that fires are prohibited on the beach. Along came the volunteer fire department and put out the fire. Then the fire was relit after consultation with the fire chief. In mid-afternoon, the tide came in, then a big British Columbia ferry boat went past and there were some big waves. Guess what happened? Some of the records were only partially destroyed and started going out to sea and some came back on shore, and local people out for an evening stroll in Bella Bella were picking up their medical records on the beach. Not a very sophisticated event, yet one of the results after an investigation by the Ministry of Health is that the head of that hospital is no longer the head of that hospital.

B. A Physician's Records Event

Shaugnessy is a rich part of Vancouver. A physician (gynecologist, obstetrician) was storing old medical records and those of his ex-partner in the basement of his home. He was planning to move to a new house and take down the current house. The moving truck arrived, but there was not enough room in the truck to take the old medical records which were stored in a filing cabinet. An individual expressed an interest in having the filing cabinet for another purpose. The records were unloaded from the filing cabinet in the back yard where they remained for a week. Well, the inevitable happened - a box of records was delivered to the Vancouver Sun. The media had a field day with the story. All those records could have been destroyed for sixty bucks on the spot. Instead, this physician was then subject to an investigation and subsequent reprimand by the College of Physicians and Surgeons of British Columbia.

C. A Health Unit's Records Event: Prince George

In April 1995, health records, including birth notices and post-natal notes for the years 1983 and 1985, were left in a filing cabinet in the Prince George Health Unit, which was subsequently sold to the general public throughout the government disposal process. A staff member had placed records in a filing cabinet without being aware that the cabinet in question was due for disposal.

D. A Computer Disks Event: Langley

In December, 1994, medical information was found on used computer disks purchased from Value Village Stores Ltd. in Langley. The common denominator for all this information was that the material was typed by individuals working for a commercial typing service. The commercial typing service had apparently gone out of business and the computer disks on which the health care information had been installed eventually ended up for sale in the Langley Value Village five years later.

Again, all of these episodes have led to investigations by the Ministry of Health, significant concerns in newspapers, public outcries, and the Minister of Health demanding that these sorts of things not happen. Now I am a realist, I expect accidents to happen. But we are trying, at least in the area of privacy and data protection, to minimize these kinds of occurrences. What we need to do is implement sound data protection.


There are several basic principles, not even written out in law, that as a privacy advocate, (and I think that I represent people who are in this business in various countries, wherever you are from), I think need to be remembered when you are talking about privacy and data protection.

The first point is that I recognize that data sharing takes place in the medical and health field. I recognize that data sharing should take place in the medical and heath field. So what is the principle that we want to incorporate here? It is the need to know principle. It is most briefly summarized as my belief that the right information should get to the right people at the right time for the right purpose. For those of you who are health care professionals, data protectors are not attempting to make it impossible for you to do your work. What we ask is whether there is a legitimate need to know. If the answer is yes, then the data that should be transferred or made accessible to an individual, should be what he or she needs to know to do his or her actual job. And it is fortunate that automated patient information systems make it easier and easier to ensure that information is accessible only to those who have a need to know.

The second principle, if I may elevate it to that level, is the chain of accountability. The head of a hospital in British Columbia, subject also to the Minister of Health, is ultimately responsible for compliance with the Freedom of Information and Protection of Privacy Act. The head of the hospital is responsible if terminals are put into an individual physician's waiting room or office. If the head of the hospital is going to authorize data sharing or record linkages, he or she has to establish a chain of accountability. As health care professionals transfer information to physicians, head nurses, dietitians, nutritionists, or whomever, the chain of accountability has to be passed along, and recipients have to be made aware that as they acquire and use and link and enrich and transfer personal information, that they are involved in a chain of accountability, that they are also responsible for data protection and that there will be sanctions, particularly in the form of disciplinary proceedings if they make mistakes, as happened in the episodes in British Columbia which I described to you earlier.

The third so-called principle, is the whole idea of fair information practices. But then how do you that? How do you apply fair information practices? It is rather extraordinary that in the 20 or 30 countries that have initiated data protection in the last 20 or 30 years, all have followed the same types of fair information practices. I published a book in 1989 entitled Protecting Privacy in Surveillance Societies, which is a look at how data protection is implemented and/or conducted in five countries in North America and Western Europe. On page 380, in Appendix I, I list all of these particular principles and they are culled from the various provisions and laws. The book is available in paperback from the University of North Carolina Press.

Fair information practices concern collecting only accurate, timely, relevant information; telling people what you are going to do with it; establishing the principle of finality as Europeans are so good at doing; deciding more or less what you are going to do with that personal information; establishing responsible keepers for the personal information; engaging in as much informed consent and subject notification as possible; and ensuring special means of treatment and protection of personal information. In France there is an emphasis on the right to be forgotten. I am very much in favour of the ultimate anonymization and destruction of as much personal data as possible. I am also a university professor and researcher so I am hardly hostile to research interest. In fact, I have a reputation among data protectors internationally of being almost an apologist for the research and statistical community. But I will give you a little reminder of what the risks are in this field. I have written about the French National Commission on Informatics and Freedoms. It has just been given the mandate and authority to approve the use of personal data in every research project in the health and medical information field in France. I regard that as bureaucratic to an extreme. It is in some ways a consequence for the research community of not being sensitive enough to some of these issues of privacy and data protection and not taking some of these issues more carefully than they may have been taken in the past. I am well aware of the fact that academic professors tend to believe we are "holier than thou," and we should not be subject to all these rules. The reality is that university professors in the research community in British Columbia are subject to the full provisions of the Freedom of Information and Protection of Privacy Act, a law that was enacted by a unanimous legislature and will require legislative change to alter it.


I believe that all of our countries need an independent regulatory body of a small, pragmatic, cost-effective sort, to see that data protection is done properly. I believe in the first instance that heads of hospitals should be the ones who are primarily responsible for compliance with fair information practices, but there also needs to be a privacy watchdog to whom people can complain, who can do site visits, who can do audits, and who can verify that fair information practices are being complied with. I think that the Canadian system of ensuring privacy and data protection at the provincial and federal level is a reasonably effective way of doing this. As an observer of the American scene, I find it appalling that data protection in the USA does not enjoy any of these independent, functioning watchdog agencies (except for the Internal Revenue Service). The state of Wisconsin was the first state to set up a privacy watchdog a couple of years ago and it was just abolished by a crusading governor trying to save $500,000. I regard that as a rather pathetic event.

In addition to having some kind of privacy watchdog, I emphasize to you in the privacy and health care field the importance of setting up what we call audit trails in information systems. Audit trails are absolutely essential in this day and age. If you are tracking personal information, there have to be systems which will allow you to know where the information came from, who it is going to, who is getting access to it. There should be as much up-front verification as possible as to who is getting access to information and, certainly, ex post facto verification has to be possible as well. In other words, to protect privacy, you have to be able to monitor how personal information is being used in the health care field. We have to use the technologies that are available to us today to protect personal privacy, not just to enhance medical and health care, even though I recognize that this is the fundamental purpose of establishing these systems in the first place.

So the use of encryption, for example, for records that are moving on a network, the use of encryption for stored records so they cannot be easily accessed for unauthorized purposes, these are the kinds of technological tools that are available to us and that I believe need to be used. In my own work in British Columbia, I have been attempting to consciousness-raise about privacy by doing site visits to hospitals. I go by prearrangement, I visit the hospital, I am shown the employee records systems, have the right to look at any record held by any public body in the province, whether it is a medical record or not, and generally find out about the flows of personal information in the institution.

Obviously, I follow a need to know principle myself. I do not just go and look at records to satisfy my curiosity. I visit psychiatric hospitals and psychiatric outpatient clinics. I do not have jurisdiction over private practices, but I soon will have jurisdiction over the College of Physicians and Surgeons, and one of my expectations is that I want to see every medical practice in British Columbia have a self-regulatory privacy code that can be used as a guide by the people working in that setting about how medical information should be treated and kept. I did a site visit to a major university in this province and in student health services I found to my distress that health records on students were being kept on open shelving, practically at the place where students waited for their appointment with physicians, and the only records that were locked up in a cupboard were those of psychiatric patients. That is a completely unacceptable privacy situation from my point of view. Certainly the authorities that were showing me around were shocked at how these records were being kept. So a lot of what I am doing on a site visit as privacy commissioner is a kind of elementary consciousness-raising of this sort.


There are a whole series of technological imperatives at work. There is even "technological creep" at work in this area. I welcome the advent of health smart cards. I am on a European Union Working Group in this area and am very impressed with the kind of data protection that can be built into the health smart card. On the other hand, the province of British Columbia is very innovative, unfortunately from my point of view, in now installing in the province a Pharmanet prescription profile system, which is a mandatory data base for everybody in the province. Everyone who buys a prescription in this province, as of this fall, has to be in this database. While there are some major benefits to this system, there are also substantial risks of unauthorized disclosure of personal information. Even though I worked carefully with the College of Pharmacists and the Ministry of Health for the last 18 months to 2 years to get as much security and data protection built into the system as possible, I am still, at the end of the day, unhappy with the fact that it is a mandatory data base. That is more than a privacy issue; it is a human rights, civil liberties issue. I think it is unfortunate that you have to be in that database whether you like it or not. The number of drugs that people take (such as Prozac) that are stigmatizing drugs will have some unfortunate consequences for people in the fullness of time, because of unauthorized disclosures.

I regret that I do not have more time to talk to you about some of these things, but I simply close by leaving you with this particular notion. The talk that I have given to you this morning about the general importance of privacy and data protection is one thing, but I think in 1995 it is far past the time to talk. Now we are down to the business of the need for practical action to implement these concerns for fundamental human rights in our daily activities in the health and medical field.

Appendix 1 Data Protection Principles and Practices for Government Personal Information Systems


1. The principles of publicity and transparency (openness) concerning government personal information systems (no secret data banks).

2. The principles of necessity and relevance governing the collection and storage of personal information.

3. The principles of reducing the collection, use, and storage of personal information to the maximum extent possible.

4. The principle of finality (the purpose and ultimate administrative uses for personal information need to be established in advance).

5. The principle of establishing and requiring responsible keepers for personal information systems.

6. The principle of controlling linkages, transfers, and interconnections involving personal information.

7. The principle of requiring informed consent for the collection of personal information.

8. The principle of requiring accuracy and completeness impersonal information systems.

9. The principle of data trespass, including civil and criminal penalties for unlawful abuses of personal information.

10. The requirements of special rules for protection sensitive personal information.

11. The right of access to, and correction of, personal information systems.

12. The right to be forgotten, including the ultimate anonymization or destruction of almost all personal information.