The world’s latest development in data privacy law is Canada’s new C-51 law. There are many parallels with the U.K.’s Snooper Law, which many say goes too far against the right to privacy. Nowhere in the world is this debate more relevant right now than in health care.
A long time ago, it seemed only marketers were interested in the personal data of everyday citizens. But in this new era of global terrorism, government departments charged with keeping our data secure and safe from terrorism have taken an interest in data collection as well. And while that caters to our collective fear of terrorism, it doesn’t bode well for our privacy.
One of the biggest concerns is how the healthcare industry, which has made such impressive strides in digitizing records, will cope with new legislation. With the passage of laws like Canada’s C-51, balancing patient privacy with government compliance is about to get even tougher.
And it could get even worse. We have only to look at C-51 and U.K.’s even stronger Snooper Law to see where the rest of the world may be headed. That’s why much attention has been given to the passage of C-51 in Canada, sparking a massive debate over whether the new law goes too far and endangers Canadian citizens’ privacy. The debate is global, since as goes Canada, so could the rest of us.
Protection from Terrorism vs. Protection from Invasion of Privacy
One problem for many countries has been the boundary-crossing arm of national intelligence. In Canada, the U.K., the U.S. and to some degree in other nations, much of the debate at the moment centers on the struggle between government agencies designed to protect citizens and laws designed to protect privacy.
For example, the Canadian Security Intelligence Service (CSIS) has been problematic in this regard, even before the passage of C-51. Some believe CSIS has too little oversight. This may in part be due to their stagnant budget.
This past November, Federal Courts in Canada concluded that CSIS has been accessing the metadata of Canadian citizens for more than ten years, illegally. (If you’re not familiar with “metadata”, it’s the supposedly innocuous information that telecommunications companies collect from their customers. It may include, for example, email sender and receiver names but not the contents of emails.)
This may seem like small potatoes but in the era of Big Data, of course, it’s not.
Plus, it’s not just a Canadian problem. The overreaching arm of national intelligence agencies is infringing on privacy everywhere. One main way this is carried out is the collection and retention of ‘associated data’.
At Issue: Collection and Retention of ‘Associated Data’
Once again, we’ll use Canadian events to illustrate a global problem. A CSIS program called the Operational Data Analysis Centre (ODAC) collected and retained information in secret: without even notifying the courts until 2016. Considered from a human intellectual point of view, this is seemingly unimportant data. However, in the hands of powerful computers capable of processing zillions of megabytes of data on millions of citizens, and through careful analysis, important information on private citizens can be gleaned quickly and easily. The Canadian court put it this way:
“The program is capable of drawing links between various sources and enormous amounts of data that no human being would be capable of.”
-Canadian Federal Court Ruling
Worse: the ODAC program also collected data on people who weren’t even under investigation. This is “associated data” on third parties who aren’t even deemed to be threats to security, and for whom there were no warrants to surveil. Then, they retained the associated data, which is one step more serious than merely collecting it.
People’s fears over Canada’s new law are well-grounded: C-51 extends the powers of CSIS, which, come to find out, was already illegally extending its own reach into the privacy of Canadian citizens. This has civil liberties groups and privacy advocates up in arms.
The ‘Snooper Law’ in the U.K.
Some are likening C-51 to the U.K.’s Snooper Law, which World Wide Web inventor Sir Tim Berners-Lee tweeted was “dark, dark days”.
In the U.K., the collection of metadata has just been made legal by the IP Bill, which recently passed and become the “Snooper Law”, or the Investigatory Powers Act 2016. As a result, ISPs and phone companies in that country will now be forced to retain metadata on their customers for one year.
The British government may now also hack into the emails of private citizens by gaining access to their electronic devices. The law also allows for bulk collection of data from everyone in the U.K.
At Issue: Inter-Governmental Sharing of Data
The Snooper Law has significantly extended the power of British governmental agencies to access U.K. citizens’ data in the name of security, much like the provisions of C-51. What this means for medical privacy is that local U.K. police forces, for example, will be able to look into private records.
Canada’s law allows for the sharing of personal data between governmental agencies. That means local police could view medical records, even for people who are not under investigation.
Electronic Medical Records (EMRs) make all sorts of improvements in health care possible. With better coordination of health records comes truer analysis, more accuracy, and faster access when health care providers need it most: i.e. emergency situations.
But it’s a trade-off, of course: and what’s been called “the tyranny of convenience” comes to a head when counter-terrorism laws clash with medical privacy rights.
Keep in mind, the metadata collected by governments includes web browsing history, too. And that brings us to another particularly worrisome element of new surveillance laws when it comes to health records: web browsing history, among other types of metadata, is incredibly revealing about an individual’s health status.
Some recent events in Canada have had security leaders calling for “mandatory sharing” of data between departments, and it can happen anywhere in the world, especially in countries where privacy rights aren’t as protected as they are in Canada.
It’s a security nightmare and if such measures were ever to be applied to medical records, a serious invasion of privacy of the worst kind, too.
“This radical expansion of national security powers is not sound security policy and presents a real danger to Canadians,”
-Micheal Vonn, Policy Director of the BC Civil Liberties Association
Patient Privacy in the Era of Big Data
Around the world, doctors must handle patients who are terrified their records are not secure, while simultaneously complying with national counter-terrorism laws aimed at ferreting out terrorism before it happens. How do various countries stack up when it comes to patient privacy? Take a look:
HIPPA protects medical data collected by health care providers, insurers, and businesses who handle protected health information. Any other entity to whom medical data is revealed is not protected. Plus, privay around substance abuse and mental health treatment applies only at the federal level. There are exemptions across the board, too, for law enforcement, subpoena, and criminal investigations. Otherwise there is a hodgepodge collection of laws across states and government agencies. As a result, Americans in the U.S. have very little control over how their medical data is treated.¹
China has privacy laws, but there is reluctance to litigate. They have, since 2009, been in process of digitalizing their health records. In principle, the Chinese government is for data protection but pragmatically speaking have not pushed legislation for rights of privacy.
EU. As medical digital records were adopted, the EU simultaneously adopted strong patient privacy laws. They are stronger than in the U.S. and most other areas of the world.
There are privacy laws, but there is also strong collaboration between judicial and police agencies. Also, exclusions to their privacy laws include, among others, the exchange of medical information.
Very outdated privacy laws.
Their data protection laws are relatively new, and written since the Cloud has come into existence. Therefore, they’re pretty good. They go to great lengths to protect “sensitive personal data”, including medical condition, in a way that’s similar to the EU. However, enforcement may be a sticking point.
Around the world, with the passage of C-51 and laws like it, we can assume our digitized medical records are potentially share-able with a number of government agencies, even though there may be medical privacy statues on the books.
Given governments’ urgent need to combat terrorism, and their reliance upon access to personal data to do so, medical privacy may be in jeopardy unless strict laws are passed protecting patients’ rights. Finding the right balance between safety and privacy has never been so complex yet so vital to our well-being, no matter where you live in the world.