Language selection


Privacy and Health Information Networks — Can we have both?

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Notes of the Privacy Commissioner of Canada to the Canadian Medical Association's National Physician Workshop

April 3, 1998
Ottawa, Ontario

Bruce Phillips
Privacy Commissioner of Canada
(Check Against Delivery)


First, may I offer the CMA my congratulations and whatever support I can usefully provide to your work on drafting a health privacy code. It almost seems presumptuous to be talking to physicians about privacy,the value is so integral to the practice of your profession. You may also wonder how a former journalist, of all people, could have the brass to stand here and discuss this issue with you.

Journalists certainly don't stand on firm ground, at least not nowadays. Perhaps this is more a function of the type of business,and I underline business,that journalism has become, rather than what it should be. I will illustrate.

The very first day that I ever spent at a newspaper, 46 years ago, now that I think about it,I was about to roll a sheet of paper into my typewriter carriage, and the editor came over and said, "What are you about to do, Phillips?"

"Well, Mr. McKay, I'm going to write an obituary." That's what cub reporters in those days did as their first assignments.

McKay replied, "every time you put a piece of paper into that typewriter carriage, and you're about to put somebody's name on it, you bear the responsibility for anything that happens to the reputation of that person thereafter. Remember that."

It is a lesson that I tried to live by,not always successfully, I admit.

Although mistakes or excesses in journalism were not matters of life and death, nevertheless they carried a potential for serious harm. It is a lesson I hope I learned.

It is also a lesson that seven years as Privacy Commissioner, and the technological explosion that Tom spoke about, have driven home. Information technology has as someone put it, made the practice of medicine into a spectator sport in the United States. Now, I realize that our system does not put quite so much power in the hands of insurance companies but it certainly puts it into the hands of health bureaucrats. I suppose it's a question of political persuasion whether you find an all-knowing health bureaucracy benign,or whether it scares the living daylights out of you.

I confess there is an aspect of state control that does make me nervous, and that is a view that a public health system justifies greater intrusions. As the links between life style, poverty and health become clearer, so grow the temptations to follow, assess, and then influence our choices so that we will not become a burden on the system. While understandable, this is the first step to a loss of autonomy. Education is one thing, coercion quite another.

There are three key messages I would like to offer as you consider drafting a health information privacy code:

  • First, privacy, security and confidentiality are three distinct concepts; protecting one does not necessarily take care of the others;
  • Second, privacy is a social value that must not be viewed as amenable to a trade-off against other benefits to society such as an efficient health care system, and
  • Third, meaningful privacy guarantees are a prerequisite to public confidence in the health network, and thus a foundation for its construction.

Let's consider for a moment those three different concepts.


Privacy is a fundamental human right that is both inherent and inalienable. It cannot, under the norms of international and constitutional law, be taken away without justification. That is the backdrop against which the discussion about health care information structures must occur. Respect for privacy must be central to the discussion of health information structures. It should not be an afterthought or an issue at the periphery of the discussion.

Protecting personal health care information is more than an airless academic debate about the right to be let alone. The treatment of health care information has significant real life implications for Canadians. Despite laws that seek to protect against discrimination, loss of control of personal health information can mean loss of employment opportunities, loss of access to health care, loss of social status, and marginalization. Fear of losing control of personal health information may also drive people away from beneficial health care.

Consider a recent story in the New York Times which describes an apparently growing practice by psychotherapy patients to pay the cost of therapy sessions out of their own pockets, or forgo the treatment altogether, rather than have detailed counselling information finding its way into the hands of insurance administrators and perhaps eventually their employers. The threat may be enough for patients to withhold vital information from the person who most needs it,the doctor.


The concept of confidentiality implies the existence of a trust relationship between the person who provides information and the person or persons who collect the information. In a confidential relationship, personal information is shared with the assurance that the information will not be disclosed, or not be disclosed without authorization. This is the heart of the doctor-patient relationship and the doctor's oath that you will keep such things to be sacred secrets. However, it is unreasonable to suggest that a confidential relationship can exist between a patient and the health care industry, as if the health care industry were a monolithic entity.


Of the three concepts, security is the term used most often when discussing the health information network because it is the means by which technology can control the information. The purpose of security is to protect both the system and the information it contains from unauthorized access from without and from misuse from within. It can encompass any or all of the safeguards in an information system, including hardware, software, personnel policies, information practice policies, disaster preparedness, and oversight of all of these areas.

Loss of privacy should not be the quid pro quo of access to Canada's health care system. Patients have a right to expect and must be entirely confident that health care information about them will not be:

  • collected beyond what is necessary for their health care;
  • used for purposes other than their health care;
  • disclosed other than for their health care;
  • kept from them or, generally;
  • used in ways that will harm them.

Some limited exceptions to this principle can be made for medical research, provided that the research uses every reasonable means to protect the confidentiality of the information, both through rules and through the use of measures to enhance the security of the information.

Devising adequate protection for personal health care information requires a multi-faceted strategy:

  • Specific legislation on the collection, use and disclosure of personal information in the private sector and on rights of access to that information for the person affected.

The federal government has begun moving in that direction. It has issued a discussion paper on drafting a new privacy law, at least at the federal level. The proposals build on the Canadian Standards Association Code but would have the force of law. There would be some type of independent oversight of industry compliance and mediation of individual's complaints.

However, the law will apply only to the federally-regulated private sector. While this includes such major information handlers as the financial institutions, it will not cover those major players in the health care industry; pharmacies and health insurance companies.

Bringing everyone under a privacy protection umbrella requires each province to legislate in its own jurisdiction. Whether that is best done by general comprehensive private sector law, or a specific health privacy law which covers all the players is a matter beyond my competence. Certainly the former will demand sustained lobbying to overcome the special interests,a lobbying that I encourage you to become part of. And the latter will require substantial education by health care professionals and patient advocates if we are to avoid repeats of the situations in Ontario and Alberta where flawed legislation had to be withdrawn.

  • Effective industry-specific codes to deal with the particular interests and nuances of their personal information handling.

It is here that a personal health privacy code is essential. If there is no law, then the code will guide. And if a province opts for health privacy law, then a national health privacy code can serve as the benchmark against which any provincial legislation can be measured. I think patients would take some comfort from knowing that their doctors could endorse such a law.

Any code should:

  • carefully define "health care information"
  • define who "owns" the information
  • permit individuals to identify specific aspects of records as sensitive, thereby restricting or prohibiting access to that information for purposes other than the patient's care
  • require the structuring of health care records to allow different levels of access, depending on both the sensitivity of the information involved, and the use of the information (administrative or research, for example)
  • require electronic health care records to separate out the fields that can be used to identify individuals
  • establish a uniform consent form releasing personal information
  • require the keeping of audit trails
  • impose obligations respecting the security of the information
  • develop protocols for third party access to personal information
  • establish oversight mechanisms, or use existing data protection oversight bodies, to review legislative and policy issues relating to health care information and privacy, approve secondary databases and computer linkages, examine new technologies and their impact on health care information, advise on legislative amendments and, generally, carry out oversight to protect privacy
  • ensure transparency of the collection, use and disclosure of personal information
  • require those holding personal health care information to inform individual patients of their rights relating to that information
  • provide civil rights of redress and statutory penalties for misuse of information.
  • Education: helping people to understand the value of privacy in a democratic society.

Education is not about fear mongering; it is about informing people of the consequences of the collection and sharing of information about them, both the benefits (better medical practices) and the drawbacks (adverse effect on employment, insurability, social status, sense of self-worth). Physicians are vital to the education process, you are the linchpin in the health information system.

Whatever we decide, the discussion over health care information must not be framed as a balance between the benefit to the individual of preserving privacy and the benefit to society of intruding on privacy. Privacy is not simply a right that benefits the individual, to the detriment of society as a whole. Privacy has a very real social benefit and is integral to the values of democratic society. Sometimes privacy intrusions can have an individual benefit, of course; the knowledge acquired through research using personal health information may well benefit individuals. But much of that research does not need to identify the patients.

Nor is the discussion of privacy and health care information one of consumers and producers. It is a discussion about individuals and their rights, and the social benefits of privacy, and should not be couched in other terms that debase the strong privacy issues associated with health care information. The handling of personal health information cannot be reduced to a business transaction.

Your draft code clearly builds on the value of privacy, not just on confidentiality and security. By doing so it, it improves on the CSA code itself. The workbook asks all the right questions. It is a remarkable effort. You and your staff are to be congratulated.

Report a problem or mistake on this page
Error 1: No selection was made. You must choose at least 1 answer.
Please select all that apply (required):


Date modified: