A double-edged sword

For inherently social beasts that crave the latest gossip, humans demonstrate an entirely different attitude toward personal privacy. Though technology in general, and the database in particular, has made information gathering a breeze, it has been hell on personal privacy. There are megabytes of information on each and every one of us, from medical records, which may show a propensity to high blood pressure and obesity, to supermarket loyalty cards, which document our inability to resolve the apparent dietary hypocrisy between our love of junk food and our habit of buying tofu.

For the most part, Canadians agree that technological advances have improved their lives. Many societal advances can be directly attributed to computers, such as safer air travel and improved medical diagnostics. But the potential for privacy abuse grows exponentially as the terabytes of data accumulate. It is not that technology is to blame, it has just made privacy abuse that much easier.

This is something that IT departments across the country are going to have to start worrying about, if they haven’t already. In January 2004, all Canadian companies will have to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). The act will apply to all personal information collected, used or disclosed in the course of commercial activity. This is all occurring as hypothetical worst-case scenarios are slowly, but inexorably, becoming reality.

It might only be a matter of time before police start trolling for suspects in a database knowing an assailant has AB+ blood, suffers from arthritis and is between the ages of 43 and 52. For many this seems Orwellian.

Recently police in Iowa caused a privacy furor. Attempting to solve the murder of a newborn, they subpoenaed the names of women who had undergone pregnancy tests at a nearby Planned Parenthood.

The case involved hundreds of medical records. Obviously the data matching could be done by hand. But what if it was in Toronto or Montreal and the list contained tens of thousands? Since databases would be needed, technology would come to the forefront.

“Technology can bring some efficiencies to the abuse of privacy,” said Peter Hope-Tindall, chief privacy architect with Oakville, Ont.-based dataPrivacy Partners Ltd. “It is becoming cheaper and more efficient to do nefarious things with databases.”

While it is debatable whether use of a database in such a way is nefarious by definition, it is an unquestionably intimidating event for those who fear Big Brother.

“Technology has removed the economic barriers,” said Latanya Sweeney, a professor of computer science, technology and policy at the School of Computer Science, Carnegie Mellon University in Pittsburgh. She was referring specifically to the fact that epidemiological medical data available from the world-renowned Mayo Clinic no longer requires travel to Minnesota to view it. Now it can be done online in a matter of minutes, at relatively little cost. What was a complex, difficult and time-consuming task has been reduced to the click of a mouse.

“It was never our policies and practices that gave us privacy in the past – it was the absence of this kind of technology,” she said.

don’t blame the technology

Herein lies the dilemma. No one is out to blame privacy abuses on technology, but there is no question technology has made abusing one’s privacy that much easier.

Sweeney, while a graduate student at the Massachusetts Institute of Technology in Cambridge, Mass., took ostensibly private medical information (in the form of hospital discharge data, research information collected by 40 of the 50 U.S. states), combined it with publicly available voter registration data and was able to match records to patients. Sweeney was able to determine everything from severity of illness to payment method. All of this was done with the help of database technology.
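The linkage Sweeney performed is a join on quasi-identifiers: fields that are not names but are jointly near-unique. The following is an added illustration, not Sweeney's code or data; the two tables and the choice of ZIP code, date of birth and sex as the join key are assumptions made for the example. It also shows the check a data custodian would run before release (the size of the smallest quasi-identifier group, the k in k-anonymity) and why coarsening those fields alone is not a guarantee.

```python
from collections import defaultdict

# Quasi-identifiers: not names, but jointly near-unique. Assumed for this
# example to be ZIP code, date of birth and sex.
QUASI_IDENTIFIERS = ("zip", "dob", "sex")

# Constructed sample data, not real records. The discharge table carries
# no names; the voter table carries names and addresses but no medical data.
DISCHARGES = [
    {"id": "D1", "zip": "02138", "dob": "1956-07-14", "sex": "F",
     "diagnosis": "hypertension", "payment": "private"},
    {"id": "D2", "zip": "02138", "dob": "1971-03-02", "sex": "M",
     "diagnosis": "fracture", "payment": "medicaid"},
    {"id": "D3", "zip": "02139", "dob": "1971-03-02", "sex": "M",
     "diagnosis": "asthma", "payment": "private"},
    {"id": "D4", "zip": "02139", "dob": "1971-03-02", "sex": "M",
     "diagnosis": "diabetes", "payment": "self"},
]
VOTERS = [
    {"name": "A. Example", "address": "1 Main St", "zip": "02138",
     "dob": "1956-07-14", "sex": "F"},
    {"name": "B. Example", "address": "2 Main St", "zip": "02138",
     "dob": "1971-03-02", "sex": "M"},
    {"name": "C. Example", "address": "3 Elm St", "zip": "02139",
     "dob": "1971-03-02", "sex": "M"},
    {"name": "D. Example", "address": "4 Elm St", "zip": "02139",
     "dob": "1971-03-02", "sex": "M"},
]


def qi_key(rec):
    """The quasi-identifier tuple the two tables are joined on."""
    return tuple(rec[q] for q in QUASI_IDENTIFIERS)


def group_by_key(records):
    """Bucket records by quasi-identifier tuple (the equivalence classes)."""
    groups = defaultdict(list)
    for rec in records:
        groups[qi_key(rec)].append(rec)
    return groups


def link_records(discharges, voters):
    """Re-identify discharge records by joining them to the voter roll.

    A discharge record is linked only when its quasi-identifier tuple is
    unique in BOTH tables; otherwise the attacker cannot tell which person
    (or which record) is which. Returns {discharge_id: voter_name}.
    """
    discharge_groups = group_by_key(discharges)
    voter_groups = group_by_key(voters)
    linked = {}
    for key, ds in discharge_groups.items():
        vs = voter_groups.get(key, [])
        if len(ds) == 1 and len(vs) == 1:
            linked[ds[0]["id"]] = vs[0]["name"]
    return linked


def k_anonymity(records):
    """Size of the smallest quasi-identifier group: the k in k-anonymity.
    k == 1 means at least one record is unique and therefore linkable."""
    return min(len(g) for g in group_by_key(records).values())


def generalise(rec):
    """Coarsen quasi-identifiers before release: 3-digit ZIP prefix and
    birth year only. Outliers can still stand out, so k must be checked
    after coarsening rather than assumed."""
    out = dict(rec)
    out["zip"] = rec["zip"][:3]
    out["dob"] = rec["dob"][:4]
    return out


if __name__ == "__main__":
    print("raw k =", k_anonymity(DISCHARGES),
          "linked:", link_records(DISCHARGES, VOTERS))
    gen_d = [generalise(d) for d in DISCHARGES]
    gen_v = [generalise(v) for v in VOTERS]
    print("generalised k =", k_anonymity(gen_d),
          "linked:", link_records(gen_d, gen_v))
```

On the raw tables two of the four discharges link to a named voter; after coarsening, the three men born in 1971 collapse into one group of three and can no longer be told apart, but the lone 1956-born woman remains unique and is still re-identified. The release test is the k value, not the presence of a coarsening step.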

“That’s frightening…we would not release any [data] like that,” said Miyo Yamashita, corporate privacy officer with the University Health Network (UHN) in Toronto. It appears this method of patient re-identification cannot be duplicated in Canada.

Medical researchers need to go through one of three research ethics boards to get access to patient information, Yamashita said. Even then, the data is aggregate. Also, Canadian voter registration data is neither public nor particularly invasive. Where American voter data will often contain date of birth and party affiliation, ours has nothing more than name and address.

Regardless, most experts say it is going to take a large scale privacy abuse case to hit the headlines before Canadians shake off their apparent apathy. Though we admonish those who invade our privacy, we also have a propensity to join loyalty programs and freely hand out personal information. In fact, Canadians readily give out personal information without ever realizing it. Unbeknownst to most, giving your postal code to a salesperson can provide a fairly accurate estimation of your household income.

“What privacy Chernobyl is going to generate concern?” asked Stephanie Perrin, chief privacy officer with Zero-Knowledge Systems Inc. in Montreal.

“My hope is that in Ontario, that will not need to happen,” said Ann Cavoukian, the information and privacy commissioner of Ontario.

It has certainly happened south of the border. More than once.

Eli Lilly, the pharmaceutical giant and maker of Prozac, sent out a mass e-mail to 669 Prozac users. Unfortunately the sender put every address in the visible recipient field rather than using blind carbon copy. All 669 messages included everyone else’s e-mail address.
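The Eli Lilly mistake is a property of the message headers, and it can be checked before anything is sent. The following is an added example, not Eli Lilly's code; the sender and recipient addresses are constructed for illustration. It builds the leaky message beside the correct one, in which recipients travel only in the SMTP envelope, and runs the pre-send check that would have caught the leak.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed addresses; example.com is reserved for documentation.
SENDER = "notices@pharma.example.com"
RECIPIENTS = [f"patient{i}@example.com" for i in range(1, 6)]


def build_leaky_notice(sender, recipients, subject, body):
    """The mistake: every recipient listed in the visible To: header.
    Returns (wire bytes, envelope recipient list)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes(), list(recipients)


def build_bulk_notice(sender, recipients, subject, body):
    """The fix: recipients are handed to the MTA as envelope recipients
    (RCPT TO) and never written into a header. To: is set to the sender
    so the message stays well-formed; each recipient sees only that."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes(), list(recipients)


def leaked_addresses(wire_bytes, recipients):
    """Pre-send check: which recipient addresses appear anywhere in the
    headers? Whitespace is stripped so header folding cannot hide a hit."""
    parsed = message_from_bytes(wire_bytes, policy=policy.default)
    headers = "".join(str(v).lower().split() for _, v in parsed.items()) \
        if False else "".join("".join(str(v).lower().split()) for _, v in parsed.items())
    return [r for r in recipients if r.lower() in headers]


if __name__ == "__main__":
    leaky, _ = build_leaky_notice(SENDER, RECIPIENTS, "Notice", "Hello")
    safe, envelope = build_bulk_notice(SENDER, RECIPIENTS, "Notice", "Hello")
    print("leaky headers expose:", leaked_addresses(leaky, RECIPIENTS))
    print("safe headers expose:", leaked_addresses(safe, RECIPIENTS),
          "sent to", len(envelope), "envelope recipients")
```

The envelope list is passed separately to the sending step (for the standard library, `smtplib.SMTP.send_message(msg, from_addr, to_addrs)` takes it as `to_addrs`), so the addresses never reach the header block that every recipient can read.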

In Minnesota, several hundred organ recipients received an e-mail which accidentally included the name of the donor. Until then they were blissfully unaware who had generously prolonged their lives.

And here in Canada?

We aren’t immune to technological foibles. The Province of Ontario Savings Office (POSO) was unresponsive to concerns that it had released private financial information. Cavoukian’s office wished to solve the matter privately but once it was apparent “they would not co-operate despite repeated attempts,” her office went public with the matter. The organization released personal information of account holders, including account numbers and financial balances to Wood Gundy and Angus Reid, which were doing research on the viability of privatizing the POSO.

A public reprimand was a last resort, and one which Cavoukian was not pleased to have to do. “When an incident happens, I don’t want it to happen again,” she said. “The best way to do that is for them to buy into the solution.” When it can be done without media and public scrutiny, there tends to be greater success.

“[It is] generally not difficult to sell privacy, [you] just need to come up with a few fictitious headlines,” said Drew McArthur, CPO of Burnaby, B.C.-based Telus Corp. You just need to make people aware of the consequences in terms of bad publicity.

“I don’t think, in any instances, I’ve had to go to the CEO…(to) get people to go the highroad.”

The key to avoiding headlines is to make sure corporate policy and technology reduces the possibility of these occurrences happening to your company.

technology, education and law

The UHN was recently in the news. It was not a story Yamashita was proud of. But there was a silver lining: the technology did its job.

Six individuals – three medical residents and three staff – accessed the records of certain well-known patients. They did not have the authority to do so, and they were caught.

Because of the unique nature of medicine, denial of access to data can actually be life threatening. In an emergency situation, knowledge of a patient’s allergy to penicillin or insulin dependency can be critical. It is for this reason broad access to the hospitals’ critical information system is granted.

“Technology has been a wonderful enabler in health care in terms of improving access to information and expanding the scope of information that one can have access to,” Yamashita said.

Technology also gives administrators the ability to audit who has had access. This is how the inquisitive six were caught.

“We consider [the critical information system] superior to the old paper-based health record system,” Yamashita said. With the paper-based system a doctor could request a chart and there would be no record of who had looked at it, she explained.

Since all well-known patients’ information access is audited, it is a little surprising the residents accessed it since they must have known they would leave an audit trail. All other patients’ charts are randomly audited, and an individual has the right to go to the UHN and ask that his or her chart access be audited. There is no charge for the service.

Banks also take privacy seriously. They randomly audit customer information access to make sure there is corporate privacy policy compliance. But whereas doctors need to have broad information access, bankers do not. Here banks use technology to limit access, thus helping to increase privacy.

Peter Cullen is the chief privacy officer with the Royal Bank of Canada in Toronto. Though he is a senior executive at the bank he has no access to customer financial data since his job does not require it.

Regardless of how a company chooses to use technology to guard customer data, education still remains the key to successful policy implementation.

Yamashita illustrates how important privacy policy education is to corporate compliance.

“[Say] you are a nurse in ER and your neighbour comes in and you want to find out how they are doing,” she said. “So you check on the critical information system even though the patient is not yours. It is not an act that is motivated by any kind of maliciousness, it is genuine care…but it is those types of behaviours that we try to educate users are inappropriate.”
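The UHN control described above is detective rather than preventive: access is left broad for clinical safety, and the audit trail is what catches the curious. The following is an added example of that review logic, not the UHN's or any hospital's code. The log line format, the user and patient identifiers and the treatment-relationship table are all constructed for the example. It flags every access to a watch-listed chart, every access with no treatment relationship and no emergency reason (the nurse checking on a neighbour), samples the rest, and produces the per-chart history a patient could ask for.

```python
import random
import re

# Constructed access-log lines in an assumed format; the real system's
# log layout is not described in the article.
SAMPLE_LOG = """\
2003-11-05T08:02:11 user=dr_lee role=physician patient=P1001 action=view
2003-11-05T08:15:40 user=res_42 role=resident patient=P1001 action=view
2003-11-05T09:01:05 user=nurse17 role=nurse patient=P2002 action=view
2003-11-05T09:30:22 user=nurse17 role=nurse patient=P3003 action=view
2003-11-05T10:12:09 user=dr_ng role=physician patient=P2002 action=view reason=emergency
""".splitlines()

# Charts whose every access is reviewed (the "well-known patients").
FLAGGED_PATIENTS = {"P1001"}

# Treatment relationships: who is expected to open which chart (assumed).
CARE_TEAM = {
    "P1001": {"dr_lee"},
    "P2002": {"nurse17", "dr_lee"},
    "P3003": {"dr_ng"},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+)"
    r"(?: reason=(?P<reason>\S+))?$"
)


def parse_line(line):
    """Return a dict of fields, or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def review(lines, flagged=FLAGGED_PATIENTS, care_team=CARE_TEAM,
           sample_rate=0.0, rng=None):
    """Select accesses for human review. Returns a list of (event, reason).

    Access is not blocked (an ER clinician may legitimately open any
    chart), so the control is detective: flagged charts are always
    reviewed, accesses with no treatment relationship and no emergency
    reason are always reviewed, and everything else is sampled.
    """
    if rng is None:
        rng = random.Random(0)  # seeded so a review run is reproducible
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line; in production, count and alert
        if ev["patient"] in flagged:
            findings.append((ev, "flagged-patient access"))
        elif (ev["user"] not in care_team.get(ev["patient"], set())
              and ev["reason"] != "emergency"):
            findings.append((ev, "no treatment relationship"))
        elif rng.random() < sample_rate:
            findings.append((ev, "random audit sample"))
    return findings


def patient_access_history(lines, patient):
    """Everything that touched one chart: what a patient asking for an
    audit of his or her own record would be given."""
    return [ev for ev in map(parse_line, lines)
            if ev is not None and ev["patient"] == patient]


if __name__ == "__main__":
    for ev, why in review(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['user']} -> {ev['patient']}: {why}")
    print("history for P2002:",
          [ev["user"] for ev in patient_access_history(SAMPLE_LOG, "P2002")])
```

Note that the attending physician's own access to the flagged chart is reported too: for a watch-listed patient the rule is that every access is reviewed, not that unexpected ones are, which is what makes the trail a deterrent even for staff who have a reason to be there.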

If a company does have a privacy breach, having policies and processes in place goes a long way to rectifying the situation.

In the case of the UHN, the CEO personally contacted the patients to explain the breach, apologized for it and gave them a copy of the audit report.

The Royal Bank also has a multi-pronged plan in place if a privacy breach were to occur. The team includes everything from technology experts to close it, to representatives in place to answer media and customer queries.

“If people treat privacy as a business issue they will take it seriously since it enhances the bottom line,” Cavoukian said. “Don’t treat it as a compliance issue.”

Cullen agrees. If you lose customer trust, you will lose those customers for life.