29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.

Presentation transcript:

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE
29th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

Dr. Ann Cavoukian
Information and Privacy Commissioner of Ontario

De-identification Risk and Resolution
Bradley Malin, Ph.D.
Assistant Professor
Vanderbilt University

De-identified is not Anonymous (Sweeney 1998, 2000)
Voter List: Name, Address, Date registered, Party affiliation, Date last voted
Hospital Discharge Data: Ethnicity, Visit date, Diagnosis, Procedure, Medication, Total charge
Fields common to both: Zip, Birthdate, Sex
87% of the United States is RE-IDENTIFIABLE

DNA Re-identification
Many deployed genomic privacy technologies leave DNA susceptible to re-identification (Malin 2005)
DNA is re-identified by automated methods, such as:
– Genotype-Phenotype Inference (Malin & Sweeney, 2000, 2002)

Genealogy Re-identification (Malin 2006)
IdentiFamily:
– software that links de-identified pedigrees to named individuals
– Uses publicly available information, such as obituaries, death records, and the Social Security Death Index database to build genealogies

Genealogy Re-identification (Malin 2006)

System Susceptibility (Malin, JAMIA 2005)
Privacy Protection Systems
What: Trusted Third Party; Semi-Trusted Third Party; Denominalization; De-identification
Where: deCode Genetics Inc.; University of Gent, Custodix; University of Montreal; University of Utah, University of Sydney, Australian National University
Susceptibility to Attack: Family Structures; Trails; Genotype-Phenotype; Dictionary
Legend: Susceptible / Not Susceptible

Altering Data Does not Guarantee Protection
Science Magazine (Lin et al, 2004)
– < 100 SNPs make DNA unique
– Proposed protection: perturb DNA, i.e., change A with T, etc.
    aaaact atacct
– Increase perturbation, decrease internal correlations (see graph)
– Conclusions
    Too much perturbation needed to prevent linkage
    Keep records under lock and key
[Graph axes: Privacy (Perturbation), Utility (Correlations)]
DISCLAIMER: Uniqueness Does not Guarantee Privacy will be Compromised

Formal Re-identification Model
De-identified Biobank Data: aaactaaga, cacaccatg, tatatgatgt
Identified Data: John Doe, Jane Doe, Jeremiah Doe
Necessary Condition: UNIQUENESS
1. Make Data Non-unique
Necessary Condition: LINKAGE MODEL
2. Certify No Linkage Route Already Public

Formal Protection
k-Map (Sweeney, 2002)
– Each shared record refers to at least k entities in the population
k-Anonymity (Sweeney, 2002)
– Each shared record is equivalent to at least k-1 other records
k-Unlinkability (Malin 2006)
– Each shared record links to at least k identities via its trail
– Satisfies k-Map protection model

Beyond Ad hoc Protections
Perturbation does not guarantee privacy
Alternative: Generalization of data
(Malin 2005) (Lin et al 2004)
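An added example, not part of the presentation: it measures the k-Anonymity and k-Map levels defined on the "Formal Protection" slide, plus the share of population-unique records, on a small release before and after the generalization named on the "Beyond Ad hoc Protections" slide. All records, the field layout and the function names are constructed for illustration; suppression of small classes is an added step the slides do not mention.

```python
from collections import Counter

QI = ("zip", "birthdate", "sex")  # quasi-identifiers present in both tables

# Constructed identified register (stand-in for a public list such as a voter roll).
POPULATION = [dict(zip(("name",) + QI, row)) for row in [
    ("P1", "37203", "1961-02-14", "F"),
    ("P2", "37203", "1961-09-30", "F"),
    ("P3", "37205", "1961-05-02", "F"),
    ("P4", "37203", "1975-07-21", "M"),
    ("P5", "37209", "1975-11-03", "M"),
    ("P6", "37212", "1975-01-19", "M"),
    ("P7", "37203", "1961-02-14", "F"),
    ("P8", "38104", "1990-06-06", "F"),
]]

# Constructed de-identified release: names removed, quasi-identifiers kept.
RELEASE = [dict(zip(QI + ("diagnosis",), row)) for row in [
    ("37203", "1961-02-14", "F", "dx-A"),
    ("37203", "1961-09-30", "F", "dx-B"),
    ("37203", "1975-07-21", "M", "dx-C"),
    ("37209", "1975-11-03", "M", "dx-A"),
    ("38104", "1990-06-06", "F", "dx-D"),
]]


def generalize(record, zip_digits, date_chars):
    """Coarsen a record: keep leading zip digits, truncate the ISO date
    (10 = full date, 7 = year-month, 4 = year only)."""
    out = dict(record)
    z = record["zip"]
    out["zip"] = z[:zip_digits] + "*" * (len(z) - zip_digits)
    out["birthdate"] = record["birthdate"][:date_chars]
    return out


def qi_key(record):
    return tuple(record[f] for f in QI)


def suppress_small_classes(release, min_k):
    """Drop released records whose equivalence class has fewer than min_k members."""
    sizes = Counter(qi_key(r) for r in release)
    return [r for r in release if sizes[qi_key(r)] >= min_k]


def k_anonymity(release):
    """Smallest equivalence class inside the release itself."""
    return min(Counter(qi_key(r) for r in release).values(), default=0)


def k_map(release, population):
    """Smallest number of population members any released record could refer to."""
    pop = Counter(qi_key(p) for p in population)
    return min((pop[qi_key(r)] for r in release), default=0)


def unique_fraction(release, population):
    """Share of released records that match exactly one person in the population."""
    if not release:
        return 0.0
    pop = Counter(qi_key(p) for p in population)
    return sum(pop[qi_key(r)] == 1 for r in release) / len(release)


def assess(zip_digits=5, date_chars=10, min_k=1):
    """Generalize both tables the same way, suppress small classes, report risk."""
    rel = [generalize(r, zip_digits, date_chars) for r in RELEASE]
    pop = [generalize(p, zip_digits, date_chars) for p in POPULATION]
    rel = suppress_small_classes(rel, min_k)
    return {
        "released": len(rel),
        "k_anonymity": k_anonymity(rel),
        "k_map": k_map(rel, pop),
        "unique_fraction": unique_fraction(rel, pop),
    }


if __name__ == "__main__":
    print("raw release:           ", assess())
    print("zip3 + birth year:     ", assess(3, 4))
    print("zip3 + year, k >= 2:   ", assess(3, 4, min_k=2))
```

In the last setting k-Map (3) exceeds k-Anonymity (2): the register contains people who are not in the release, so a release that is k-anonymous is also at least k-mapped when every released record comes from that population.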

Learning Who You Are From Where You Have Been (Trails)
(Malin & Sweeney, 2001; 2004, Malin & Airoldi 2006)

Preventing Trails: Cystic Fibrosis Population (1149 samples)
BEFORE STRANON 100% Samples In Repository AFTER STRANON 0% Samples k-Re-identified

Benefit: Quantified Risk
Change in re-identification risk
Shift burden of increased risk to requesting analyst
Ties together legal and computational models
[Diagram labels: Initial Setting, Requested Quantity, Forced Setting]

Measuring and Managing Re-identification Risk
by Khaled El Emam
University of Ottawa

Managing Re-id Risk - I
Before data is collected:
– Scenarios
    When preparing a protocol
    For review by ethics boards
    When formulating new policies and procedures
    When writing data sharing agreements
– Tools
    Heuristics
    Simulations

Managing Re-id Risk - II
After data is collected:
– Scenarios
    Providing data to administrators, researchers or government departments
    Responding to an access to information request
– Tools
    Masking
    Risk-based anonymization

Heuristics, Masking, Anon
The 20k rule, 70k rule, 100k rule ….
Decision tools from matching experiments
Around 18 tools for masking on the market
Deciding on a risk threshold for anonymization

Acceptable Re-id Risk
What databases does an attacker have access to for record linkage?
What does an attacker know beforehand?
What is the verification cost?
How do we account for privacy tradeoffs by the public?
What is the impact of consent model?

Databases
Public information and registries
Commercial but generally available databases
Confidential and proprietary databases

Verification Cost
At some point the verification cost becomes too high compared to the benefit for the attacker
The proportion of data that is population unique is important
The extent of overall matching success is also important
You can control both through anonymization

Tradeoffs
The public is willing to trade their privacy for personal benefits/gains
What they tell us is not necessarily how they will behave
To what extent is the public willing to trade their privacy for societal gain?

Consent Models
Is the impact on recruitment rates and bias a function of the consent model or how it is implemented?
There are many factors that influence consent – were all of these controlled for when comparing consent models?

Workshop 4
Protecting Privacy Through De-Identification: Reality or Fallacy
Part 1: Discussion

Dr. Debra Grant
Senior Health Privacy Specialist
Information and Privacy Commission of Ontario

De-identification challenges raised by genetic and genomic data
William W. Lowrance, PhD
September 26, 2007

The physical basis of the challenges
The human genome:
– is extensive and very fine-grained
– influences many personal attributes
– is intrinsic to the body
– doesn't change during the lifetime
– is unique to the individual.
The full genome is carried by the DNA in every cell of the body (except red blood cells).

What genomic data look like
...tttccgtatgcgtagccagacttaccctcctagtag...
through 3,000,000,000 "data-cells," each carrying a/t/g/c.
Altering or inserting just a few a/t/g/c can make a big difference, whether the genome is being considered:
– as a dynamic program-tape, or
– as an intrinsic "barcode."

What genetic data look like
– at sequence scale: ctag...ctccca
– at gene scale: "Diabetes-factor gene SLC308A"
– at body scale: "red hair," "heritable renal dysplasia"
– at family scale: pedigree, family health history, other indicators.

The most useful construal of identifiability for genomic data, in my view
"Identifiability" is the potential associability of data with persons.

Paths through which genomic data can become identified
(a) matching genotype to identifiable reference genotype data (such as police, military, or blood-relatives')
(b) linking genomic+associated data (health, social, etc) with other data
(c) profiling, i.e. probabilistically describing likely appearance, health factors, or other traits.

Tactics for de-identifying genomic data
(a) limiting the proportion of genome released
(b) statistically degrading the data before releasing
(c) irreversibly de-identifying
(d) separating the identifiers and key-coding.

Tactic (a): limiting the proportion of genome released
– is done, and can protect
– but often limits usefulness, because often it isn't known in advance which portions of genome are relevant
– difficult to judge how much is "not too much" to release.

Tactic (b): statistically degrading the data before releasing
– can be done, such as by randomly substituting some a/t/g/c
– almost always degrades usefulness, because most analyses depend on precise fine details.

Tactic (c): irreversibly de-identifying
– is occasionally done, such as when the purpose is to survey the background occurrence of some phenomenon, or to provide data for educational use.

Tactic (d): separating the identifiers and key-coding
– works well if performed carefully, the key is properly safeguarded, and use of the key to reconnect is strictly controlled
– is increasingly being used in activities such as health research.

To de-identify, or not?
Whether and in what ways to de-identify genomic data depends on the:
– character of the data
– consent
– intended uses
– potential for linking to reference genotype or other data
– protections.

Alternatives and complements to de-identification
Provide access via controlled release (governed by contract, overseen by a stewardship committee, etc)
Sanction against misuse of the data (such as improper re-identifying) or abuse using the data (such as negative discrimination).

Closing sermon
De-identification is a crucial, practical protection for both genomic and other kinds of data and its use must be strongly encouraged!
General ref: Lowrance and Collins, "Identifiability in genomic research," Science 317, (August 3, 2007).

Consent and Access to Personal Information for Health Research – public perspective
Don Willison, Sc.D.
Centre for Evaluation of Medicines, St. Joseph's Healthcare,
Dept of Clinical Epidemiology & Biostatistics, McMaster University,

Research team:
– McMaster University
    Don Willison (P.I. – privacy, policy, research methods)
    Lisa Schwartz (philosophy, bioethics)
    Julia Abelson (public engagement)
    Cathy Charles (public engagement, qualitative methods)
    Lehana Thabane (statistician, quantitative methods)
    Marilyn Swinton (research coordinator, qualitative methods)
– York University
    David Northrup (survey methods)
– Canadian Policy Research Networks
    Mary Pat MacKinnon, Judy Watling (dialogue)
Funding: Canadian Institutes of Health Research
Publication: JAMIA – November 2007

Context: Expanding Use of personal information for health research
Increase in scope and complexity of data use
– Data linkage administrative and clinical data survey and genetic information
– Single time-limited studies registries and biobanks
– EHR: expanded access to health information for:
    population / public health research
    pragmatic trials
Researchers need individual-level data
– Challenge: masking of identity
– Debate: treat data as identifiable?

Issues Around Consent
Patient/public perspective:
– How to obtain meaningful and valid consent?
Researchers' perspective:
– practicability of obtaining consent
    potential selection biases in a consent-based system
– If consent is waived, limitations:
    Cannot contact patient / Who may screen charts?
General:
– Must we be limited to the binary option of consent / no consent?

Our survey:
Cross-Canada telephone survey, random-digit dialled
– March-April 2005
– n=1230 (58% response rate)
Structure:
– General questions
    Demographics, altruism
    Placing health and privacy in context of other priorities
– Questions in abstract
    attitudes re: privacy and research
    trust in institutions
    use of medical records for different types of research
– Specific scenarios. Role of consent in:
    medical record research
    electronic health record
    record linkage

WHAT DID WE FIND? Attitudes to privacy
High support for privacy in principle:
– 97% felt protection of the privacy of their personal information was important
    74% very important / 23% somewhat important.
– 91% agreed that more effort needs to be made to protect our privacy
    59% strongly agreed / 32% somewhat agreed
– 92% agreed that everyone benefits if the privacy of individuals is respected
    66% strongly agreed / 26% somewhat agreed

Privacy vs. Research


Research Scenarios
4 scenarios:
– Abstraction of information from health record for research
– Use of electronic health information for research
– Linkage of education with EHR
– Linkage of income with electronic health record
Data have direct identifiers removed
– Makes it difficult but not impossible to re-identify

Opinion regarding consent and alternatives across scenarios
Consent choice columns: Do not use; Ask permission first (Every time, General renewing, General once); Notify / opt out; Just use
Manual extraction of data from medical record (n = 1207): Do not use 4%; Ask permission first 60% (Every time 32%, General renewing 23%, General once 5%); Notify / opt out 24%; Just use 12%
Automated extraction of data from EHR (n = 941): Do not use 9%; Ask permission first 36%; Notify / opt out 28%; Just use 27%
Link education with EHR (n = 858): Do not use 10%; Ask permission first 41%; Notify / opt out 26%; Just use 23%
Link income with EHR (n = 853): Do not use 27%; Ask permission first 40%; Notify / opt out 16%; Just use 17%

Public Dialogues
Key messages:
– High sense of altruism, but contingent on benefit being accrued to public
– Desire for greater control when there is a commercial element.
– Importance of trust of the researcher
    beneficence / non-maleficence
– Consent choice little different between identifiable and non-identifiable information
    A matter of respect for the individual

Conclusions
Public values both health research and privacy
– If pressed, privacy tends to give way to research
– Support is there for research use of personal information,
    Much of this support is qualified
    Researchers need to be careful to maintain public trust
    Importance of paying attention to safeguards
Individuals differ in the amount of control that they want to exercise over use of their personal information.
– Majority (~65%) open to alternatives to express consent on a study-by-study basis
– Only 12-27% willing to allow use of their information without their knowledge or consent

Policy Implications:
Insufficient public support for across-the-board assumed or deemed consent for research uses of personal information for health research
Document individuals' consent choices for 2° uses of personal information – authorization model.
– Embrace the range of consent alternatives
– How best to approach this?
    Track choices through common inter-operable EHR (Canada Health Infoway)
Need infrastructures for ascertaining and managing consent choices
Safeguards and governance structures
