Sunday, 9 March 2008

Additional Information

Why should we care with whom the medical system shares our information?
(not necessarily in order of concern; what is most important will vary with individuals)

1. Rights
If we don't fight for our rights, if we don't stand up for them, we won't have them and, quite frankly, we won't deserve to have then. We either go uphill or we go downhill, we rarely have the option to stay in same place (think about the change in information technology).
It appalls me that we do not, or no longer, have the right to know with whom our information is being shared, except in terms so general as to be useless. The one reason I kept hearing, as I stood outside the hospitals handing out information sheets, was that the hospitals save lives therefore:
a. isn't that enough
b. give them everything they want
Well, a lot of other people save lives as well. That's their job. That's what they get paid to do. Police, firefighters, life guards, snow patrols, armed forces, etc. Does that mean we should give them everything they want, and we should not expect to have rights. Do you want these people showing up on your doorstep, or stopping you on the street and demanding information, knowing that you have no right to say no, no right to know why they want it, no right to know what they will do with it, no right to know with whom it will be shared? I don't.
I think that most people have learned what happens when you treat people, or they treat themselves, as gods or demi-gods, above the law, better than the average person. Catholic priests “molested” children for decades, and probably centuries, because people refused to believe they were capable of it, refused to believe that they were just average people with the strengths, and weaknesses, of average people. There was no one to hear the children, no one to take action, or at least, not enough people, for a very long time.
Medical people do save lives. But, as we have heard many times, they also do not “save lives”. It has been fairly recent that I have heard reports of estimates of the number of preventable deaths. Since the reports have been made public (i.e. actions in the medical system made more transparent), some steps are being taken to end these preventable deaths (i.e. make the medical system more accountable). Without transparency there is no accountability.

As mentioned, if we don't stand up for our rights we won't have any. This is supported by an article in the Vancouver Sun (a paper which I never buy), by Gail Bellward, John Russell and William Sullivan, January 22, 2008, pg. A9. Researchers (apparently any researchers, from wherever), want the US corporation which runs MSP, and Pharmacare, “to release information for the purpose of contacting potential research participants”. And the government is supportive. I assume this means that if a “researcher” wants information on women who have just had a miscarriage, they could contact MSP and/or Pharmacare, get a list of this people's names, addresses and other information and contact them. Please note, there was no mention of offering the patients the right to say no to sharing this information.
I am not against research, per se. But I am against anyone deciding that people have no rights. Destroying people's rights is not in the public interest. If they contacted me, under these circumstances, I would not be providing them with the information they would want. In fact, I doubt that most of what I would say to them would be printable. If the government allows these companies access to our information, what will we lose next. Read the “Foreign Connection” below for additional concerns. The ends do not justify the means.

Another article in the same paper, same date and page, by Barbara Yaffe is titled “What a Concept: The patient as a health care consumer”. She discusses the “Euro-Canada Health Consumer Index” on which “we placed 23rd of 30”. Among other things, Barabara Yaffe writes that the report notes that Canada tends to be “disdainful of the rights of health care consumers”.

2. The Foreign Connection

The following points are from:
ID Theft - PIPEDA and Identity Theft – Solutions for Protecting Canadians
From 2006, BC Freedom of Information and Privacy Association (FIPA)

Although this “book” refers to federal privacy legislation (PIPEDA), the BC privacy legislation is required to be substantially similar.
PIPEDA is the private sector legislation but why should the government institutions provide less protection, less transparency, and less accountability regarding our privacy. Logically, one would think that the government institutions would be at the forefront of privacy protection.
Also, the “book” refers specifically to identity theft. However, the information is pertinent to theft for other purposes.
Any information in comic sans MS are my notes. Any bolding is my emphasis.

- pg. vi - ...Canadian data overwhelmingly flows to the United States
- pg. 1 – The problem has grown, aided by the Internet and the fact that so few individuals are ever charged and convicted of ID theft.
- pg. 15 – The growing black market for identity information is one of the most worrying aspects of the problem, because it provides a secondary market after a thief has perpetrated his primary theft.
- pg. 15 – Identity thieves often turn to corporate and government databases to gather information, usually involving employees. Their level of access and knowledge of passwords provides them with significant amounts of personal and financial information, particularly if access controls are set too broadly, which is often the case.
- pg. 17 – One possible way for identity thieves to obtain information is through insecure e-commerce transactions or lax corporate practices.
- pg. 19 – One of the reasons that ID theft has become epidemic is that the law has not responded quickly to defend the rights of victims. Another is that prosecution is difficult, for a variety of reasons. Possession of identity documents that do not belong to you has not hitherto been illegal, so police have to catch ID thieves in the middle of a fraudulent act. Operations now can be set up and closed down quickly, as much of the data necessary for large scale scams can fit on a laptop, sometimes even a datakey, and thieves are highly mobile, going from state to state or province to province.
- pg. 19 – One survey stated that only 1 in 700 cases is brought to justice (I believe these are US figures)
- pg. 36 – ChoicePoint is one of a type of company known as data brokers who gather and analyze public records and sell the data to corporations, employment firms, marketers, the police, national security agencies and other government agencies. In a sense, these companies act as privatized intelligence agencies since they not only gather the information, they also analyze it. ChoicePoint is among the largest and most powerful of these data service providers in part because the company has bought out several of its competitors in recent years. Many of these companies have close ties to the government (referring to U.S.). The EPIC (Electronic Privacy Information Center) website reports that ChoicePoint sells a wide range of information to the government (referring to U.S.) including:
- Credit headers, a list of identifying information that appears at the top of a credit report. This information includes name, spouse's name, address, previous address, phone number, Social Security number, and employer.
- Workplace Solutions Pre-Employment Screening, “which includes financial reports, education verification, reference verification, felony check, motor vehicle record, SSN verification, and professional credential verification.
- Asset Location Services.
- The ability to engage in “wildcard searches,” which allows law enforcement to “obtain a comprehensive personal profile in a matter of minutes” with only a first name or partial address.
- The use of “Soundex” queries, which allow searches on personal information based on how names sound, rather than how they are spelled.
- Information on neighbours and family members of a suspect.

In the post 9/11 era, commercial information services are playing a central role in government intelligence services now clustered in the Department of Homeland Security. The agencies now united at DHS rely on these services for public records, identity verification, and automated analysis. In fact, ChoicePoint currently employs a team of homeland security advisors, many of whom were previously government officials.

As journalist Robert O'Harrow has pointed out:
ChoicePoint and other private companies increasingly occupy a special place in homeland security and crime-fighting efforts (as defined by the U.S. government), in part because they can compile information and use it in ways government (referring to U.S.) officials sometimes cannot because of privacy and information laws.

While government authorities have claimed that the services provided by companies such as ChoicePoint are essential for national security in the current climate, privacy advocates argue that there is a lack of regulations, restrictions and oversight in place to ensure that individuals' civil liberties are protected. In fact, there are virtually no restrictions in the private sector in the US that address the collection, use, and disclosure of this personal information.

pg. 38 – What does this have to do with a Canadian report on ID theft? Firstly, we are uncertain whether ChoicePoint or any of its subsidiaries holds data about Canadians. This is true for other giant data brokers as well. It seems highly unlikely that they do not, since the border is utterly transparent for the financial, telecommunications, and retail sector, i.e. Canadian traffic on these networks is seamless with that of the United States. Secondly, ChoicePoint now has the distinction of being the site of the biggest case of ID theft in history. The way this theft was perpetrated should give pause to all who think we are making headway in fighting this scourge.
ChoicePoint made the news on February 18, 2005 when the Wall Street Journal reported that the company had sold private information of about 145,000 U.S. residents to criminals who posed as legitimate businesses. The reason the company went public on the breach, long after learning of it, is that California's law requiring notification of security breaches to the individuals whose data was compromised came into effect in January 2005. The company rather cavalierly responded to the press that they did not intend to extend the notification to victims outside California, and the story has rolled downhill since then.

- pg. 39 – The central problems in the free flow of personal information throughout public
records and the private sector in the United States will be extremely difficult to combat. While PIPEDA may have its problems, Canadians should be thankful that we are not in quite as bad a situation as our friends in the United States. However, because Canadian data is now flowing across the border through airline and custom systems, and data brokers such as ChoicePoint have a mandate from the government (U.S.) to collect data for security purposes, these issues demand our attention.
...the ill-defined industry of data brokers whose activities largely fall outside the regulatory scheme of the Fair Credit Reporting Act, a law that regulates narrowly defined consumer reporting agencies or credit bureaus. ...the government is increasingly relying on data brokers to supply and analyze personal data for intelligence and law enforcement purposes. Federal agencies operate under the privacy restraints of the Privacy Act of 1974, but the government's use of data brokers appears to fall largely outside the scope of the Privacy Act. As a result, a major activity affecting individuals and their privacy interests and involving both the federal government and significant private sector data processors does not appear to be covered by any existing U.S. privacy law. Recourse to such data brokers has replaced collection by government itself, and has been explicitly noted by the Office of Management and Budget as falling outside the scope of the Privacy Act because it is not a “collection”.
In general, data brokers operate without any legal requirement to:
- provide data subjects with information about their data activities
- obtain any form of consent for processing of personal data
- permit opt-out of processing by data brokers
- offer rights of access or correction
- assume liability for errors that harm individuals

Is some of our personal/health care information going to U.S. companies and thereby becoming accessible to companies such as Choice Point, who then sells it to other companies and the U.S. government? Is this part of what the health care system is trying to hide?

- pg. 48 – PIPEDA Section 4.3.5 – In obtaining consent, the reasonable expectations of the individual are also relevant. individual would not reasonably expect that personal information given to a healthcare professional would be given to a company selling health-care products, unless consent were obtained. Consent shall not be obtained through deception.

- pg. 48 – One of the problems here is that society as a whole has not caught up with the information industry. Even extremely well educated people working in the field were not aware of the existence of ChoicePoint, or how the database industry functions. Most people have no clue how the insurance industry works or credit reporting (or hospitals). Therefore the reasonableness test is a bit problematic; the fact is the general population cannot pass a basic facts test on what is happening with their information. This is an area that needs to be rectified through consumer education. In the meantime, it would be helpful if people used the rights available to them under the openness principles and insisted on knowing where their data is going, who it is being shared with, and how long it is being kept. Then they can evaluate whether this meets their expectations.
Unfortunately, in BC, people are being denied this right.

- pg. 49 – the law can certainly, in our view, be read to require organizations to be absolutely explicit about what they are doing with information, in order that consumers (and patients) are not deceived into giving information when it could be exposed to risk.

- pg. 49 – PIPEDA Section 4.4.2 – The requirement that personal information be collected by fair and lawful means is intended to prevent organizations from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception. (Yet, hospitals ask patients for permission to share their information with researchers, without telling the patients that the hospitals could share information without their consent. Isn't that misleading?).

- pg. 50 – If a company collects too much information, and keeps it all in one place, the risk of ID theft goes up tremendously. Process control would dictate that not all information be collected at once, lest there be a leak in that chain, and indeed in some of our examples, companies lost tapes or databases but there was no risk to consumers because the files were incomplete and had to be matched with other critical elements kept separately. (think about the Provincial database with potentially all your medical information in one location, accessible provincially/federally and possibly world-wide)
- pg. 52 – Most data protection statutes are vague about security measures. The Health Insurance Portability and Accountability Act (HIPAA) of the U.S., authorized regulations for security of health records which just took effect in April 2005. It is difficult to be more precise than PIPEDA in a general privacy statute, and certainly lawyers have been reluctant to stride into the arena of the IT security experts. However, more precision is required if companies are to understand what is expected of them in terms of a duty of care to their customers and individuals who become victims of ID theft through their carelessness.
- pg. 54 – Principle 8 – Openness
- 4.8 An organization shall make readily available to individuals specific information
about its policies and practices relating to the management of personal information.
Again, quoting Perrin:
This obligation is transformative and far-reaching but has received very little publicity. The principle states the obligation to make specific information available about policies and practices relating to the management of personal information. ...this provision goes much further by imposing an obligation to document policies and procedures concerning the handling of personal information, and make those policies available to the individual.
Individuals have not taken full advantage of this clause... Consumer groups, especially those offering services to victims, ought to systematically ask for the policies and procedures with respect to:
- ...
- Contract clauses with third parties which stipulate obligations to protect information as it is
protected in Canada under PIPEDA. It is unlikely that companies will release this information, but in the course of investigating a complaint, at least the Privacy Commissioner would have the opportunity to see if they have any specific language about protection, recognizing the risk of ID theft.
- The chain of sharing for their personal information (which companies and why, which

- pg. 55 – 4.8.1 – Organizations shall be open about their policies and practices with
respect to the management of personal information. Individuals shall be able to acquire information about an organization's policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.
- 4.8.2 – the information made available shall include:
- (e) what personal information is made available to related organizations (e.g., subsidiaries).
- pg. 56 - 4.9.3 – In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual. (The hospitals I contacted refused to provide this information. Why?)

Companies have argued that telling the individual who has their data amounts to releasing a customer list, and they argue that rival companies will use their employees to file access requests and find out who their customers are (would this not be their vendor list?). This may be true, but it is certainly a lesser evil than having a citizenry who do not have the right to find out who has their personal information.

- pg. 57 – Principle 10 – Challenging Compliance
- 4.10 – An individual shall be able to address a challenge concerning compliance with
the above principles to the designated individual or individuals accountable for the organization's compliance.

The right to challenge compliance with the standard and the law is available to all individuals, not just a person whose information is at play. This effectively means that consumer advocates or security experts could complain when they find practices to be sub-standard. An ID theft resource centre could encourage victims to take cases to Court where the facts warrant it, after complaining to the Privacy Commissioner. A few damage awards might have the effect of improving adherence to best practice. (The BC Privacy Commissioner's office refused to take action against hospitals who I believed were asking illegal questions because I had not gone to the hospitals and had my rights violated).

- pg. 60 – There has been quite a bit of controversy in Canada already on the subject of “naming names” and on publishing the details of each investigation. B.C.FIPA has come out strongly in favour of publishing the details and the names of the companies, in the interests of motivating parties to achieve better compliance with the law, and where ID theft is at play, it seems obvious that there is a public interest in disclosure to protect other individuals from exposing themselves to risk.
- pg. 61 – Obviously the ability of the Court to award damages has considerable interest for victims and for organizations such as the BCFIPA who would be interested in setting up victim assistance centres. At the very least, information on how to take a case to Federal Court could be made available to victims of ID theft (I would hope this would be expanded to include all people whose privacy rights have been violated).
- pg. 61 – Finally, the Commissioner has extensive audit powers which have not been used in the private sector. Auditing of security practices in particular would be useful, and publishing the results and recommendations stemming from such an audit would be educational for business. (Hospitals audit themselves. How much value do you place in a self-audit?)
- pg. 64 – One of the central problems in investigating and prosecuting ID theft at the moment is the lack of criminal code provisions, which hampers the ability of law enforcement to act. Using the powers of the Commissioner to investigate personal information breaches and complaints is not substitute for necessary legislation, but it could help to put pressure on the situation at the moment.
- If the office (Privacy Commissioner's) were to perform a few security audits of companies and develop recommendations for detailed codes of practice, this could assist in raising the bar for company practices.
- pg. 67 – The overwhelming impression we get when viewing the situation, particularly in the United States, is that absent any form of liability for companies, fundamental and effective change may be difficult to achieve.
- pg. 69 – The prosecution of certain types of ID theft is further complicated by the fact that the perpetrators can do the work from outside the jurisdiction where the individual resides. Because the transborder dataflow provisions of PIPEDA are weaker than those of, for instance, the European Union, it is difficult if not impossible to do anything once data has left the country. Consumers have no effective redress where the data breaches take place outside the country, other than to sue a company in a foreign jurisdiction, a proposition which is too onerous for the average individual to undertake. Most contractual provisions in subcontracting or outsourcing arrangements do not provide consumer rights, they mostly transfer liability from one company to another without granting status to individual consumers.
Think about all the outsourcing being conducted by the hospitals.
Also, MSP, run by a U.S. corporation, can, under certain circumstances, transfer our personal/medical data outside of Canada. Why? Why can't other arrangements be made. How safe is our data once it is outside Canada, or is it safe at all? I doubt that Canadian laws apply to this information once it is outside Canada.

3. Blackmail, harassment, ridicule, discrimination, etc.
One of the health authorities admits that we “own our information”, so why don't we have control over who sees it? What does “own” mean in the health system? Do you want your family, your boss, your co-workers, your neighbours, your insurance company, a lawyer, to know your medical history, that you had a heart attack, a past drinking problem, a hysterectomy, a vasectomy, a gall bladder operation, were raped, lost a child, etc. Don't you think that you should be the person to determine with whom that information is shared. For example, do you want the people from food services (which has been outsourced) accessing this information? According to Providence Health Authority and the Privacy Commissioners Office service providers do have access to this information, as do volunteers, etc.

The Legislative Assembly is currently reviewing the provisions of the province's private sector privacy act. The legislation is almost 4 years old. Submissions were requested by February 29, 2008.

Why not review the public sector privacy act? It is more than 13 years old.

If you google hospital privacy breach, you will find many more examples of hospitals violating patients privacy.

No comments: