We all recognize how crucial privacy is in today’s world. For decades, we’ve faced an onslaught of privacy breaches, class action lawsuits, and cases where healthcare workers have been reprimanded for accessing confidential files without permission. We’ve even seen legal actions taken against those involved in these breaches recently. As a result, healthcare organizations and health tech vendors are under increasing pressure to prove that privacy is integrated into their systems and their business and clinical operations.
With the surge of Internet-enabled technologies entering the Canadian healthcare system, privacy once again emerges as a major concern, often viewed as a hurdle to innovation and progress. It prompts the question: How can we turn privacy into a competitive advantage and leverage it to drive digital change?
The answer lies in Privacy by Design (PbD). PbD is a philosophy that advocates for embedding privacy into the design specifications of various technologies. This approach can be applied across technology, business practices, and physical design, ensuring privacy is considered from the beginning of product and service development.
Privacy by Design (PbD) is a concept introduced by Dr. Ann Cavoukian, the former Ontario Information Privacy Commissioner, in the 1990s. This framework was developed to address the widespread and systemic impacts of Information and Communication Technologies and large-scale networked data systems. PbD emphasizes that ensuring privacy in the future cannot rely solely on compliance with existing laws and regulations. Instead, organizations should integrate privacy as their default operating mode.
The goals of Privacy by Design include protecting individual privacy and empowering people to control their personal information while enabling organizations to achieve a sustainable competitive edge. Adhering to the 7 Foundational Principles of PbD can meet these objectives.
Although these principles offer a valuable foundation for incorporating privacy into products and services, system developers need more than just a framework. They require clear and precise requirements, an understanding of available privacy and security controls, and a risk-based approach to safeguarding personal health information.
Fortunately, numerous resources are available to support HIT developers in ensuring the privacy of their applications. The following steps can guide developers in applying Privacy by Design principles effectively in real-world scenarios.
First, outline your privacy and security requirements. Good development practices always begin with clearly defined objectives, including privacy and security specifications. Start with the privacy laws that apply in all regions where the system will be implemented. These regulations dictate what you and your customers must do to manage consent and facilitate patient access to their personal information. They also outline how to handle the collection, use, and disclosure of personal data, as well as the requirements for notifying individuals in case of a breach and fulfilling other essential business processes.
Developers creating products and services for multiple jurisdictions should exercise caution, as privacy legislation can vary. While Provincial and Territorial privacy laws in Canada share similarities, they are not identical. App developers marketing directly to consumers may find themselves subject to both federal and provincial private sector legislation, potentially leading to different applications or configurations for consent management, breach notifications, and other features at the design level.
One notable area where legislation tends to be intentionally vague is in the realm of security safeguards. Terms like “reasonable” or “appropriate” safeguards are frequently used. This flexibility acknowledges the ever-changing landscape of security; what constitutes a robust safeguard today might be deemed insufficient tomorrow.
Deploying Privacy and Security Controls Based on Risk
When implementing privacy and security controls, developers have access to a wealth of excellent resources that can guide their decisions. For privacy, the CSA Model Code for the Protection of Personal Information is a gold standard, laying out key principles and controls within a Canadian context. Additionally, the Trust Services Criteria and Principles, created by the American Institute of Certified Public Accountants (AICPA) and CPA Canada, are another valuable resource, particularly if your product or service will be offered in both Canada and the United States.
On the security front, ISO/IEC 27002:2022, which focuses on Information Security Management best practices, is widely recognized as a key standard across various sectors globally. Complementing this, ISO 27799 offers guidance on how to apply ISO/IEC 27002 specifically within healthcare environments. For those looking to release solutions in the United States, the National Institute of Standards and Technology (NIST) has put together an Introductory Resources Guide to assist developers in implementing the HIPAA Security Rule.
When it comes to AI projects, developers have valuable resources at their disposal, such as the OECD AI principles and the ISO 42001 standard. These frameworks provide comprehensive guidelines to help address potential risks associated with artificial intelligence. Specifically, they emphasize the importance of privacy and security measures, ensuring that developers can create AI systems that are not only innovative but also responsible and trustworthy. By following these principles and standards, developers can effectively navigate the challenges surrounding AI implementation and create an environment that safeguards users’ data and privacy.
Developers should use tools such as the Privacy Impact Assessment (PIA) and Threat and Risk Assessment (TRA) to prioritize the effective application of privacy and security controls. Since it’s impossible to implement every control available, the PIA and TRA help developers discern what is “reasonable” and “appropriate” for each specific application or solution.
Privacy by Design in Legislation
In recent years, the Privacy by Design (PbD) principle has evolved from a mere buzzword to a legal requirement. The European Union’s General Data Protection Regulation (GDPR), which took effect in 2017 for all EU member countries, mandates PbD as a vital data protection component. We’re also witnessing a growing acknowledgment of PbD within the United States, and it’s only a matter of time before Canadian regulations incorporate these principles.
Turning Privacy into a Competitive Advantage with PbD
Adopting Privacy by Design (PbD) reinforces a company’s commitment to safeguarding customer data and transforms privacy into a competitive advantage. Businesses can foster strong relationships with customers, partners, and regulators by promoting trust through transparency and accountability. Enhancing the customer experience by prioritizing privacy ensures seamless interactions and empowers users with control over their personal information. Furthermore, integrating PbD into innovation and digital transformation efforts supports compliance with evolving regulations while mitigating risks. As companies develop AI systems, a privacy-first approach aligns with ethical guidelines and builds trust in technology. Overall, PbD serves as a crucial strategy for organizations looking to thrive in a privacy-conscious marketplace.
If information technology is to truly revolutionize healthcare, PbD must be seamlessly integrated into our innovation strategies. While disruption can lead to positive changes, it should never come at the cost of patients’ privacy rights or safety. PbD allows for digital transformation in healthcare without compromising these essential rights. As Dr. Ann Cavoukian has emphasized, privacy is a positive-sum game, benefiting everyone involved.
Authors:
Patrick Lo, CEO, Privacy Horizon Inc.
Brendan Seaton, Principal, eHealthRisk Group