Freedom of Information and Protection of Privacy (FOIPPA) legislation was not intended to hamstring data scientists and policy workers. It was not intended to cause a culture of fear that inhibits the pursuit of knowledge in the public’s interest. It was not intended to cause the sharing of data and information to grind to a near halt. It was not intended to squander resources to ensure adherence to the letter of the law. It was not intended to result in the gutting of capacity to do valuable research on the efficacy and safety of drugs.
Yet, those are the very real unintended consequences – consequences that are difficult to cope with and understand unless you have attempted to grapple with them first hand.
When it comes to data and government’s use of data – many in British Columbia and Canada are in the dark about how it works and why it critically matters. Many are incredibly fearful of the use of their personal information, and the words “Data Privacy Breech” often elicit a tremendous fear of identity theft. Further, personal medical information is sensitive information that needs to be kept confidential as it has the potential to negatively impact an individual’s personal life. Protection of privacy and the mitigation of risks associated with sensitive personal information needs to be a priority. Those trusted with access to that information have a responsibility and a duty not to violate the privacy of individuals by accessing information to satisfy “personal curiosities” as was recently the case in Vancouver Island Health Authority (http://www.timescolonist.com/news/local/curiosity-of-island-health-employees-led-to-privacy-breach-probe-reveals-1.1622518#) or to sell that information for personal gain as was the case in Ontario a little while ago when a Rouge Valley Centenary Hospital clerk sold the information of birthing mothers to financial companies (http://www.thestar.com/news/crime/2014/11/24/hospital_clerk_charged_with_misusing_records_after_confidential_patient_files_were_sold.html).
The collection of data (either directly or indirectly), use and disclosure of that information are all governed by FOIPPA legislation – collection, use or disclosure that does not meet the needs of the legislation are subject to significant sanctions including termination of employment, substantial fines or even jail time.
So what does that mean?
It means that every time Ministry A wishes to link individual record level data with Ministry B or to share information with the health authorities, there has to be a Privacy Impact Assessment (PIA) and an Information Sharing Agreement in place. As a result significant resources are used to undertake Privacy Impact Assessments and to draft Information Sharing Agreements. As a result, far less information sharing between different organizations that are publicly funded occurs than what might be optimal, simply because sharing data is an onerous activity. As an example, consider a program that is being tailored to improve upon the health status of “at-risk” families. It is suspected that families who receive welfare, families who are newly arrived, families who have a history of domestic violence, families who have low income are “at-risk” of poor health outcomes. However, much of the needed information is not collected by the Ministry of Health – but is collected through a variety of other ministries and organizations including Revenue Canada, the Ministry of Justice, the Department of Corrections, the Ministry of Social Development, the Ministry of Children and Families, etc.. Much of that information was not collected with the purpose of evaluating or developing health policies or programs. As such, even though “the Government” collects the information, it might be severely limited in the sharing of that information and its use and at a minimum would need to undertake a Privacy Impact Assessment and enter into one or more Information Sharing Agreements. If it is an outside researcher needing the information there would significant costs (thousands of dollars) and delays in the production of information. This would need to happen not just once, but for every project that requires information to be shared between ministries or outside researchers – and every project would have to specify the use and disclosure of the information collected.
Further, it means that once those charged with analysing the information have the data in hand – they are limited in the kinds of analysis and explorations that they may undertake. They are able to undertake the analysis for which they have been granted permission under the Privacy Impact Assessment and the Information Sharing Agreement (or via other legislation) only. Unfortunately, this often means that there is a tremendous opportunity cost that is incurred.
As an analogy, imagine for a moment, that a chef has been given the ingredients for a meal, but rather than enabling and empowering the chef to make the “best meal possible” with the ingredients that they have been given, the chef has also been given a precise recipe to follow and have been told that if they deviate from that recipe that they will be fired. If the chef wants to do something different with the ingredients that they have been given (and retain their job), the chef must first submit a revised recipe to their superior and only after that recipe has been approved by a joint board will the chef be allowed to make the revised dish – however, when the chef has suggested revisions to the recipe before, the suggestions are often dismissed out of hand either because of lack of time, or fear that the chef will produce something that is not palatable.
Imagine what that does for innovation?
Imagine what that does for job satisfaction?
Imagine how hard it would be to keep the best and brightest interested in public data?
Imagine the difference between what is done and what could be done?
Those who work with health data need to be empowered and enabled to make the most of the information resources that are available. They need to be free to explore the data and to make potentially profound discoveries about how the public can be served better. There needs to be a better way to protect the privacy and interests of individuals without sacrificing the potential to develop, implement and evaluate the policies and programs that are publicly funded.
Working with data is not just a science, it is also an art – and unless we are willing to enable and empower those who work with data to make the most out of the information resources available – the gap between what is and what could be will remain.