The Information and Privacy Commissioner of Ontario ("IPC") recently released Decision 175, which considers the appropriateness of de-identifying personal health information.

This decision expands on the IPC's De-identification Guidelines for Structured Data [PDF] (the "Guidelines"), which outline the basic concepts and methods of de-identification and key issues to consider when de-identifying personal information. Decision 175 complements the Guidelines by offering commentary on the process of de-identifying personal health information in compliance with Ontario's Personal Health Information Protection Act, 2004 ("PHIPA").

De-identification Under PHIPA

PHIPA defines de-identification as the process of removing any personal information that (i) identifies an individual, or (ii) for which there is a reasonable expectation that the information could be used, either alone or with other information, to identify an individual. With limited exceptions, PHIPA prohibits persons from using or attempting to use information that has been de-identified to identify an individual, either alone or with other information.

In addition, in 2020, amendments to PHIPA were introduced that contemplate future regulations that may set standards and requirements for de-identification. Draft regulations have not yet been proposed, leaving the Guidelines and IPC investigation decisions as the main sources of guidance on de-identification.

The IPC's Investigation

The IPC commenced an investigation following the publication of a newspaper article that alleged that an electronic medical record (EMR) service provider was anonymizing health data and selling it to a third party. The IPC identified several respondents, including the medical clinic that was the custodian of the data at issue and the related entity that had acted as an agent of the custodian and entered into a sale agreement with the data purchaser.

The IPC concluded its investigation without proceeding to the adjudication stage or issuing an Order, given that the respondent medical clinic amended its privacy practices during the investigation and therefore met its obligations under PHIPA. Still, the IPC's Decision provides three significant takeaways for custodians about the de-identification of personal health information.

1. De-identification Is a Permitted "Use" of Personal Health Information

PHIPA governs the collection, use and disclosure of personal health information. In Decision 175, the IPC determined that the act or process of de-identifying personal health information is a "use" of such information, thus bringing it within the scope of PHIPA.

PHIPA broadly defines "use", in relation to personal health information in the custody or control of a person, as "to view, handle or otherwise deal with the information ... but does not include to disclose the information." PHIPA explicitly permits the use of personal health information "for the purpose of disposing of the information or modifying the information in order to conceal the identity of the individual." The IPC noted that the process of de-identification should be considered a "use" of personal health information because it furthers the public interest of ensuring that personal health information is afforded protection under PHIPA at all stages of the de-identification process.

After establishing that de-identification is a use of personal health information, the IPC considered whether such use is permitted without an individual's consent. In the case at hand, the respondent medical clinic had de-identified personal health information and then sold it without patient consent. The IPC concluded that consent is not required if de-identification is done in a manner consistent with the entirety of Part II of PHIPA. Part II is entitled, "Practices to Protect Personal Health Information" and contains requirements relating to security, accuracy, handling of records and openness and transparency.

2. De-identification Practices Must Be Clearly Disclosed to Individuals

Part II of PHIPA requires that, among other things, a custodian have in place a written public-facing privacy statement that describes their information practices. Information practices include when, how and the purposes for which the custodian collects, uses, modifies, discloses, retains or disposes of personal health information. Those practices also include the administrative, technical and physical safeguards and practices that the custodian maintains regarding the information. While PHIPA does not require that this privacy statement comprehensively describe every information practice, it must include general descriptions of routine or wide-ranging practices that are significant or that affect all, most or a substantial number of individuals.

In Decision 175, the respondent medical clinic had been routinely de-identifying the personal health information of a significant number of patients over many years and then selling the de-identified data to a third party. However, the clinic's privacy statement only informed individuals that their personal health information may be used for "research, statistics and where permitted or required by law." The IPC found that this description did not meet the transparency requirements under Part II of PHIPA.

A custodian's public-facing privacy statement must inform individuals about the custodian's routine de-identification practices, including the purposes for de-identification. Such purposes may include research by the custodian or third parties, sale or licensing to a third party, or the ability to retain data in a more secure manner.

3. De-identification Requires Robust Security Measures

Finally, the IPC considered whether the clinic had put in place appropriate measures to protect the personal health information that it used and modified for the purpose of de-identification and sale. PHIPA requires that custodians take steps that are "reasonable in the circumstances" to ensure personal health information within their custody or control is protected against theft, loss and unauthorized use or disclosure and that health records are protected against unauthorized copying, modification or disposal.

In the case at hand, the respondent medical clinic had loaded the personal health information onto a separate secure server and used third-party software to apply de-identification algorithms. The software used de-identification techniques such as masking (replacing the data with random data), suppression (replacing data with a "null" value), and generalization (reducing the level of specificity of the data). The software provider also conducted a risk analysis assessment and concluded that the overall risk of re-identification was below the acceptable risk threshold, based on the data purchaser's security safeguards, contractual protections in the data sale agreement, the motive and capability of the data purchaser to re-identify the data, and the sensitivity of the information and potential injury to individuals in case of re-identification.
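The three techniques named above (masking, suppression and generalization) in working form, as an added illustration that is not the clinic's software, the vendor's algorithm or anything the IPC published. The records are constructed and the names, health card numbers and postal codes are made up. Decision 175 does not describe how the vendor's risk analysis was performed, so the k-anonymity count used here as a re-identification risk proxy, the chosen quasi-identifiers and the threshold of k = 3 are assumptions for the example. It also shows the failure mode a practitioner wants to see: a first pass with ten-year age bands leaves one record unique on its quasi-identifiers, and a coarser second pass is needed before the assumed threshold is met.

```python
import secrets
from collections import Counter
from datetime import date

# Constructed sample records for illustration only; names, health card numbers
# (hcn) and postal codes are invented and do not refer to real people.
RECORDS = [
    {"name": "Alice Example", "hcn": "1111-111-111", "postal": "M5V 2T6", "dob": "1980-06-15", "dx": "hypertension"},
    {"name": "Bob Example",   "hcn": "2222-222-222", "postal": "M5V 3L9", "dob": "1978-01-20", "dx": "asthma"},
    {"name": "Cara Example",  "hcn": "3333-333-333", "postal": "M5V 1J4", "dob": "1983-12-31", "dx": "diabetes"},
    {"name": "Dev Example",   "hcn": "4444-444-444", "postal": "K1A 0B1", "dob": "1990-05-05", "dx": "asthma"},
    {"name": "Eve Example",   "hcn": "5555-555-555", "postal": "K1A 0A6", "dob": "1994-09-09", "dx": "migraine"},
    {"name": "Finn Example",  "hcn": "6666-666-666", "postal": "K1A 0A9", "dob": "1991-02-14", "dx": "hypertension"},
]

# Quasi-identifiers: fields kept in generalized form that could still single
# someone out when combined. This set is an assumption for the example.
QUASI_IDENTIFIERS = ("postal", "age_band")

REFERENCE_DATE = date(2024, 1, 1)  # fixed so computed ages are reproducible


def mask(_value):
    """Masking: replace the value with random data unrelated to the original."""
    return secrets.token_hex(8)


def suppress(_value):
    """Suppression: replace the value with a null."""
    return None


def generalize_postal(postal):
    """Generalization: keep only the forward sortation area (first three characters)."""
    return postal.replace(" ", "")[:3].upper()


def generalize_age(dob_iso, width, today=REFERENCE_DATE):
    """Generalization: turn an exact date of birth into an age band `width` years wide."""
    dob = date.fromisoformat(dob_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def deidentify(record, age_band_width=10):
    """Apply masking, suppression and generalization to one record."""
    return {
        "name": mask(record["name"]),
        "hcn": suppress(record["hcn"]),
        "postal": generalize_postal(record["postal"]),
        "age_band": generalize_age(record["dob"], age_band_width),
        "dx": record["dx"],  # the analytic payload is kept as-is
    }


def deidentify_all(records, age_band_width=10):
    return [deidentify(r, age_band_width) for r in records]


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class over the quasi-identifiers (k)."""
    classes = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(classes.values())


def assess(records, age_band_width, k_threshold):
    """De-identify, then check the result against an assumed minimum-k threshold."""
    out = deidentify_all(records, age_band_width)
    k = k_anonymity(out)
    return {
        "records": out,
        "k": k,
        "max_reidentification_probability": 1.0 / k,  # worst-case class, assumed model
        "meets_threshold": k >= k_threshold,
    }


if __name__ == "__main__":
    for width in (10, 20):
        result = assess(RECORDS, width, k_threshold=3)
        print(f"age band width {width}: k={result['k']}, "
              f"meets threshold={result['meets_threshold']}")
```

With ten-year bands the record for the K1A / 20-29 combination stands alone (k = 1), so the assumed threshold is not met; widening the bands to twenty years merges it with its neighbours and every class holds three records (k = 3). The diagnosis column is left untouched in both passes, which is why a risk assessment has to consider what a recipient could link it to, not just which direct identifiers were removed.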

The respondent medical clinic had also used contractual mechanisms to safeguard the de-identified information. The IPC looked favourably upon the following requirements that the clinic imposed on the data purchaser in the data sale agreement:

  • having all employees, consultants, and sub-contractors sign confidentiality contracts prohibiting data linking and/or re-identification;
  • only allowing authorized staff to access and use data on a "need-to-know" basis;
  • ensuring all employees, consultants, and sub-contractors working with the data receive adequate privacy and security training;
  • developing and maintaining data privacy, security, and usage standard operating procedures that specifically prohibit re-identification;
  • developing and maintaining strictly enforced retention, destruction and storage policies;
  • developing and maintaining role-based data access policies and processes, which are enforced and periodically audited;
  • maintaining records of all signed data-sharing agreements and confidentiality agreements, and making those available to the data custodian on request;
  • maintaining a proactive program for monitoring privacy, confidentiality and security policies and procedures, a mandatory and ongoing training program for all individuals, and a breach protocol that is regularly updated and tested;
  • ensuring that external and internal privacy reviews and audits are regularly conducted and that any identified gaps are mitigated; and
  • prohibiting data linking and re-identification.

The IPC concluded that the respondent medical clinic had put in place reasonable technical and contractual safeguards to ensure that the information that was sold had been properly de-identified and that it was sufficiently unlikely that the information could be re-identified.

Decision 175 confirms that custodians may de-identify personal health information without patient consent if they comply with PHIPA's general requirements relating to security, accuracy, handling of records and openness and transparency. Custodians who de-identify personal health information should ensure they clearly describe any routine de-identification practices in a public-facing privacy statement and take reasonable steps to protect personal health information during the process of de-identification – including imposing certain contractual obligations on any recipient of the de-identified health data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.