Musings on privacy issues in health research involving disaggregate geographic data about individuals

This paper offers a state-of-the-art overview of the intertwined privacy, confidentiality, and security issues that are commonly encountered in health research involving disaggregate geographic data about individuals. Key definitions are provided, along with some examples of actual and potential security and confidentiality breaches and related incidents that captured mainstream media and public interest in recent months and years. The paper then goes on to present a brief survey of the research literature on location privacy/confidentiality concerns and on privacy-preserving solutions in conventional health research and beyond, touching on the emerging privacy issues associated with online consumer geoinformatics and location-based services. The 'missing ring' (in many treatments of the topic) of data security is also discussed. Personal information and privacy legislation in two countries, Canada and the UK, is covered, as well as some examples of recent research projects and events about the subject. Select highlights from a June 2009 URISA (Urban and Regional Information Systems Association) workshop entitled 'Protecting Privacy and Confidentiality of Geographic Data in Health Research' are then presented. The paper concludes by briefly charting the complexity of the domain and the many challenges associated with it, and proposing a novel, 'one stop shop' case-based reasoning framework to streamline the provision of clear and individualised guidance for the design and approval of new research projects (involving geographical identifiers about individuals), including crisp recommendations on which specific privacy-preserving solutions and approaches would be suitable in each case.

The UK has three legal jurisdictions: England and Wales, Scotland and Northern Ireland. However, it itself is also part of a larger community, the European Union (EU). European Union legislation is generally intended to "direct" that of its member states, and takes precedence in cases where there is no concurrence; the UK is obligated to align itself with EU law (referred to as Community law) [7] or else give way in a court of law to the latter [8]. Let us therefore begin with the EU.
The concepts of privacy and personal information are captured in core EU legislative documents as fundamental rights. The European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), building on the 1948 Universal Declaration of Human Rights [9], includes a "Right to respect for private and family life" in Article 8 [10]. The Charter of Fundamental Rights of the European Union, proclaimed in 2000, builds on the ECHR [11]. Updated in 2007, the Charter includes two particularly relevant articles. Article 7 reiterates the ECHR's position on the respect for private and family life, whereas Article 8 explicitly limits the processing of personal data to specified purposes, requiring either individual consent or legislated "permission".
Recognising the importance of data sharing and the threats and benefits of developing technologies, the EU introduced a number of legislative pieces to harmonise, regulate and facilitate the flow of personal information. In 1995, Directive 95/46/EC was adopted for the protection of personal data [12], the core directive at the heart of data protection in EU member states. It does not, however, apply to personal information used solely for personal reasons, household activities, public security, national defence or criminal law enforcement, and falls short when dealing with issues around communication. Two years later, the EU adopted Directive 97/66/EC for protecting privacy and confidentiality in telecommunications [13]. As technology and the web became increasingly ubiquitous, this directive quickly became limited in scope. [16] ensures the protection of personal information in EU institutions and bodies, such as the European Parliament, for example, and accountability to a governing body, the European Data Protection Supervisor.
In the UK, the Data Protection Act was first enacted on July 12, 1984, thereby preceding the Directive on Data Protection adopted by the European Union (EU) by more than a decade. Upon adoption of the EU directive, however, the Act was amended in 1998. Though simpler than Canadian legislation in the sense that it applies to both public and private entities, it is nonetheless a complex document. In 2003, Lord Phillips of the Supreme Court of Judicature, Court of Appeal (Civil Division) in the UK referred to it as "…a cumbersome and inelegant piece of legislation" [17]. Other UK health-related Acts have been amended to reference the Data Protection Act 1998, including the Access to Health Records Act 1990, the Access to Medical Reports Act 1988 and the Access to Personal Files and Medical Reports (Northern Ireland). The UK also has a Health and Social Care Act 2008 [18], which replaced its 2001 predecessor and legislated the creation of a Care Quality Commission for the protection and promotion of the health, safety and welfare of the public. The Act makes it an offence to recklessly disclose confidential personal information obtained by the Commission that "relates to and identifies an individual" (S. 76). Scotland has a Freedom of Information Act 2002, but a search on the UK Office of Public Sector Information website [19] yielded no specific data protection legislation for either Scotland or Northern Ireland. Scotland also has a Public Health Act enacted just last year, in 2008 [20], which obligates Scottish Ministers, health boards and local authorities to protect public health. It allows for the disclosure of information to facilitate its directives despite any other legal prohibition or restriction, except, interestingly, the Data Protection Act 1998 (S. 117 (6)). Northern Ireland's Health and Social Care (Reform) Act 2009 [21] has a similar clause (S. 13 (8)).
Both Canada and the UK have a tapestry of legislative documents in place to protect the privacy of personal information "…as something worth protecting as an aspect of human autonomy and dignity." [22] But what, exactly, constitutes personal information?

Definitions
There is no consistent definition for "personal information" in Canadian legislation. Where a definition is included, it ranges from "information about an identifiable individual" in Alberta's Personal Information Protection Act [23] to very well-defined and explicit components in Manitoba's Freedom of Information and Protection of Privacy Act [24]. Of the 30 acts and regulations reviewed, four include health information in their definition of personal information, three include location information, 14 include both and nine include neither (Table 1).
This definition of personal information as pertaining to an "identifiable individual" appears quite often in legislation, including in Directive 95/46/EC. However, the Directive goes one step further to clarify: "…an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity" [12]. Health information is defined as a "special" category of personal information (S. III, Article 8 (1)), but there is no specific mention of location information in the Directive.
In the UK, the Data Protection Act 1998 defines "personal data" vaguely as any information that, in isolation or in concert with other data available to the data controller, can identify a living individual. The Act also includes health in the definition of "sensitive personal data", but does not capture location information specifically. As mentioned previously, the Health and Social Care Act 2008 also identifies confidential personal information as that which "relates to and identifies an individual", but does not specifically identify location as part of that definition.
As recently as April 2009, the Supreme Court of Canada stated that "Privacy analysis is laden with value judgements that are made from the independent perspective of the reasonable and informed person who is concerned about the long-term consequences of government action for the protection of privacy" [25]. As described, the definition of "personal information" in most cases casts a wide net, capturing anything and everything that can subjectively be argued as identifying. This has obvious implications on the use of disaggregate geographic data in health research. Or does it? The answer depends on the applications and exceptions made in the legislation.

Application and exceptions
Legislation in Canada, the EU and the UK specifically limits the processing of personal information. What constitutes "processing", however, is not consistently defined across legislation. The broadest definition to capture what this means is found in EU Directive 95/46/EC: "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction". Generally, any such processing of personal information is prohibited in the absence of the individual's informed consent, unless it is first stripped of all identifying information (thereby ceasing to be personal information according to the legal definition).
In public health research, however, it is often impossible or impractical to pursue informed consent. Despite being incredibly information and data-rich, health researchers in both Canada and the UK have often expressed frustration over their inability to use existing data due to privacy concerns [1]. Is the prohibition based on the legislation?
Generally, in the absence of an individual's consent, the legislation does explicitly allow for some exceptions, particularly in the interests of national security. However, there is a lack of clarity and consistency, specifically around processing for public health purposes. Article 35 of the Charter of Fundamental Rights of the European Union emphasises the right to health care, and states "A high level of human health protection shall be ensured in the definition and implementation of all Union policies and activities" [11]. In almost all cases, exceptions are also made for research, as long as the individuals whose data is processed are not identified in the results. Generally, the individual whose information has been disclosed should be informed; however, provisions are also made for cases where doing so is impossible or unreasonable.
The decision around whether or not the processing of the information is permitted under these exceptions is somewhat vague and inconsistent. In Canada, for example, the four provinces with health information legislation delegate the decision making authority to research ethics boards; otherwise, it is generally delegated to the head of the data-holding organisation. In the case of EU institutions, processing is only permissible after consultation with the European Data Protection Supervisor [16], whereas the UK Data Protection Act 1998 exception for research (S. 4(33)) is unclear as to the decision-making authority. This leads to issues around governance.

Governance
In Canada, the Office of the Privacy Commissioner (OPC) is responsible for protecting and promoting the privacy rights of Canadians by overseeing compliance with Canadian federal privacy legislation. Each province and territory also has its own privacy commissioners who oversee their respective jurisdictions. As previously noted, health information legislation in Alberta, Saskatchewan, Manitoba and Ontario also delegates decision-making authority on these matters to research ethics boards.
The EU, as previously mentioned, has established the office of the European Data Protection Supervisor [26] for oversight of EU institution activities. The UK's equivalent of Canada's Office of the Privacy Commissioner is the Information Commissioner's Office (ICO) [27]. The legislation does not specifically mention research ethics boards or committees, and is unclear as to decision-making authority; in most cases, it seems to lie with the data controllers.

Implications and final thoughts
The privacy of personal information is a recognised and important human right, protected through multiple intertwined acts and regulations in Canada, the EU and the UK. In the absence of informed consent, the legislation generally allows for the processing of an individual's personal information (which is any information that can identify the individual, and therefore includes health and disaggregate location information) for research purposes, subject to approval by the appropriate authority. However, guidelines are lacking, and authorities tend to err on the conservative side, resulting in much expressed frustration by health researchers. In the absence of frameworks to inform the processing of personal information, the only other alternative (besides seeking informed consent from every individual) for health researchers is the use of de-identification techniques, such as might be applied through privacy-preserving solutions involving disaggregate geographic data.
It has been suggested that privacy in the United States, Canada and the European Union have their bases in slightly different philosophical constructs: in the United States, privacy is anchored in protection from the government; in Canada, in principles of autonomy and control; and in the European Union, the focus is more on dignity and public image [28]. The argument is made that the Canadian model offers the appropriate "middle-ground": after all, if individuals truly do have control over their own personal information, then they can choose to protect it from the government and others, and their dignity as far as public image is concerned is in their own hands. If we accept this definition of privacy, that is, having control over one's own personal information, then one might ask whether de-identification really solves the issue. Perhaps what is really needed is public health specific clarification in the legislation, public and practitioner education, and clear and concise frameworks and guidelines.
Public health practitioners around the world are increasingly recognising the importance of having some understanding of the legal system, and a working relationship with the legal profession [29]. Unfortunately, the relationship typically tends to be unidirectional. Just as privacy is a multifaceted and complex concept, so too is the required collaboration resulting from the interdependency of public health and legislation. And yet, the legal profession has not fully recognised the interdependence of the two fields [29]. While the privacy debate in public health may be fuelled in part by misperceptions of public health practitioners, it is very much coupled with a lack of understanding of the requirements of public health by legal practitioners. "Privacy laws are most burdensome and least effective when they apply broadly, without proper concern for the settings in which they operate, the types of information that they cover, the obligations that they impose and the purposes they were designed to serve" [30]. The issue can only be truly addressed through interdisciplinary collaboration. Until that happens, and until we recognise the importance and value of public health research and its implications on the health of individuals, we will continue to grapple with alternate de-identification solutions and sub-optimal data.