The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Sunday, August 27, 2006
I'm back from vacation, CBA, etc and clearing out my backlog of developments in the privacy field. Here is one interesting item that I missed from ten days ago ....
It appears that the Canada Health Infoway group is contracting with a CIA-funded company to provide software for managing electronic health records here in Canada. This, not surprisingly, has some privacy folks concerned. I would be wary about selecting this vendor, but it raises an important general issue about the procurement of software and systems for managing sensitive personal information: if you do not have access to the source code, how can you know whether there is a back-door or a "phone home" function built into the system? Most contracts have covenants that there are no such functions, but these promises may be inadequate if the risks related to data is very high. Even if the company does not intend to use them for nefarious purposes, once-hidden "defects" (or features) are too easily discovered by those with nefarious intent and can completely destroy the credibility of the whole system. And when the system is a unified elecronic health records, the consequences of such a loss of trust could be devastating.
Privacy groups slam use of CIA-backed software to index Canadian health files:
OTTAWA (CP) - Software that will help sort millions of Canadian health records was developed by a company funded through the CIA's venture capital partner, sparking concerns about the confidentiality of patient data.
Privacy advocates are raising questions about Canadian use of the Initiate Systems indexing program given its creator's financial connection to In-Q-Tel - a private firm that helps the U.S. Central Intelligence Agency zero in on promising technology.
"There's a smell test that happens here, and it doesn't smell right," said David Fewer, general counsel for the Canadian Internet Policy and Public Interest Clinic.
"The optics require that foreign intelligence services stay well away from the delivery of health care services in Canada."
Initiate Systems of Chicago has sold the indexing software to Alberta, British Columbia, Manitoba, Newfoundland, Saskatchewan and Ontario for use in a national initiative to better manage health records.
Canada Health Infoway, a non-profit corporation accountable to the federal, provincial and territorial governments, aims to create compatible electronic health information systems across the country.
In-Q-Tel was established seven years ago as a private company to help the CIA and the broader U.S. intelligence community identify, acquire and use cutting-edge technologies.
Though not part of the CIA, In-Q-Tel consults with the intelligence agency on the strategic value of potential transactions.
The venture capital firm made an investment in Initiate Systems earlier this year.
The intelligence connection, first reported by U.S.-based Government Health IT magazine, prompted Canada Health Infoway staff to ask participating provinces about potential problems.
Infoway spokesman Kirk Fergusson said preliminary inquiries indicate Initiate doesn't have access to any client health data held by the provinces. "Thus far, that seems to be the story."
Gina Sandon, vice-president marketing for Initiate Systems, said the company will not see patient files of any description.
"At no point do we house data, access data or move data from our customers. Our customers control their data behind their firewalls and manage the security of that data."
Sandon said Initiate has worked with each province to ensure compliance with "all Canadian laws and privacy compliance requirements."
The software company adds that In-Q-Tel has no member on Initiate's board of directors, nor any decision-making power.
Despite the assurances, Darrell Evans of the B.C. Freedom of Information and Privacy Association remains skeptical Initiate Systems will not see patient data.
"I simply don't believe they will never have access," he said.
"I think there's reason to be concerned about this."
Evans contends the arrangement with a U.S. firm with intelligence ties increases the vulnerability of such files in an era when security agencies are keenly interested in personal dossiers to fight terrorism.
"Governments want this information. There's no question. If they see the need for it, they will get it."
In-Q-Tel spokesman Donald Tighe insisted there's nothing to worry about.
Tighe said In-Q-Tel, which has offices in northern Virginia and California's Silicon Valley, is solely interested in cultivating "best-of-breed" technologies of use to the intelligence community.
"Our job is to help create this connectivity between innovations and government agencies."
Anne-Marie Hayden, a spokeswoman for Privacy Commissioner Jennifer Stoddart, said the watchdog is discussing the issue with Canada Health Infoway.
"At this time, there's nothing that leads us to believe that Canadians' personal health information is at risk," Hayden said. "However, we are monitoring this issue very closely."
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.