Canadian research ethics: Caught in a quagmire of privacy legislation?
This article, from the National Post (September 24) revisits, again, the cry from researchers that overzealous privacy legislation, at both federal and provincial levels, are preventing researchers from accessing individuals and databases. This quick overview of an article originally in the Canadian Journal of Public Health (July- August 2008, A. Harris et al) illuminates two important points that researchers and REBs continue to agonize over.
First, privacy legislation is making it difficult, if not impossible to access data that previously was available to researchers, even anonymized data stripped of all possible identifiers.
Second, and most importantly, the privacy legislation is difficult for many to understand and therefore, is applied and interpreted very differently by different agencies, data stewards and, I would add, REBs and researchers, who are obligated to understand the legislation as applied to specific situations, agencies, information across a variety of contexts.
True enough, the legislation is more than difficult for even smart people to interpret. The “basic reader” on Canadian privacy laws published by the Canadian government that I keep on my desk is thick and heavy with enough very small print to make it a daunting task to try to find an answer to the simplest question. It makes a great paperweight but is not overly helpful in my own interpretation and application of the Acts.
According to the Canadian government, Canada has the most comprehensive privacy legislation in the world. Few would argue with that. At a federal level, there is PIPEDA and the Privacy Act. In addition, provinces and territories have their own privacy legislation statutes, and even the most educated persons are not always quite sure whether federal legislation trumps provincial or vice versa, on an ad hoc basis.
Ontario, interestingly enough, has both PHIPA (The Personal Health Information Protection Act) and FIPPA (The Freedom of Information and Protection of Privacy Act). PHIPA allows for the protection of the privacy of persons and the confidentiality of their personal health information. FIPPA is designed in part to protect individuals’ identifiable information held by institutions, guide institutions on how to handle information and allow individuals access to the information that an institution holds about them.
Most REBs in Ontario are involved with applying both PHIPA and FIPPA when reviewing researchers’ plans on accessing personal data and health information. Most researchers have to work within the constraints of FIPPA and/or PHIPA to access individuals and information. But it is a laborious task for all concerned. And many people aren’t even sure which act is which if they aren’t engaged with privacy issues on a daily basis.
I was also amused to find that while everyone refers to FIPPA phonetically, some also pronounce the acronym for the Personal Health Information Act (PHIPA) exactly the same, correctly pronouncing the “ph” as a “f”. Yet more confusion, no doubt, probably quite unknowingly, in many conversations….
While there are certainly clear distinctions between the Privacy Act, PIPEDA, PHIPA, FIPPA and other provincial statutes, it remains that the legislation created with the laudable aim of protecting Canadian citizens is unclear, the separate Acts can be difficult for both lay persons and academics to untangle and many institutions and agencies are either not applying the Acts at all, or interpreting and thereby applying them in an incorrect way. The valuable objectives and good intentions of protecting private information and those most vulnerable to a breach in privacy are obscured against a backdrop of confusion and a lack of guidance and clarity by governing bodies.