Privacy is challenging. It is both ancient and modern. It challenges the status quo and it also frustrates change. It is progressive and regressive. Yet in the provision of healthcare it is essential. Ensuring that information is processed lawfully and fairly, and is kept secure, is a common value of everyone involved in healthcare.
In every country with strong legal traditions and safeguards, privacy is already mandated even though the risks may be low. In every advanced technological society and context, privacy is near the top of policy and technological agendas, with varying levels of success.
In developing countries and humanitarian operations, information on patients is often essential. Public health surveillance relies on collection and sharing protocols. Multiple points of access and care providers must be able to gain access to information about patients in order to ensure continuity of care. Researchers require this information to study these situations, to improve processes, and to save lives.
Now that eHealth is high on the agendas of governments, the international community (including funding agencies), industry, and civil society, the application of new technologies will disrupt this unstable ecosystem even further. The deployment of technologies as diverse as mobile devices and national data processing centres will result in the collection and processing of even greater amounts of information. The ongoing drive to increase the interoperability of once discrete health systems further complicates the dynamics of healthcare provision. Yet this need not conflict with privacy. Privacy and eHealth may even complement one another.
The purpose of this study is to identify the current dynamics regarding eHealth privacy and security in developing countries and humanitarian operations. In this report, we understand eHealth to cover a wide range of information and communication technologies, from electronic medical records to systems for managing and tracking patients, test results, medications, diseases and so forth. Through extensive discussions with practitioners, developers, industry, health specialists, regulators, civil society and academics we have developed an understanding of the risks and value of new forms of managing medical information.
As a result, this report is not trying to preach on why privacy is important, nor to debate its value. This report has three audiences:
- IDRC: As an active organisation in this field, it enables and partners with those who are deploying eHealth solutions. More than that, IDRC prides itself on its applied research focus. It must therefore be aware of the privacy and security concerns emerging from the introduction of information and communication technologies to improve health outcomes and health equity. Being a Canadian Crown Corporation, it also reflects Canadian traditions and values, with its respect for rights and freedoms. In fact Canada has one of the most advanced legal regimes for the protection of privacy, with a multi-layered regulatory framework, all of which has been reflected in Canada’s own work on medical informatics.[1] In turn, we recommend methods and mechanisms by which IDRC can ensure that the best available techniques are considered in its work abroad.
- The international development community: As the enablers of much of the technological change in eHealth, members of this community must be made aware of the risks of failing to attend to privacy and security. After all, why should the international community fund the development of a system in an African or Asian country with weaker safeguards and more fallible procedures than a system installed in an American or European hospital? Of course values and resources may differ, but the exclusion of safeguards and procedures must be done deliberately rather than through expediency.
- Practitioners and developers: While practitioners and developers may represent a variety of communities, they are working closely to develop new systems and practices that manage personal information under the rubric of eHealth. In our discussions with general practitioners their awareness of privacy and confidentiality was quite high, but the awareness of technological options to protect privacy was low. Meanwhile our discussions with developers had mixed results: while some understood information security and medical confidentiality quite well, the majority did not, and sometimes perceived it as a hindrance. The two communities now have a shared set of challenges in privacy and security that they must consider within the variety of conditions in developing countries and humanitarian and relief operations. Just as security and privacy cannot be ignored, we equally cannot transplant security and privacy techniques from abroad that may not be adaptable, particularly as legal frameworks may be lacking.
Beyond these targeted audiences, we expect other actors in the public health and eHealth communities to benefit from the report’s findings. These other players might find certain aspects of the report enlightening or instructive, but for whatever reason (e.g., they are outside the report’s sphere of influence) are not expected to alter their behaviours or actions.
[1] Cf. ‘Electronic Health Records and the Personal Information Protection and Electronic Documents Act’, a report funded by the Office of the Privacy Commissioner of Canada, by the University of Alberta Health Law Institute and the University of Victoria School of Information Science, April 2005.