It goes without saying that cloud computing is fast becoming the preferred delivery model for ICT services. Gone are the days when vendors would sell hardware and software packages bundled with technical support. Today cloud service providers are selling comprehensive information management services that must include privacy and the protection of personal health information (PHI).
Over the past ten years, most governments across the country have passed health privacy laws (with the exception of Quebec and Nunavut whose public and private sector legislation covers the health sector). These laws define the responsibilities and accountabilities of health information custodians and others that handle PHI.
While most privacy laws look the same at fifty thousand feet, on the ground they are very different. There are significant variations in how consent is managed, requirements for notification of privacy breaches and powers of the information and privacy commissioners, to mention a few of the differences. Vendors are variously defined in legislation as Information Managers (Alberta, Manitoba, New Brunswick, Newfoundland & Labrador, Prince Edward Island, Northwest Territories, Yukon), Service Providers (British Columbia), Agents (Nova Scotia, Quebec), Health Information Network Providers (Ontario), Information Management Service Providers (Saskatchewan) or Third Parties (Nunavut, Federal Government).
Its unrealistic to think that Canadian privacy legislation is going to be harmonized in our lifetimes. By and large, the various privacy regimes are serving their constituencies well. Health care organizations (our customers) are maturing, implementing privacy programs that conform to their jurisdictional laws. The challenge for vendors is how to integrate the requirements of privacy legislation into their cloud service offerings.
From the vendor point of view, knowledge and understanding of privacy legislation must extend beyond Canada’s borders. The cloud breaks down barriers. In order to thrive, vendors must export their products and services, meaning that they must not only be aware of privacy laws in Canada, but the privacy and data protection laws of any country in which they do business.
In addressing the requirements of privacy legislation, vendors must consider two things: the privacy features that must be built into their offerings to help clients meet their obligations under privacy legislation, and the privacy obligations that they as Information Managers or Service Providers must meet with respect to their own operations.
In the first case, the cloud service offering needs to deliver the functionality needed to support the role of the Health Information Custodian. This includes consent management, monitoring and audit, identity and access management, authentication, and secure communications (e.g. encryption).
In the second case, the vendor must have its own privacy program in place. This includes a designated privacy officer, privacy policies and procedures, privacy training, confidentiality agreements for staff and agents, monitoring and audit of access to PHI by vendor staff and agents, breach management protocols, privacy impact assessments and contracts with clients and subcontractors that address privacy obligations.
There are several good references and certification strategies to guide vendors with the development of their cloud service offerings. “Privacy by Design” is a concept first coined by former Ontario Information and Privacy Commissioner, Dr. Ann Cavoukian to ensure that privacy is baked into ICT products and services. In her new role as the Executive Director of Ryerson University’s Institute for Privacy and Big Data, Dr. Cavoukian is developing a certification program to confirm compliance with the Privacy by Design principles.
On the international front, ISO and the IEC have recently published a standard ISO/IEC 27018 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. Vendors can certify their cloud offerings to this standard through an accredited ISO registrar. Microsoft was one of the first companies off-the-mark in certifying its Azure, Office 365 and Dynamics CRM Online cloud offerings by ISO registrar BSI (British Standards Institute).
Specifically for the Canadian health market, Canada Health Infoway is updating its software certification program, with the support of ITAC Health, which includes certification for privacy and security.
The good news about privacy is that for the most part, it is just good common sense. Organizations that have good business practices and good information management practices in place are well on their way to compliance with privacy laws, in spite of the variations.
We’re also seeing efforts to establish international standards for privacy that will go a long way to moving provincial, national and international jurisdictions towards common practices for privacy management.
Privacy by design asserts that privacy should be an integral component of our cloud service offerings, not an add-on. Privacy is an essential value for Canadians and the Canadian health system. As Canadian healthcare organizations adopt cloud computing, the adequacy and effectiveness of privacy controls will be key factors in selection. Advantage will go to those vendors who commit to strong privacy in their cloud solutions.