fair information principles and practices

In formulations around the world there is agreement on the broad principles of "information fairness." The details vary, but the objectives are common.

In the US, the 1974 federal Privacy Act (5 USC 552a) provisions were built on a set of five fair information practices, first published in a Department of Health, Education and Welfare report (Advisory Committee on Automated Personal Data Systems, 1973).

Per the five, there must be:

  • no personal-data record-keeping systems whose existence is a secret;
  • a way for individuals to find out what information about them is collected, and how it is used;
  • a way for individuals to prevent information obtained for one purpose from being used for other purposes without consent;
  • a way for individuals to correct or amend identifiable information about themselves; and
  • policies and procedures by organizations creating, maintaining, using or disseminating identifiable personal information to assure the reliability of the data for its intended use, and reasonable precautions to prevent misuse.

Similar enumerations can be found in 1970s and early 1980s declarations in Britain, Canada, France, Germany and Sweden, and in reports by the Council of Europe and the Organization for Economic Cooperation and Development.

The various international renderings can be condensed into a generic four:

  • openness -- that is, anti-secrecy or transparency;
  • access and correction -- to/of information about oneself;
  • security -- anti-access protections appropriate to the data in the system; and
  • minimalism -- no more collection, use or disclosure of data than necessary to achieve the system’s goals.

To these one can add an overarching fifth principle that flows from democratic values -- consent:

  • individuals must consent to practices that apply to them; or
  • society as a whole must consent, via a regime of data protection legislation and regulation that sets the rules that will apply to all.

Rendered as generalities, the principles are mostly unexceptionable. The specifics are obviously a different matter.

The principles of openness and access/correction are perhaps the least controversial. But even they are not without disagreement. Pro-secrecy arguments are commonly made to promote the public goals of law enforcement and national security. Some level of secrecy is also in the interests of private institutions, for whom the corporate data store has competitive value.

In health care, secrecy is sometimes advocated to protect vulnerable patients (such as the mentally ill); innocent third parties (who may have contributed data on a patient, or are implicated by data the patient has provided); and on behalf of providers (who may come to fear making candid comments in a health record).

Security is harder still. Constructing "appropriate" security controls requires a clear sense of potential attackers and modes of attack, and of the abilities of various technologies to resist intrusions. It also requires a consensus on the "value" of keeping the data secure. Empirical data sufficient to articulate a clear "threat model" is largely lacking for health care. So is agreement on the precise value of confidentiality in particular health settings.

Security regimes also require a clear sense of the privileges appropriately accorded to various classes of users. It is precisely the demands for data made by large numbers of individuals, in large numbers of organizations not directly involved in the provision of care, that make health care data policy so difficult.

Even inside care-providing institutions, large numbers of persons may need access to records. Balancing security provisions while promoting easy access for appropriate uses is a constant challenge.

Minimalism is perhaps the hardest principle of the four. It requires a clear sense of appropriate goals, and of the link between data practices and the achievement of those goals, to judge what is truly "minimal."

The information systems goals for health care -- for administration, clinical care, research and public health -- are quite expansive and open-ended. Read broadly, they would "justify" systems of almost any scale and intrusiveness to achieve socially-valued ends.

Finally, we come to consent. In a democratic society, every public data system is at least nominally subject to the consent of a majority (provided that representatives elected by that majority have not opted to keep it secret). Private data systems are subject to democratic approval as well, again by the majority that selected the representatives that make the rules.

Ideally, a society that elevates individual autonomy would provide for individual rather than collective consent to the maximum practical degree. Reasonable persons tend to differ on practicality, unfortunately.

Last modified: 14-May-2005 [RC]


   © 2002-2006 Contributing authors and University of Miami School of Medicine