Pandemics in a connected world: integrating privacy with public health surveillance.

• Author: Bernier, Chantal
• Position: An Update in the Law of Privacy

1. Context

   In the 21st century, public health policies and interventions must contend with high human mobility, cross-border data sharing, and unprecedented data analytics capability, all while expectations of privacy continue to evolve. Data surveillance has become a key component of pandemic response plans. Experts predict that the future of public health data surveillance will involve the automatic collection of patient data from electronic health records, which may include the patient's name, address, risk factors, previous immunizations, and treatment. (1) Data collection for pandemics intervention would therefore become a by-product of electronic health record systems used in clinical care. One can imagine the pressure to share information across state borders for even more effective global surveillance.

   While public health objectives are imperative during a pandemic, patients and suspected patients will be quick to highlight the privacy risks of pandemic response measures such as the public and institutional dissemination of personal information. At the individual level, these risks include ostracism, stigmatization, exposure of lifestyle, and restriction of freedom. At the collective level, intrusive measures may lead to discrimination, the erosion of medical support through the alienation of potential workers, and the subversion of containment efforts due to the reluctance of patients to seek treatment for fear of the consequences.

   Therefore, in the context of electronic global information sharing and analysis, the full realization of public health surveillance goals to prevent and control pandemics requires commensurate safeguards to protect individual privacy and information security. Policy makers must aim to develop a framework that balances individual and collective interests. As discussed below, this will require both technological and administrative safeguards that arc commensurate with the serious risks.

2. A few facts to ground our legal analysis

   A pandemic is defined as the global outbreak of a disease, entailing, by definition, cross-border manifestations. (2) Public health surveillance is described as the "continuous, systematic collection, analysis and interpretation of health- related data needed for the planning, implementation, and evaluation of public health practice." (3) The information exchange is ideally multi-institutional and multidisciplinary. Personal health information relates to the individual, while aggregate health data is population-level data reflecting collective trends. Some interventions require personal record-level data, while others require merely population-level data. (4) In addition to personal health data, public health surveillance may also need to rely on other personal information such as cell phone data or other geographical location systems. Mobile phone data (in the form of call data records) are viewed as important mechanisms for providing researchers with the ability to map outbreaks and track population flows so as to anticipate future areas of outbreaks and implement preventative measures. (5) In Mexico, for example, analysis of call data records has helped to measure how effective government mobility restrictions on citizens were in controlling the spread of the H1N1 flu epidemic. (6) In many cases, population- level data may simply be insufficient when dealing with serious virulent diseases that may require contact tracing and isolation measures to control spread of the illness.

   Personal health information can be eponymous (where the individual's name is included), pseudonymous (where the name is replaced by a code number), or anonymous, de-identified, or anonymized (where the identifiers have been removed from the health information). (7) Technologists remind us regularly that even anonymized information can be linked back to identifiers with lesser or greater effort depending on numerous factors, such as the size of the sample and the nature of the information that is not de-identified. (8) However, a practical approach would favour the deployment of anonymization where the process to re-identify would be so arduous to make it remote and unlikely.

   Intervention in pandemics includes several forms of personal health data collection, dissemination, and analysis. For example, pandemic response plans will call for reporting the identity of ill or suspected ill individuals to front line health workers and to multi-jurisdictional and multi-disciplinary authorities. These plans may also enable authorities to employ such methods as active surveillance of symptoms, isolation, quarantine, and contact tracing--including "aggressive contact tracing," i.e., tracing persons who have been in contact with the ill individual. (9)

   In the event that human-to-human transmission of the disease is possible, privacy issues affect not only the person who is directly affected by a pandemic illness but also his or her contacts. In these cases, many individuals may be swept up into the public health care surveillance system prior to diagnosis. Serious illnesses that are easily transmitted may require isolation for a lengthy period of time until the likelihood that the person is a carrier can be ruled out or eliminated. Even if the person is not a carrier, the mere fact of isolation will most certainly involve revealing intimate details and sensitive information to friends, neighbours, family, employers, and social and religious affinity groups. Certainly, circumstances may require efforts such as isolation. However, mere knowledge that the person has come into contact with the illness may result in social isolation and stigmatization.

   Without question, clinical care and pandemics control require a certain degree of collection, disclosure, and analysis of personal information. The test for legitimacy of this use of personal information is one of proportionality and security. Privacy and security challenges arise from the difficulties around consent, the possible duty to disclose, the scope of dissemination--including across borders--the vulnerability of electronic platforms, the determination of consistent use, and balancing respect for individual privacy with the collective benefits of data analytics.

3. Privacy Implications

   (A) Duty to Disclose

   Whether patients suffering from an illness in a state of pandemic have a freestanding duty to disclose their infection or suspected infection has not been widely tested on a general basis in Canada. However, disclosure obligations can be imposed through legislation. Certain provincial health acts require persons who suspect that they are infected with a specified communicable disease to place themselves under the care of a medical practitioner or direction of a public health official. (10)

   In relation to pandemics, the closest situation to the duty to disclose is the legislative designation of reportable illnesses. During the 2003 SARS outbreak in Toronto, public health authorities took the voluntary quarantine and compliance approach. When the Ontario government designated SARS as a reportable, communicable, and vimlent disease under the Ontario Health Protection Promotion Act ("HPPA"), public health authorities received the legislative authority to issue orders to detain and isolate individuals. (11) During the outbreak, almost all patients who were asked accepted the request for quarantine voluntarily. Only 27 written orders mandating quarantine under the Ontario HPPA were issued. (12)

   The federal Quarantine Act, which is intended to restrict the spread of communicable disease in Canada, also imposes a duty to disclose in certain circumstances. (13) The Act imposes a requirement on travelers to disclose to a border screening officer or quarantine officer if they have "reasonable grounds" to believe they have been exposed to specific communicable diseases or have been in close proximity to a person who is likely to have a specified communicable disease. (14) Following a medical examination by a quarantine officer, a traveler may be required to comply with treatment or any other measure for preventing the introduction and spread of the communicable disease. (15) When the Quarantine Act was introduced in 2005 to repeal and update the previous version of the Act, the Office of the Privacy Commissioner of Canada ("OPC") generally supported its introduction, finding that the Act struck a balance between public health and privacy rights. (16)

   Beyond the immediate pandemic crisis, restrictions upon privacy may linger even where the disease or disorder becomes a chronic, manageable illness that nevertheless remains potentially infectious. We see this distinctly with H1V/AIDS. Although initially nearly unmanageable and frequently deadly, HIV is becoming increasingly manageable, yet it continues to carry significant stigma and disclosure obligations. These disclosure obligations can continue even when the risk of transmission is nearly scientifically negligible but is, in the view of the law, still realistically possible. In R v Cuerrier, the Supreme Court of Canada ("SCC") held that failure to disclose an HIV positive status to a sexual partner is fraud, thus vitiating consent to a sexual activity and constituting aggravated assault. (17) Subsequent cases used this analysis to form the elements of aggravated assault or aggravated sexual assault. (18) Over a decade later, in R v Mabior, the SCC further clarified this standard when it set out that consent is vitiated if there is a "realistic possibility that HIV will be transmitted." (19) Where the person uses a condom and has a low viral load, the realistic possibility of transmission is negated. (20)

   In Mabior, the SCC declined to consider whether other sexually transmitted diseases would constitute "serious bodily harm" to meet the requirement for aggravated sexual assault, and stated: "where the line should be drawn with respect to diseases other than HIV is not before us."...