Privacy and Health Research. Privacy, Confidentiality, Security

05/01/1997

Privacy is a deeply felt but elusive concept. Everyone is sensitive to having his privacy violated. The concepts of "personal matters" and "intimate knowledge" are familiar, as is the notion that individuals live in a "private sphere" over which they are to be granted autonomy. The right to private life was proclaimed in the Universal Declaration of Human Rights and has been reaffirmed in every other human rights declaration since 1945.

But defining privacy in a way that is applicable to all persons and situations is impossible. Everyone believes that some, indeed many, core aspects of his life "are nobody else's business." Yet what one person is fiercely secretive about, another may openly reveal.

Privacy is not an ersatz notion, just an elusive and relative one. It is a concept difficult to formalize. Philosophically it tends to be derived from, or gain force by being associated with, other societal goods, such as freedom of self-determination.1

Informational privacy is not explicitly protected by the U.S. Constitution. Nonetheless, many aspects of personal life that can be considered "private" are protected under a patchwork of Federal and State laws, and by interpretations derived from such Constitutional principles as due process or restriction on unreasonable searches and seizures. Obligations to respect confidentiality of shared information are standard elements in the law of contracts. Some U.S. Federal agencies' statutes, such as those governing the scientific work of the National Center for Health Statistics, set firm constraints on the redisclosure of personally identifiable data. So do the State laws on confidentiality of medical records.

One of the few widely cited legal expressions in this area is that of Louis Brandeis and Samuel Warren in 1890, who, themselves quoting an authority on tort law, defended the privacy "right to be let alone."2 Yet that doesn't carry much compulsion in the modern world (if indeed it did in the good jurists' era).

In his 1967 book, Privacy and Freedom, Alan Westin defined informational privacy as meaning "the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others."3 "Privacy," according to Lawrence Gostin, "is the right of individuals to limit access by others to some aspect of their persons."4 The U.S. National Information Infrastructure Task Force, in 1995, formulated it this way:5

Information privacy is an individual's claim to control the terms under which personal information—information identifiable to an individual—is acquired, disclosed, and used.

Obviously, privacy is a highly relative matter—relative to personal and societal values, and relative to the context.

Obviously too, in the contemporary world it is easy for people, even at great remove, to know things about others without the subjects being aware of the knowing, which adds much more difficulty to the definitional problem.

Privacy can be demanded, and sometimes obedience to that demand can be compelled. But privacy, at essence, is something that we grant to others out of basic human respect.

Privacy and confidentiality are related to each other but are not identical notions. Privacy is much broader and is closer to moral fundamentals. Alan Westin, again, made a useful distinction:6

Privacy is the question of what personal information should be collected or stored at all for a given function. It involves issues concerning the legitimacy and legality of organizational demands for disclosures from individuals and groups, and setting of balances between the individual's control over the disclosure of personal information and the needs of society for the data on which to base decisions about individual situations and formulate public policies.

Confidentiality is the question of how personal data collected for approved social purposes shall be held and used by the organization that originally collected it, what other secondary or further uses may be made of it, and when consent by the individual will be required for such uses. It is to further the patient's willing disclosure of confidential information to doctors that the law of privileged communications developed.

Such distinctions are implied in the opening sentence of the "Information Practices" form that is discussed with patients entering the hospital at the U.S. National Institutes of Health: "We, here at the Clinical Center, strive to provide privacy for all our patients and to maintain the confidentiality of the sensitive personal information they share during the course of treatment."7

The U.S. Office for Protection from Research Risks asserts that "Confidentiality pertains to the treatment of information that an individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others in ways that are inconsistent with the understanding of the original disclosure without permission."8

Relating to privacy and confidentiality is "security." In a disturbing, constructive recent report on protection of computerized health records, a panel of the National Research Council construed it this way:9

Security consists of a number of measures that organizations implement to protect information and systems. It includes efforts not only to maintain the confidentiality of information, but also to ensure the integrity and availability of that information and the information systems used to access it.

As Alan Westin put it, "Security of data involves an organization's ability to keep its promises of confidentiality."10 Willis Ware once combined the three terms in one sentence: "If the security safeguards in an automated system fail or are penetrated, a breach of confidentiality can occur and the privacy of data subjects be invaded."11

Often issues are cast as "fair information practice" rather than as "privacy or confidentiality protection," to acknowledge that privacy is relative, not absolute; to convey the expectation that in complex modern societies most data will be put to multiple uses; and to imply the weighing-off of different interests, under considerations of fairness.

Fair information practices that are invoked include:12

  • Being open about the existence and purposes of data collections
  • Allowing individuals to inspect data about themselves and request corrections or amendments
  • Following lawful and proper procedures when collecting data
  • Only collecting or keeping data that are relevant, correct, and timely
  • Limiting uses of data
  • Limiting disclosures of data
  • Protecting data against unauthorized access, use, alteration, and destruction
  • Maintaining accountability of the data holders.

(1) Philosophical and ethical sources on privacy include Ferdinand David Schoeman, editor, Philosophical Dimensions of Privacy: An Anthology (Cambridge University Press, Cambridge, 1984); and David H. Flaherty, Protecting Privacy in Surveillance Societies (University of North Carolina Press, Chapel Hill, 1989).

(2) Louis D. Brandeis and Samuel D. Warren, "The right to privacy," 4 Harvard Law Review 193–197 (1890), quoting from Thomas Cooley's Treatise on the Law of Torts of 1878. The authors were addressing the new privacy threat from unannounced photography.

(3) Alan F. Westin, Privacy and Freedom, p. 7 (Atheneum, New York, 1967).

(4) Lawrence O. Gostin, p. 454 of "Health information privacy," Cornell Law Review 80, 451–528 (1995).

(5) U.S. Information Infrastructure Task Force, Privacy Working Group, Information Policy Committee, "Privacy and the National Information Infrastructure: Principles for providing and using personal information," § I.A.2 (National Telecommunications and Information Administration, U.S. Department of Commerce, Washington, DC, June 6, 1995). Available on the Internet at <http://www.iitf.nist.gov/ipc/ipc-pubs/niiprivprin_final.html>.

(6) Alan F. Westin, Computers, Health Records, and Citizen Rights, National Bureau of Standards Monograph 157, p. 6 (U.S. Government Printing Office, Washington, DC, 1976).

(7) Form NIH-2753 (10-94).

(8) U.S. National Institutes of Health, Office for Protection from Research Risks, Protecting Human Research Subjects: Institutional Review Board Guidebook, p. 3-27 (U.S. National Institutes of Health, Bethesda, Maryland, 1993 with later addenda).

(9) National Research Council, Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure, Computer Science and Telecommunications Board, For the Record: Protecting Electronic Health Information, p. 1-1 (National Academy Press, Washington, DC, March 1997).

(10) Alan F. Westin, as cited in endnote (6).

(11) Willis Ware, "Lessons for the future: Privacy dimensions of medical record keeping," Proceedings, Conference on Health Records: Social Needs and Personal Privacy, sponsored by the Department of Health and Human Services, p. 44 (U.S. Government Printing Office, Washington, DC, 1993).

(12) An early formulation of such principles as a list was U.S. Department of Health, Education, and Welfare, Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens (U.S. Government Printing Office, Washington, DC, 1973). For history and commentary on fair information practices see U.S. Congress, House of Representatives, Committee on Government Operations, "Health Security Act Report," H.R. Report No. 103–601, pp. 81–82 (1994), in which the hand of Robert M. Gellman is clearly discernible.