Last Updated on April 29, 2020
Will COVID-19 Data Platform Endanger Your Online Anonymity?
COVID-19 is shaping up to be a truly modern pandemic. It was our interconnected and globalised world that caused it to spread so fast, and now it might also be that interconnectivity that is used to fight it.
Or that is how the Ontario provincial government hopes it will go. Their newly implemented system would use AI and machine learning to cover large datasets of public and private health data. The measures would represent a new interpretation of patient confidentiality, using de-identified data to create a better picture of the spread of COVID-19. Despite the potential use in combating the pandemic, many have raised the concern that it represents a worrying development in the realm of data privacy.
With the punchy title of PANTHR (Pandemic Threat Response), this system is designed to use AI to interpret province-wide healthcare data. By analysing broad datasets about the COVID-19 outbreak, it can hopefully notice patterns and allow the hospitals and health-planners to increase their responsiveness.
Though the legislation used to enact the program possibly goes further (more on that later), the data currently being used includes:
- Clinical data directly from hospitals, public health offices and labs
- Emergency department data, such as discharge summaries
- Claims on the Ontario Health Insurance Plan (OHIP)
- Claims on the Ontario Drug Benefit Program
- Home care and long-term care claims
Armed with the tools to evaluate this data as an integrated whole, the Ontario government hopes not only to better allocate resources and equipment but even to predict where outbreaks will next occur. There is little doubt that if all works as planned, PANTHR will help save lives and lessen the strain on the healthcare system, but there are notable concerns over its effects on data privacy.
What Does This Mean for You?
The official Ontario government website describes the policy as “[breaking] down long-standing barriers”, but what exactly are these barriers? To understand the implications of PANTHR, it’s best to look to last month’s amendments to Ontario’s Personal Health Information Protection Act (PHIPA).
In short, the barrier that is now ‘broken’ by these amendments is the ability of healthcare providers, private or public, to refuse government access to electronic data logs, which all such providers are now mandated to keep in addition to their physical copies. This laid the groundwork for PANTHR, giving the Ontario government the data access needed to carry out such a vast analysis.
PANTHR is run by numerous ‘extra-ministerial units’ (another PHIPA innovation), including non-profits such as Compute Ontario, university departments from Queen’s University, and think tanks such as Vector Institute for Artificial Intelligence. These extra-ministerial units are certainly a great asset in such a data-heavy system, cutting back on government bureaucracy and taking advantage of expert-driven efficiency.
However, this might be worrying for some, since private interests are often the ones handling their (albeit de-identified) health data. Fortunately, it appears the recent PHIPA amendments pre-empted this concern and have introduced harsh new measures for any commercial or inappropriate use or study of this data. The penalties for misuse (including snooping) range from a minimum of $200,000 for a person to $1,000,000 for a company.
This is coupled with stricter legal de-identification standards, meaning that whilst your medical data is widely available to the Ontario government, it is extremely difficult to trace it to you, and there are significant deterrents to misuse of even the raw, unidentifiable data.
What About Other Data?
All that said, a more concerning implication has been discussed. According to certain government documents, the PANTHR platform could eventually grow to include non-health data related to the COVID-19 pandemic.
This could include location data from mobile phones, vehicles, and other connected devices. This is a big concern for data (and even physical) privacy, as it would imply that without an effective VPN the Ontario government (and associated extra-ministerial units) could have virtually unlimited access to all your location data.
Amendments to PHIPA such as the ability for the government to impose an “administrative [monetary] penalty for the purposes of encouraging compliance”, whilst reasonable measures for the health-data side, are concerning in light of the plans for an expanded data pool. Whilst it should be stressed that the gathering of non-health or location data has not been implemented, and as of now there is no official timeline to do so, the fact it was suggested at all should raise a few eyebrows.
Overall, the PANTHR system as it stands has the potential to be an effective and well-thought-out tool for fighting the pandemic. Regarding the issue of data privacy, it is relatively innocuous, having consciously considered its implications. It is doubtless a vital tool in the fight against COVID-19, and if used effectively will certainly save lives in the province of Ontario without compromising data security.
However, the possible expansion of the system is a whole new step, one that will cause serious concern in anyone who holds their online anonymity and data privacy dear. For now, it remains to be seen both how effective the system will be, and how far it will go in the future.
Hi, I’m Ludovic. I created this site as a consumer resource to help fellow Canadians better understand the changing world of cybersecurity. Before creating this resource I saw two fundamental problems with the B2B consumer privacy industry. First, education – the majority of people don’t realize the importance of their own data. Second, nefarious marketing practices – there is a wide array of self-proclaimed security solutions that are doing nothing other than brokering user data without consent.