Keywords
cloud computing, health privacy issues
Abstract
This article presents results from a year-long research project reviewing health privacy issues in the cloud, funded by the Contributions Program of the Office of the Privacy Commissioner of Canada (OPC). Section I provides a brief primer on cloud computing and its applications in data-centric health research and health care. Section II reviews Canadian privacy and health privacy laws and how they apply to CSPs. Section III identifies privacy risks arising from the technological, organizational, and jurisdictional complexity of cloud computing. Section IV argues that Canadian health privacy laws fail to address difficulties custodians face in balancing responsibilities with CSPs, determining whether foreign laws offer comparable protection, and ensuring transparency is maintained as data migrates to the cloud. In Section V, we survey standard agreements (Terms of Service) and privacy policies of leading CSPs, arguing that cloud contracts do not sufficiently address gaps in legislative protection for privacy and security. In Section VI, we identify the discrepancies in Canadian laws that apply to PHI which threaten interoperability of cloud contracts across provinces. This review is the first comprehensive review of legal and contractual privacy protections in the Canadian health sector. By identifying potential gaps in protection, we aim to inform the business decisions and contractual practices of both custodians and CSPs in Canada. By identifying discrepancies across provinces, we also aim to stimulate cooperative reform and harmonization of health privacy governance across Canada.
Recommended Citation
Adrian Thorogood, Howard Simkevitz, Mark Phillips, Edward S. Dove, and Yann Joly, "Protecting the Privacy of Canadians' Health Information in the Cloud" (2016) 14:1 CJLT.
Included in
Computer Law Commons, Intellectual Property Law Commons, Internet Law Commons, Privacy Law Commons, Science and Technology Law Commons