<?xml version="1.0" encoding="utf-8" ?>
<rss xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" version="2.0">
	<channel>
		<title>Lockstep Blog</title>
		<link>http://lockstep.com.au/blog</link>
		<description></description>
		<itunes:subtitle></itunes:subtitle>
		<itunes:summary></itunes:summary>
		<copyright>2012 Lockstep</copyright>
		<language>en-au</language>
		<pubDate>Fri, 18 May 2012 23:34:36 +1000</pubDate>
		<lastBuildDate>Fri, 18 May 2012 23:34:36 +1000</lastBuildDate>
		<itunes:owner>
		<itunes:name>swilson@lockstep.com.au (Lockstep Admin)</itunes:name>
		<itunes:email>swilson@lockstep.com.au (Lockstep Admin)</itunes:email>
		</itunes:owner>
		<managingEditor>swilson@lockstep.com.au (Lockstep Admin)</managingEditor>
		<webMaster>swilson@lockstep.com.au (Lockstep Admin)</webMaster>
	<item>
		<title>What stops Target telling you're pregnant?</title>
		<link>http://lockstep.com.au/blog/2012/03/07/target-tells-youre-pregnant</link>
		<description>
&lt;p&gt;
&lt;b&gt;Question: What stops Target from telling that you're pregnant? &lt;br /&gt;
Answer: In many parts the world, the law!&lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
The recent &lt;a href=&quot;http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html?_r=1&quot;&gt;New York Times feature&lt;/a&gt; &lt;i&gt;How Companies Learn Your Secrets&lt;/i&gt; has caused a helluva stir.  Investigative reporter Charles Duhigg details conversations he had with data analysts and statisticians about what marketing gold they can divine from shoppers' buying habits ... and how one department store then seemed to shut down the dialogue.
&lt;/p&gt;
&lt;p&gt;
The case in point was pregnancy.  Duhigg and his contacts looked into the enormous business potential for retailers if they could work out, from what individual customers were buying, that those customers were pregnant.  One analyst said &quot;We knew that if we could identify them in their second trimester, there's a good chance we could capture them for years&quot;.
&lt;/p&gt;
&lt;p&gt;
Department store insiders admitted to developing and testing a &quot;pregnancy prediction&quot; score but they seemed to duck the question of whether the stores actually use these tools.  But a year after Duhigg's first inquiries, Target got into trouble for direct marketing new baby products to a teenager -- before she'd told her parents she was pregnant.
&lt;/p&gt;
&lt;p&gt;
This is pretty heady stuff, at the leading edge of &quot;big data&quot; analytics, bringing into sharp relief the boundless commercial value of what big corporations know about us.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt; What kind of problem is this?&lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
Duhigg's work ends on a note of resignation, and I get the impression from scanning blog posts on this matter that many people -- especially in the largely unregulated United States -- are feeling powerless to do anything about this.
&lt;/p&gt;
&lt;p&gt;
Yet I take heart from existing privacy law.  In places like Australia with OECD-based data protection legislation, &lt;b&gt;it's pretty clear to anyone who actually reads the rules that for a department store here to work out and record that someone is pregnant is likely to be unlawful&lt;/b&gt;.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;A look at how Australia regulates privacy&lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
At state and federal level, Australia has several privacy acts and health records acts.  For our purposes here, they are all much the same.  And I repeat that the following analysis is likely to have parallels in many other countries.  I will use the Victorian &lt;i&gt;Health Records Act 2001&lt;/i&gt; (the &quot;Act&quot;) as a model; underlining in the quoted passages is added by me for emphasis.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;Personal Information&lt;/b&gt; is defined in the Act as: &lt;br /&gt;
&lt;i&gt;&lt;br /&gt;
information or an opinion (including information or an opinion&lt;br /&gt;
forming part of a database), &lt;u&gt;whether true or not&lt;/u&gt;, and whether&lt;br /&gt;
recorded in a material form or not, about an individual &lt;u&gt;whose&lt;br /&gt;
identity is apparent, or can reasonably be ascertained&lt;/u&gt;&lt;br /&gt;
from the information or opinion&lt;br /&gt;
&lt;/i&gt;
&lt;/p&gt;
&lt;p&gt;
At this point, note that the definition is broad and unqualified by such matters as data ownership.  In the Australian legal system, privacy rights attach to any information whatsoever that pertains to an identifiable individual, whether that information is explicitly collected from the person, or generated within some lights-out big data analytics engine.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;Health Information&lt;/b&gt; is defined as, amongst other things:&lt;br /&gt;
&lt;i&gt;&lt;br /&gt;
[Personal Information] about --&lt;br /&gt;
(i) &lt;u&gt;the physical, mental or psychological health&lt;br /&gt;
(at any time) of an individual&lt;/u&gt;; or&lt;br /&gt;
(ii) a disability (at any time) of an individual; or&lt;br /&gt;
(iii) an individual's expressed wishes about the&lt;br /&gt;
future provision of health services to him or her&lt;br /&gt;
&lt;/i&gt;
&lt;/p&gt;
&lt;p&gt;
The cornerstones of privacy in OECD-style data protection systems are &lt;b&gt;Collection Limitation&lt;/b&gt; and &lt;b&gt;Use Limitation&lt;/b&gt;.  Here are the opening clauses of Victoria's Health Privacy Principle HPP 1 - Collection:
&lt;/p&gt;
&lt;p&gt;
&lt;i&gt;&lt;br /&gt;
1.1 When health information may be collected&lt;br /&gt;
An organisation must not collect health information about an&lt;br /&gt;
individual unless the information is necessary for one or more&lt;br /&gt;
of its functions or activities and at least one of the following&lt;br /&gt;
applies --&lt;br /&gt;
(a) &lt;u&gt;the individual has consented&lt;/u&gt;;&lt;br /&gt;
(b) the collection is required, authorised or permitted,&lt;br /&gt;
whether expressly or impliedly, by or under law;&lt;br /&gt;
(c) the information is necessary to provide a health service ...&lt;br /&gt;
&lt;/i&gt;
&lt;/p&gt;
&lt;p&gt;
Note that consent is required in advance of collecting health information, whereas in the case of regular Personal Information, organisations have more latitude to give notice of collection after the fact.
&lt;/p&gt;
&lt;p&gt;
And here are the opening clauses of Health Privacy Principle HPP 2 - Use &amp; Disclosure:
&lt;/p&gt;
&lt;p&gt;
&lt;i&gt;&lt;br /&gt;
2.1 An organisation may use or disclose health information about&lt;br /&gt;
an individual for the primary purpose for which the information was&lt;br /&gt;
collected in accordance with HPP 1.1.&lt;/i&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;i&gt;2.2 An organisation must not use or disclose health information about&lt;br /&gt;
an individual for a purpose (the secondary purpose) other than the&lt;br /&gt;
primary purpose for which the information was collected unless&lt;br /&gt;
at least one of the following paragraphs applies --&lt;br /&gt;
(a) both of the following apply --&lt;br /&gt;
(i) the secondary purpose is directly related to the primary purpose; and&lt;br /&gt;
(ii) the individual would reasonably expect the organisation to use or&lt;br /&gt;
disclose the information for the secondary purpose; or&lt;br /&gt;
(b) the individual has consented to the use or disclosure ...&lt;br /&gt;
&lt;/i&gt;
&lt;/p&gt;
&lt;p&gt;
HPP 1 goes on to set out how individuals should be kept informed about the collection of health information about them:
&lt;/p&gt;
&lt;p&gt;
&lt;i&gt; How health information is to be collected&lt;br /&gt;
1.4 At or before the time (or, if that is not practicable,&lt;br /&gt;
as soon as practicable thereafter) an organisation collects&lt;br /&gt;
health information about an individual from the individual,&lt;br /&gt;
the organisation must take steps that are reasonable in the&lt;br /&gt;
circumstances to ensure that the individual is generally aware of --&lt;br /&gt;
(a) the identity of the organisation and how to contact it; and&lt;br /&gt;
(b) the fact that he or she is able to gain access to the&lt;br /&gt;
information; and&lt;br /&gt;
(c) &lt;u&gt;the purposes for which the information is collected&lt;/u&gt;; and&lt;br /&gt;
(d) to whom (or the types of individuals or organisations to which)&lt;br /&gt;
the organisation usually discloses information of that kind; and&lt;br /&gt;
(e) any law that requires the particular information to be&lt;br /&gt;
collected; and&lt;br /&gt;
(f) the main consequences (if any) for the individual if all or&lt;br /&gt;
part of the information is not provided.&lt;/i&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;i&gt;1.5 If an organisation collects health information about an&lt;br /&gt;
individual from someone else, it must take any steps that are&lt;br /&gt;
reasonable in the circumstances to ensure that the individual&lt;br /&gt;
is or has been made aware of the matters listed in HPP 1.4 except&lt;br /&gt;
to the extent that making the individual aware of the matters&lt;br /&gt;
would pose a serious threat to the life or health of any&lt;br /&gt;
individual or would involve the disclosure of information&lt;br /&gt;
given in confidence.&lt;br /&gt;
&lt;/i&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;Conclusion: Don't give up on privacy!&lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
On my reading of the Act, we can be sure of the following:
&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;If a department store mines its data on shopping habits, determines that a named woman is likely to be pregnant, and records that prediction in a database, then the store will have &lt;i&gt;collected health information about her&lt;/i&gt; and is subject to health privacy legislation in several states (as well as the &lt;i&gt;Sensitive Personal Information&lt;/i&gt; clauses of Australia's federal privacy law).&lt;/li&gt;
	&lt;li&gt;If the department store has not obtained the customer's consent to having the state of her pregnancy determined, then the store will have breached HPP 1.1.&lt;/li&gt;
	&lt;li&gt;If the store uses information originally collected from customers to monitor their shopping habits to generate new information predicting their pregnancies, then it will have breached HPP 2.2.&lt;/li&gt;
	&lt;li&gt;If the store has not informed the woman that they have predicted she is pregnant, then it will have breached HPP 1.5.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
Many commentators fear that the march of technology outpaces the law, but I for one am more optimistic.  For the most part, it seems our current information privacy law actually copes well with the sorts of business activities we find so intuitively offensive.  I am not a lawyer but it looks clearly unlawful to me if a department store in Australia purposefully works out its customers are pregnant.  Technically, &lt;i&gt;just recording that prediction&lt;/i&gt; even without acting upon it probably counts as a Collection of health information and as such it needs the consent of the customer.
&lt;/p&gt;
&lt;p&gt;
The same legal principles apply -- with even more force -- in Europe.  It remains to be seen whether information privacy can be better regulated in the US through the FIPPs or other mechanisms.
&lt;/p&gt;
</description>
		<pubDate>Wed, 07 Mar 2012 07:43:00 +1100</pubDate>
		<guid>http://lockstep.com.au/blog/2012/03/07/target-tells-youre-pregnant</guid>
		<category>Privacy</category>
	</item>
	<item>
		<title>A software engineer's memoir (work in progress)</title>
		<link>http://lockstep.com.au/blog/2012/03/09/developers-memoir</link>
		<description>
&lt;p&gt;
I'm an ex-software &quot;engineer&quot; [I have reservations about that term] with some life experience of ultra high rel development practices.  It's fascinating how much about software quality I learned in the 1980s and 90s is relevant to info sec today.
&lt;/p&gt;
&lt;p&gt;
I've had a trip down memory lane triggered by Karen Sandler's presentation at LinuxConf12 in Ballarat &lt;a href=&quot;http://t.co/xvUkkaGl&quot;&gt;http://t.co/xvUkkaGl&lt;/a&gt; and her paper &quot;Killed by code&quot;.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;The software in implantable defibrillators&lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;i&gt;I'm still working my way through Sandler's materials.  So this post is a work in progress. &lt;/i&gt;
&lt;/p&gt;
&lt;p&gt;
What's really stark on first viewing of Karen's talk is the culture she experienced and how it differs from the implantable defib industry I knew in its beginnings 25 years ago.
&lt;/p&gt;
&lt;p&gt;
Sandler had an incredibly hard and very off-putting time getting any defib company to explain their software.  But when we started in this field, every single person in the company -- and many of our doctors -- would have been able to answer the question &quot;What software does this defib run on?&quot;  The answer was &quot;ours&quot;.  And moreover, the FDA were highly aware of software quality issues.  The whole medical device industry was still on edge from the notorious Therac 25 episode [ADD REF], a watershed in software verification.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;A personal story&lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
I was part of the team that wrote the code for the world's first implantable defibrillator.
&lt;/p&gt;
&lt;p&gt;
In 1990 Telectronics (a tragic legend of Australian technology) released the world's first software controlled implantable defib, the model 4210.  The computing technology was severely restricted by several factors: ultra low power consumption, and a limited number of microprocessor vendors that would warrant their chips for use in medical devices.  The 4210 defib used a semi-customised 8 bit microcontroller based on the 6502, and a 32 KB byte-organised SRAM chip that held the entire executable.  It clocked at 128kHz.  The software had to be efficient, not only to ensure it could make some very tough real time rendezvous, but to keep the power consumption down; the micro consumed about 30% of the device's power over its nominal five year lifetime.
&lt;/p&gt;
&lt;p&gt;
We wrote mostly in C, with some assembly coding for the kernel and some performance sensitive routines.  The kernel was of our own design, multi-tasking, with hard real time performance requirements (in particular, for obvious reasons the system had to respond within tight specs to heart beat interrupts and we had to show we weren't ever going to miss an interrupt!)  We also wrote the C compiler.
&lt;/p&gt;
&lt;p&gt;
The 4210's software was 40,000 lines of C, developed by a team of 5-6 over several years; the total effort was 25 person-years.  Some of the testing and pre-release validation is described in my blog post &lt;a href=&quot;http://lockstep.com.au/blog/2011/02/23/programming-is-like-playwriti.html&quot;&gt;http://lockstep.com.au/blog/2011/02/23/programming-is-like-playwriti.html&lt;/a&gt;.  The final code inspection involved a team of five working five-to-six hour days for two months, reading aloud and understanding every single line.  When occasion called for checking assembly instructions, sometimes we took turns with pencil and paper pretending to be the accumulators, the index registers, the program counter and so on.  No stone was left unturned.
&lt;/p&gt;
&lt;p&gt;
The final walkthrough was quite a personnel challenge.  One of the senior engineers (a genius who wrote the kernel and compiler) lobbied for inspecting the whole executable because he didn't want to rely on the correctness of the compiler -- but that would have taken six months.  So we compromised by walking through only the assembly code for the critical modules, like the tachycardia detector and the interrupt handlers.
&lt;/p&gt;
&lt;p&gt;
We amassed several thousand implant-years of experience with the 4210 before it was superseded.  After release, we found two or three minor bugs, which we fixed with software upgrades.  None would have caused a misfire, neither false positive nor false negative.
&lt;/p&gt;
&lt;p&gt;
Yes, for the upgrade we could write into the RAM over a proprietary telemetry protocol.  In fact the main reason for the one major software upgrade in the field was to add error correction because after hundreds of device-years we noticed higher than expected bit flips from natural background radiation.  That's a helluva story in itself.  It was observed that had the code been in ROM, we couldn't have changed it but we wouldn't have had to change it for bit flips either.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;Morals of the story&lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
Anyway, some of the morals of the story so far:
&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Software then was cool and topical, and the whole company knew how to talk about it.  The real experts -- the dozen or so people in Sydney directly involved in the development -- were all well known worldwide by the executives, the sales reps, the field clinical engineers, and regulatory affairs.  And we got lots of questions (in contrast to Karen Sandler's experience where all the cardiologists and company people said nobody ever asked about the code).&lt;/li&gt;
	&lt;li&gt;Everything about the software was controlled by the company: the operating system, the chip platform, the compiler, the telemetry protocol.&lt;/li&gt;
	&lt;li&gt;We had a team of people that knew the code like the backs of their hands.  Better in fact.  It was reliable and, in hindsight, impregnable.  Not that we worried about malware back in 1987-1990.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
&lt;b&gt;Where has software development gone?&lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
So the sorts of issues that Karen Sandler is raising now, over two decades on, are astonishing on so many levels.
&lt;/p&gt;
&lt;p&gt;
Why would anyone decide to write life support software on someone else's platform?
&lt;/p&gt;
&lt;p&gt;
Why would they use wifi or Bluetooth for telemetry?
&lt;/p&gt;
&lt;p&gt;
And if the medical device companies cut corners in software development, one wonders what Westinghouse is doing with their cruise missile controllers.
&lt;/p&gt;
&lt;p&gt;
[TO BE CONTINUED]
&lt;/p&gt;
</description>
		<pubDate>Fri, 09 Mar 2012 19:00:00 +1100</pubDate>
		<guid>http://lockstep.com.au/blog/2012/03/09/developers-memoir</guid>
		<category>Software engineering,Management theory</category>
	</item>
	<item>
		<title>Facial recognition isn't creepy: it's dangerous</title>
		<link>http://lockstep.com.au/blog/2011/06/18/not-creepy-but-dangerous</link>
		<description>
&lt;p&gt;
Why do people use soft, subjective words like &quot;creepy&quot; to criticise facial recognition in social networking sites?  Eric Schmidt has said that facial recognition is &lt;a href=&quot;http://www.dailymail.co.uk/sciencetech/article-1388855/Google-CEO-Eric-Schmidt-warns-governments-facial-recognition-technology.html&quot;&gt; 'Too creepy even for Google'&lt;/a&gt; but by not damning it more strongly, does he deliberately leave himself wiggle room?
&lt;/p&gt;
&lt;p&gt;
We can and really should analyse facial recognition objectively:
&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Facial recognition converts vast drifts of hitherto anonymous image data into Personally Identifiable Information, and in so doing instantly creates obligations under black letter privacy law in Europe and elsewhere&lt;/li&gt;
	&lt;li&gt;Facebook appears evasive in the way it describes (or not) biometric templates.  It proudly announces that members can remove tags yet it actually retains the biometric templates until an extra step is taken to have them deleted too (see &lt;a href=&quot;http://www.facebook.com/help/?faq=225110000848463&quot;&gt;http://www.facebook.com/help/?faq=225110000848463&lt;/a&gt;).&lt;/li&gt;
	&lt;li&gt;Facebook promotes as privacy enhancing the fact that only friends are allowed to suggest tags.  Let's not be naive about this.  Facebook are cleverly crowdsourcing the training of their biometric algorithms, and they wouldn't want too many guesses from strangers polluting their data.&lt;/li&gt;
	&lt;li&gt;And let's be plain about why Facebook and the other informopolies are so keen on facial recognition: &lt;i&gt;it's to improve their ability to make connections&lt;/i&gt;.  They will now be able to spot when two people are in the same place at the same time.  And they will be able to tell what cars people like to drive, what movies they're watching, what devices they like to use -- without anyone needing to expressly &quot;like&quot; anything anymore.   This is pure gold.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
By maintaining emotive or intuitive descriptions of biometric concerns, technologists are leaving biometric critics in a soft corner.  This might be an innocent side effect of trying to use plain language, or it could be cleverly calculated in order to keep their options open.  But either way, dumbing down the debate won't help in the long run.
&lt;/p&gt;
</description>
		<pubDate>Sat, 18 Jun 2011 07:03:00 +1000</pubDate>
		<guid>http://lockstep.com.au/blog/2011/06/18/not-creepy-but-dangerous</guid>
		<category>Privacy,Language,Biometrics,Social Networking</category>
	</item>
	<item>
		<title>Niche is a better word for it</title>
		<link>http://lockstep.com.au/blog/2012/02/25/niche-is-a-good-word</link>
		<description>
&lt;p&gt;
With the term &quot;ecosystem&quot; being bandied about so much, I started thinking ecologically last year.  A two-part article on my new Ecological Theory of Identity is being published in SC Magazine Australia.
&lt;/p&gt;
&lt;p&gt;
Here's a little extract of the next installment:
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;Extract&lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
If we think ecologically, we can better explain the surprising power of context in identity management.  It is ironic that the &lt;i&gt;Laws of Identity&lt;/i&gt; emphasise the importance of context, and yet federated identity programs repeatedly underestimate how strongly IDs resist changing context.
&lt;/p&gt;
&lt;p&gt;
The tight fit that evolves between each given identity and the setting in which it is intended to be used is best described as an &lt;i&gt;ecological niche&lt;/i&gt;.  As with real life ecology, characteristics that bestow fitness in one niche can work against the organism -- or digital identity -- in another.
&lt;/p&gt;
&lt;p&gt;
Identity &quot;silos&quot; are much derided but we can see now they are a natural consequence of how all business rules are matched to particular contexts.  The environmental conditions that shaped the particular identities issued by banks, credit card companies, employers, governments and professional bodies are not fundamentally changed by the Internet.  As such, we should expect that when these identities transition from real world to digital, their properties -- especially their &quot;interoperability&quot; and liability arrangements -- cannot readily adapt.
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;So, taking a mature digital identity (like a university student ID) out of its natural niche and hoping it will interoperate in another context (like banking) is a lot like taking a salt water fish and dropping it into a fresh water tank.&lt;/b&gt;
&lt;/p&gt;
&lt;p&gt;
On the other hand, the ecological frame neatly explains why the purely virtual identities like blogger names, OSN handles and gaming avatars are so highly interoperable: it's because their environmental niches are not so specific.  Thinking about how quickly and widely social identities like Facebook Connect have spread, in a very real sense we can describe them as &lt;i&gt;weeds&lt;/i&gt;!
&lt;/p&gt;
&lt;p&gt;
&lt;b&gt;My longer article on a new ecological theory of digital identity is available &lt;a href=&quot;http://lockstep.com.au/library/identity_authentication/an-ecological-theory-of-digit.html&quot;&gt;here&lt;/a&gt;.&lt;/b&gt;
&lt;/p&gt;
</description>
		<pubDate>Sat, 25 Feb 2012 00:02:00 +1100</pubDate>
		<guid>http://lockstep.com.au/blog/2012/02/25/niche-is-a-good-word</guid>
		<category>Identity,Federated Identity</category>
	</item>
	<item>
		<title>More evidence of the gap between tech and policy</title>
		<link>http://lockstep.com.au/blog/2012/02/17/path-and-the-privacy-gap</link>
		<description>
&lt;p&gt;
After the scandal broke of how the iPhone app &quot;&lt;a href=&quot;http://www.smh.com.au/technology/technology-news/oops-weve-invaded-your-privacy-20120213-1t1w6.html&quot;&gt;Path&lt;/a&gt;&quot; was accessing users' address books and transmitting them back to base, many in the developer community said they thought this was pretty common.  The good folks over at Veracode decided to check, so they built another app that simply scans all code on your device for signs that the address book is being accessed.  Believe it or not, the Apple operating system has a standard call, available to every app, called &quot;ABAddressBookCopyArrayOfAllPeople&quot;.
&lt;/p&gt;
&lt;p&gt;
&lt;a href=&quot;http://ht.ly/973pC&quot;&gt;Mark Kriegsman at Veracode blogged about their results &lt;/a&gt;: 
&lt;/p&gt;
&lt;p&gt;
&lt;i&gt;Talking to the Veracode Research team about this iOS address book madness, the consensus was that &lt;b&gt;none of this should come as a surprise&lt;/b&gt; to anyone who's been following mobile development or security research for mobile platforms&lt;/i&gt; (emphasis added).
&lt;/p&gt;
&lt;p&gt;
This is terrific work.
&lt;/p&gt;
&lt;p&gt;
Despite the Veracode team's reaction, I'm sure most of the public -- even the technologically informed public -- would indeed be very surprised to know any old app can freely access their contact lists. If developers are &lt;i&gt;not&lt;/i&gt; surprised, perhaps they look at privacy differently?
&lt;/p&gt;
&lt;p&gt;
What probably &lt;i&gt;will&lt;/i&gt; surprise many technologists is that under black letter privacy law in Australia, Europe and elsewhere, it would be an offence for the company deploying the app to access contact information on a phone without a good reason and/or user consent (let alone to do it without any notice at all as was the case with Path).  As Kriegsman writes in the Veracode article, it's hard to imagine why many of these apps have any cause to call ABAddressBookCopyArrayOfAllPeople.
&lt;/p&gt;
&lt;p&gt;
Developers sometimes seem to think that if information is accessible to them, then it's fair game for re-use or innocent &quot;research&quot;. The classic example was the &lt;a href=&quot;http://lockstep.com.au/library/privacy/googles-wifi-misadventure-and.html&quot;&gt;collection of wifi transmissions by Google Street View cars&lt;/a&gt;. Many said at the time that if data is in the &quot;public domain&quot; then it's free to be collected and used. And they were very surprised indeed to learn that their presumption is simply wrong at law. Many privacy laws are generally blind to where Personally Identifiable Information is collected. If information is identifiable, and if you have no business collecting it, then you're not allowed to. It's black and white.
&lt;/p&gt;
</description>
		<pubDate>Fri, 17 Feb 2012 06:25:00 +1100</pubDate>
		<guid>http://lockstep.com.au/blog/2012/02/17/path-and-the-privacy-gap</guid>
		<category>Social Networking,Privacy</category>
	</item>
	<item>
		<title>That's what I call hype</title>
		<link>http://lockstep.com.au/blog/2012/02/14/iris-hype</link>
		<description>
&lt;p&gt;
A modest little quote from a biometrics expert caught my eye this week.  Neil Fisher, VP of Global Security Solutions at Unisys was cited describing the False Acceptance Rate of iris scanning as &quot;in the region of 0.1%&quot;.  See &lt;i&gt;Believing in biometrics&lt;/i&gt;, at &quot;Airport Technology&quot;, &lt;a href=&quot;http://www.airport-technology.com/features/featurebelieving-in-biometrics&quot;&gt;http://www.airport-technology.com/features/featurebelieving-in-biometrics&lt;/a&gt;.
&lt;/p&gt;
&lt;p&gt;
This figure is, to put it mildly, rather less than what we've been led to believe by iris scanning proponents over the years.
&lt;/p&gt;
&lt;p&gt;
It is widely reported that the probability of two randomly selected irises matching is &lt;i&gt;one in 10 to the power of 78&lt;/i&gt; [1].  This is indeed a staggering denominator, far greater than the number of stars in all the galaxies in all the universe.  [Yet that number is near meaningless if the iris scanning equipment isn't perfect.  Consider that there are 100 billion stars in the Milky Way but that figure doesn't predict the odds of two people picking out the same star with the naked eye, which is one in a few hundred or worse depending on the lighting conditions.]
&lt;/p&gt;
&lt;p&gt;
Yet the recognised inventor of iris recognition, John Daugman of Cambridge University, never claimed his method was as good as all that.  In 2000, Daugman published a technical paper [2] on iris detection decision thresholds.  Based on data from an ophthalmology research database, his calculations implied [3] a False Match rate as low as one in 10 to the power of 14.
&lt;/p&gt;
&lt;p&gt;
In 2005 Daugman experimentally verified his very low error rate claim using data on over 600,000 individuals sampled in the United Arab Emirates' immigration security system [4].  He reported that the &quot;False Match rate is less than 1 in 200 billion&quot; or one in 10 to the power of 11.  But it should have been clear to all that the result would be a very best case, for border security biometrics systems impose tight control over image quality and lighting conditions for both enrolment and subsequent capture events; without such control, measurement fidelity suffers.
&lt;/p&gt;
&lt;p&gt;
And indeed, independent government testing of iris biometrics, while impressive, shows error rates millions of times worse than Daugman's estimates.  For example, the UK Government in 2001 found a False Match rate of 0.0001% or one in a million [5].
&lt;/p&gt;
&lt;p&gt;
And now we have a leading biometrics implementer saying that in practice, the iris False Match Rate is typically 0.1% or a pretty ordinary one in 1,000. If that's the real life benchmark, then the folkloric figure of one in 10 to the power of 78 represents an exaggeration of &lt;i&gt;one thousand, trillion, trillion, trillion, trillion, trillion, trillion&lt;/i&gt; times.
&lt;/p&gt;
&lt;p&gt;
&lt;i&gt;Literally&lt;/i&gt;.
&lt;/p&gt;
&lt;p&gt;
&lt;br /&gt;
[1] See e.g. &lt;a href=&quot;http://www.aditech.co.uk/irisrecognitiontechnology.html&quot;&gt;http://www.aditech.co.uk/irisrecognitiontechnology.html&lt;/a&gt;.  Or try Googling iris &quot;1 in 10 to the power of 78&quot;.&lt;br /&gt;
[2] &lt;i&gt;Biometric decision landscapes&lt;/i&gt;, Daugman, 2000; &lt;a href=&quot;http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-482.pdf&quot;&gt;http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-482.pdf&lt;/a&gt;&lt;br /&gt;
[3] &lt;a href=&quot;http://www.sans.org/reading_room/whitepapers/authentication/dont-blink-iris-recognition-biometric-identification_1341&quot;&gt;http://www.sans.org/reading_room/whitepapers/authentication/dont-blink-iris-recognition-biometric-identification_1341&lt;/a&gt;.&lt;br /&gt;
[4] &lt;i&gt;Results from 200 billion iris cross-comparisons&lt;/i&gt; John Daugman, University of Cambridge Computer Laboratory,  &lt;a href=&quot;http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-635.pdf&quot;&gt;http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-635.pdf&lt;/a&gt;.&lt;br /&gt;
[5] &lt;i&gt;Biometric Product Testing Final Report&lt;/i&gt;, Issue 1.0; Mansfield et al, Centre for Mathematics and Scientific Computing, National Physical Laboratory, for the UK Government Communications Electronics Security Group (CESG) Biometric Test Programme, 2001; &lt;a href=&quot;http://www.cesg.gov.uk/publications/Documents/biometrictestreportpt1.pdf&quot;&gt;http://www.cesg.gov.uk/publications/Documents/biometrictestreportpt1.pdf&lt;/a&gt;.
&lt;/p&gt;
</description>
		<pubDate>Tue, 14 Feb 2012 12:44:00 +1100</pubDate>
		<guid>http://lockstep.com.au/blog/2012/02/14/iris-hype</guid>
		<category>Biometrics</category>
	</item>
	<item>
		<title>Farmers know about silos</title>
		<link>http://lockstep.com.au/blog/2012/02/07/farmers-respect-silos</link>
		<description>
&lt;p&gt;
Imagine this.  Two grain growers are neighbours.  One farms wheat and the other corn.  Both have invested a lot of money in their silos and grain handling equipment, all of which continues to be a significant cost in their operations.  The corn farmer is an innovator and comes up with a bright idea.  She approaches her neighbour and gives him the following proposition: since their infrastructure is such an overhead, why not, in the name of efficiency, join up and share their silos?
&lt;/p&gt;
&lt;p&gt;
What farmer wouldn't reject this idea out of hand?  If a grain grower needs more capacity, in theory they could re-engineer the entire storage and handling system to use someone else's silo, strike up new support arrangements with their equipment providers, and seek insurance to cover new risks of mixing up their grains.  But it would be simpler, cheaper and quicker to just build themselves another silo!
&lt;/p&gt;
&lt;p&gt;
&quot;Break down the silos&quot; is one of the catch cries of modern management practice, and it's a special rallying call in the Federated Identity movement.  Nobody denies that myriad passwords and security devices have become a huge headache, but attempts to solve what is really a technology and human factors challenge by sharing identities and identity provisioning all too often come unstuck.
&lt;/p&gt;
&lt;p&gt;
It&acirc;s not for nothing that we call identity domains &quot;silos&quot;.  Grain silos are architecturally elegant, strong and safe; they are critical infrastructure for farmers.
&lt;/p&gt;
&lt;p&gt;
Of all the metaphors in identity management, &quot;silo&quot; is actually one of the good ones.  And you have to wonder when and why it became a dirty word in our industry.  Identity silos are actually carefully constructed &lt;i&gt;risk management arrangements&lt;/i&gt; and in IDAM, risk is the name of the game.  As such, silos are not to be trifled with!
&lt;/p&gt;
</description>
		<pubDate>Tue, 07 Feb 2012 16:35:00 +1100</pubDate>
		<guid>http://lockstep.com.au/blog/2012/02/07/farmers-respect-silos</guid>
		<category>Security,Language,Federated Identity</category>
	</item>
	<item>
		<title>The end of standards</title>
		<link>http://lockstep.com.au/blog/2012/02/23/end-of-standards</link>
		<description>
&lt;p&gt;
A colleague drew my attention to what he called &quot;yet another management standard&quot;.  Which got me thinking about where our preoccupation with standards might be heading and where it might end.
&lt;/p&gt;
&lt;p&gt;
Most modern risk management standards allow for exception management.  If a company has a formal procedure in place -- for example a Disaster Recovery Plan -- but something out of the ordinary comes up, then the latest standards provide management with flexibility to vary their response to suit their particular circumstances; in other words, management can generally waive regular procedures and &quot;accept the risk&quot;.  The company can remain in compliance with management systems and standards if it documents these exceptions carefully.
&lt;/p&gt;
&lt;p&gt;
So ... what if a company says &quot;the hell with this latest management standard, we don't want to have anything to do with it&quot;.  If the standard allows for exceptions, then the company may still be in compliance with the standard by not being in compliance with it.
&lt;/p&gt;
&lt;p&gt;
How about that: a standard you cannot help but comply with!
&lt;/p&gt;
&lt;p&gt;
And then we wouldn't need auditors.  We might even start to make some real progress.
&lt;/p&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;br /&gt;
Here's a less facetious analysis of the perils of over-standardisation: &lt;a href=&quot;http://lockstep.com.au/blog/2010/12/21/no-algorithm-for-management&quot;&gt;http://lockstep.com.au/blog/2010/12/21/no-algorithm-for-management&lt;/a&gt;.
&lt;/p&gt;
</description>
		<pubDate>Thu, 23 Feb 2012 17:44:00 +1100</pubDate>
		<guid>http://lockstep.com.au/blog/2012/02/23/end-of-standards</guid>
		<category>Management theory</category>
	</item>
	<item>
		<title>Pseudonyms are for everyone!</title>
		<link>http://lockstep.com.au/blog/2011/08/31/nicknames-for-all</link>
		<description>
&lt;p&gt;
Too many analyses of Google's and Facebook's Real Names policy take a narrow view of pseudonyms, conceding only that they may benefit for example &quot;[dissidents] in Egypt, China, colonial America [and] whistle-blowers inside corporations and labour unions&quot; (see Berin Szoka's &lt;a href=&quot;http://techliberation.com/2011/08/29/whats-in-a-pseudo-name-privacy-free-expression-real-names-on-google-facebook/&quot;&gt;&quot;What's in a Pseudo-name?&quot;&lt;/a&gt;).
&lt;/p&gt;
&lt;p&gt;
There's evidently a belief that regular upstanding citizens have no need for pseudonyms, and a veiled suspicion that wanting one means you must have something to hide.  Yet in truth, a great many ordinary Internet users have developed pseudonymous habits to protect themselves in the Wild West that is cyberspace today.
&lt;/p&gt;
&lt;p&gt;
To frustrate the efforts of junk mailers and spammers, it's standard practice amongst many to use multiple e-mail addresses, or to fib about their location or their age when filling in forms.  And where does the Real Names creed leave all the advice we've been giving our kids for years in social networking, to hide their age, their location and any identifying details?
&lt;/p&gt;
&lt;p&gt;
It's important for everyone -- not just Mid-Eastern freedom fighters -- to have the autonomy to represent themselves how they like in social settings.
&lt;/p&gt;
&lt;p&gt;
What a twisted world is cyberspace these days!  Think about it: Why the hell is the onus on users to defend their use of nicknames, when it ought to be the informopolies that justify imposing their self-serving rules on how we users refer to ourselves?  We don't go around in public with our 'real names' tattooed on our foreheads!  No &quot;Social network&quot; should be dictating how we socialise!
&lt;/p&gt;
</description>
		<pubDate>Wed, 31 Aug 2011 13:55:00 +1000</pubDate>
		<guid>http://lockstep.com.au/blog/2011/08/31/nicknames-for-all</guid>
		<category>Privacy,Nymwars,Internet,Identity,Social Networking</category>
	</item>
	<item>
		<title>The ultimate opt-out</title>
		<link>http://lockstep.com.au/blog/2011/09/04/the-ultimate-opt-out</link>
		<description>
&lt;p&gt;
Multi-disciplined healthcare is standard practice today.  Yet an important legal precedent to do with information sharing shows how important it is that practitioners do not presuppose how patients weigh health outcomes relative to privacy. As debate continues over opt-in and opt-out models for Patient Controlled Electronic Health Records, the lessons of this case should be re-visited, because it was sympathetic to a patient's right to withhold certain information from their carers for privacy reasons.
&lt;/p&gt;
&lt;p&gt;
In 2004, an oncology patient KJ was being treated at a hospital west of Sydney by a multi-disciplined care team.  At one point she consulted with a psychiatrist.  Sometime later, notes of her psychiatric sessions were shared with others in the oncology team.  KJ objected and complained to the NSW Administrative Decisions Tribunal that her privacy had been violated.  Hospital management defended the sharing on the basis that it was normal in modern multi-disciplined healthcare and that it therefore represented reasonable &lt;i&gt;Use&lt;/i&gt; of personal information under privacy legislation.  However, the tribunal agreed with KJ that she should have been informed in advance that her psychiatric file would be shared with others.  That is, the tribunal found that sharing patient information &lt;u&gt;even with other professionals in the same facility&lt;/u&gt; constituted &lt;i&gt;Disclosure&lt;/i&gt; of Personal Information and not just &lt;i&gt;Use&lt;/i&gt;.
&lt;/p&gt;
&lt;p&gt;
In broad terms, under Australian privacy laws, the &lt;i&gt;Disclosure&lt;/i&gt; of Sensitive Personal Information generally requires the consent of the individual concerned, whereas &lt;i&gt;Use&lt;/i&gt; does not, because it is related to the primary purpose for collection and would be regarded as reasonable by the individual concerned.
&lt;/p&gt;
&lt;p&gt;
There is no argument that the exchange of health information with colleagues caring for the same patient is inherent to most good medical practice.  Sharing information would probably be universally regarded by healthcare providers, in the context of privacy legislation, as a reasonable use, closely related to the primary purpose of collecting that information.  And yet &lt;i&gt;KJ v Wentworth Area Health Service&lt;/i&gt; recognises that the attitudes of patients as to what is reasonable may differ from those of doctors.  If there is a significant risk that a given patient would not think it reasonable for information to be shared, then privacy legislation in Australia (as typified by NSW law) requires that their express consent is sought beforehand.
&lt;/p&gt;
&lt;p&gt;
Many healthcare facilities in NSW responded to this case by improving their Privacy Notices.  At the time of admission (and hopefully also at other times during their treatment journey) patients should be informed that their Personal Information may be disclosed to other healthcare professionals in the facility.  This gives the patient the opportunity to withhold details they do not want disclosed more widely.
&lt;/p&gt;
&lt;p&gt;
The tribunal noted in &lt;i&gt;KJ v Wentworth Area Health Service&lt;/i&gt; that &quot;&lt;i&gt;while generally speaking the expression 'disclosure' refers to making personal information available to people outside an agency, in the case of large public sector agencies consisting of specialised units, the exchange of personal information between units may constitute disclosure&lt;/i&gt;&quot;.
&lt;/p&gt;
&lt;p&gt;
In other words, lay people may perceive there to be greater 'distance' between different units in the health system, even within the one hospital, than do healthcare professionals.  Legally, it appears that the understandable interests of healthcare professionals to work closely together do not trump a patient's wishes to sometimes keep their Personal Information compartmentalised.
&lt;/p&gt;
&lt;p&gt;
This precedent is important to the design of EHR systems, for it reminds us that the entirety of the record should not be automatically accessible by all providers.  But more subtly, it also re-balances the argument often advanced by doctors that opt-in may be injurious because patients might not make the best decisions if they pick and choose what parts of their story to include in the EHR.  Even if that clinical risk is real, the ruling in &lt;i&gt;KJ v Wentworth Area Health Service&lt;/i&gt; would appear to empower patients to do just that.
&lt;/p&gt;
&lt;p&gt;
In my view, the resolution of this tension lies in better communication, and good faith.  What matters above all in electronic health is trust and participation.  We know that patients who fear for their privacy will actually decline treatment if they do not trust that their Personal Information will be safe.  Whether an EHR is technically opt-in or opt-out doesn't matter in the long run if patients exercise their ultimate right to just stay away.  Privacy anxieties may be especially acute around mental health, sexual assault, drug and alcohol abuse and so on.  It is imperative for the public health benefits expected from e-health that patients with these sorts of conditions have faith in EHRs and do not simply drop out.
&lt;/p&gt;
&lt;p&gt;
Reference: &lt;a href=&quot;http://www.lawlink.nsw.gov.au/Lawlink/privacynsw/ll_pnsw.nsf/pages/PNSW_07_cnadt84&quot;&gt;Case Note: KJ v Wentworth Area Health Service&lt;/a&gt;, NSWADT 84, Privacy NSW; Date of Decision: 3 May 2004
&lt;/p&gt;
</description>
		<pubDate>Sun, 04 Sep 2011 22:04:00 +1000</pubDate>
		<guid>http://lockstep.com.au/blog/2011/09/04/the-ultimate-opt-out</guid>
		<category>Privacy,e-health</category>
	</item>
</channel>
</rss>
