Thursday, August 9, 2007

Is Privacy a Legal Issue or Management Issue?

There are at least two schools of thought about privacy; one school much larger than the other. The larger school says that privacy is essentially a legal issue... a subject best addressed by lawyers. The smaller school says that privacy is a management issue... those engaged in the management of the business should address privacy issues, consulting legal counsel only when necessary to understand the legal requirements and risks in a particular situation. This matter relates to my recent post Compliance vs. Risk Management.

I am clearly a member of the second school. My experience is that when lawyers get involved in an eHealth initiative, the result is overkill. Solutions are sometimes over-engineered. Complex functionality is created that addresses issues that are very low risk.

I pick on privacy here because privacy (and, to a lesser extent, security) is the subject of comprehensive legislation. It seems that legislators and lawyers have little or no interest in the safety or business risks associated with eHealth. Even security issues outside of the privacy domain, such as data and system availability and integrity, which can have massive legal and risk implications, are given little attention.

In their proper place, legal counsel can be very useful. Privacy legislation is often complex. Health care managers need to understand the legal implications of their decisions. However, legal matters are only one piece of the risk equation that managers must consider.

It comes down to who is calling the shots: the manager or the organization's legal counsel. In my view it must always be the manager.

That said, I found a useful legal resource for Canadians on the web called the Canadian Privacy Law Blog published by Canadian privacy lawyer David Fraser. He has a very comprehensive privacy resource and links section. I'll keep my eyes open for similar resources in other countries.

Listen to your lawyer, then make your decision in the best interests of the patient, health care providers and your organization. Don't let your lawyer make your decision for you.
