A Notice Does Not Notify Unless It Can Be Understood

'Ontario has a law that protects your personal health information, including information about you kept at this hospital. We are required to keep your personal health information safe and secure. You have the right to know how we may use and give it out and how you can get access to it.'

These three sentences ' short, sweet, simple ' begin the text of a poster called 'Health Information Privacy in our Hospital.' This poster, one of three in a series (which includes 'in our facility' and 'in our office'), and the three accompanying brochures, are the result of an innovative collaboration that has taken an international consensus and turned it into printed products that are garnering great reviews.

The office of the Information and Privacy Commissioner of Ontario, along with the Ontario Bar Association's Privacy and Health Law sections and the Ontario Dental Association, spearheaded a team to develop short notices for the province's new Personal Health Information Protection Act ('PHIPA'), which launched the products earlier in June 2005.

'When you're dealing with the law of consent ' and PHIPA is a consent-based statute ' adequate notice is a required feature,' said Ken Anderson, Assistant Commissioner (Privacy) of the Information and Privacy Commission of Ontario ('IPC'). 'Ontario's new health privacy legislation was no exception in requiring custodians of personal health information to make available a statement of information practices. Often, lengthy notices have been used to comply with such requirements, with the result being a failure to communicate. Notices are too long, too complex, and, as research has shown, actually raise more doubts in people's minds than they allay.'

The short notices movement was born to address these inadequacies.

Background

Research on privacy policies conducted in the United States and elsewhere has provided persuasive evidence that a layered approach, with an emphasis on clear, short notices of information-handling policies and practices, is the most effective way of building consumer trust. For example, the Hunton & Williams Center for Information Policy Leadership, which has done pioneering work on short notices, conducted focus groups on privacy policies. The Center found that consumer trust in companies is eroded by long, legalistic privacy policies. Focus group participants preferred short privacy notices that clearly communicated how a company was using and sharing their personal information and expressed support for a common 'template' that could be used by different companies.

The Annenberg Public Policy Center of the University of Pennsylvania surveyed Americans in 2003 and found that even self-styled, savvy Internet users not only fail to understand how online companies typically compile information about visitors to Web sites, but also do not understand privacy notices and will not spend much time to learn more. For example, a majority believed that the very existence of a privacy policy meant that no information about them would be shared.

The European Union's Article 29 Data Protection Working Group has made consistent recommendations since 2000 (WP 37, 43, 100) calling for simple and understandable information being provided to online consumers prior to the collection of personal information. This would facilitate compliance with the EU Data Protection Directive's Article 10 requirements concerning information to be given to the data subject.

The growing movement to establish a global short privacy notice had its official birth at the 2003 International Conference of Data Protection and Privacy Commissioners in Sydney, Australia. At that conference, the Commissioners passed a resolution that endorsed the development and use of a condensed privacy notice format that would be standardized across the globe. Our resolution noted the importance of enabling individuals 'to be well informed and able to exercise choices when the organizations with which they are dealing operate globally' and called for 'development and use of a condensed format for presenting an overview of privacy information that is standardized world-wide across all organizations.' In addition, simple ways for the individual to locate further, more detailed (but still understandable) information (if desired) should be made available.

Since the Sydney conference, a working group of Commissioners, including the IPC, business leaders, lawyers, and privacy practitioners, has been hammering out solutions for developing and implementing a global privacy notice. The group met in Berlin in March 2004 and prepared a memorandum (the 'Berlin Memorandum') that emphasized that effective privacy notices should be multi-layered, with all layers using plain language. Other parts of the suggested framework included:

• Comprehension and plain language: All layers should be understandable so individuals can make an informed decision;
• Compliance: All layers taken together should comply with relevant law, and each individual layer must have information necessary for an informed decision;
• Format and consistency: All layers should have consistent format and layout;
• Brevity: The short layer should have no more than seven categories; and
• Public sector: The concepts are equally applicable to governmental and private sector collections of personal information.

The Berlin Memorandum also emphasized that a short notice should contain no more information than individuals can reasonably process. Calling for a consistent format, the memorandum noted that boxes with bold headings were preferred by consumer focus groups.

For the short notice in particular, the Berlin document listed the desired content:

• Who the notice covers (ie, the responsible person or entity);
• The types of information collected from the individual and from others;
• Uses or purposes for information processing;
• Who receives the information if it is shared;
• Information about choices the indi-vidual can make to limit use, or obtain access, or exercise other rights; and
• Contact information for the body or individual collecting the information, as well as information about complaints.

It was further suggested that short notices within sectors be formatted in a similar manner to facilitate comparisons.

The Win-Win of Short Notices

At first glance, it might seem that the short notices movement only benefits the consumer, client, or patient from whom information is being collected. While this is true, there are also considerable benefits for organizations and companies.

For individuals, short notices:

• provide an easy way to become well informed about what an organization does with their personal information;
• allow people to become empowered with a choice over what happens to their personal information; and
• provide a consistent look and feel for these messages in different contexts (ie, health, business, government).

While individuals are the main beneficiaries of improved communication of information about an organization's privacy practices, there are also benefits for organizations (both public and private-sector), such as:

• being able to communicate more effectively with the public, which allows for the growth of a relationship based on trust, through clearly expressed concepts in simple language;
• using the standardized format glo-bally to provide for economies of scale (IBM is presently doing this);
• reminding staff of various organizations of the privacy rules in place; and
• being able to effectively comply with any notice requirement of legislation.

From Theory to Practice in the Health Sector

In Ontario, the IPC has taken a leadership role in strongly promoting the use of short notices in the health sector. The Personal Health Information Protection Act ('PHIPA'), which came into effect on Nov. 1, 2004, sets out rules for the collection, use, and disclosure of personal health information. These rules apply to all health care providers (called health information custodians) operating within the province of Ontario and to individuals and organizations that receive personal health information from health information custodians. PHIPA requires custodians to take reasonable steps to inform the public about their information practices and how individuals may exercise their rights.

The IPC is the oversight body for PHIPA and has a mandate under the Act to educate the public about it. The approach taken for oversight and for public education is called 'The Three C's': Consultation, Cooperation, and Collaboration. The IPC has produced numerous guides, publications, and fact sheets about the new legislation, all available on its Web site (http://www.ipc.on.ca/), as well as in hard copy.

In addition, the required notices prepared by health professionals must serve as effective communication tools ' they must provide useful and understandable information to patients. The traditional notice, written in legalese, would not satisfy the obligation to provide notice under the Act. Thus, it was natural, early in the new Act's life, when questions began coming in about what needed to be included in the statement of information practices, for the IPC to form a working group to develop the short notices, in line with the guidelines being developed internationally. The project was a joint effort of the IPC and the Ontario Bar Association's Privacy Law and Health Law sections. The members brought expertise from various parts of the health care sector, such as the Ministry of Health; the Ontario Dental Association; and practitioners who advised hospitals, health care providers, and long-term care facilities.

The Short Notices Working Group was established in the fall of 2004 in order to develop notices under PHIPA. This project has been a conscious effort to develop and promote the use of short notices and, to the best of our knowledge, is one of only several projects around the world focusing on short notices in the health sector, most notably including the Hunton & Williams Center for Information Policy Leadership's work on notices for the U.S. Health Insurance Portability and Account-ability Act ('HIPAA').

'We started by looking at the model developed by Hunton & Williams for HIPAA, and using it as a springboard, branched out from there to make it applicable to the Ontario legislation,' said Mary O'Donoghue, Manager, Legal Services and Senior IPC Counsel.

The group's goals were twofold:

to ensure that patients are well informed of their rights and had the knowledge to exercise those rights; and to help Health Information Custodians (a defined term under the act; essentially the organization or individual who is responsible for health information), to effectively communicate with the public about their information practices and how patients may exercise their rights, as required by the legislation.

In line with the Berlin Memorandum, our PHIPA Short Notices Group has adopted a multi-layered approach, with an emphasis on developing separate short notices for each of the following health care groups:

• Primary care providers;
• Hospitals and facilities; and
• Long-term care facilities.

Primary Care Notices are not profession-specific, but can apply to all primary health care providers. The simple templates have a consistent layout and format and contain necessary but understandable information about the collection, use, and disclosure of personal health information. The first layer of the notices is in the form of bold, colorful wall or notice board posters. These PHIPA notices can be used in poster or handout form, or online, and include space for facility contact information. The accompanying brochures are varied in length, depending on whether they are for primary care or hospital use. They also are usable online as well as in hard copy; have a consistent look with the corresponding notice/poster; provide greater detail for issues raised in the notices; and include space for facility contact information.

The simple language used is both striking and refreshing. Here is another sample, from a complex section of PHIPA about a hospital's sharing of information for fundraising and marketing purposes:

In many communities, hospitals and other health care organizations raise funds for improving health care services, such as buying new medical equipment. To support these efforts, the law allows limited information about you to be shared for fundraising. Details about your health condition cannot be shared. But fundraisers do need your name and address, so that they can contact you or someone who is acting on your behalf. You can tell us at any time if you do not want to be contacted. Otherwise, you may receive a letter about donating once 60 days have passed from our last contact.

The three sets of documents (poster and brochure for hospitals, facilities and offices) condense 167 pages of legislation into a much shorter format that is eminently readable.

These notices are expected to have a fundamental impact on the way that privacy rights are communicated within Ontario's health sector. Affecting more than 12 million Ontarians, including a half-million health care workers, Short Notices promise nothing less than a shift in the culture of complicated language and privacy notices. The notice becomes far more than a tool for due diligence; it is a serious endeavor to reach the public, to communicate effectively with individuals, and to maintain a relationship between the patient and health care provider that is based on mutual understanding and trust. Everyone in the province, not just the lawyers and policy analysts, will now have access to understandable information about privacy rights in the health sector.

Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario, Canada, has been involved in a number of international committees focused on privacy, technology, and business. She has written extensively on advancing privacy protection through the pursuit of privacy-enhancing technologies. She is also the published author of groundbreaking books on privacy and frequently lectures at leading international forums.

'Ontario has a law that protects your personal health information, including information about you kept at this hospital. We are required to keep your personal health information safe and secure. You have the right to know how we may use and give it out and how you can get access to it.'

These three sentences ' short, sweet, simple ' begin the text of a poster called 'Health Information Privacy in our Hospital.' This poster, one of three in a series (which includes 'in our facility' and 'in our office'), and the three accompanying brochures, are the result of an innovative collaboration that has taken an international consensus and turned it into printed products that are garnering great reviews.

The office of the Information and Privacy Commissioner of Ontario, along with the Ontario Bar Association's Privacy and Health Law sections and the Ontario Dental Association, spearheaded a team to develop short notices for the province's new Personal Health Information Protection Act ('PHIPA'), which launched the products earlier in June 2005.

'When you're dealing with the law of consent ' and PHIPA is a consent-based statute ' adequate notice is a required feature,' said Ken Anderson, Assistant Commissioner (Privacy) of the Information and Privacy Commission of Ontario ('IPC'). 'Ontario's new health privacy legislation was no exception in requiring custodians of personal health information to make available a statement of information practices. Often, lengthy notices have been used to comply with such requirements, with the result being a failure to communicate. Notices are too long, too complex, and, as research has shown, actually raise more doubts in people's minds than they allay.'

The short notices movement was born to address these inadequacies.

Background

Research on privacy policies conducted in the United States and elsewhere has provided persuasive evidence that a layered approach, with an emphasis on clear, short notices of information-handling policies and practices, is the most effective way of building consumer trust. For example, the Hunton & Williams Center for Information Policy Leadership, which has done pioneering work on short notices, conducted focus groups on privacy policies. The Center found that consumer trust in companies is eroded by long, legalistic privacy policies. Focus group participants preferred short privacy notices that clearly communicated how a company was using and sharing their personal information and expressed support for a common 'template' that could be used by different companies.

The Annenberg Public Policy Center of the University of Pennsylvania surveyed Americans in 2003 and found that even self-styled, savvy Internet users not only fail to understand how online companies typically compile information about visitors to Web sites, but also do not understand privacy notices and will not spend much time to learn more. For example, a majority believed that the very existence of a privacy policy meant that no information about them would be shared.

The European Union's Article 29 Data Protection Working Group has made consistent recommendations since 2000 (WP 37, 43, 100) calling for simple and understandable information being provided to online consumers prior to the collection of personal information. This would facilitate compliance with the EU Data Protection Directive's Article 10 requirements concerning information to be given to the data subject.

The growing movement to establish a global short privacy notice had its official birth at the 2003 International Conference of Data Protection and Privacy Commissioners in Sydney, Australia. At that conference, the Commissioners passed a resolution that endorsed the development and use of a condensed privacy notice format that would be standardized across the globe. Our resolution noted the importance of enabling individuals 'to be well informed and able to exercise choices when the organizations with which they are dealing operate globally' and called for 'development and use of a condensed format for presenting an overview of privacy information that is standardized world-wide across all organizations.' In addition, simple ways for the individual to locate further, more detailed (but still understandable) information (if desired) should be made available.

Since the Sydney conference, a working group of Commissioners, including the IPC, business leaders, lawyers, and privacy practitioners, has been hammering out solutions for developing and implementing a global privacy notice. The group met in Berlin in March 2004 and prepared a memorandum (the 'Berlin Memorandum') that emphasized that effective privacy notices should be multi-layered, with all layers using plain language. Other parts of the suggested framework included:

• Comprehension and plain language: All layers should be understandable so individuals can make an informed decision;
• Compliance: All layers taken together should comply with relevant law, and each individual layer must have information necessary for an informed decision;
• Format and consistency: All layers should have consistent format and layout;
• Brevity: The short layer should have no more than seven categories; and
• Public sector: The concepts are equally applicable to governmental and private sector collections of personal information.

The Berlin Memorandum also emphasized that a short notice should contain no more information than individuals can reasonably process. Calling for a consistent format, the memorandum noted that boxes with bold headings were preferred by consumer focus groups.

For the short notice in particular, the Berlin document listed the desired content:

• Who the notice covers (ie, the responsible person or entity);
• The types of information collected from the individual and from others;
• Uses or purposes for information processing;
• Who receives the information if it is shared;
• Information about choices the indi-vidual can make to limit use, or obtain access, or exercise other rights; and
• Contact information for the body or individual collecting the information, as well as information about complaints.

It was further suggested that short notices within sectors be formatted in a similar manner to facilitate comparisons.

The Win-Win of Short Notices

At first glance, it might seem that the short notices movement only benefits the consumer, client, or patient from whom information is being collected. While this is true, there are also considerable benefits for organizations and companies.

For individuals, short notices:

• provide an easy way to become well informed about what an organization does with their personal information;
• allow people to become empowered with a choice over what happens to their personal information; and
• provide a consistent look and feel for these messages in different contexts (ie, health, business, government).

While individuals are the main beneficiaries of improved communication of information about an organization's privacy practices, there are also benefits for organizations (both public and private-sector), such as:

• being able to communicate more effectively with the public, which allows for the growth of a relationship based on trust, through clearly expressed concepts in simple language;
• using the standardized format glo-bally to provide for economies of scale (IBM is presently doing this);
• reminding staff of various organizations of the privacy rules in place; and
• being able to effectively comply with any notice requirement of legislation.

From Theory to Practice in the Health Sector

In Ontario, the IPC has taken a leadership role in strongly promoting the use of short notices in the health sector. The Personal Health Information Protection Act ('PHIPA'), which came into effect on Nov. 1, 2004, sets out rules for the collection, use, and disclosure of personal health information. These rules apply to all health care providers (called health information custodians) operating within the province of Ontario and to individuals and organizations that receive personal health information from health information custodians. PHIPA requires custodians to take reasonable steps to inform the public about their information practices and how individuals may exercise their rights.

The IPC is the oversight body for PHIPA and has a mandate under the Act to educate the public about it. The approach taken for oversight and for public education is called 'The Three C's': Consultation, Cooperation, and Collaboration. The IPC has produced numerous guides, publications, and fact sheets about the new legislation, all available on its Web site (http://www.ipc.on.ca/), as well as in hard copy.

In addition, the required notices prepared by health professionals must serve as effective communication tools ' they must provide useful and understandable information to patients. The traditional notice, written in legalese, would not satisfy the obligation to provide notice under the Act. Thus, it was natural, early in the new Act's life, when questions began coming in about what needed to be included in the statement of information practices, for the IPC to form a working group to develop the short notices, in line with the guidelines being developed internationally. The project was a joint effort of the IPC and the Ontario Bar Association's Privacy Law and Health Law sections. The members brought expertise from various parts of the health care sector, such as the Ministry of Health; the Ontario Dental Association; and practitioners who advised hospitals, health care providers, and long-term care facilities.

The Short Notices Working Group was established in the fall of 2004 in order to develop notices under PHIPA. This project has been a conscious effort to develop and promote the use of short notices and, to the best of our knowledge, is one of only several projects around the world focusing on short notices in the health sector, most notably including the Hunton & Williams Center for Information Policy Leadership's work on notices for the U.S. Health Insurance Portability and Account-ability Act ('HIPAA').

'We started by looking at the model developed by Hunton & Williams for HIPAA, and using it as a springboard, branched out from there to make it applicable to the Ontario legislation,' said Mary O'Donoghue, Manager, Legal Services and Senior IPC Counsel.

The group's goals were twofold:

to ensure that patients are well informed of their rights and had the knowledge to exercise those rights; and to help Health Information Custodians (a defined term under the act; essentially the organization or individual who is responsible for health information), to effectively communicate with the public about their information practices and how patients may exercise their rights, as required by the legislation.

In line with the Berlin Memorandum, our PHIPA Short Notices Group has adopted a multi-layered approach, with an emphasis on developing separate short notices for each of the following health care groups:

• Primary care providers;
• Hospitals and facilities; and
• Long-term care facilities.

Primary Care Notices are not profession-specific, but can apply to all primary health care providers. The simple templates have a consistent layout and format and contain necessary but understandable information about the collection, use, and disclosure of personal health information. The first layer of the notices is in the form of bold, colorful wall or notice board posters. These PHIPA notices can be used in poster or handout form, or online, and include space for facility contact information. The accompanying brochures are varied in length, depending on whether they are for primary care or hospital use. They also are usable online as well as in hard copy; have a consistent look with the corresponding notice/poster; provide greater detail for issues raised in the notices; and include space for facility contact information.

The simple language used is both striking and refreshing. Here is another sample, from a complex section of PHIPA about a hospital's sharing of information for fundraising and marketing purposes:

In many communities, hospitals and other health care organizations raise funds for improving health care services, such as buying new medical equipment. To support these efforts, the law allows limited information about you to be shared for fundraising. Details about your health condition cannot be shared. But fundraisers do need your name and address, so that they can contact you or someone who is acting on your behalf. You can tell us at any time if you do not want to be contacted. Otherwise, you may receive a letter about donating once 60 days have passed from our last contact.

The three sets of documents (poster and brochure for hospitals, facilities and offices) condense 167 pages of legislation into a much shorter format that is eminently readable.

These notices are expected to have a fundamental impact on the way that privacy rights are communicated within Ontario's health sector. Affecting more than 12 million Ontarians, including a half-million health care workers, Short Notices promise nothing less than a shift in the culture of complicated language and privacy notices. The notice becomes far more than a tool for due diligence; it is a serious endeavor to reach the public, to communicate effectively with individuals, and to maintain a relationship between the patient and health care provider that is based on mutual understanding and trust. Everyone in the province, not just the lawyers and policy analysts, will now have access to understandable information about privacy rights in the health sector.

Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario, Canada, has been involved in a number of international committees focused on privacy, technology, and business. She has written extensively on advancing privacy protection through the pursuit of privacy-enhancing technologies. She is also the published author of groundbreaking books on privacy and frequently lectures at leading international forums.