As part of a project funded by Canada’s Office of the Privacy Commissioner, the Electronic Health Information Laboratory has released a pair of online courses focusing on data privacy and anonymization. Issued in both English and French, they represent an excellent primer for those looking to get up to speed on how to operationalize anonymization as part of a privacy program in the private sector.
“There wasn’t much guidance around best practices in the marketplace,” said Khaled El Emam, who adapted content from his 2013 “Guide to the De-Identification of Personal Health Information” for the courses, which run almost seven hours in total. And while “the legal framework is obviously specific to Canada,” El Emam said the methods described should be valid anywhere in the world.
“We feel like this provides a baseline around what good practices are,” he said, “for both commercial and government organizations.”
The first course, intended to be more introductory in nature, focuses on the Canadian legal framework and the basic risks of not handling PII properly. It’s a good starter privacy professionals might use to educate the C-suite or to get peers on board with the privacy program.
The second course, running to five hours, is a deep dive intended for privacy professionals looking to use de-identification as part of regular operations, whether in applying big data analytics or simply reducing privacy risk. There are 12 modules, in total, and even a section on contractual and security controls.
Elizabeth Jonker, research coordinator at EHIL, which is part of the CHEO Research Institute, said the goal is to get these courses integrated into corporate training programs, but that they have usefulness beyond just internal training. “They can also use these,” she said, “to educate their vendors, who are receiving data, on how to properly handle and protect the privacy of the data.”
There’s the added bonus, too, that the content jibes with the de-identification guidelines published last summer by the Ontario commissioner’s office.
“Those have been very well received,” noted El Emam, “and what we’ve put together is very consistent with those guidelines.” That helps, he said, to build up a body of best practices, when privacy professionals are getting similar information from multiple vectors.
The best part, of course, is that the courses are free, and will be updated regularly. Look for an updated version in about six-to-12 months, and then annually after that.