The Ontario IPC and Hewlett-Packard have released a joint paper entitled “RFID and Privacy – Guidance for Health-Care Providers.” The report discusses the privacy issues associated with RFID health care applications, grouped into three types:
- those involving tagging things
- those involving tagging things linked to people and
- those involving tagging people.
It identifies the latter two types as being privacy sensitive, with tagging “things linked to people” being more sensitive if the link is strong, as is the case with tags affixed to individually-prescribed vials of medicine. As with most IPC reports of this type, the authors have generally guarded against making potentially binding statements on specific issues. While the authors note many new applications and comment generally on their potential benefit, the report neither endorses nor denounces any specific application. The strongest statement in the report was made about an application totally unrelated to health care. On the use of contactless identification cards for employee identification purposes, the authors said:
RFID-embedded (“contactless”) Identification cards are a special category of health care RFID use. Here we must distinguish between employee identification (and access) cards (whether “smart” or not), and patient identification cards. Employee Identification cards are increasingly being equipped with RFID technologies in order to identify and authenticate the bearer and facilitate access to physical spaces and other (e.g. computer) resources, as well as for process control and audit purposes. Dual or multi-purpose employee identity cards can serve differing functions at different times, according to context. Such a multi-purpose card and the data it contains, if not properly controlled, invites over-identification for some functions, function creep, and unwanted employee profiling.
While making this strong statement on employee identification, the report said that an RFID patient identification program may be acceptable where it…
…responds to a defined problem or issue in a limited, proportional and effective manner, and is deployed in a way that minimizes privacy and security risks, at least as effectively as any alternative solution.
I sense the two pull quotes above were the subject of considerable discussion. And while employers in Ontario should take heed of the report’s warning, the IPC has a very limited jurisdiction to enforce employee privacy rights in Ontario, even on behalf of employees who work at hospitals.