The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Wednesday, September 02, 2009
The Information and Privacy Commissioner of Ontario has released written guidance on the "circle of care" under that province's Personal Health Information Protection Act, entitled Circle of Care: Sharing Personal Health Information for Health-Care Purposes.
Here's the news release:
Privacy Commissioner Cavoukian and seven health organizations team up to eliminate confusion over key element of health privacy law
TORONTO, Sept. 2 /CNW/ - Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, today released a new publication that includes specific practical examples to help clarify any confusion over when health information custodians can assume a patient's implied consent to collect, use or disclose personal health information.
The brochure, Circle of Care: Sharing Personal Health Information for Health-Care Purposes, was developed with the collaboration of seven health organizations. "This brochure cuts through the confusion surrounding the term circle of care," said the Commissioner. "We are using seven relevant examples from across the broader continuum of the health sector to provide such clarification."
"There had been some confusion in the health sector as to the meaning and scope of the circle of care concept," explained Commissioner Cavoukian. "In part, this may have been because the term does not appear in the Personal Health Information Protection Act, 2004. It is, however, commonly used in the health-care community to describe the provisions in the Act that permit health-care providers to assume a patient's implied consent to collect and use personal health information - and to share that information with other health-care providers - in order to provide health care to that patient, unless the patient expressly indicates otherwise."
The Act is based on the premise that privacy can be protected, without needless delays in the health system.
"Overall, the Act is working very well, but clarity needed to be brought to bear on the circle of care concept," said Commissioner Cavoukian.
The seven examples in the brochure address this. As a fictional 61-year-old patient is followed through much of the health-care system, the examples provide specific guidance relating to when a health provider can assume implied consent.
The seven health organizations that worked with the IPC include (in alphabetical order): the College of Physicians and Surgeons, the Ontario Association of Community Care Access Centres, the Ontario Association of Non-Profit Homes and Services for Seniors, the Ontario Hospital Association, the Ontario Long Term Care Association, the Ontario Medical Association and the Ontario Ministry of Health and Long-Term Care.
Here is a condensed version of one of the examples used in the brochure:
A patient is sent by his family doctor to a laboratory for blood and urine testing. A geriatrician, a specialist whom the patient has been referred to by his family doctor, would like to obtain the results of those tests. He would also like to obtain a list of the patient's current prescriptions from the pharmacy where he fills all his prescriptions.
Can the laboratory and pharmacy disclose this personal health information and can the geriatrician collect information based on assumed implied consent?
Yes. The laboratory, pharmacy and geriatrician may assume implied consent. The personal health information was received by the laboratory and pharmacy - and will be received by the geriatrician - for the purpose of providing health care to this patient.
"Personal health information may be shared within the circle of care - among health-care providers who are providing health care to a specific patient - but not outside that circle," stressed Commissioner Cavoukian. "Any sharing of personal health information with other health-care providers for purposes other than the provision of health care - or the sharing of personal health information with persons or organizations that are not health-care providers, such as insurers and employers - requires the express consent of the patient."
To see a copy of the brochure, visit http://www.ipc.on.ca/.
Thursday, April 17, 2008
The Ontario Information and Privacy Commissioner is investigating after old medical records were found in a dumpster behind a coffee shop by a retiree. The affected patients will have to be notified as the information is subject to PHIPA, which contains Canada's only mandatory breach notification. See: TheSpec.com - Local - St. Joe's patient files found in dumpster.
Monday, March 31, 2008
Last week's New York Times had an editorial on Safeguarding Private Medical Data:
... These are good steps, but a larger solution is needed. There should be a federal law imposing strict privacy safeguards on all government and private entities handling medical data. Congress should pass a bill like the Trust Act, introduced by Representative Edward Markey, a Democrat of Massachusetts, imposing mandatory encryption requirements and deadlines for notifying patients when their privacy is breached. As the N.I.H. has shown, medical privacy is too important to be left up to the medical profession.
In today's edition, Ontario's Information and Privacy Commissioner responds:
Ontario’s Example on Privacy - New York Times
To the Editor:
Re: Editorial: Safeguarding Private Medical Data (March 26, 2008)
I couldn’t agree with you more. In Ontario, we take privacy very seriously, especially when it comes to medical data.
Four years ago, we passed the Personal Health Information Protection Act, or Phipa, and haven’t looked back. This law provides solid privacy protection for health data but doesn’t act as a barrier to the delivery of health services. It doesn’t interfere with health care but ensures that it comes wrapped in a layer of privacy.
As privacy commissioner of Ontario, I can investigate complaints and issue orders if Phipa is breached. One order I issued requires that any identifiable health data must be encrypted if removed from a health care facility on a laptop or any other medium.
Medical privacy is far too important to be left to chance, or to the well intentioned. Strong legislated safeguards are needed.
Take a look at Phipa, which could serve as an excellent model.
Toronto, March 27, 2008
Saturday, September 22, 2007
Earlier this week, the Ontario Court of Justice struck down the opening of adoption records in that province under the Adoption Information Disclosure Act. The decision is here.
The Information and Privacy Commissioner of Ontario has issued a press release about the decision:
IPC - Office of the Information and Privacy Commissioner/Ontario
News Release September 19, 2007
Court ruling strikes down privacy-invasive provisions of adoption disclosure law: Commissioner Cavoukian
TORONTO – Today’s court decision quashing the opening of past adoption records through Ontario’s Adoption Information Disclosure Act confirms the importance of an individual’s right to privacy, said Ontario Information and Privacy Commissioner, Ann Cavoukian.
The ruling declares that the law is unconstitutional – it breaches section 7 of the Canadian Charter of Rights and Freedoms and thus, the sections of the Act relating to access to birth registration information “are declared invalid and of no force and effect.” As the Court noted, the Charter, “… is intended primarily to protect individuals and minorities against the excesses of the majority.”
The Commissioner constantly urged the government to amend the legislation to protect the privacy of past adoptions, giving birth parents and adoptees the right to file a “disclosure veto,” which would allow them the option of blocking access to their birth registration information. While this would provide much-needed protection for the minority, it would, as the Court noted, “… in fact allow the vast majority to get the information they were seeking.”
“While I supported the overall thrust of this Act, I fought long and hard to convince the Ontario government to introduce a crucial amendment that would provide much-needed protection for a number of deeply worried birth mothers and adoptees. Some literally feared that the Act – without the amendment I proposed – would shatter their lives. Now their prayers have been answered.”
Commissioner Cavoukian did not object to the opening of future records, but repeatedly cautioned that changing the rules retroactively, and exposing the identities of birth parents who entered into the adoption process in an era when secrecy was the norm, could have major repercussions. Despite the passing of the Act last year, the Commissioner continues to receive heart-wrenching letters, e-mails and calls from birth parents and adoptees expressing their concern – and in some cases great fear and despondency.
This court ruling will mean that Ontario residents no longer have less privacy protection than persons in the three other Canadian provinces that have adoption disclosure laws where the legislation is applied retroactively. Each of those provinces – unlike Ontario – passed laws with a provision for a disclosure veto for those who were involved in adoptions prior to the new legislation. “This is what should have happened here” says Commissioner Cavoukian.
In the words of the Court, “People expect, and are entitled to expect, that the government will not share [confidential personal] information without their consent. The protection of privacy is undeniably a fundamental value in Canadian society, especially when aspects of one’s individual identity are at stake.”
The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, and the Personal Health Information Protection Act, and helping to educate the public about access and privacy issues.
Saturday, March 10, 2007
The Information and Privacy Commissioner of Ontario yesterday released order HO-004 under the Personal Health Information Protection Act following the theft of a laptop containing confidential personal health information on 2,900 patients at the Sick Kids hospital in Toronto.
The order requires the hospital
While the order directly relates to a hospital, it would apply to all health information custodians in the province of Ontario and will likely serve as guidance to all health care providers in the country.
For more info, see TheStar.com - News - Sick Kids ordered to encrypt all electronic patient files.
Wednesday, January 24, 2007
The Winter 2007 edition of the Ontario Information and Privacy Commissioner's Perspectives was just released. It includes a look at some of the major projects relating to privacy or freedom of information that her office has been working on.
The newsletter also contains reviews of recent significant orders issued under the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, or the Personal Health Information Protection Act, information about recent IPC publications, upcoming presentations and more.
Tuesday, November 14, 2006
I spent yesterday in Ottawa at the Electronic Health Information and Privacy Conference. The speakers were very good and the topics covered a very wide range of sub-topics, including privacy enhancing technology, data masking, and research use of personal health information.
IT Business has some coverage of the conference here. What I found to be one of the most telling observations was made by Dr. Geiger of the Ottawa Hospital:
As Dr. Glen Geiger, the Ottawa Hospital’s medical director of clinical information systems told the conference, even hospital employees don’t want their personal health information loaded onto the electronic patient record. They flag their records to have them registered in special outpatient accounts so the results do not populate the electronic record, Geiger said.
“Treating personal health information for staff differently from that of everyone else creates two classes of citizens,” Geiger said. “That’s wrong. If our staff don’t trust us to keep their information private, why should anyone else?”
I continue to be puzzled about the assumption that PIPEDA allows "implied consent" within a mythical "circle of care". This assumption is expressed in a number of areas, but the prime example is in the PIPEDA Awareness Raising Tools (PARTs) Initiative for the Health Sector.
This may appear eminently reasonable, but I don't think it's a foregone conclusion that a judge would agree. The relevant provision in PIPEDA says that the form of the consent has to be based on the sensitivity of the information. If health information is among the most sensitive (not much debate on this topic), it follows that it requires robust consent. Implied consent doesn't really cut it. I've written about this before if you want to read about it in greater depth (see Focus on Privacy: The Application of PIPEDA to Personal Health Information).
40. Can consent be implied for the use and disclosure of personal health information under PIPEDA?
Yes, once patients are made aware of their privacy rights (see answer #38), consent is implied if the patient continues to seek care and treatment. Thus current practice of implied consent for the primary use of personal information in the direct care and treatment of an individual patient, as defined in a circle of care, will continue under PIPEDA. For example, a lab may infer consent because the individual would reasonably expect that the results be sent to the provider who ordered the lab work.
41. Is consent implied for the disclosure of personal health information to private insurance companies or third party payers for the purposes of reimbursement of health services rendered?
In certain circumstances, yes. In circumstances where the current practice is to obtain written consent by making the patient sign a reimbursement form, the practice should continue. Where no form is signed, implied consent is acceptable provided patients understand that this is happening and have not behaved in a way that may indicate a refusal of consent (see answer #38).
42. When does PIPEDA require express consent?
In commercial activities, the patient's oral or written consent is generally required for all uses and disclosures that are not directly related to the care and treatment of a patient.
This position is also adopted in the Pan-Canadian Health Information Privacy and Confidentiality Framework. Implied consent within the circle of care may be the rule in Ontario's PHIPA, but assuming it is also the rule in PIPEDA is more than a little bit risky.
Wednesday, October 18, 2006
As alluded to earlier this week, the Information and Privacy Commissioner of Ontario has released her whitepaper, 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age. It's interesting reading but probably will not be comprehensible to lay readers. Here's the media release and links for more info:
IPC - Commissioner Ann Cavoukian unveils plan for privacy-embedded Internet identity
TORONTO – Consumers today are being spammed, phished, pharmed, hacked and otherwise defrauded out of their personal information in alarming numbers, in large part because there are few reliable ways for them to distinguish the “good guys” from the “bad” online.
Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario, today announced her support for a global online identity system framework by outlining seven far-reaching “privacy-embedded” laws, which would help consumers verify the identity of legitimate organizations before making online transactions.
These laws were inspired by the 7 Laws of Identity formulated through a global dialogue among security and privacy experts, headed by Kim Cameron, Chief Identity Architect at Microsoft. The 7 Laws of Identity propose the creation of a revolutionary “identity layer” for the Internet, providing a broad conceptual framework for a universal, interoperable identity system.
Dr. Cavoukian’s 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age incorporates additional key insights from the privacy arena. An extension of the original 7 Laws, they encourage privacy-enhanced features to be embedded into the design of the IT architecture and be made available early in the emerging universal identity system.
The Internet was built without a way to know who and what individuals are connecting to. This limits what people can do and exposes computer users to potential fraud. If the IT industry and government do nothing, the result will be rapidly proliferating episodes of theft and deception that will cumulatively erode public trust. That confidence is already eroding as a result of spam, phishing and identity theft, which leaves online consumers vulnerable to the misuse of their personal information and minimizes the future potential of e-commerce. The Privacy-Embedded Laws of Identity support the global initiative to empower consumers to manage their own digital identities and personal information in a much more secure, verifiable and private manner.
“Just as the Internet saw explosive growth as it sprang from the connection of different proprietary networks, an ‘Identity Big Bang’ is expected to happen once an open, non-proprietary and universal method to connect identity systems and ensure user privacy is developed in accordance with privacy principles,” said Dr. Cavoukian. “Microsoft started a global privacy momentum. Already, there is a long and growing list of companies and individuals who now endorse the 7 Laws of Identity and are working towards developing identity systems that conform to them.”
“We are honoured to work with Dr. Cavoukian on this project, who along with us and other IT companies are endorsing global privacy laws and fair information practices,” said Peter Cullen, Chief Privacy Strategist, Microsoft. “Best business practices that ensure both security and identity are what is needed to help keep the Internet’s integrity intact. These 7 Laws, with specific articulation of privacy protections, are a big step in that direction.”
Other privacy-enhanced laws will help to minimize the risk that one’s online identities and activities will be linked together, said Dr. Cavoukian. “We already expect this in the real world when we present a library card, for example, to check out a book, and present our passport to cross a national border. We don’t expect these to be linked together. Nor is the access card we use to enter our office the same as the transit pass we use to board a bus. In the physical world, different transactions require different identity credentials, but they need not be linked together. It should be no different in the online environment.”
The next generation of intelligent and interactive web services (“Web 2.0”) will require more, not fewer, verifiable identity credentials, and much greater mutual trust to succeed.
Identity systems that are consistent with the Privacy-Embedded Laws of Identity will help consumers verify the identity of legitimate organizations before they decide to continue with an online transaction.
These Privacy-Embedded Laws offer individuals:
- easier and more direct user control over their personal information when online;
- enhanced user ability to minimize the amount of identifying data revealed online;
- enhanced user ability to minimize the linkage between different identities and actions;
- enhanced user ability to detect fraudulent messages and websites, thereby minimizing the incidence of phishing and pharming.
Corresponding Privacy-Embedded Principles
Take, for example, Law #1, Personal Control and Consent, which emphasizes that individuals should be in full local control of their own identity information, and exercise informed consent over how their identity information is collected and used by others. One privacy benefit of applying this principle is that identity credentials could be stored locally and securely on a user’s own computer rather than in a centralized online database.
Another example: Law #2, Minimal Disclosure for Limited Use: Data Minimization, speaks to building technical identity systems that minimize the amount of identity information used and disclosed in a given online transaction. In the privacy world, a cardinal rule is that the identification provided should be proportional to the sensitivity of the transaction and its purpose. Why should a credit card number ever be used to verify one’s age? Put another way, why isn’t there a credential that allows people to prove they’re over 65 without revealing all of their other identity information? If someone can prove she is a bona fide university student to gain preferential access to online resources at other educational institutions, then why is her name needed? These privacy-enhanced solutions are all possible under the Privacy-Embedded Laws of Identity.
“We call upon software developers, the privacy community and public policymakers to consider the Privacy-Embedded Laws of Identity closely, to discuss them publicly, and take them to heart,” Dr. Cavoukian declared. “In joining with us to promote privacy-enhanced identity solutions at a critical time in the development of the Internet and e-commerce, both privacy and identity/security will more likely be strongly protected.”
The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, as well as the Personal Health Information Protection Act, and helping to educate the public about access and privacy issues.
- The Laws of Identity (the key to this site): an introduction to Digital Identity – the missing layer of the Internet.
- The Identity Metasystem: a proposal for building an identity layer for the Internet.
Monday, August 28, 2006
I blogged yesterday about the controversy surrounding an indirect CIA investee company providing services to Canadian health providers (Canadian Privacy Law Blog: Privacy groups slam use of CIA-backed software to index Canadian health files). The Information and Privacy Commissioner of Ontario just issued an investigation report (PHIPA Report HI06-45) and the following media release in response:
Electronic health information strongly protected in Ontario: Commissioner Cavoukian
TORONTO, Aug. 28 /CNW/ - An investment in Initiate Systems Inc., a company providing software to an electronic health record application in Ontario, does not provide the CIA or anyone else with access to personal health information, says Dr. Ann Cavoukian, Ontario's Information and Privacy Commissioner.
In March 2006, In-Q-Tel, the venture capital arm of the CIA, invested in Initiate Systems Inc., whose software is being used in provincial electronic health record applications across Canada under an agreement with Canada Health Infoway, a federally funded, non-profit corporation that leads electronic health initiatives in Canada.
Prior to In-Q-Tel's investment, Initiate Systems' software was selected for use in one application in Ontario - the Enterprise Master Patient Index (EMPI). Although the EMPI contains health card numbers and other identifying information, it does not include diagnoses, prognoses, or other clinical information typically shared between health care providers and their patients. In Ontario, the Personal Health Information Protection Act establishes rules for the collection, use and disclosure of personal health information and designates the Office of the Information and Privacy Commissioner/Ontario as the body responsible for overseeing compliance with the legislation.
On August 11, 2006, privacy advocates expressed concerns that In-Q-Tel's investment in Initiate Systems may give the CIA access to provincial medical records. Commissioner Cavoukian immediately launched a privacy investigation into the allegations to determine if any personal health information was being disclosed in contravention of Ontario's health privacy legislation.
Among the Commissioner's findings in her investigation report:
- Cancer Care Ontario, which operates the EMPI on behalf of the Ministry of Health and Long-Term Care, allows Initiate Systems Inc. extremely narrow, on-site access to personal health information, under tightly controlled and limited conditions, and only as necessary to enable Initiate Systems Inc. to provide the services that it is contractually obligated to provide;
- No health information from the EMPI flows outside of Ontario;
- In-Q-Tel's investment in Initiate Systems Inc. does not allow In-Q-Tel to access any health information contained in the Ontario EMPI.
"Cancer Care Ontario, an organization that my office has worked with on privacy issues since the implementation of the Personal Health Information Protection Act nearly two years ago, has an extensive array of privacy safeguards in place," said Commissioner Cavoukian.
In addition to written privacy, confidentiality and security provisions in the Master Software License and Services Agreement with Initiate Systems Inc., other safeguards include:
- Initiate Systems does not have any remote access to EMPI data and performs all technical support for the EMPI in Ontario, with comprehensive security measures in place;
- Access to the EMPI by Initiate Systems' staff must be authorized and verified by CCO and may only occur on its Ontario premises; and
- Initiate Systems is prohibited from disclosing EMPI data to any party without the prior written consent of CCO, which has neither been sought nor granted.
Looking further ahead, Commissioner Cavoukian makes three recommendations in her investigation report, which is posted on the IPC's website: www.ipc.on.ca.
RECOMMENDATIONS
1. The Commissioner should be consulted concerning any proposed amendments or changes to the confidentiality or privacy obligations contained in the agreement between CCO and Initiate Systems.
2. The MOHLTC or any other person who operates the EMPI in the future should advise the Commissioner if there is a breach of the confidentiality or privacy obligations of the agreement by Initiate Systems, and the steps taken to mitigate the breach, the measures taken to prevent subsequent breaches, and the manner and nature of the notification provided to individuals whose personal health information is contained in the EMPI.
3. The MOHLTC or any other person who operates the EMPI in the future using the Initiate Software should advise the Commissioner when changes will be made to the source code for the Initiate Software, as well as the nature and rationale for these changes.
The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, and the Personal Health Information Protection Act, and helping to educate the public about access and privacy issues.
Tuesday, August 01, 2006
The Information and Privacy Commissioner of Ontario has issued her second order under the province's new Personal Health Information Protection Act.
The complaint concerns a pretty deplorable situation that took place at the Ottawa Hospital. The complainant was admitted to the hospital and advised that she did not want her estranged husband and his girlfriend (both were employees of the hospital) to know of her admission or of her situation. Subsequent discussion with her husband demonstrated that he knew about her admission and the patient complained.
An investigation revealed that the girlfriend had accessed the complainant's electronic health record a number of times and disclosed it to the estranged husband. The Commissioner was less than impressed, as demonstrated by the postscript to the executive summary:
This was a truly regrettable situation in which a patient who was admitted to a hospital, made a specific request to prohibit her estranged husband and his girlfriend, a nurse at the hospital, from having any information regarding her hospitalization, only to learn that the exact opposite had occurred.
Despite having alerted the hospital to the possibility of harm, the harm nonetheless occurred. While the hospital had policies in place to safeguard health information, they were not followed completely, nor were they sufficient to prevent a breach of this nature from occurring. In addition, the fact that the nurse chose to disregard not only the hospital’s policies but her ethical obligations as a registered nurse, and continued to surreptitiously access a patient’s electronic health record, disregarding three warnings alerting her to the seriousness of her unauthorized access, is especially troubling. Protections against such blatant disregard for a patient’s privacy by an employee of a hospital must be built into the policies and practices of a health institution.
This speaks broadly to the culture of privacy that must be created in healthcare institutions across the province. Unless policies are interwoven into the fabric of a hospital’s day-to-day operations, they will not work. Hospitals must ensure that they not only educate their staff about the Act and information policies and practices implemented by the hospital, but must also ensure that privacy becomes embedded into their institutional culture.
As one of the largest academic health sciences centres in Canada, the Ottawa Hospital had properly developed a number of policies and procedures; but yet, they were insufficient to prevent members of its staff from deliberately undermining them.
Tuesday, June 27, 2006
Ann Cavoukian has tabled her annual report for 2005 in the Ontario Provincial Parliament. I haven't had a chance to review it in detail, but it appears to be full of interesting information.
Here is the media release:
IPC - Government spending must be open to the public: Commissioner Cavoukian says greater transparency needed:
NEWS RELEASE : June 27, 2006
Government spending must be open to the public: Commissioner Cavoukian says greater transparency needed
While considerable gains have been made, government organizations nonetheless continue to use the Freedom of Information and Protection of Privacy Act as a shield to block the release of consultants’ contracts and the financial arrangements made with suppliers of goods and services, said Information and Privacy Commissioner Ann Cavoukian.
Since early 2005, the IPC has overturned 11 decisions made by provincial or municipal organizations that refused to disclose this type of information. The requesters seeking the information had to appeal those decisions to my office to obtain the desired records, said Commissioner Cavoukian. Other requesters may have just given up, not bothering to file an appeal. “This is a complete waste of the time and resources of all parties involved,” said the Commissioner, who is urging municipal and provincial government organizations in Ontario to make a concerted effort towards ensuring that the public has full access to government spending records.
In her 2005 annual report, which she released today, Commissioner Cavoukian is asking every government office planning to hire a consultant, contractor, or service provider to immediately make it clear to them that the information they submit will most likely be made available to the public. “The default position should be that financial and all other pertinent information related to a contract will be made publicly available,” said Commissioner Cavoukian. Only in exceptional circumstances will withholding the financial terms of government contracts be justified on the basis of prejudice to one’s competitive position or privacy.
“The right of citizens to access government-held information is essential in order to hold elected and appointed officials accountable to the people they serve,” said the Commissioner. “This is particularly true for details of government expenditures and the public’s right to scrutinize how tax dollars are being spent. When government organizations use the services of individuals or companies in the private sector, the public should not lose its right to access this information.”
The need for transparency and accountability for government spending goes beyond contractual arrangements. In Order MO-1947, the Commissioner ordered the disclosure of information relating to lawsuits settled by the City of Toronto with third parties, including the number of lawsuits, dates settled and dollar amounts. The Commissioner again emphasized the importance of the disclosure of this type of information based on the taxpayers’ right to know and the need to hold both politicians and bureaucrats accountable for their actions.
In her wide-ranging 84-page annual report, Commissioner Cavoukian identifies and addresses seven other key issues. Among these, the Commissioner:
- dispels some of the common misconceptions about radio frequency identification (RFID) and addresses when privacy issues need to be considered. “Users of RFID technologies and information systems should address the privacy and security issues early in the design stage, with a particular emphasis on data minimization,” said the Commissioner. “This means that wherever possible, efforts should be made to minimize the identifiability, observability and linkability of RFID data.” (Further to this issue, the Commissioner released new RFID Privacy Guidelines just last week. Here is a direct link to the Guidelines on the IPC’s website: www.ipc.on.ca/docs/rfidgdlines.pdf.);
- outlines a highly successful collaboration between the Ontario College of Pharmacists, the Ontario Pharmacists’ Association and the IPC. Within days of a controversy erupting in the media over the screening of women attempting to access the emergency contraceptive pill, commonly known as Plan B, the Ontario College of Pharmacists, after working with the Commissioner and the Association, issued new guidelines for pharmacists operating in Ontario;
- examines the issue of the secure destruction of personal information, emphasizing that such information “must be permanently destroyed or erased in an irreversible manner that ensures the record cannot be reconstructed in any way, as reflected in the IPC Fact Sheet issued on secure destruction;”
- advises that the IPC is closely watching the steps being taken towards the development of an interoperable electronic health record (EHR) system in Ontario. “Governance is a key issue in the implementation of an interoperable EHR,” said Commissioner Cavoukian. “One of the questions that needs to be addressed is how will accountability for patient privacy and information security be established in the context of a record that may eventually be shared throughout the entire health care system;”
- stresses that privacy should not be used as a shield to minimize disclosure of essential information in emergency situations. “While access and privacy laws underline the importance of protecting the privacy of individuals, they also recognize that, in certain circumstances, privacy should not be an impediment to the sharing of vital – and, in some cases, life-saving – information, even in the absence of consent,” says the Commissioner;
- addresses the issue of fingerprints, photos and other personal information of people who were charged with a crime, but never convicted, being kept by police. “Many people assume that when charges are dropped, stayed, withdrawn, or a finding of ‘not guilty’ is made, the name of the accused person is automatically cleared,” said the Commissioner. “However, while these and other non-conviction dispositions may leave a person without a criminal record, police services in Ontario retain most police records in perpetuity, even where a person is found not guilty by the courts. A fair expungement process must take into account both the legitimate interest of law enforcement and the fundamental rights of innocent citizens;” and
- emphasizes the importance of building a culture of openness and transparency in all provincial and municipal government organizations. “Leadership on openness and transparency must come from the top,” said the Commissioner. “Public servants are more apt to disclose information without claiming inapplicable exemptions if they feel that their decisions will be supported by both the politicians and senior executives who lead their ministry, agency, board, commission or local government.”
The annual report also includes a detailed review of the impact of the Personal Health Information Protection Act (PHIPA) – Ontario’s first new privacy law in nearly 14 years – during its first full year.
Provincial ministries were praised by the Commissioner for a dramatic improvement in their 30-day-response compliance rate. Overall, ministries achieved an 80.1 per cent compliance rate – a significant increase from 68.7 per cent in 2004 and the highest provincial compliance rate in 17 years.
Elsewhere, the annual report includes statistical analysis of requests for information filed across Ontario in 2005 under FOI and PHIPA (34,957, the highest number ever), appeals to the IPC regarding some of the decisions government organizations made in response to FOI requests, and privacy complaints filed to the IPC under the provincial and municipal Freedom of Information and Protection of Privacy Acts, or under PHIPA.
Key IPC orders and privacy investigations are profiled, decisions rendered by the courts regarding Ontario access cases are cited, IPC educational efforts outlined, and information about the 25 publications the IPC issued in 2005 provided.
The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, as well as the Personal Health Information Protection Act, and helping to educate the public about access and privacy issues.
Thursday, March 23, 2006
The March 2006 edition of the Canadian Privacy Law Review is out and it includes the following article:
(Reprinted by permission of LexisNexis Canada Inc., from Canadian Privacy Law Review, edited by Michael Geist, Copyright 2006.)
With so much focus on PIPEDA, the PIPAs, the HIAs, PHIPA and others, the notion that there’s an independent tort of invasion of privacy has been somewhat lost in the shuffle of late. Newfoundland, Manitoba, Saskatchewan and British Columbia, with their statutory torts for invasion of privacy, have settled the debate in those provinces. Observers in the other common law provinces are left, from time to time, scratching their heads as to whether there is even an ability to bring a civil suit for invasion of privacy, independent of any wrong that is addressable under the personal information protection statutes or independent of another actionable wrong, such as trespass.
To use Newfoundland as an example, the Privacy Act makes it an actionable wrong if someone violates the privacy of another:
Violation of privacy
3. (1) It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of an individual.
(2) The nature and degree of privacy to which an individual is entitled in a situation or in relation to a matter is that which is reasonable in the circumstances, regard being given to the lawful interests of others; and in determining whether the act or conduct of a person constitutes a violation of the privacy of an individual, regard shall be given to the nature, incidence, and occasion of the act or conduct and to the relationship, whether domestic or other, between the parties.
The Act further clarifies what circumstances are presumed to be an invasion of privacy and also establishes specific defenses to the tort.
In the remaining common law provinces, including Ontario and the Maritimes, the court decisions have gone both ways on whether there is an independent tort of invasion of privacy. The recent case of Somwar v. McDonald’s Restaurants of Canada Ltd. opens the door further to this possibility in Ontario.
The facts in Somwar are relatively simple: The plaintiff, Mr. Somwar, was a McDonald’s employee. The company carried out a credit check on Mr. Somwar without his knowledge or consent, and Mr. Somwar brought an action against McDonald’s for invasion of privacy, seeking general damages and an award of punitive damages to dissuade the company from repeating this with other employees. The defendant made an application under the Ontario Rules of Civil Procedure to have the plaintiff’s statement of claim struck out on the basis that it disclosed no reasonable cause of action. It was argued that the laws of Ontario do not include a common law right of action for invasion of privacy.
At this stage in litigation, the task of the Justice sitting in chambers is not to determine liability or even to decide whether the actions complained of are actionable. The sole task is to determine whether it is “plain and obvious” that the plaintiff’s claim could not proceed if the matter were to go to trial. Striking out a plaintiff’s claim is reserved for those circumstances where proceeding any further would be a waste of time for the parties and the courts. If there is any possibility that the plaintiff might succeed at trial, the Civil Procedure Rules are designed to allow the action to run its course. Any pronouncements from the bench at this stage in the proceeding must be interpreted in light of this context. The question is not whether there is a common law tort of invasion of privacy, but rather whether there might be. In the result, Stinson J. determined that there might be and went even further to say there should be.
Lacking any clear pronouncement from the appellate courts, Justice Stinson of the Ontario Superior Court of Justice canvassed a range of lower-court decisions dealing with alleged invasions of privacy. To this end, Stinson J. borrowed from the analytical framework set out by Dean William Prosser in his seminal California Law Review article, “Privacy” and considered Ontario cases that addressed “intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs.”
The cases cited by Stinson J. in Somwar that fall into this category do not provide unequivocal guidance on whether such a tort exists. A handful of decisions from Ontario’s lower courts have allowed claims, or have at least allowed actions to proceed to trial, based upon alleged intentional invasions of privacy, many of which are also associated with other causes of action, such as nuisance. On the motion to dismiss the plaintiff’s claim, the cases reviewed provided sufficient grounds for Stinson J. to conclude that it cannot clearly be said that there is no common law tort of invasion of privacy.
The foregoing is sufficient to dismiss the defendant’s motion, but the Court goes further and offers the conclusion that the time is right for a clear recognition of a common law right to privacy. Stinson J. begins this part of his analysis by posing the question: “is there a right to privacy in Canada and how is it protected?”
In the age of the Charter, the Supreme Court of Canada has been explicit that the common law must evolve to become consistent with “Charter values”. The leading case on this point, Hill v. Church of Scientology of Toronto, is cited by Stinson J., who quotes from Cory J.’s majority decision:
Historically, the common law evolved as a result of the courts making those incremental changes, which were necessary in order to make the law comply with current societal values. The Charter represents a restatement of the fundamental values which guide and shape our democratic society and our legal system. It follows that it is appropriate for the courts to make such incremental revisions to the common law as may be necessary to have it comply with the values enunciated in the Charter.
Section 8 of the Charter provides individuals with a constitutional right that is analogous with the “right to be let alone”: “Everyone has the right to be secure against unreasonable search or seizure.” While the Charter only applies to individuals vis-à-vis the state, the Supreme Court’s pronouncements on Section 8 lead to the conclusion that Charter values require that the common law recognize a “right to be let alone” between individuals.
Stinson J. refers to the judgement written by La Forest J. in R. v. Dyment, in which the Court identifies three zones of privacy, one of which is privacy of personal information. La Forest J. rooted this privacy interest in “the notion of the dignity and integrity of the individual.” Recent advances in technology that can be used to collect and disseminate personal information also prompt Stinson J. to recommend that the common law make the incremental changes needed to keep up with Charter values and with potentially intrusive technology:
With advancements in technology, personal data of an individual can now be collected, accessed (properly and improperly), and disseminated more easily than ever before. There is a resulting increased concern in our society about the risk of unauthorized access to an individual’s personal information. The traditional torts such as nuisance, trespass, and harassment may not provide adequate protection against infringement of an individual’s privacy interests. Protection of those privacy interests by providing a common law remedy for their violation would be consistent with Charter values and an “incremental revision” and logical extension of the existing jurisprudence.
The importance of the Somwar case should not be overstated: it relates to a motion to strike a statement of claim and is not a final, determinative judgement at trial. The test to be applied is only whether there could be such a cause of action, rather than whether there is one. However, the Court took the notable step of going beyond this simple question by propounding that the Charter and advancing technology may necessitate the updating of the common law to incorporate a clear right “to be let alone” between two private actors. Whether Justice Stinson’s decision will be followed by other lower courts and whether the appellate courts will concur are both open questions, but the decision should not be dismissed as a simple interlocutory judgement on a low-threshold question. It likely represents part of a trend toward recognizing a free-standing right to privacy in those provinces where the legislatures have not stepped in to provide a statutory one.
* David T.S. Fraser is the chairman of the privacy group at McInnes Cooper and is also a part-time member of the Faculty of Law at Dalhousie University.
 R.S.N.L. 1990, c. P-21.
 2006 CanLII 202 (Ont. C.J.) (http://www.canlii.org/on/cas/onsc/2006/2006onsc10045.html) (“Somwar”).
 R.R.O. 1990, Reg. 194, Rule 21.01(1)(b).
 William L. Prosser, “Privacy” (1960) 48 Cal.L.Rev. 383.
 Prosser’s article classifies invasions of privacy in the following categories: “(i) intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs; (ii) public disclosure of embarrassing private facts about the plaintiff; (iii) publicity which places the plaintiff in a false light in the public eye; and (iv) appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness”. Quoted in Somwar, at para. 9.
 Stinson J. refers to the following cases in this group: Capan v. Capan,  O.J. No. 1361 (H.C.J.) (application to strike statement of claim; defendant did not establish that stalking, harassment and entry into the plaintiff’s home could not found a cause of action); Saccone v. Orr (1981), 34 O.R. (2d) 317 (Co.Ct.) (recording of a private telephone conversation that was subsequently broadcast at a municipal council meeting and then published in a local newspaper; Court concluded that the plaintiff “must be given some right of recovery” for actions of the defendant); Roth v. Roth, (1991), 4 O.R. (3d) 740 (Gen. Div.) (action related to blocking access to property and shutting off electricity of the plaintiff’s cottage; Court concluded that whether the case is actionable depends upon the circumstances and the rights in conflict; invasion of privacy is not derived from a property right and the interests of both the individual and society are served by proceeding); Lipiec v. Borsa,  O.J. No. 3819 (Gen. Div.) (Court awarded damages related to removal of a fence between properties and erection of a surveillance camera pointed at the defendant’s (plaintiff by counterclaim’s) yard); Tran v. Financial Debt Recovery Ltd.,  O.J. No. 4293 (S.C.J.) (reversed on other grounds,  O.J. No. 4103 (Div. Ct.)) (collection agency making repeated collection calls to plaintiff’s workplace after being advised to only call home number; plaintiff recovered under defamation, intentional interference with economic interests, intentional infliction of emotional suffering, and invasion of privacy); Garrett v. Mikalachki,  O.J. No. 1326 (S.C.J.) (dispute between neighbours leading to recovery under “intentional infliction of emotional distress, nuisance or invasion of privacy, and harassment”) and Rathmann v. Rudka,  O.J. No. 1334 (S.C.J.) (harassment amounting to nuisance and invasion of privacy).
 Somwar at para. 23.
  2 S.C.R. 1130.
 Quoted in Somwar at para 26, from Hill at para 92.
  2 S.C.R. 417 (“Dyment”).
 Quoted in Somwar at para 24, from Dyment at para 22.
Thursday, December 15, 2005
This just came over the wires ...
New Privacy-Protective Guidelines for the Provision of 'Plan B' Emergency Contraception by Pharmacists in Ontario:
TORONTO, Dec. 15 /CNW/ - New guidelines for pharmacists have been issued in record time through a highly successful collaboration between the Ontario College of Pharmacists, the Ontario Pharmacists' Association and the Information and Privacy Commissioner of Ontario.
Dr. Ann Cavoukian, Ontario's Information and Privacy Commissioner, stated, "Within a short week of voicing my concerns, I am delighted to say that our joint working group has successfully collaborated and reached an agreement on made-in-Ontario guidelines for pharmacists providing Plan B."
These guidelines follow the issuance of the College's December 8, 2005 notice advising pharmacists not to use the "Screening Form for Emergency Contraceptive Pills (ECPs)," developed by the Canadian Pharmacists Association, which recommended the collection of detailed personal information.
Ontario's new guidelines (available at www.ocpinfo.com) emphasize that pharmacists should continue to seek information from the patient only as necessary to clarify the appropriateness of providing Plan B, keeping in mind the need to respect the individual's right to remain anonymous and to decline responding to personally sensitive questions.
"I was assured by the College that pharmacists do not routinely collect personally identifiable information with regard to the provision of Schedule II products," said the Commissioner. Personally identifiable information should not be recorded except when requested by the patient for reimbursement purposes or in those rare instances where it is deemed important for continuity of care of the patient.
Under the Personal Health Information Protection Act (PHIPA), which was enacted last year to protect the health information of Ontarians, health information custodians must minimize their collections of personal health information and must not collect identifiable information if other information will serve the same purpose.
The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is an independent officer of the Legislature. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, and the Personal Health Information Protection Act, and commenting on other access and privacy issues.
December 15, 2005
Notice to Pharmacists
Re: Ontario Guidelines for Provision of Plan B (Schedule II)
Following the issuance of an Ontario College of Pharmacists Notice to Pharmacists last week concerning a specific form being used in some cases when the Schedule II product, Plan B, was requested, a working group was formed, consisting of staff from the College, the Ontario Pharmacists Association, and the Office of the Information and Privacy Commissioner of Ontario.
The goal of the group was to develop and agree on guidelines which could be used by pharmacists in Ontario to ensure that their ongoing practice with respect to the sale of this product meets all applicable legislation, including Standards of Practice. The attached document will serve to clarify the expectations of the College that pharmacists will continue to serve their patients well by providing appropriate information and counselling and to add value to the sale of Plan B as they would for any Schedule II product.
It is suggested that existing tools and practice be examined at this time to ensure compliance with these guidelines.
Anne Resnick, R.Ph., B.Sc.Phm
Associate Director, Professional Practice Programs
Ontario College of Pharmacists - December 15, 2005
Ontario Guidelines for Provision of Plan B (Schedule II)
Pharmacists are health care professionals whose practice is guided by the Code of Ethics and Standards of Practice established by their regulatory body, the Ontario College of Pharmacists (OCP). Pharmacists practice in accordance with all applicable legislation and regulations including Ontario's privacy legislation, the Personal Health Information Protection Act, 2004 (PHIPA). These guidelines are the result of the joint efforts of the OCP, the Office of the Information and Privacy Commissioner of Ontario (IPC), and the Ontario Pharmacists' Association (OPA). These guidelines follow the issuance of OCP's December 8, 2005 notice which advised pharmacists not to use the "Screening Form for Emergency Contraceptive Pills (ECPs)," developed by the Canadian Pharmacists Association (CPhA).
As there are already educational resources available to pharmacists for Plan B, these guidelines will not duplicate those efforts, but will outline the appropriate application of OCP's Standards of Practice and Code of Ethics and PHIPA in the context of providing Plan B.
The IPC recognizes the important health care services pharmacists provide. The IPC's mandate is to ensure that personal health information is collected, used and disclosed in the most privacy protective manner possible. Specifically, under PHIPA, health information custodians shall not collect, use or disclose personal health information if other information will serve the purpose. Moreover, PHIPA restricts the collection, use and disclosure of personal health information to that which is reasonably necessary to meet the purpose of providing health care. OCP's Code of Ethics and Standards of Practice provide the framework for pharmacists' practice. Many components of the Code of Ethics and Standards of Practice protect patient privacy and reinforce the Ontario health privacy legislation, PHIPA.
For the provision of Plan B, as with any other Schedule II product, the pharmacist must always be involved in the decision to provide the medication. As with other medications, prior to its sale, the pharmacist has a professional responsibility to be assured of the appropriateness of the drug for the individual.
Pharmacists should continue to seek information from the patient only as necessary to clarify the appropriateness of providing Plan B, keeping in mind the need to respect the individual's right to remain anonymous and to decline responding to personally sensitive questions. As with all Schedule II products, if a pharmacist makes a decision not to sell Plan B, reasons should be communicated to the patient.
Pharmacists do not routinely collect personally identifiable information as it relates to the provision of Schedule II products. In the case of Plan B, personally identifiable information should not be recorded except when requested by the patient for reimbursement purposes or in those rare instances where it is deemed important for continuity of care of the patient.
For some background, see
Wednesday, December 14, 2005
Thanks to a regular correspondent for pointing this out ...
The Personal Health Information Protection Act of Ontario has been declared to be substantially similar to PIPEDA:
Health Information Custodians in the Province of Ontario Exemption Order
P.C. 2005-2224 November 28, 2005
Whereas the Governor in Council is satisfied that the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Schedule A, of the Province of Ontario, which is substantially similar to Part 1 of the Personal Information Protection and Electronic Documents Act (see footnote a), applies to the health information custodians referred to in the annexed Order;
Therefore, Her Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to paragraph 26(2)(b) of the Personal Information Protection and Electronic Documents Act (see footnote b), hereby makes the annexed Health Information Custodians in the Province of Ontario Exemption Order.
HEALTH INFORMATION CUSTODIANS IN THE PROVINCE OF ONTARIO EXEMPTION ORDER
1. Any health information custodian to which the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Schedule A, applies is exempt from the application of Part 1 of the Personal Information Protection and Electronic Documents Act in respect of the collection, use and disclosure of personal information that occurs within the Province of Ontario.
COMING INTO FORCE
2. This Order comes into force on the day on which it is registered.
Focus on the Family is running the following article in their "Today's Family News":
Churches fear breaching privacy laws
December 14, 2005
Recent privacy legislation is causing some churches to fear they could be breaking the law simply by circulating the addresses of members, praying aloud for people by name, and – at least in Ontario – making hospital visits, the Ottawa Citizen reported.
At the heart of their concern, which some think is exaggerated, is the Personal Information Protection and Electronic Documents Act, which Parliament passed in January 2004. It primarily affects businesses and would only apply to churches that sold their parish or membership lists or charged for their services.
Even so, it has prompted some pastors to question whether even making public the names and addresses of the people in their congregations might be deemed illegal under the Act.
One church in Halifax, for example, removed a “prayer board” in its foyer listing the names of people in hospital. Others have adopted privacy policies and some have even appointed privacy officers to oversee the correct handling of information.
For clergy in Ontario, the province’s year-old Personal Health Information Protection Act has made it more difficult for them to visit hospital patients, even if they belong to the same denomination.
Patients when being admitted have the option of indicating their faith background, which James Christie, dean of the faculty of theology at the University of Winnipeg, says clergy have assumed indicated they would welcome “some sort of pastoral presence.” But now, as he told the Citizen, “that graciousness is gone.”
But London, Ontario, lawyer Janet Allinson, a specialist in privacy law, believes many churches “are misunderstanding the legislation altogether. I get quite a few calls from people very concerned, they are so afraid of the Privacy Act.”
"I think it's important that they don't lose the spirit and treat it like a business" added Allinson.
The impact of the federal private sector privacy law has been widely misunderstood by churches and other non-profits.
The Personal Information Protection and Electronic Documents Act, or PIPEDA as it is commonly known, applies to the collection, use and disclosure of personal information in the course of commercial activities, except in those provinces that have enacted substantially similar legislation. Ontario has not enacted legislation that is substantially similar to PIPEDA (other than the Personal Health Information Protection Act, which may hinder the ability of health information custodians to share information with visiting clergy, but does not regulate churches directly). In short, PIPEDA applies to personal information that is handled in connection with commercial activities, other than in Alberta, BC and Quebec.
The reason for the commercial activity connection is that the Federal Government is relying upon its constitutional jurisdiction over general trade and commerce in Canada to implement PIPEDA. It can use this power to regulate commerce generally, but is not able to regulate the non-profit sector using this power except to the extent that the non-profit organization actually is engaged in commercial activity. There are some activities that a non-profit can engage in that are deemed commercial activities and some activities can be sufficiently commercial to invoke PIPEDA. The deemed activities are generally limited to certain kinds of dealing with membership and donor lists. If a church exchanges, sells, trades or leases its membership list, that is a deemed commercial activity and PIPEDA applies (including requiring consent for the transfer). The key is an exchange of value. If a list is freely given with no expectation of any value in return, there is no commercial activity and PIPEDA is not triggered. Also, if a church veers away from its core not-for-profit objectives, it can be seen to be engaged in commercial activity. Charging admission to a benefit concert for the church is not commercial activity. Operating a business within the church may be commercial. Church fund-raising is not a commercial activity, nor is praying out loud or listing members in a directory.
Saturday, December 10, 2005
A letter to the editor in today's Toronto Star:
TheStar.com - No problem with giving Plan B info:
Letter, Dec. 9.
In his letter, Tim Lu stated that I recommended pharmacists not ask any questions when dispensing Plan B. Allow me to offer the following correction. I refer him to the Ontario College of Pharmacists notice of Dec. 8, 2005, which states the following: 'the Privacy Commissioner stressed that pharmacists should continue to provide information to patients who request this drug, to gather information and to educate and counsel patients. Pharmacists should ask questions of patients if necessary in the course of providing this service but should not record personal health information in a manner which identifies individual patients.'
My office did not recommend that pharmacists not communicate relevant information to women to ensure the safe and effective use of Plan B. Indeed, I noted that pharmacists provide very important services and guidance. However, in order to protect the privacy of Ontarians, as I am mandated to do under the Personal Health Information Protection Act, I must ensure that identifiable personal health information is only collected when it is necessary and that no more personal health information is collected than is necessary. With this in mind, my office together with the Ontario College of Pharmacists and the Ontario Association of Pharmacists is working expeditiously to develop new guidelines to assist pharmacists when dispensing Plan B.
Again, let me be clear. I have no problem with a pharmacist imparting information on Plan B to patients. My concerns lie with the unnecessary collection and recording of personally identifiable, sensitive health information.
Ann Cavoukian, Ontario Information and Privacy Commissioner, Toronto
Monday, October 31, 2005
Full marks to the Information and Privacy Commissioner for the fast investigation and report related to sensitive medical records being used as props on a Toronto movie set (see: The Canadian Privacy Law Blog: Incident: Medical records blowing in the wind in Toronto). She has issued the first order under the Personal Health Information Protection Act.
From the Commissioner's website:
IPC - Medical records found scattered across Toronto streets: Commissioner Cavoukian issues first Order under new law
NEWS RELEASE : October 31, 2005
TORONTO – An investigation into how personal health records ended up being strewn across the streets of downtown Toronto on October 1 as a backdrop for a film production has resulted in a ruling by Information and Privacy Commissioner Ann Cavoukian that both a Toronto X-ray/ultrasound clinic and a paper disposal company had breached Ontario’s Personal Health Information Protection Act (PHIPA).
The Commissioner, who was appalled at learning of this breach, went to the scene herself shortly after being advised of the records being scattered on the streets. “The Order I released today – the first under the new Act – should be carefully reviewed by every health information custodian and paper disposal company in Ontario. Everyone handling personal health records has to realize that the storage and destruction of such sensitive information has to be carried out in the most secure manner so that mistakes such as this are virtually eliminated.”
In her Order, Commissioner Cavoukian said that the personal health records were collected by a paper disposal company that engaged in both shredding and recycling activities. A portion of the personal health records picked up from the clinic were mistakenly believed to be intended for recycling. The records were subcontracted to another recycling company, which later sold them – intact – to the film company for use on its set.
The Commissioner found that:
- the Toronto clinic failed to take all reasonable steps to secure the personal health information in its custody or control;
- the clinic failed to ensure that the personal health information was disposed of in a secure manner; and
- the clinic failed to comply with section 17(1) of PHIPA, which requires it to be responsible for the proper handling of personal health information by itself and its agents. Commissioner Cavoukian said that, in the above context, a written contractual agreement would be required setting out the agent’s duty to securely shred the materials and require the agent to provide a written attestation confirming that shredding has been completed.
The Commissioner also found that:
- the paper disposal company’s action in forwarding the records to a recycling facility instead of shredding them, while caused by a mistaken belief that the records were intended for recycling, contravened the Act.
Commissioner Cavoukian ordered the clinic to review its information practices to ensure that the location of all personal health information within its custody or control is documented, and that this personal health information is adequately secured.
The Commissioner ordered the clinic to put into place a written contractual agreement with any agent it retains to dispose of personal health information. The agreement must set out the obligation for secure disposal and requires the agent to provide written confirmation once secure disposal has been carried out.
“Secure disposal,” the Commissioner said in her Order, “must consist of permanently destroying paper records by irreversible shredding or pulverizing, thus making them unreadable. Further, steps must be taken to ensure that no unauthorized person will have access to the personal health information between the time the records leave the health information custodian’s custody until their actual destruction.”
Similarly, the paper disposal company, which fell under PHIPA because it functioned as an agent, having been given personal health information directly by a health information custodian, was ordered by the Commissioner to put into place a written agreement that includes the requirement for the disposal company to engage in secure shredding and provide an attestation confirming destruction of records.
Among other requirements, the Commissioner also ordered the paper disposal company to put procedures into place that will prevent paper designated for shredding from being mixed together with paper that is intended to be disposed of via recycling.
This Order will establish the practice to be followed by all health information custodians and their agents in Ontario, with respect to the Commissioner’s expectations for the secure disposal of health information records under Ontario’s new Health Information Privacy law.
The Commissioner’s Order, HO-001 is available on the IPC website.
Some media coverage, as well:
Clinic, paper firm broke privacy rules
October 31, 2005
TORONTO -- Ontario's privacy commissioner has found a clinic and a paper-disposal company broke privacy rules after personal health records were strewn on a downtown movie set.
Ann Cavoukian says the health records were collected by a company that engaged in both shredding and recycling.
The company mistakenly believed that the records picked up from the X-ray and ultrasound clinic were meant to be recycled.
As a result, it subcontracted the paper to another recycling company, which later sold it to a film company for use on its set.
The health records then ended up being strewn across the streets of downtown Toronto on Oct. 1 as a backdrop for a film production.
Cavoukian says she was appalled at the breach of Ontario's Personal Health Information Protection Act.
"Everyone handling personal health records has to realize that the storage and destruction of such sensitive information has to be carried out in the most secure manner so that mistakes such as this are virtually eliminated," Cavoukian said.
The Toronto clinic, which she did not identify, failed to take all reasonable steps to secure the information and ensure it was disposed of securely.
The paper-disposal company also breached the act by sending the records for recycling instead of shredding them.
She also ordered both facilities to put measures in place to preclude a recurrence.
Wednesday, October 12, 2005
Canadian information technology companies are players on a global stage. Few large information technology projects are restricted to only one country, and any venture into electronic commerce invariably crosses borders. No ambitious Canadian IT company is content to narrow its sights to the domestic market. Lawyers advising these businesses have always had to maintain an awareness of legal developments elsewhere, but the last few years have brought with them a range of new laws that affect their southward-looking clients. No area of law has seen as much change as that touching upon the protection of personal information.
The one law that has received the greatest publicity and, perhaps, the greatest scrutiny, is the USA Patriot Act, which was passed by the Congress within two months of the terrorist attacks of September 11, 2001. This law does not single out the technology industry, but a number of its provisions have had a particular impact on cross-border services, regardless of the direction in which those services flow. Section 505 of the USA Patriot Act short-circuits ordinary search warrant requirements and allows the Federal Bureau of Investigation to have access to records such as financial records, credit reports, ISP logs and transactional records for intelligence, counter-intelligence and anti-terrorism purposes by use of a “national security letter”. The recipient of a national security letter is required to hand over the information requested and is specifically precluded from informing the individual concerned that the US government has sought access to the information. When information on Canadians is within the jurisdiction of the United States, privacy advocates fear that this information will be too readily made available to law enforcement, who are able to dispense with the usual “probable cause” requirements. Information in the custody of a US company (or a subsidiary) in Canada may be within the Act’s jurisdiction.
In May of 2004, the Information and Privacy Commissioner of British Columbia initiated a public consultation on whether these provisions of the USA Patriot Act would infringe upon the privacy of British Columbians following an announcement by the BC Government that it would outsource the processing of medicare claims to a Canadian subsidiary of a US company. The request for submissions resulted in more than five hundred contributions from individuals and organizations throughout Canada.
As was pointed out in a number of submissions to the BC Commissioner, personal information has always been available for law enforcement, intelligence and anti-terrorism investigations, regardless of where the information actually resides. The principal effect of the BC Commissioner’s report was to shine a spotlight on the cross-border sharing of personal information and to raise awareness – some might say paranoia – about Canadian personal information being stored in the United States. The attention to the issue spawned significant changes to the BC public sector privacy law and put government outsourcing under the microscope. Many outsourcing customers, government included, are now including language to prohibit the transfer of personal information outside of Canada, and in some cases outside the home province of the customer.
Legal changes in California’s privacy laws are spilling over to other states and are having an impact upon Canadian technology companies. California’s trail-blazing consumer privacy law, which has been followed in a number of US states, requires that organizations notify affected individuals whose personal information may have been compromised or accidentally disclosed. The California law is intended to operate extra-territorially. These laws not only place the company in the uncomfortable position of having to notify customers, but also provide penalties for failing to do so. The California law in particular has prompted the recent deluge of public disclosures of privacy and security breaches in the United States and has also increased consumer expectations on both sides of the border. Similar provisions have found their way into Ontario’s relatively new Personal Health Information Protection Act and the concept of mandatory notification will undoubtedly be considered as part of the five year review of the Personal Information Protection and Electronic Documents Act.
In an era in which privacy and security are perceived to be clashing on a regular basis and in which identity theft is characterized as one of the fastest-growing crimes, it should not be surprising that technology lawyers have to grapple with privacy on a more regular basis, both as a customer-relations issue and as a significant regulatory concern. At least a baseline knowledge of the legal regimes on both sides of the border is necessary to get a sense of the big picture when advising clients.
Tuesday, June 14, 2005
It's bad enough that sensitive medical information was being thrown out instead of being shredded, but someone dropped the bag of "trash" on a Manotick man's driveway. But it gets worse ... this is the second time.
The Ottawa Sun is reporting an incident involving medical waste and health information originating from Gamma-Dynacare in a suburb of Ottawa.
Ottawa Sun Online: NEWS - Patient info in trash: "Homeowner finds medical waste, including personal data, in his driveway for second time
A MANOTICK homeowner was shocked last week to find used medical supplies and private health information in a garbage bag dumped in his driveway.
Anthony Heembrock opened the bag Thursday to find out who'd dumped garbage on Rideau Bend Cres. for a second week in a row.
He says he found medical debris, including bloodied gauze and lab test forms with patients' names, addresses, phone and OHIP numbers.
"What if my animals or my kids got into this stuff?" Heembrock said. "What about patients' confidentiality?"
He's worried that kids and pets are at risk from handling medical waste and patients from identity theft or fraud if the information fell into the wrong hands.
Heembrock said the forms listed the Gamma-Dynacare Medical Laboratories, which shares a building with the Manotick Medical Centre. Gamma-Dynacare didn't return calls yesterday.
Dr. Ann Fillingham, a physician at the health centre, says the public was never at risk from the bag of garbage but how it disappeared is under investigation, she said.
The medical items Heembrock found, including urine specimen bottles, had never been used, she said. The bag did contain cotton balls that are taped to patients' arms after blood tests because patients throw them in the trash.
The clinic has secure disposal of needles and blood products and shreds all sensitive patient information, Fillingham said.
LOCKED AT ALL TIMES
She said the records found were requisition forms from the lab, not medical centre patient records.
Someone must have grabbed the garbage in the few minutes between when it's collected from the building and put in a locked dumpster, Fillingham said. It's now locked up at all times.
"How the garbage got to where it got twice doesn't make sense," Fillingham said. "Something is going on. We're not letting it happen again."
Having health information turn up in the garbage could violate new health privacy legislation, said Bob Spence, spokesman for the province's information and privacy commissioner.
The Personal Health Information Protection Act requires health care workers to store, share and discard private information securely.
"Anyone who works in health would be encouraged to destroy health information rather than throwing it out in the trash," said Spence. "Once we obtain more information, we will be launching a privacy investigation into this."..."
Saturday, June 11, 2005
On Friday, the Canadian Bar Association's Access and Privacy Law Section executive had a unique opportunity to meet with the Federal and Provincial Access and Privacy Commissioners in Ottawa. It was a very interesting and useful session, but off the record.
The issue of notification of data breaches was raised and I was asked at the lunch by one of the Commissioners whether there has been serious research on the topic. Because there is no law (other than PHIPA in Ontario) that requires notification, any business dealing with an incident will need to consider what information, if compromised, will result in actual loss or harm to the individual(s) in question. The Commissioners are increasingly being contacted by businesses who want to know whether they should contact affected individuals, but they don't have all the information to fully assess the risk.
Though the media is full of information related to identity theft, I couldn't point to any substantive research of what information is useful to identity thieves. I know anecdotally that name, address, social insurance number (or SSN in the US), date of birth are the "keys to the kingdom". If anyone can point to anything authoritative that can provide insight, please e-mail it to me at email@example.com. I'll post links to anything I get.
Thursday, June 09, 2005
Since the ChoicePoint fiasco, the hot topic in privacy is the question of public notification of security breaches. California has led the way on this and many state and federal legislators are looking to follow California's lead. The Federal Privacy Commissioner in Canada has suggested that notification should be done, but our privacy law contains no obligation (except for Ontario's Personal Health Information Protection Act).
Bruce Schneier always has interesting things to say, and on this topic there's no exception:
Schneier on Security: Public Disclosure of Personal Data Loss:
"... As a security expert, I like the California law for three reasons. One, data on actual intrusions is useful for research. Two, alerting individuals whose data is lost or stolen is a good idea. And three, increased public scrutiny leads companies to spend more effort protecting personal data.
Think of it as public shaming. Companies will spend money to avoid the PR cost of public shaming. Hence, security improves.
This works, but there's an attenuation effect going on. As more of these events occur, the press is less likely to report them. When there's less noise in the press, there's less public shaming. And when there's less public shaming, the amount of money companies are willing to spend to avoid it goes down...."
The attenuation effect may be true, but I don't think we've peaked on this yet. If you search Google News for "citigroup tape", you get well over 360 news stories about the incident. Eventually the media's interest will trail off, but I don't think it has happened yet.
Saturday, April 09, 2005
A medical lab in Windsor, Ontario was broken into on January 1, 2005 and the thieves made off with a computer containing personal health information. The lab only issued a notice this week after they incorrectly assumed they needed the OK from the Information and Privacy Commissioner of Ontario. (In fact, the new Ontario Personal Health Information Protection Act requires that such disclosures be reported to affected patients.) The lab says they informed the IPC right away, a fact that the IPC's office disputes.
Fort St. John - canada.com network:
"Patients kept in dark over theft of lab files: Information taken during break and enter in Windsor
April 9, 2005
Ontario's Ministry of Health wants to know why it took more than three months for a Windsor medical lab to begin reporting the theft of personal and medical information to affected patients and their doctors.
"Eventually, the ministry would want some kind of justification for the delay," ministry spokesman John Leatherby said. "Those who are affected need to be in the know."
Friday, Medical Laboratories of Windsor Ltd. (MLW) issued a news release reporting a computer containing patients' names, addresses, health card numbers and health information was stolen from its 1428 Ouellette Ave. office Jan. 1.
Windsor police have been investigating the theft but report no success.
"As soon as we discovered the theft, we contacted authorities," company spokeswoman Jennifer Yee said.
As required by law, the company notified Ontario's Office of the Information and Privacy Commissioner, but spokesman Bob Spence said Friday it wasn't until early March -- two months after the B&E -- that it was made aware of the theft. He said the privacy commissioner has also launched an investigation into the theft.
According to police, one or more suspects broke into the front door of the Ouellette Avenue office building that night and then smashed through MLW's medical office door on the third floor, leaving with a computer, flat-screen television, a computer monitor and petty cash.
The missing computer was used to collect and transmit ECG information from patient tests to family physicians and cardiologists, Yee said.
She said she "wouldn't want to speculate" on the number of patients affected by the theft, but added more than 100 doctors in the Windsor-Essex area were sent letters Thursday advising them of the theft.
"We sincerely regret this situation," Yee said.
Staff Sgt. Ed McNorton said Windsor police believe the suspects targeted the computer for its hardware value and not the personal and private medical information it contained.
Nevertheless, said the ministry's Leatherby: "Those individuals who have had their personal information stolen -- they should be next to the first persons to be advised."
Asked why MLW, which has operated locally the past 43 years, waited three months to alert doctors, patients and the public to the possible theft of personal data, Yee said it was only Thursday that the company received the required approval from the privacy commissioner's office.
But commissioner spokesman Spence told The Star Friday there is no need for such approval.
"We do not tell organizations not to advise people -- or announce to the public -- that information may have been lost," he said.
Though there are four other MLW offices across the county, Yee said, only the ECG test results and patient information of those attending the Ouellette Avenue office were affected.
The private company said it launched its own internal investigation and is also working with the Ontario Ministry of Health and Long-Term Care on the case.
"We have ... taken a number of steps to ensure MLW's security and data protection measures meet or exceed current health industry standards," company president Dr. George Yee said in Friday's news release.
The Health Ministry will wait until the conclusion of the police investigation before launching a probe into the reporting delay, Leatherby said.
Any patients requiring additional information are asked to call MLW at 258-1991."
Friday, March 11, 2005
Doctors Nova Scotia (formerly the Medical Society of Nova Scotia) this week asked me to write a brief article for their website and magazine about what physicians should do if the security of patient information is compromised. The question arises most often in the form of "what if my computer [or PDA] is stolen?"
I was happy to help since DoctorsNS has been extremely proactive in helping its members to address PIPEDA. In fact, it was for DoctorsNS that I originally wrote the Physician's Privacy Manual (e-mail me - david.fraser at mcinnescooper.com - if you are interested in purchasing a copy).
Q. With the new privacy law now in force, what measures do physicians have to take to prevent the theft of computers and the like containing confidential patient information and what should physicians do if something like this were to happen?
A. Since January 1, 2004, the collection, use and disclosure of personal information by private practice physicians in Nova Scotia has been regulated by the Personal Information Protection and Electronic Documents Act, commonly known by its acronym “PIPEDA”. The law covers all aspects of physicians’ responsibilities with respect to patient information and specifically includes an obligation to safeguard personal information against a wide range of risks. Among those risks are loss, theft and inappropriate access. The law does not dictate what specific technological or security measures must be employed, but it does say that the safeguards must be proportional to the sensitivity of the information in question. Because medical records are among the most sensitive, a physician’s responsibilities in this area are proportionately high.
While PIPEDA is a new law, it does not replace the obligations that physicians have always had to exercise due care to protect their patients from harm caused by the physician’s actions or omissions. The inappropriate disclosure of personal information can undoubtedly cause harm, particularly in this age of identity theft. In addition, individuals entrust their physicians with very sensitive information that may have significant consequences if it is disclosed to others. For example, a patient’s record may contain information about a particular condition that, if disclosed to the individual’s employer, could result in the individual being fired. The inappropriate disclosure of information about a battered spouse may have severe safety repercussions for that patient.
These rules apply to all patient information, regardless of whether it is written on paper or stored in a computer. Use of electronic systems poses additional risks, simply because large amounts of information may be stored in an easily stolen form. Also, external hackers might access an under-protected system, leaving very little sign that the information has been compromised. Physicians should take all reasonable measures to protect this information against the sorts of threats that may exist, depending upon the circumstances. Locks on doors, virus scanners and computer firewalls immediately come to mind. The encryption of electronic data may also be the last line of defence, meaning that data stored on a stolen hard drive still cannot be accessed by a thief who does not have the password.
So what should a physician do if he or she believes that patient information may have been compromised? PIPEDA does not specifically say, unlike Ontario’s new Personal Health Information Protection Act, which requires all health information custodians to inform an individual at the first reasonable opportunity if that individual’s personal information is stolen, lost, or accessed by unauthorized persons. While physicians likely should contact all affected patients to inform them of a breach or possible breach, whether they are under a legal obligation to do so is unclear. Because unauthorized access to personal information may put individual patients at risk, the only way that this risk may be mitigated is to inform the patients so that steps can be taken to minimize the harm. The following checklist may help a physician who believes that patient information may have been lost, stolen or inappropriately accessed:
- If the incident relates to a theft or malicious intrusion attempt, the police should be notified as soon as possible.
- The College of Physicians and Surgeons should be notified.
- Your liability insurer and/or the Canadian Medical Protective Association should be notified.
- Immediate steps should be taken to prevent the recurrence of the loss; for example, computer servers should be immediately disconnected from potential avenues for intrusion, such as external networks and modems; locks should be changed on the doors if the incident relates to a physical break-in.
- Carefully consider whether patients should be contacted to allow them to mitigate the effects of the incident.
Physicians should not attempt to cover up or gloss over any of these incidents, as such actions tend to compound the problem and undermine patient confidence in physicians generally.
If you have any concerns about the way that personal information is safeguarded in your practice, Doctors Nova Scotia is able to help by referring you to information and specialists that can help minimize the risk to the security of your patient information.
I note that this article is not legal advice and only pertains to provinces where private practice physicians are governed solely by the Personal Information Protection and Electronic Documents Act (NS, NL, PE, NB and not BC, AB, SK, MB, QC, ON).
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.