1
|
- David T.S. Fraser
- Chair, McInnes Cooper Privacy Law Practice Group
- Counsel, National Privacy Services Inc.
- david.fraser@mcinnescooper.com
- 1-877-PRIVLAW // www.privlaw.com
|
2
|
- Often equated with confidentiality.
- Has been characterised as the right to be left alone, to be secure in
one’s home and free from unwanted interference.
- In the context of the new laws, privacy means having control over one’s personal
information
- Choice of whether to disclose information at all
- Control over with whom it is shared
- Control over how it is used
- Individuals do not lose control once they’ve released their information
“into the wild”
|
3
|
- From PIPEDA:
- Addresses “personal information” – information about an identifiable
individual:
- NOT name, title, business address or telephone number of an employee
or organization
- Would include name, address, income, health information, diagnosis,
health number, demographics, preferences, birth date, SIN, tissue
samples
- Also includes analysis or opinions about an individual
- Also includes information that may be traced back to an individual
- Virtually any information in an individual’s medical file is their
personal information
|
4
|
- Public sector laws date back 20+ years
- Privacy Act – protection of personal information held by federal
government
- Freedom of Information and Protection of Privacy Act (NS) – protection
of personal information held by the provincial governments
- Hospitals Act (NS)
- No private sector laws until recently
- Only Quebec - Act Respecting the Protection of Personal Information in
the Private Sector (1994)!
- In private sector, only had self-regulation
- Canadian Standards Association Model Code for the Protection of
Personal Information
- Canadian Bankers’ Association Privacy Code
- Canadian Association of Internet Service Providers Privacy Code
- CMA Health Information Privacy Code
|
5
|
- Some jurisdictions have specific health information legislation.
- Health Insurance Portability and Accountability Act (USA)
- Health Information Act (Alberta)
- Personal Health Information Act (Manitoba)
- Health Information Protection Act (Saskatchewan)
- Personal Health Information Protection Act (Ontario – pending)
|
6
|
- According to surveys, one significant impediment to widespread adoption
of electronic commerce has been consumer privacy
- Part of the federal government’s e-commerce agenda, but not limited to
online activities
- Instead of re-inventing the wheel, the federal government turned to a
widely-accepted (but not widely followed) privacy code – the Canadian
Standards Association Model Code for the Protection of Personal
Information
- Cannot simply follow the CSA Code, as the statute changes it in some
significant ways
|
7
|
- Personal Information Protection and Electronic Documents Act
- Based on the CSA Model Code
- Code was designed for commercial operations, not specific to health
information
- Strong view that PIPEDA is not appropriate for health information
- Many were of the view that current practices were sufficient to protect
privacy
- Medical Associations recommended that PIPEDA be amended to deal with
health information or that it be “carved out” and supplemented by health
specific legislation.
|
8
|
- Applies to the “collection, use and disclosure of personal information
in the course of commercial activities”.
- “Commercial activities” means
- any particular transaction, act or conduct or any regular course of
conduct that is of a commercial character, including the selling,
bartering or leasing of donor, membership or other fundraising lists.
- Physicians in private practice are engaged in “commercial activities” …
PIPEDA applies
- Physicians exclusively in hospitals or public institutions are usually
not engaged in “commercial activities” … PIPEDA does not apply.
|
9
|
- Phased in application
- 1 January 2001 - Federal Private Sector, except health information
- Telecommunications, railways, air travel, shipping, credit bureaus,
banks
- 1 January 2002 – Health information in the federal private sector
- 1 January 2004 - Provincial Private Sector
- The rest of the economy, including physicians in private practice
- Exemption applies if provincial government steps in and passes
legislation that is declared to be “substantially similar”.
- No such legislation in Atlantic Canada –
- none anticipated
|
10
|
- Based on the principles of the Canadian Standards Association Model Code
for the Protection of Personal Information:
- Accountability
- Identifying purposes
- Consent
- Limiting collection
- Limiting use, disclosure and retention
- Accuracy
- Safeguards
- Openness
- Individual access
- Challenging compliance
|
11
|
- 1. Accountability - an organization is responsible for personal
information under its control and shall designate an individual or
individuals who are accountable for the organization’s compliance with
the principles contained in the Canadian Standards Association model code
for the protection of personal information.
- You must have a privacy officer
- You must implement the ten principles
|
12
|
- 2. Identifying Purposes - the purposes for which personal information
is collected shall be identified by the organization at or before the
time the information is collected.
- You must make reasonable efforts to tell your patients why information
is being collected
|
13
|
- 3. Consent - the knowledge and consent of the individual are required
for the collection, use, or disclosure of personal information, except
where inappropriate. Form of consent is dependent upon the sensitivity
of the information.
- You must obtain informed consent for the collection, use and disclosure
of patient information
- Medical/health information is among the most sensitive, so have a
higher threshold of consent
- Consent can be revoked
|
14
|
- Consent must be informed (“knowledge and consent” and principle 2)
- Consent can take many forms:
- Explicit consent – affirmative indication that the patient assents;
- Can be written (consent form) or oral
- Implied consent – consent is implied from the actions of the patient;
- “Opt-out” consent – consent is assumed unless the patient indicates
otherwise;
|
15
|
- Physicians have traditionally relied on implied consent.
- Former Privacy Commissioner indicated that implied consent may be
appropriate within the “circle of care”,
- “assuming it is based on a general understanding of how personal
information will be used and disclosed, for those uses or disclosures
that a patient would reasonably expect.”
- For physicians, implied consent presents risks that you should be aware
of. “Circle of care” does not include non-treatment uses: peer review,
chart reviews, CMPA consultations, etc.
- Explicit consent provides clear documentation and evidence of the
patient’s understanding and their consent.
|
16
|
- 4. Limiting Collection - the collection of personal information shall
be limited to that which is necessary for the purposes identified by the
organization. Information shall be collected by fair and lawful means.
- Can only collect necessary information
- Can only collect information for the purposes that have been
communicated to the patient
|
17
|
- 5. Limiting Use, Disclosure, and Retention - Personal information shall
not be used or disclosed for purposes other than those for which it was
collected, except with the consent of the individual or as required by
law. Personal information shall be retained only as long as necessary
for the fulfilment of those purposes.
- Must obtain consent for all purposes. Should get consent for
foreseeable uses in advance.
- Must consider records retention
|
18
|
- 6. Accuracy - Personal information shall be as accurate, complete, and
up-to-date as is necessary for the purposes for which it is to be used.
- If information is going to be used to make a decision about an
individual, the decision maker has the obligation to use current,
accurate information
|
19
|
- 7. Safeguards - Personal information shall be protected by security
safeguards appropriate to the sensitivity of the information.
- As custodians of very sensitive records, physicians must put in place
physical, organizational and technological security measures to protect
against the accidental disclosure, alteration, deletion, etc. of
personal information
- Obligations begin with collection and end with safe disposal.
Obligations also follow the information when it is being processed by
third parties.
|
20
|
- 8. Openness - An organization shall make readily available to
individuals specific information about its policies and practices
relating to the management of personal information.
- 4.8.2 The information made available shall include
- (a) the name or title, and the address, of the person who is
accountable for the organization's policies and practices and to whom
complaints or inquiries can be forwarded;
- (b) the means of gaining access to personal information held by the
organization;
- (c) a description of the type of personal information held by the
organization, including a general account of its use;
- (d) a copy of any brochures or other information that explain the
organization's policies, standards, or codes; and
- (e) what personal information is made available to related
organizations (e.g., subsidiaries).
- Must have a privacy policy that clearly communicates how the practice
handles personal information.
|
21
|
- 9. Individual Access - Upon request, an individual shall be informed
of the existence, use, and disclosure of his or her personal information
and shall be given access to that information. An individual shall be
able to challenge the accuracy and completeness of the information and
have it amended as appropriate.
- Individuals have a right of access to their personal information,
subject to narrow exceptions.
- Access must be provided within 30/30 days.
- Documents must be understandable – handwriting transcribed,
abbreviations and technical terms explained.
- Patients with a visual disability have a right to have the information
provided in Braille or read to them.
- Can charge a “reasonable fee” but don’t expect to recover your costs of
compliance
|
22
|
- 10. Challenging Compliance - An individual shall be able to address a
challenge concerning compliance with the above principles to the
designated individual or individuals accountable for the organization's
compliance.
- Every practice must have procedures in place to receive and respond to
complaints or inquiries about policies and practices relating to the
handling of personal information.
- The complaint procedures should be easily accessible and simple to use.
- Important mechanism to prevent queries from becoming complaints.
|
23
|
- Complaint driven process
- Commissioner can audit, but is unlikely to do so.
- No “reporting” requirements
- The Commissioner is akin to an “ombudsman”
- Has a mandate to resolve complaints.
- New Commissioner much more likely to be helpful.
- Any individual (not just patient!) can make a written complaint to the
Privacy Commissioner (s. 11).
- Commissioner may initiate a complaint of her own accord or conduct an
audit.
- Commissioner investigates the complaint
- Powers in s. 12(1): Compel evidence, administer oaths, accept any
evidence whether ordinarily admissible (or not), enter any premises
other than a dwelling, review documents, etc.
- Commissioner’s Report
- To contain findings and recommendations, whether there was a settlement
- “Anonymous” version is made public
- Commissioner can decline to issue a report if the complainant has other
recourse available
|
24
|
- Court hearing
- A complainant (not the organization), after receiving the
Commissioner’s report, may apply to the Federal Court – Trial Division
for a hearing.
- Hearing is not an appeal of the Commissioner’s findings
- Court’s remedies include:
- Order the practice/physician to correct its practices in order to
comply with ss. 5-10 of the Act;
- Order the practice/physician to publish a notice of actions taken to
correct its practices; and
- Award damages, including damages for humiliation the complainant may
have suffered.
|
25
|
- Commissioner has the power to “make public any information relating to
the personal information management practices of an organization if the
Commissioner considers that it is in the public interest to do so.” s.
20(2).
- Commissioner can publicize information handling practices, even before
the Court has been given the opportunity to consider the matter.
- Commissioner’s pronouncements are privileged for the purposes of any law
related to libel or slander, so long as it is said in good faith.
|
26
|
- PIPEDA creates a number of offences about which employers must be aware.
It is unlawful to
- discipline or retaliate against an employee or independent contractor
who
- “Whistleblows” to the Commissioner about the employer’s privacy
practices;
- Refuses to do something contrary to Part I of the Act;
- Acts to prevent a contravention of Part I of the Act;
- Interferes with an investigation of the Commissioner
- destroy personal information before a complainant has exhausted his/her
recourse against the organization
|
27
|
- Worst-case scenarios
- The CMA has estimated that the law will require 1900 additional
physician-years to implement across Canada
- Some have suggested that the uncertainty of the law means that
physicians should “wait and see” to see how it is interpreted
- Not a good idea – you don’t want to be the test-case
- CMPA
- “practitioners who are not implementing privacy law requirements in
their province/territory might be at medico-legal risk.”
- Whether the CMPA will respond to defend against complaints is also
undetermined
- Colleges
- Whether non-compliance may be unprofessional conduct is unclear
- Generally recognized that regulated professionals (physicians, lawyers,
engineers, etc.) are ethically/professionally obliged to obey the law
|
28
|
- Appoint a privacy officer (I, X)
- Will need to be well trained / have good resources
- Develop a communications plan (II)
- You must tell your patients how you will use their information
- Develop a consent strategy (III)
- You need consent … how will you get it?
- Develop a privacy policy (VIII)
- Every organization that collects, uses and discloses personal
information in the course of commercial activity must make this
available.
- Allow individual access (IX)
- Put in place pre-release screening
- Implement safeguards (VII)
- Have your safeguards audited by a professional who is attuned to
privacy issues
- Train all staff (VIII, II, I)
|
29
|
- Medical Society of Nova Scotia (http://www.doctorsns.com)
- Good resources and links to assistance
- MSNS has been the most proactive provincial society
- Office of the Privacy Commissioner (http://www.privcom.gc.ca)
- Some very generic resources – not focused on the medical community
- Industry Canada Privacy Awareness Tools
(http://ecom.ic.gc.ca/epic/internet/inecic-ceac.nsf/en/h_gv00207e.html)
- Canadian Medical Association (http://www.cma.ca/privacy-shortcuts)
- “Shortcuts” with general information for physicians – legislation
agnostic
|
30
|
- David T.S. Fraser
- Chair, McInnes Cooper Privacy Law Practice Group
- Counsel, National Privacy Services Inc.
- david.fraser@mcinnescooper.com
- (902) 424-1347
|