Personal health information breaches are on the rise and the Office of the Information and Privacy Commissioner in Ontario is embarking on an internal review of its processes in this and other areas as cases become more prevalent.
Speaking to a gathering at the Ontario Bar Association last week about the IPC’s current priorities and recent hot-button issues, Brian Beamish, the IPC’s new commissioner, said one of his main goals is to help institutions deal with the issue of snooping by health care staff into patient records.
Beamish referenced the Rouge Valley Centenary Hospital case, in which the hospital revealed in June 2014 that contact details for about 8,300 patients at the hospital — mostly parents who had babies between 2009 and 2013 — had been given to private companies selling registered education savings plans.
“This was disturbing because it was the first time snooping had gone beyond curiosity or spite. Here it was motivated by financial gain,” said Beamish.
After a lengthy investigation, Beamish said the IPC determined the hospital’s audit function was insufficient and therefore issued an order to the hospital.
“The database being used to get contact information for mothers did not produce an audit trail. They were unable to tell which mothers had been affected, which required them to notify any woman who had given birth over a set period of time,” he said. “We felt any directory or database with personal health information should be auditable and produce an audit trail.”
The IPC also issued recommendations around privacy policies and training to Rouge Valley.
Rouge Valley has appealed the order. Beamish noted it is the first health order that has been appealed.
In January 2015, the IPC issued a guidance document on snooping, which covers consequences to individuals and deterrence.
Beamish was appointed to a five-year term as commissioner in March, succeeding Dr. Ann Cavoukian, who held it for three terms. He said the IPC is in a “transition period” in which there will be a “subtle shift” for the office.
“I think you will see the IPC turning more towards Ontario-based issues,” he said. “We want to look at what we can do for Ontario institutions to help them with their obligations under our acts.”
Ultimately, Beamish said the IPC’s job is to process access to information appeals and do privacy investigations under public sector acts and the PHIPA.
“Year over year, we experience an increase in file work. We know we are not going to get more resources to do that and that makes it incumbent upon us to make sure we’re providing services in the most efficient and effective way possible,” he said. “That will continue to be a real focus for us.”
In 2014, the IPC received 2,000 appeals and complaints including 439 PHIPA complaints, 280 privacy complaints, and 1,320 access appeals. Of those appeals, 70 per cent were resolved or screened out, mostly through mediation, and an order was issued in about 30 per cent of the cases.
By comparison, institutions reported to IPC that they received about 60,000 requests for access to information last year.
Of the 439 PHIPA complaints received in 2014, most were related to breaches of personal health information, said Sherry Liang, assistant commissioner for tribunal services.
“Typically, most of those are self-reported, some come from patients and some of the 439 are about access to ones own personal health information,” she said. “My sense over the last couple of months is that the PHIPA breaches are on the rise [mostly reported by the institutions]. I think you will see more in 2015 than in 2014.”
Liang is launching an internal review of how the IPC deals with PHIPA complaints, with a focus on looking at efficiency, transparency, and fairness.
“After 10 years with PHIPA, it’s a good time to review and update our processes,” she said.
The IPC is also using other recent cases to help inform and review its policies.
Recently the IPC investigated a case involving a homeowner’s complaint that information from her application for a minor variance was being posted online by the City of Vaughan. The woman’s name and address were in the application and she felt it was a breach of her privacy.
The IPC decided posting that information was permitted by Ontario’s Municipal Freedom of Information and Protection of Privacy Act.
“It was part of a Planning Act process where these applications must be made available to the public for comment by interested parties. We recognize the Planning Act does require this information be made public in some form and the fact this municipality was using the Internet to do it did not take it outside MFIPPA,” said Liang.
But while it made that finding, the IPC did recognize it is an important issue for municipalities that want to disseminate their information online, but at the same time it does raise privacy concerns over the lack of control over the eventual dissemination of the data.
Therefore the IPC is planning to come up with guidelines for municipalities around use of that kind of information.
“We recognize there are systemic issues where the community could use some guidance,” she said.
In another case involving the Guelph Police Service, a complainant was concerned about use of his Youth Criminal Justice Act information as part of a police reference check.
The IPC concluded use of the information was clearly prohibited by the YCJA.
“The YCJA is a complete code for the use and disclosure of information about young offenders collected under that act. We decided it could not be a permitted use under MFIPPA,” said Liang.
Police record checks are also being looked at by assistant commissioner David Goodis who said there is a “growing concern” employers are obtaining irrelevant information, such as non-conviction information. The IPC has been pushing for legislative reform in this area.
“We’ve been pushing for consistency in this area and the [Ontario Association of Chiefs of Police] have developed good guidelines in how to conduct these record checks but the problem is not every police service in Ontario adheres to these guidelines,” he says.
“We’d also like to see a mechanism for redress if too much information is disclosed,” he added.
The IPC also investigated a case where a Toronto woman was denied entry to the United States due to a mental health concern. A few years prior, she had attempted suicide and the information was in CPIC because a 911 call was made when she was in crisis.
The IPC concluded when police upload information about a suicide it should be permissible only if there’s a valid public safety concern. For example, someone waving a gun around would be seen to be a bigger public safety concern versus someone who took too many pills.
“Most police services have complied with our guidelines but the Toronto Police Service has refused to do so, so we brought an application for judicial review and asked the Divisional Court to require the Toronto Police to comply with our reading of the legislation,” said Goodis.
A hearing on it is expected this fall.
Police officers wearing body cameras has also drawn attention in Ontario regarding how the information they gather will be used and managed.
“There’s a lot of support for body-worn cameras,” says Beamish. “There’s no question though the cameras will be collecting a lot of personal information and there needs to be protection for that information.”
He has met with police organizations about it and the need for “rigorous governance structure” in place, such as how the images will be secured, whether the cameras will be on all of the time, and how long will the image be retained.
Speaking to a gathering at the Ontario Bar Association last week about the IPC’s current priorities and recent hot-button issues, Brian Beamish, the IPC’s new commissioner, said one of his main goals is to help institutions deal with the issue of snooping by health care staff into patient records.
Beamish referenced the Rouge Valley Centenary Hospital case, in which the hospital revealed in June 2014 that contact details for about 8,300 patients at the hospital — mostly parents who had babies between 2009 and 2013 — had been given to private companies selling registered education savings plans.
“This was disturbing because it was the first time snooping had gone beyond curiosity or spite. Here it was motivated by financial gain,” said Beamish.
After a lengthy investigation, Beamish said the IPC determined the hospital’s audit function was insufficient and therefore issued an order to the hospital.
“The database being used to get contact information for mothers did not produce an audit trail. They were unable to tell which mothers had been affected, which required them to notify any woman who had given birth over a set period of time,” he said. “We felt any directory or database with personal health information should be auditable and produce an audit trail.”
The IPC also issued recommendations around privacy policies and training to Rouge Valley.
Rouge Valley has appealed the order. Beamish noted it is the first health order that has been appealed.
In January 2015, the IPC issued a guidance document on snooping, which covers consequences to individuals and deterrence.
Beamish was appointed to a five-year term as commissioner in March, succeeding Dr. Ann Cavoukian, who held it for three terms. He said the IPC is in a “transition period” in which there will be a “subtle shift” for the office.
“I think you will see the IPC turning more towards Ontario-based issues,” he said. “We want to look at what we can do for Ontario institutions to help them with their obligations under our acts.”
Ultimately, Beamish said the IPC’s job is to process access to information appeals and do privacy investigations under public sector acts and the PHIPA.
“Year over year, we experience an increase in file work. We know we are not going to get more resources to do that and that makes it incumbent upon us to make sure we’re providing services in the most efficient and effective way possible,” he said. “That will continue to be a real focus for us.”
In 2014, the IPC received 2,000 appeals and complaints including 439 PHIPA complaints, 280 privacy complaints, and 1,320 access appeals. Of those appeals, 70 per cent were resolved or screened out, mostly through mediation, and an order was issued in about 30 per cent of the cases.
By comparison, institutions reported to IPC that they received about 60,000 requests for access to information last year.
Of the 439 PHIPA complaints received in 2014, most were related to breaches of personal health information, said Sherry Liang, assistant commissioner for tribunal services.
“Typically, most of those are self-reported, some come from patients and some of the 439 are about access to ones own personal health information,” she said. “My sense over the last couple of months is that the PHIPA breaches are on the rise [mostly reported by the institutions]. I think you will see more in 2015 than in 2014.”
Liang is launching an internal review of how the IPC deals with PHIPA complaints, with a focus on looking at efficiency, transparency, and fairness.
“After 10 years with PHIPA, it’s a good time to review and update our processes,” she said.
The IPC is also using other recent cases to help inform and review its policies.
Recently the IPC investigated a case involving a homeowner’s complaint that information from her application for a minor variance was being posted online by the City of Vaughan. The woman’s name and address were in the application and she felt it was a breach of her privacy.
The IPC decided posting that information was permitted by Ontario’s Municipal Freedom of Information and Protection of Privacy Act.
“It was part of a Planning Act process where these applications must be made available to the public for comment by interested parties. We recognize the Planning Act does require this information be made public in some form and the fact this municipality was using the Internet to do it did not take it outside MFIPPA,” said Liang.
But while it made that finding, the IPC did recognize it is an important issue for municipalities that want to disseminate their information online, but at the same time it does raise privacy concerns over the lack of control over the eventual dissemination of the data.
Therefore the IPC is planning to come up with guidelines for municipalities around use of that kind of information.
“We recognize there are systemic issues where the community could use some guidance,” she said.
In another case involving the Guelph Police Service, a complainant was concerned about use of his Youth Criminal Justice Act information as part of a police reference check.
The IPC concluded use of the information was clearly prohibited by the YCJA.
“The YCJA is a complete code for the use and disclosure of information about young offenders collected under that act. We decided it could not be a permitted use under MFIPPA,” said Liang.
Police record checks are also being looked at by assistant commissioner David Goodis who said there is a “growing concern” employers are obtaining irrelevant information, such as non-conviction information. The IPC has been pushing for legislative reform in this area.
“We’ve been pushing for consistency in this area and the [Ontario Association of Chiefs of Police] have developed good guidelines in how to conduct these record checks but the problem is not every police service in Ontario adheres to these guidelines,” he says.
“We’d also like to see a mechanism for redress if too much information is disclosed,” he added.
The IPC also investigated a case where a Toronto woman was denied entry to the United States due to a mental health concern. A few years prior, she had attempted suicide and the information was in CPIC because a 911 call was made when she was in crisis.
The IPC concluded when police upload information about a suicide it should be permissible only if there’s a valid public safety concern. For example, someone waving a gun around would be seen to be a bigger public safety concern versus someone who took too many pills.
“Most police services have complied with our guidelines but the Toronto Police Service has refused to do so, so we brought an application for judicial review and asked the Divisional Court to require the Toronto Police to comply with our reading of the legislation,” said Goodis.
A hearing on it is expected this fall.
Police officers wearing body cameras has also drawn attention in Ontario regarding how the information they gather will be used and managed.
“There’s a lot of support for body-worn cameras,” says Beamish. “There’s no question though the cameras will be collecting a lot of personal information and there needs to be protection for that information.”
He has met with police organizations about it and the need for “rigorous governance structure” in place, such as how the images will be secured, whether the cameras will be on all of the time, and how long will the image be retained.