PrivaTalk - January 2004
Volume 4
Issue 1
Ontario Introduces Health Privacy Legislation
On December 17th, the McGuinty government introduced the Health Information Protection Act (HIPA). This bill is intended to establish consistent and comprehensive rules, safeguards and legal protections, governing the collection, use and sharing of health information.
Oversight and enforcement of the new act would fall to Ontario’s Information and Privacy Commissioner, Anne Cavoukian. According to Cavoukian, this is legislation that is urgently needed and long overdue.
Personal health information is defined in the bill as certain information about an individual, whether living or deceased and whether in oral or recorded form. It is information that can identify an individual and that relates to matters such as the individual’s physical or mental health, the providing of health care to the individual, payments or eligibility for health care in respect of the individual, the donation by the individual of a body part or bodily substance and the individual’s health number. Health information custodians are defined as listed persons, such as a health care practitioner, the operator of a hospital, nursing home, pharmacy or ambulance service or the Minister of Health and Long-Term Care, who have custody or control of personal health information as a result of the work that they do or in connection with the powers or duties they perform. The regulations made under the Act may specify other custodians.
Subject to few exceptions, if there is a conflict between a confidentiality provision in HIPA and one in another Act, HIPA prevails unless HIPA or the other Act specifically provides otherwise.
Part II of the bill sets out duties of health information custodians with respect to personal health information. A custodian must have in place information practices with respect to its collection, use and disclosure of personal health information and the administrative, technical and physical safeguards that it maintains with respect to the information. It must also take reasonable steps to ensure that records that it makes of personal health information are accurate and that the information is protected against unauthorized use or disclosure. A custodian must notify an individual if information about the individual is stolen, lost, or accessed by unauthorized persons.
A health information custodian must make available to the public a statement that describes its information practices, how to contact its contact person, how an individual can obtain access to or request correction of a record of personal health information about the individual and how to make a complaint to the custodian and the Commissioner. A custodian must notify individuals of its uses and disclosures of personal health information that fall outside the scope of the custodian’s description of its information practices.
Part III of the bill sets out rules concerning consent to the collection, use or disclosure of personal health information. No health information custodian is permitted to collect, use or disclose personal health information about an individual without the individual’s consent unless it is permitted or required by HIPA. Consent must either be expressly given by the individual or be implied; however, certain consents cannot be implied. An example is the consent to the disclosure of personal health information by a health information custodian to a person who is not a health information custodian.
An individual may withdraw a consent that the individual has given. An individual is capable of consenting to the collection, use or disclosure of personal health information if the individual is able to understand the purposes of the collection, use or disclosure, as the case may be, and to appreciate the reasonably foreseeable consequences of giving or withholding the consent. A person whom an individual has authorized to act on his or her behalf may give consent for the individual. If an individual is incapable of giving consent, a substitute decision-maker may give consent.
Part IV specifies that a health information custodian must not collect, use or disclose personal health information if other information can serve the purpose and may collect, use or disclose only as much personal health information as is reasonably necessary for the purpose. The Part contains restrictions on the collection, use or disclosure by any person of another person’s health number.
The Part also sets out circumstances in which a health information custodian may collect, use or disclose personal health information about an individual without the individual’s consent. The list of circumstances for disclosure includes disclosure for the purpose of providing health care to an individual if it is not reasonably possible to obtain the individual’s consent in a timely manner, but not if the individual has instructed the custodian not to disclose the information. The list also includes disclosure to a medical officer of health for public health protection purposes, disclosure if another Act permits or requires it, disclosure for the purposes of research to be performed in accordance with a research plan approved by a research ethics board and disclosure to the Minister of Health and Long-Term Care for monitoring payments for health care funded in whole or in part by the Ministry. The Minister may direct a health information custodian to disclose personal health information to a health data institute for the purposes of analysis with respect to the management or evaluation of all or part of the health system.
Part V provides that an individual is entitled to access to a record of personal health information about the individual that is kept by a health information custodian, except in certain cases such as where the information relates solely to monitoring the quality of health care provided in a health facility. The Part sets out procedures for granting and refusing access and for requesting corrections to personal health information. An individual who disagrees with a decision of the custodian is entitled to make a complaint to the Information and Privacy Commissioner.
Part VI of the bill deals with administration and enforcement. A person who has reasonable grounds to believe that another person has contravened or is about to contravene a provision of HIPA or its regulations may make a complaint to the Information and Privacy Commissioner. Upon receiving a complaint, the Commissioner may take a number of steps, such as requiring the complainant to try to effect a settlement, arranging for mediation or conducting a review. The Commissioner may also conduct a review related to an actual or an imminent contravention of HIPA or its regulations, whether or not a person has made a complaint. If the Commissioner conducts a review, this Part sets out circumstances in which an inspector appointed by the Commissioner may enter and inspect a premises without a warrant or with a warrant. In connection with an inspection, the inspector may also demand the production of documents or inquire into information and information practices of a health information custodian.
After conducting a review, the Commissioner may make a range of orders, including orders directing any person whose activities the Commissioner has reviewed to perform a duty imposed by HIPA, directing a health information custodian to grant an individual access to a requested record and directing a health information custodian to implement an information practice that the Commissioner specifies. If the Commissioner has made an order as a result of a contravention of HIPA, a person affected by the contravention may bring an action for damages. Offences for contravening certain provisions of HIPA are also outlined in the bill.
HIPA, as proposed for first reading, can be found at http://www.ontla.on.ca/documents/Bills/38_Parliament/Session1/b031.pdf.
Although the Ontario government failed to introduce broad private sector privacy legislation before 2004, the introduction of health privacy legislation is a great start – particularly given the sensitivity of health information. The Ontario Information and Privacy Commissioner is quite pleased with the legislation but has stated that she would have liked to see a requirement that a health information custodian notify her office of a privacy breach if committed. She will have to rely on individual notification through the complaint process to ensure that the organization has taken appropriate steps to prevent a similar breach from occurring in the future.
New Federal Privacy Commissioner Appointed
The new Federal Privacy Commissioner, Jennifer Stoddart, who took over the role of Canada’s privacy watchdog on December 1st, nearly five months after a disgraced George Radwanski resigned from the post, recently told businesses seeking to understand and comply with the country’s new privacy legislation not to panic. On January 1st, the final phase of the Personal Information Protection and Electronic Documents Act (PIPEDA) came into force. Every business across Canada that collects and uses customer information for commercial purposes now needs to comply, either with the federal law or with similar legislation in British Columbia, Alberta and Quebec.
Stoddart made a public statement stating that the Commissioner’s office is going to be very sympathetic to the problems of trying to implement “a law of this sophistication”. At the same time, she warned that “repeat offenders” risk being publicly humiliated if it serves the public interest. Stoddart was previously the privacy commissioner of Quebec, the first province to introduce private-sector privacy legislation back in the mid-1990s.
PIPEDA is going to require businesses to appoint a privacy point-person and put systems in place to make sure customer information is secure, accurate, gathered with consent and not used beyond a stated purpose. The far-reaching nature of the law is going to catch many organizations off-guard, particularly small businesses that have never heard of the legislation or simply don’t know how to comply with it. A survey conducted last year for the Canadian Chamber of Commerce found that 81 per cent of small and mid-sized businesses were nearly clueless about the need to comply with new privacy legislation. The situation has improved, but a substantial number of businesses remain in the dark.
The new commissioner has a challenging job ahead of her as she tries to juggle enforcement of a new private sector law, educate businesses about the new rules, while continuing the path of healing an office that was severely damaged by the Radwanski scandal. Stoddart seems highly qualified to take on this task, given her years of experience in Quebec where she was the only commissioner in Canada to oversee a private sector privacy law.
Stoddart describes her work style as consultative, and has said that she learned from her time in Quebec that great effort must be taken to reach out to small business groups and make sure they’re getting the message. Her office has already begun to beef up education and outreach efforts. This includes an “E-kit” for businesses on the Commissioner’s Web site (http://www.privcom.gc.ca), which includes a privacy questionnaire and a link to a PowerPoint presentation that businesses can download and use for their own internal education programs.
One of the questions Stoddart said she asked before taking the job is whether she could publicly name companies that have violated the law. Publicly disclosing the names of lawbreakers is one of the few tools of enforcement a Commissioner has. Although Stoddart promises to use this power on a reasoned, rational, defendable basis, it is quite clear that the Commissioner has no qualms about revealing names in order to ensure companies change their behaviour. Thus, businesses should be well aware that there could be significant reputational costs for non-compliance that could permanently damage customer relations.
As 2004 unfolds and we see decisions coming from the new Commissioner, we will get a clear sense of just how often the Commissioner uses her public disclosure powers.
Peculiar Application of PIPEDA in a Wrongful Dismissal Case
Most employers would presume that, if an employee off work with a back injury is caught engaging in strenuous activity, he can be fired for fraud or malingering.
Michael Ross, a nine-year driver for Rosedale Transport, claimed to have suffered a back injury, preventing him from performing his job. As result, he was assigned light clerical and administrative duties at Rosedale’s Barrie terminal. One day Ross told his supervisor he had recently bought a house and was moving on the upcoming Saturday. Rosedale, suspecting Ross’s injuries to be spurious, retained a private investigator. Ross was videotaped loading furniture onto a pickup truck on the day of the move.
Upon his return to work, Ross was confronted with the videotaped evidence and accused of fraud and malingering. He was provided the option of resigning. When he refused to, he was dismissed.
Like every employee in the federal private sector, Ross had the choice of suing for wrongful dismissal in court or filing an unjust dismissal claim under the Canada Labour Code. The Minister of Labour appoints an adjudicator to hear the case, who has considerably more powers than a court, and can award both damages and reinstatement. Ross opted for this more powerful adjudication route.
At the hearing, Ross objected to the admissibility of the videotaped evidence, contending that it was obtained without his consent, in violation of the federal privacy statute, the Personal Information Protection and Electronic Documents Act (PIPEDA).
The employer argued the videotaped evidence, even though gathered without Ross’s consent, should be admitted since it related to the investigation of a breach of his employment agreement. It noted that, if an employer had to inform employees they were under surveillance, accurate information could never be gathered, and fraudsters would operate with impunity. In this case, if the tape was barred, Rosedale would have no evidence to support its case. These arguments are exactly in line with advice given to private investigators by the previous Commissioner. He stated that there are two relevant circumstances where PIPEDA allows information to be collected without consent. One is where the knowledge or consent of the individual would compromise the availability or accuracy of the information, and the other is where the collection is “reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province”, as set out in PIPEDA.
Radwanski assured private investigators that the privacy legislation would not prevent them from operating. Surprisingly, the adjudicator upheld Ross’s objection. According to him, it was unacceptably intrusive for Rosedale to conduct the video surveillance without Ross’s knowledge merely because it was suspicious of him, even though those suspicions apparently proved to be well founded. The adjudicator’s view was that, since Rosedale had received a physician’s statement specifying that Ross was only fit for clerical duties, Rosedale should have had no grounds to suspect malingering.
What, according to the adjudicator, was the employer to do if it suspected the employee of being less than truthful about his injury? He answered that Rosedale had the choice to require him to obtain an independent medical examination, rather than conducting video surveillance. The adjudicator proceeded to award Ross 58 weeks’ salary plus legal costs.
In his zeal to secure privacy rights, the adjudicator delivered a significant blow to employers’ rights, as well as good sense. My question is, if an employee does not consent to an independent medical examination, what then? Videotaped evidence is certainly less intrusive of privacy than an unwanted medical examination!
The drawback to any physician’s examination is that it is usually subjective. Symptoms are ascertained based generally on what the patient tells the doctor. In contrast, videotaped evidence shows what an employee actually does, unrehearsed. It seems that the adjudicator could have admitted the evidence based on a common-sense recognition of the value of such information in combating fraud. Instead, he effectively deprived this employer of one of the few remaining weapons in its arsenal in dealing with malingering.
From a privacy perspective, this case seems to be a misapplication of PIPEDA and one that future labour decisions hopefully won’t follow!
The UK’s New Privacy and Electronic Communications Regulations
New rules to deal with unsolicited commercial e-mail, cookies and other privacy issues in electronic communications came into force in the UK on December 11th. The UK’s Privacy and Electronic Communications Regulations implement an EU Directive and require the following:
- Businesses must gain prior consent before sending unsolicited advertising e-mail to individuals, except where there is an existing customer relationship;
- The use of cookies or other tracking devices must be clearly indicated and people must be given the opportunity to reject them. (Cookies are small text files used by most commercial web sites. The files are sent from a web server to a web site visitor’s computer and are stored on the hard drive, so that when the user visits the web site again or visits another page of the site, the site will remember the user);
- Network operators and their partners will be able to provide subscription and advertising services to their customers based on location and traffic data, as long as subscribers give their consent and are informed of the data processing implications; and,
- Individuals must be able to decide if they wish to be listed in subscriber directories. Clear information about the directory must also be given, e.g. whether further contact details can be obtained from just a telephone number or a name and address.
Corporate subscribers are exempt from the prior consent rule for e-mail marketing, which means that spam to office e-mail accounts does not breach these Regulations, provided proper sender and contact details are given and opt-out requests are respected. (It is worth noting, though, that the collection and use of the e-mail addresses being targeted by spam may well breach the UK’s Data Protection Act.)
Communications Minister Stephen Timms issued the following statement regarding the new Regulations:
“The Office of the Information Commissioner, an independent authority that reports directly to parliament, will enforce the regulations. Breach of enforcement orders issued by the Information Commissioner is a criminal offence liable to a fine of up to £5,000 in a magistrate’s court, or an unlimited fine if the trial is before a jury. Anyone who has suffered damages because the Regulations have been breached has the right to sue the person responsible for compensation.”
The Government has been careful to avoid any suggestion that these Regulations will solve the problem of spam. In fact, few expect the Regulations to have any real impact on the volumes of spam received by UK individuals.
Most spam comes from outside the EU, and given that it is often misleading, fraudulent or pornographic in nature, the senders often already breach other laws without caring. But critics have pointed out that by exempting corporate subscribers, the UK’s Regulations could have the unfortunate effect of actually encouraging more spam.
According to research from WebAbacus, ninety-eight per cent of UK websites are breaking the Privacy and Electronic Communication Regulations. Webmasters should take note of the law because WebAbacus indicates that most UK sites do not inform users about the cookies that are used to track their movements, or give the required single-click opt-out options.
The Information Commissioner recently published guidelines that aim to help those seeking to comply with the new rules. Although the UK did not meet the implementation deadline set by the EU of October 31st, it is still further forward than the majority of EU Member States.
The EU Commission has sent letters of formal notice, the first stage of infringement proceedings, to nine states that have not yet implemented the Directive: Belgium, Germany, Greece, France, Luxembourg, the Netherlands, Portugal, Finland and Sweden.
Survey shows the Canadian Telecommunications Industry Needs to Better Protect Privacy
Fewer than two thirds of Canadian telcos respond to all online inquiries and more than a third share their customers’ personal data without permission, according to a recent survey of carriers across the country.
The survey, conducted by The Customer Respect Group Inc. (http://www.customerrespect.com/) of Bellevue, Washington, saw Rogers Communications Inc. score best, while Aliant Communications Inc. had the lowest overall score. In general, Canadian telecom firms did worse than their U.S. counterparts did in similar surveys by the same research firm earlier this year.
The rankings are based on such factors as speed of response to online customer inquiries, the simplicity and ease of navigation of the companies’ Web sites, whether sites are customer-focused and friendly and the companies’ privacy policies. Customer Respect Group evaluates companies by studying their Web sites and sending test inquiries to determine response time.
The Canadian survey included 11 companies. Rogers ranked first with nine points out of a possible 10, followed by Bell Canada with eight and Microcell Solutions Inc. with 6.8.
The other eight companies in order of ranking were Cogeco Cable Inc. (6.2 points), Sprint Canada Inc. (6.0), Telus Corp. (5.7), Allstream Corp. (5.5), 360networks Corp. (5.2), Shaw Communications (4.9), Videotron Ltee. (4.7) and Aliant Corp. (3.5). The Canadian companies averaged 6.0 points, while the average of the latest U.S. survey was 7.0.
Rogers and Bell scored best on principles and transparency – including privacy issues – and Telus and 360networks were also strong in this area.
The survey found 73 per cent of telecom firms post privacy policies on their Web sites to explain how customers’ personal data will be used. Of those, 25 per cent do not collect data or use it only for internal purposes, 38 per cent share it with affiliates or subsidiaries, and 37 per cent share data without customer permission.
It also found that 18 per cent of the firms surveyed did not respond to any customer inquiries. Two others responded to only half of the inquiries received – one within 48 hours, the other after four days.
The telcos have been governed by Canada’s Personal Information Protection and Electronic Documents Act since 2001. The results of this survey are therefore surprising and a clear indicator that there is still much work to be done to put customers’ interests first.
Canadian Privacy Project Underway at the University of Ottawa
Whether for the sake of speed, efficiency, security, or marketing, Internet users are increasingly required to “identify” themselves by providing significant amounts of personal information. This process does not stop once individuals have gained access to a particular database or network; their activities and interactions can be further recorded and monitored.
For Ian Kerr, who holds the Canada Research Chair in Ethics, Law, and Technology at the University of Ottawa’s Faculty of Law, the extent of this identification has significant implications for our society. He has pointed out that networks such as the World Wide Web are the most visible aspect of the technology that threatens privacy. Recognizing the deep social significance of our shifting architectures, Kerr has assembled a multi-disciplinary team of 23 researchers who represent the academic, public, private, and not-for-profit sectors, including philosophers, ethicists, feminists, cognitive scientists, lawyers, cryptographers, engineers, policy analysts, government policy makers, privacy experts, and business leaders.
The diverse interests and experience of this group are being united in a major project, entitled “On the Identity Trail: Understanding the Importance and Impact of Anonymity and Authentication in a Networked Society.” Over the next four years, this undertaking will receive almost $3 million in funding from the Social Sciences and Humanities Research Council of Canada, along with more than $1 million from corporate and non-governmental partners.
The work is collaborative in nature, contemplating three broad research themes. The first will examine the social and philosophical concepts of identity, anonymity, and authentication. The second considers the constitutional and legal aspects of anonymity, which present a number of policy dilemmas for legislators and regulatory agencies, especially in an age of heightened security. The third theme focuses on the diverse range of technologies that make it possible to control identity, anonymity, and authentication, such as powerful forms of encryption that enable individuals to restrict intrusions into their lives.
The search for a means of understanding and integrating the technologies that shape so much of our lives without sacrificing personal dignity is just one facet of this project’s ambitious aim of better understanding the social significance of the distributed intelligence that surrounds us. Over the next four years, Kerr’s group will present its findings to the media, discuss privacy issues with the Department of Justice, universities and public advocacy interest groups and develop materials like an access-to-information guide, a privacy encyclopedia and a book.
According to Kerr, Canada’s Personal Information Protection and Electronic Documents Act fails to clearly address a person’s anonymity. He hopes to convince legislators and policy makers that amendments to the Act need to be made.