Privacy breach management and reporting is certainly receiving a great deal of attention in Canada. As of February 1st, 2023, public bodies in B.C. are required to report privacy breaches to the Information and Privacy Commissioner of British Columbia if the breach could reasonably be expected to result in significant harm. The new requirement, which was among the amendments to the B.C. Freedom of Information and Protection of Privacy Act (FIPPA) enacted in November 2021, was welcomed by Michael McEvoy, the B.C. Commissioner. A guidance document published by the Commissioner’s office provides a useful list of examples of breaches that could result in significant harm.
Meanwhile, turning to the health sector, health information custodians in Ontario are required to provide the Information and Privacy Commissioner of Ontario with an annual report, due March 1st, of privacy breaches that occurred during the previous calendar year. This requirement is found in section 6.4 of Ontario Regulation 329/04, made under the Personal Health Information Protection Act, 2004, and sets out that custodians must identify in their report the number of times in the previous calendar year that personal health information (PHI) was stolen, lost, used or disclosed without authority, or collected by means of the electronic health record without authority. The Ontario Commissioner has published detailed guidance on what to include in the annual statistics report.
On the East Coast, Nova Scotia’s Information and Privacy Commissioner Tricia Ralph began investigating a series of privacy breaches in August 2020, after the province’s health authority voluntarily reported that it had caught eight employees snooping in the electronic health records of individuals.
Nova Scotia Health investigated the eight employees and found that some had snooped into many patients’ records over a number of years, looking up friends, colleagues and acquaintances to whom they were not providing care. In total, 1,200 privacy breaches affecting 270 individuals were uncovered.
Medical records snooping has been a serious concern across Canada over the past 10 years amongst public health authorities, hospitals and clinics.
In addition to policies and training to reduce the risk of medical snooping, Commissioner Ralph stressed the importance of segregating data so that staff cannot get to PHI they should not be privy to. Using technology to identify unauthorized access to patients’ PHI for non-treatment purposes should no longer be optional in the health sector either. Regulators are rightfully expecting technology that identifies who is viewing a record, not just who is making edits, to be in place. Nova Scotia Health could have detected snooping into medical records in its electronic information systems much sooner if readily available tools that raise alerts when activity is suspicious had been actively deployed.
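As an added illustration of the kind of check described above (example code written for this post, not a tool used by Nova Scotia Health or any regulator), the script below runs over a small constructed record-access audit log that records view events as well as edits, and flags staff who looked up patients they had no treatment relationship with. The care-team mapping, the log format and the alert threshold are all assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample audit log: one row per record access. Note that "view"
# events are logged, not only "edit" events; that is the whole point.
AUDIT_LOG = """timestamp,user,patient,action
2020-08-03T09:12:00,nurse_a,p100,view
2020-08-03T09:13:00,nurse_a,p100,edit
2020-08-03T12:40:00,clerk_b,p100,view
2020-08-03T12:41:00,clerk_b,p101,view
2020-08-03T12:42:00,clerk_b,p102,view
2020-08-04T08:00:00,dr_c,p101,view
2020-08-04T08:05:00,clerk_b,p103,view
"""

# Constructed treatment relationships; in practice this would be derived from
# admission, scheduling or referral data for the period being reviewed.
CARE_TEAM = {
    "p100": {"nurse_a", "dr_c"},
    "p101": {"dr_c"},
    "p102": {"nurse_a"},
    "p103": {"dr_c"},
}


def parse_log(text):
    """Parse the CSV audit log into a list of event dicts."""
    return list(csv.DictReader(StringIO(text)))


def find_unauthorized_accesses(events, care_team):
    """Every access (view or edit) by a user with no treatment relationship."""
    return [e for e in events if e["user"] not in care_team.get(e["patient"], set())]


def snooping_alerts(events, care_team, threshold=3):
    """Users who accessed at least `threshold` distinct patients outside their care."""
    per_user = defaultdict(set)
    for e in find_unauthorized_accesses(events, care_team):
        per_user[e["user"]].add(e["patient"])
    return {u: sorted(p) for u, p in per_user.items() if len(p) >= threshold}


def missed_by_edit_only_audit(events, care_team):
    """Unauthorized accesses that an audit trail of edits alone would never show."""
    return [e for e in find_unauthorized_accesses(events, care_team) if e["action"] == "view"]
```

In this sample every one of clerk_b’s accesses is a read-only view, so an audit trail that logged only edits would report nothing at all.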
I believe the trend towards mandatory versus voluntary breach reporting will continue in Canada. PRIVATECH’s upcoming CIPP/C training course will highlight recent developments in Canadian privacy for the private, public and health sectors. Whether you intend to certify as an information privacy professional or not, this in-depth course will ensure you are up to date on privacy laws in Canada, recent investigations to learn from, and regulator expectations at the provincial and federal levels. Early bird pricing on the certification prep bundle ends March 6th. Contact firstname.lastname@example.org for training-only options!