The IPC/Ontario issued a privacy complaint report on July 3rd that illustrates the downside of protecting an employee who has gained unauthorized access to personal information.
The IPC likes institutions and health information custodians to hold employees accountable for gaining unauthorized access to personal information by imposing discipline and (controversially) sharing the details of the disciplinary response with affected individuals. It made this position clear in 2010 in HO-010. In this most recent report, it even suggested that institutions should have a policy that calls for disclosing the details of their disciplinary response barring exceptional circumstances.
The report is about an OPP clerk who gave access to an occurrence report about the complainant to an acquaintance who was the complainant’s landlord. The OPP admitted the breach but also shouldered the blame. It counseled the clerk and provided remedial training to all clerks. In its representations to the IPC the OPP said “The clerk appeared to have acted alone, and made a single error on one occasion resulting in the disclosure of a single record. We believe that this mistake was due to a lack of training, rather than as a result of malice or intent.”
The IPC quoted this representation twice before rejecting it and reiterating the principles from HO-010. It was a very problematic position to take given HO-010 and the sensitivity of the personal information in a police occurrence report. It is also hard to frame actions like the clerk’s as merely negligent.
The IPC then, as invited by the OPP’s position, engaged in a detailed analysis of the OPP privacy governance framework before making a number of negative findings about the OPP’s policies, procedures and training. One wonders whether the OPP’s privacy governance framework would have been questioned at all if it had simply assigned fault to the clerk.
Ontario institutions and health information custodians who are faced with a privacy breach need to conduct a thorough investigation with good causal analysis before the IPC gets involved. If fault lies with one or more employees, assigning fault and imposing appropriate consequences appears to be a relatively simple way to meet the IPC’s expectations. Taking such steps may even dissuade the IPC from asking broader and potentially more painful questions about organizational privacy governance.