HO, HO, HO-013 – Big order for Ontario hospitals lands just before the holidays

On December 16th the Information and Privacy Commissioner/Ontario issued its 13th order under the Personal Health Information Protection Act. It contains very detailed prescriptions pertaining to the PHIPA data security standard in section 12. The standard is contextual – i.e., the standard of care is always based on all the “circumstances.” However, given Ontario hospitals face similar foreseeable risks, hospitals should pay very close heed to the prescriptions in HO-013.

I’ll spare you a description of the background and get to the point. Here is a bulleted summary of the data security prescriptions in HO-13. Rather than describe each in detail I will give you very short (synthesized) descriptions and page references.

  1. Ensure that patient information systems support audits and investigations of system misuse. Collect reliable data on all access, copying, disclosure, modification and disposal of patient records. Retain data for a reasonable period of time. Pages 23 to 29.
  2. Conduct periodic audits for patient information system misuse: “Audits are essential technical safeguards for electronic information systems.” Conduct random audits on all system activity. Run a special audit program for “high profile” patients. Pages 32 to 34.
  3. Ensure that patient information systems feature reasonable search controls. Search controls should limit the ability of agents to perform “open-ended” searches. Pages 29 to 32.
  4. Ensure that patient information systems feature a login notice that appears on its own screen and requires express acknowledgement. Page 22.
  5. Conduct regular and comprehensive privacy training pursuant to a privacy training program policy. Require pre-authorization training and annual re-training. Training materials should be detailed and contain certain information prescribed in HO-013. Pages 34 to 36.
  6. Communicate regularly about privacy compliance and compliance duties pursuant to a privacy awareness program policy. Page 36.
  7. Administer a “pledge of confidentiality” that contains certain information prescribed in HO-013. Require agents to sign pre-authorization and annually. Pages 37 and 38.
  8. Maintain and administer a privacy breach management policy that meets particular requirements specified in HO-013. Pages 40 and 41.

Most hospitals will already have data security programs that feature many of the elements in the list above. Regardless, there are detailed requirements in HO-013 (not included in the summary above) that invite hospitals to conduct a broad gap analysis. Some gaps are likely to be closed easily and others may require the investment of additional ongoing resources – e.g., gaps with respect to training and communication programming. The most problematic prescriptions in HO-013 are those related to the modification of patient information systems. The prescriptions regarding search controls, for example, seem problematic and may create system usability (search) problems. The responding hospital did raise concerns about usability that the IPC dismissed.

Order HO-013 (IPC Ontario).

Scope of employer’s forensic examination criticized by PSLRB

There are a some notable points in a June 6th decision of the Public Service Labour Relations Board that upholds the discharge of a federal public servant for forwarding e-mails to his personal e-mail account.

The employer had discharged the employee for sending home restricted-access documents about internal job competitions, including documents related to a competition in which he had participated and documents containing the personal information of 108 other employees. The Board held that the grievor, who was an HR assistant, had engaged in a serious breach of trust and caused the employer embarrassment: “Progressive discipline does not apply to this case since very serious misconduct occurred.”

Although the Board dismissed the grievance with this strong and favorable employer endorsement, it did express a “concern” about the manner in which the employer conducted its forensic investigation into the grievor’s system usage. It said:

The grievor also raised concerns about the lack of concern that the employer showed for his privacy, specifically that it gave no specific instructions to Mr. Roussel about protecting the grievor’s privacy when Mr. Roussel conducted his investigation. I am also concerned about it. Furthermore, in the absence of such instructions, Mr. Roussel included in his report personal information about the grievor that had nothing to do with the purpose of the investigation, which was to inquire into the grievor conducting personal business using the employer’s network. I did not report on it since it was irrelevant to deciding the four grievances in front of me. However, this lack of respect for the grievor’s privacy does not reduce the seriousness of his misconduct. At this point, I can recommend only that in the future, the employer take employees’ privacy under consideration when conducting that type of investigation.

It’s not clear from the decision how exactly the employer erred given the Board’s limited description. In any event, employers should create and administer a protocol that governs non-routine access to system information and non-routine system monitoring – e.g., access for the purpose of conducting audits and investigations.

Gravelle v Deputy Head (Department of Justice), 2014 PSLRB 61 (CanLII).


In dispute over custodianship of medical files, balance favours established clinic

On May 22nd the Ontario Superior Court of Justice ordered medical files to be returned to a clinic by a departing doctor who claimed she had an independent practice and was the legal custodian of the files.

Justice Perell dismissed the defendant’s argument that a corporation could not be a “health information custodian” under the Personal Health Information Protection Act and held that the plaintiff clinic had made out a strong prima facie case that it had such status. His suggestion that the defendant was also a health information custodian could best be understood as a function of the qualified burden of proof on an interlocutory motion given, under PHIPA, there can be only one custodian of a record of personal health information.

Justice Perell’s balance of convenience analysis is noteworthy. He said the following about the public interest in providing patients with access to their personal health information pending final resolution of the dispute:

In considering the balance of convenience, it is appropriate to consider the interests of the patients whose health records have been removed from a health clinic to the home of a health care practitioner. In my opinion, a patient will have better access to his or her health records and the health care practitioner who will treat the patient during Dr. Simon’s semi-retirement will have better access to the health records if the records are at professional offices with normal business hours and full-time staff.

A plaintiff in a similar situation could similarly attempt to make a case for return of records based on a claim to relatively superior security measures, though the stakes of pursuing such an approach would be high.

Note that the plaintiff consented to a term permitting the defendant doctor to make copies of any file relating to a patient she had treated. This is a sensible thing to offer in a dispute over custodianship, but again, is inconsistent with the single custodian rule.

1615540 Ontario Inc. carrying on business as Healing Hands Message v Simon, 2013 ONSC 2986 (CanLII).

Access to e-mails, text messages and other ESI

I did double-duty today, also presenting on issues relating to control of corporate information in light of business computing trends like BYOD and cloud computing at day one of Osgoode PDP’s e-discovery certificate program. My slides are below.

Justice David Brown and Master Calum McLeod have written a number of the judgements I’ve blogged about here. I was able to stay for their lunch presentations on addressing the e-discovery burden. Justice Brown warned of a coming apocalypse (death by seppuku, to be precise) unless something gives way to break the e-discovery burden, starting with adversarial behavior in the discovery process. Master McLeod delivered similar message, though more from his in the trenches perspective – noting the wisdom of including ADR mechanisms into discovery plans and bifurcated discovery. Take note.

Child porn files seized from work computer admissible

On March 6th, the British Columbia Court of Appeal held that an accused’s section 8 Charter rights were violated when his work computer was seized by the police without a warrant but allowed the admission of evidence from the computer because it would not bring the administration of justice into disrepute.

The case illustrates that the standard for finding an objective reasonable expectation of privacy on a work computer following the Supreme Court of Canada’s decision in R v Cole is very low. While the record in Cole weighed particularly in favor of  an expectation of privacy finding, in this more recent case, the were no special facts. The employee (a school principal), for example, only used his work computer for browsing the internet. The Court nonetheless recognized a Charter-protected privacy interest.

Unfortunately, as in Cole, the record in this case did not appear to support any discussion of whether the computer was networked or the impact of the employer’s control over its network.

For an essay on what Cole means for employers, click here.

R v McNeice, 2013 BCCA 98 (CanLII).



Court orders safekeeping of medical records held by departed employee

On March 7th, the Ontario Superior Court of Justice issued an order to secure medical records held by a former employee of an addiction clinic.

The employee had copies of urinalysis reports stored on her personal e-mail account at the time of termination because she had used her personal e-mail account for work purposes. She allegedly used her continuing possession of the e-mails to extort the employer into offering reinstatement and later refused to return the e-mails, arguing they were evidence of the employer’s wrongdoing. (It is not clear from the decision what wrongdoing the employee alleges.)

The Court granted an ex parte order after applying the test for an Anton Piller. Notably, the order required the employee to turn control of her e-mail account to an independent supervising solicitor authorized to copy and retain the e-mails, delete the e-mails on the account and return control of the account to the employee. The Court authorized the employer to serve the order by e-mail.

Garber v Robinson, 2013 ONSC 1427 (CanLII).

The science of breach prevention and the art of breach response

Data loss prevention and response is a big topic now! The HRSDC lost hard drive is about a huge (but seemingly benign) incident that has attracted great attention. We also have the Obama administration’s attention to corporate network security – such attention given at a time in which sacrifices are being made to corporate network security based on trends such as BYOD.

Here is a practical guide that we’ve prepared to address the salient issues. We hope it’s useful to you.

Municipality breaches privacy statute by communicating via Facebook

Last September 27th, the Newfoundland and Labrador OIPC held that a municipality breached the Newfoundland Access to Information and Protection of Privacy Act because an employee, in the course of her duties, identified the Facebook accounts of two members of the public and messaged them through her own Facebook account.

The OIPC held that this use of Facebook led the municipality to engage in an improper use of personal information and breach its safeguarding duty. One problem, according to the OIPC, was the use of a means of communication not governed at all by the municipality:

Facebook is a social media website that is accessible from any computer or device which is capable of accessing the internet. In this sense, the use of Facebook by the Town employee may be akin to the removal of personal information from the Town office. This is further exacerbated by the use of the employee’s own personal account to engage in this communication. From this perspective, the information must be protected in the same manner as used by other public bodies which allow for the removal of personal information from their facilities.

The OIPC made clear, however, that communicating personal information through a Facebook account in a public body’s name is also inappropriate. It said:

For the various security and identification issues outlined above, there is no way to ensure that personal information is properly protected on these websites. If an individual requests that communications with a public body be carried out in this manner, the public body must first satisfy itself that the identity of the Facebook account holder is confirmed, and furthermore that express consent be obtained from the individual acknowledging that the privacy of the communication cannot be guaranteed.

The OIPC gives little reasoning about why communicating through a Facebook account in a public body’s name is less secure than communicating through other kinds of corporate email services, but the concept of channelling communications that include personal information through a consumer service like Facebook (which is neither designed as an email service nor targeted at business) raises obvious concerns.

Report P-2012-001 (27 November 2012, OIPC Newfoundland).

Social media and the law – three nuggets and one blawger’s tale #ALC2013

I’m posting this from beautiful Edmonton, where I presented at the Alberta Law Conference social media session together with Diane McLeod-McKay (Alberta OIPC, Director, Alberta PIPA) and Doug Jasinski (Skunkworks Creative Group). Thank you to our Chair and warm host, uber-librarian Shaunna Mireau (Field Law). It was a nice balanced session, with a little marketing and communication, a little core privacy and a little “other,” all of which came together nicely to give helpful picture to our lawyer audience.

I was the “other.” My slides are below and deal with (1) the “licensed communicator” concept for governing business use of social media, (2) the social media civil production cases and (3) preservation of social media evidence. I also (as asked) spoke a little about my own blogging experience, an enjoyable first.