Archive | Health privacy RSS feed for this section

No civil claim for misappropriated contact information says Ont SCJ

3 Nov

On October 25th the Ontario Superior Court of Justice dismissed certification motions in two actions that claimed damages for the misappropriation of contact information from a hospital information system. The information was taken and used to sell RESPs to the families of newborns.

Most significantly, the Court held there was no viable cause of action for intrusion upon seclusion because the information that was misappropriated did not support a breach that was serious enough to meet the standard established by the Court of Appeal for Ontario in Jones v Tsige. Justice Perell explained:

[151]      I generally agree with the Defendants’ arguments. It is plain and obvious in the case at bar that there is no tenable cause of action for intrusion on seclusion because there was no significant invasion of personal privacy and a reasonable person would not find the disclosure of contact information without the disclosure of medical, financial, or sensitive information, offensive or a cause for distress humiliation and anguish. The contact information that was the objective of the intrusion in the immediate case was not private, there was not a significant invasion of privacy, and the invasion of privacy was not highly offensive to an objective person.

[152]      In other words, in the immediate case, it is not the case that the disclosure of just contact information intrudes on the class members’ significant private affairs and concerns, and in the immediate case, it is not the case that the disclosure of contact information would be highly offensive to a reasonable person and cause her distress, humiliation, and anguish.

[153]      Generally speaking, there is no privacy in information in the public domain, and there is no reasonable expectation in contact information, which is in the public domain, being a private matter. Contact information is publicly available and is routinely and readily disclosed to strangers to confirm one’s identification, age, or address. People readily disclose their address and phone number to bank and store clerks, when booking train or plane tickets or when ordering a taxi or food delivery. Many people use their health cards for identification purposes. Save during the first trimester, the state of pregnancy, and the birth of child is rarely a purely private matter. The news of an anticipated birth and of a birth is typically shared and celebrated with family, friends, and colleagues and is often publicized. The case at bar is illustrative. All the proposed representative plaintiffs were not shy about sharing the news of the newborns.

Much will be said about this judgement. Here are some thoughts.

First. There’s an ambiguity . Justice Perell says there’s no reasonable expectation of privacy in the circumstances and the invasion is not “highly offensive.” How can there be an invasion if there’s no reasonable expectation of privacy? Reading the analysis as a whole, Justice Perell seems to be saying that there is an expectation of privacy (and a privacy breach), but not one that meets the “highly offensive” standard set in Jones v Tsige. This is a first.

Second. Justice Perell doesn’t use the “reasonable expectation of privacy” concept to delineate whether or not there has been an intrusion. I wish he did. For clarity’s sake, I’d like to see a merging of the REP doctrine developed in the Charter jurisprudence with the tort analysis. We’re talking about the same thing.

Third. Justice Perell was able to view the incident through a technical lens, analyzing each data element on its own and not in the broader context. Compare how he viewed the matter to the Toronto Star editors of this article. The difference is amazing.

Fourth. I don’t read paragraph 153 as endorsement of so-called “third-party doctrine.” Rather, it’s a very broad finding about the publicity of contact information. Contact information is too public in its quality to attract the protection of the common law, says Justice Perell. Compare this view to that of the Alberta OPIC, who has found that the loss of e-mail addresses alone (to a hacker, mind you) gives rise to a “real risk of significant harm.” Justice Perell’s finding (consistent with Jones v Tsige) suggests that the privacy statutes offer greater protection than the common law.

Fifth, I can’t help but think we’ll be litigating about what is and isn’t a breach of privacy for an eternity.

Broutzas v. Rouge Valley Health System, 2018 ONSC 6315 (CanLII).

Advertisements

In snooping investigations, disclose the logs

21 Dec

When an employer confronts an employee with an allegation of improper access to personal information, it is important to give the employee the event log data that proves the allegation. It may often be voluminous and difficult to interpret, but presenting a general allegation or summarizing events without particulars will give the employee a good reason to deny the allegation.

This is what happened in this very illustrative British Columbia case in which an arbitrator held he could not infer dishonesty from the grievor’s initial failure to admit wrongdoing because the grievor had not been given log data. Also, if an employee continues to deny responsibility, log data can be difficult to rely upon; even if it can be established to be authentic, there are issues about presenting log data in a meaningful and privacy-protective way. An early admission can go a long way.

Fraser Health Authority (Royal Columbian Hospital) v British Columbia Nurses’ Union, 2017 CanLII 72384 (BC LA).

IPC addresses PHIPA request for raw data

20 Dec

On September 29th, the IPC/Ontario held that PHIPA governs and provides a right of access to “raw data” about an identifiable individual. It also held that raw data is not subject to the right of access unless it can reasonably be severed from the repositories in which it is retained. The IPC said:

Having regard to the evidence before me, I conclude that where the extraction of the complainant’s information can be done through the development of conventional custom queries by hospital staff, based on information in reporting views available to the hospital, the complainant’s information can be reasonably severed for the purpose of section 52(3) of the Act.  The hospital’s obligation to provide access to this information, if the complainant wishes to pursue it, is met by providing him with the results of such queries.  The information need not be in native format, but can be in the format in which those results are generated through such queries.

“Reporting views” are tools that make generating certain types of reports from databases easier. The IPC has suggested that hospitals must provide access to data that can be extracted based on such tools together with “conventional queries”. Hospitals can charge a requesters a fee that represents reasonable cost recovery.

St. Michael’s Hospital (Re), 2017 CanLII 70006 (ON IPC).

IPC interprets prohibition on collecting health card numbers

20 Dec

Section 34(2) of PHIPA prohibits persons other than health information custodians or agents of health information custodians from collecting, using and disclosing health card numbers. There are some narrow exceptions, one of which applies when the collection, use or disclosure is “for purposes related to the provision of provincially funded health resources to [the] person [whose health card number is collected…].”

In a decision issued October 10th, the IPC said the following about the exception:

 Having regard to the above, I find the proper interpretation of section 34(2)(a) is that a collection or use of a health number will only be “related to the provision of provincially funded health resources” where the health number is collected or used for the purposes of the provincial funding of health resources, or directly obtaining those health resources.

The IPC therefore held that an insurance company could not routinely collect health card numbers on an application form for supplementary health insurance benefits. Although related in the broad sense, the insurance company did not routinely use the number to coordinate benefits. The IPC permitted the company to continue to collect health card numbers to obtain reimbursement for payments made under plans that provide for emergency medical travel coverage.

An insurance company (Re), 2017 CanLII 70023 (ON IPC).

Consent form decision imposes strict transparency requirement for handling employee medical information

9 Aug

Disputes about employer medical information consent forms are now common. It’s not hard to pick apart a form, and employers tend to suffer “cuts and bruises.” In once such case an arbitrator has recently held that an employer must identify “anyone with whom the information would be shared” in a consent form. The arbitrator also held that an employer must subsequently (and seemingly proactively) give notice of who is handling information:

I agree with the employer that it is not practical to obtain a new consent every time a manager or HR Specialist who is absent is temporarily replaced. However, the employer must advise the employee of the employer’s need and intention to share health information with a replacement and identify that individual by name and title. This would enable the employee to revoke the consent if he/she does not wish the health information to be shared with the individual replacing the manager or HR Specialist. If and when it becomes necessary to share health information with HR or legal services in order to seek advice, or to obtain approval from senior management with delegated authority, the employee should be informed of the title or office only of the person with whom information will be shared. The employee’s consent would not be required for the employer to be able to do so.

While there’s no debating an employee’s right of control, the degree of transparency required here is very high and operationally challenging in the least. “Person-based consents” (as opposed to “purpose-based consents”) can also restrict important flows of information in subtle yet problematic ways.

The best argument against person-based consents is one that refers to the public policy that is reflected in the Personal Health Information and Protection Act (which does not govern employers acting as employers except via section 49). Even in the health care context – where the standard should be higher, not lower than in the employment context given the limited range of information processed by employers – consent is deemed to exist for a certain purpose and information can flow to any health care provider for that purpose. This is subject to a “lock box” that gives patients the ability to shield their information from specific individuals, but the lock box essentially functions as an opt out. (For the nuances of how PHIPA’s “circle of care” concept works, see here.) Transparency is satisfied by the publication of a “written public statement” (a policy really) that “provides a general description of the custodian’s information practices.” There’s no reason to require more of employers.

OPSEU and Ontario (Treasury Board Secretariat), Re, 2017 CarswellOnt 11994.

Saskatchewan health authority criticized for slow incident response

26 Aug

Good incident response involves nailing your timing – not going too fast or too slow. 

On August 17th the Saskstchewan Information and Privacy Commissioner held that a health authority breached the Saskatchewan Health Information Privacy Act by failing to respond to an incident in a timely manner. 

The Commissioner’s report does describe a dilatory response – with a discovery of “snooping” in mid October 2015, an investigation that led to a paid suspension at the end of January 2016, notification to the Commissioner at the end of February 2016, notification to the Commissioner towards the end of March that the breach was bigger than first reported and eventual notification to affected individuals in July 2016. 

Think and don’t react, and you can even pause to momentarily to gain confidence in a next critical step, but always keep the ball moving.

Investigation Report 030-2016 (17 August 2016, Sask OIPC).  

The Saskatchewan OIPC okays health authority’s incident response

14 Jun

On June 8th, the Office of the Saskatchewan Information and Privacy Commissioner issued an investigation report in which it held that a regional health authority responded appropriately to a privacy breach. Most notably, the OIPC reinforced a recommendation about notification included in its 2015 publication, Privacy Breach Guidelines. The recommendation:

Unless there is a compelling reason not to, [health information] trustees should always notify affected individuals.

This is a novel and conservative variation on the normal harms-related principle that guides notification. It is simply a recommendation – and one directed only at public agencies and health information trustees in Saskatchewan. It is notable nonetheless, however, in that it reflects an arguably developing public sector norm. Right or wrong, there is a unique pressure on public sector institutions to notify that should always be considered as part of a public sector institution’s careful response to a data handling incident.

Investigation Report 101-2016 (8 June 2016).