Amendments to Manitoba’s patient privacy law are now in effect. The controversial changes to The Personal Health Information Act went largely unnoticed in the province, but will have big implications for Manitobans and the fundraising foundations that many hospitals, personal care homes or other designated health care facilities rely upon to support innovation in health research and patient care. What were these amendments and why are they controversial?
Continuing a series of blog posts that I’m calling “A Conversation with…“, I’m pleased to post the following conversation with my fellow Manitoban and our Provincial Ombudsman, Irene Hamilton.
Irene Hamilton, and her team of professionals at the Office of the Manitoba Ombudsman (the Ombudsman’s Office”), provides excellent service to Manitobans. Thanks to Irene Hamilton’s leadership, the Ombudsman’s Office has made a number of improvements to its operations over the years. I’m looking forward to seeing the changes to the Ombudsman’s Office website referenced below.
Thanks to Irene Hamilton for agreeing to engage in this online Q & A conversation. If you’d like to learn more about Irene Hamilton, the Ombudsman’s Office, or the issues raised in this conversation, I’d encourage you to visit the Ombudsman’s Office website.
Q. In most other provinces, privacy oversight is performed by an Information and Privacy Commissioner. How does the role of the Ombudsman compare to these positions?
A. In Manitoba, the Ombudsman is the Information and Privacy Commissioner as well. The role and function of the Ombudsman is similar to 10 of the 15 federal, provincial and territorial jurisdictions in Canada that have access to information and protection of privacy laws. In these 10 jurisdictions, the Information and Privacy Commissioner has “ombudsman” powers – that is, the power to comment proactively, investigate complaints and make recommendations to public bodies, but not the power to issue orders. In Prince Edward Island, Quebec, Ontario, Alberta and British Columbia, the Commissioners can issue orders in relation to access to information and protection of privacy.
There are other differences among the jurisdictions as well. With The Personal Health Information Act or “PHIA”, Manitoba had the first information privacy statute in North America dealing specifically with personal health information (as opposed to Manitoba’s Freedom of Information and Protection of Privacy Act, or “FIPPA”, that concerns access to and privacy of other kinds of information). Four other Canadian provinces have enacted similar legislation to PHIA since 1998, when PHIA first came into force here.
Q. The Freedom of Information and Protection of Privacy Act (“FIPPA”) includes, as its title suggests, both access to information and privacy mechanisms. On the face of it, these two terms seem inconsistent. How do we bring them together?
A. The application of the provisions of FIPPA do not create the inconsistency that one might infer from the title.
FIPPA has a set of rules concerning access to information and a set of rules concerning privacy of personal information. These two sets of rules are contained in two distinct parts of the Act and are administered separately.
There is a set of rules on how an individual can formally request access to a particular record under the control of provincial and municipal governments and other public bodies and how the public body is to respond. The general rule is that an individual has the right to see or receive a copy of the requested record, but specific exceptions can apply. One of those exceptions relates to protecting the privacy of information about another individual. The idea is to provide as much of the requested information as possible. This particular set of rules is triggered only when a person makes a formal FIPPA request for information.
The other set of rules in FIPPA is always in operation. These rules set out how provincial and municipal governments and other public bodies are to handle records containing personal information that are in their control while conducting their duties. These rules describe in what situations a public body can collect, use or share personal information and the basic rule is that the most limited amount of personal information necessary is to be handled for a particular situation. While an individual can expect certain privacy, there are specific situations where records about them can be collected, used or shared without their consent — for example for safety, public policy and specific operational reasons.
Q. Your office supports the “Right to Know” initiative. What is “Right to Know” about and why do you support it?
A. “Right to Know” is an international celebration observed annually in late September, to remind people that governments have legislation allowing people to obtain information held by government and other public bodies. The right of access, when used by individuals or organizations like media, helps to improve knowledge about government, scrutinize government and address public issues. “Right to Know”, with its public events and media focus, reinforces the commitment to a culture and spirit of openness, and promotes public awareness of access to information principles and the resources that assist in adherence to the legislation.
Q. Manitoba, like other provincial governments, has introduced Enhanced Identification Cards (“EIC”) to respond to increased security demands at U.S. border crossings. What role has your office played in the development and rollout of EICs?
A. Together with my Privacy Commissioner colleagues, I am of the view that the Enhanced Identification Card or “EIC” — a voluntary identity document for entry into the U.S. by road or water — raises privacy implications. I am pleased to say that my office was consulted early in the development of the Manitoba Enhanced Identification Card and we continued to be involved as the Manitoba Enhanced Drivers License was introduced as well. Through our participation we wanted to accomplish two main goals: 1. to fulfill our oversight role in relation to new government programs or initiatives by providing our comments to ensure the protection of personal information to the extent possible; and, 2. to bring the perspective of the public to the process by asking questions that people might have. In the process, we have promoted providing detailed information to the public so that they can determine if the EIC or EDL is the right card for them. We have also produced a “privacy awareness fact sheet” for persons considering obtaining an EIC or EDL. This is on our web site, at www.ombudsman.mb.ca.
Q. Your office releases summaries of selected access and privacy cases on its website. What is the most common area you investigate and report on?
A. One of our goals for this year is to redesign our website and include regular postings of our reports online for the reference of information privacy professionals as well as the public that will provide a better understanding of how we interpret various sections of the acts, and the basis upon which we come to our conclusions. Having said that, since June 2005 our office has produced dozens of “practice notes” about interpreting and administering various sections and principles of FIPPA and PHIA, probably of greater interest to information privacy professionals than to the public. These, too, are on our Manitoba Ombudsman web site.
We find that the greatest number of complaints that we receive are refusals of access to information under FIPPA. This includes not only responses by public bodies refusing access, but also failures to respond to the applicant. Unfortunately, we also receive numerous complaints about privacy breaches under PHIA.
Q. Looking forward, what kind of privacy developments should we watch for in 2010?
A. The file that will be most time consuming for us will be privacy protection of personal health information in the electronic health record that has been under development in Manitoba and across Canada for some time. Significant funds have been made available to Departments of Health throughout the country to build electronic systems that will connect to provide instantaneous access to health records. The system is designed to promote better care and eliminate administrative repetitiveness. Our view is that the public needs to understand what the electronic health record or “EHR” is, its scope and how their personal health information will be used and shared within that system.
For years now, Ontario’s Personal Health Information Protection Act has contained provisions requiring health custodians to notify individuals if their personal health information is stolen, lost or accessed by unauthorized persons. Until now, such mandatory privacy breach notification provisions have been limited to the sphere of health care in Ontario. That’s about to change.
The federal Personal Information Protection and Electronic Documents Act will likely contain mandatory privacy breach notification provisions in the near future. Since 2006, Special Committees at both the Federal and Provincial (Alberta and B.C.) levels have convened and generated a series of recommendations relating to breach notification. For further information on these recommendations, see the final reports of the Federal , Alberta and B.C. committees.
The most important recommendation independently generated by each of the committees provides that organizations should be under a statutory breach notification duty. On October 27, 2009, the initial step toward implementing this recommendation was taken in the Alberta Legislature with the first reading of Bill 54: Personal Information Protection Amendment Act, 2009. The Alberta privacy breach notification provisions will soon come into force. British Columbia and the Feds are expected to follow suit and implement similar requirements in the near future. When that occurs, private sector organizations across Canada will be required by applicable law to notify affected individuals when privacy breaches occur.
The best advice is to make sure that privacy protection policies, procedures and training are implemented and enforced… now.
Of the 198 new access complaints that were launched, 134 (68%) dealt with “refused access”. This indicates that the provincial government and public bodies either have to be more willing to grant access when requested or do a better job at explaining their rationale for refusing access. Of the 207 cases that were closed in 2008, 38% of the complaints were supported by the Ombudsman, 35% were not supported and 5% were resolved before the Ombudsman could issue a finding. This indicates that all of the complaints brought to the Ombudsman are not without merit. The public appears to have a relatively good understanding of what their rights are under FIPPA and PHIA.
The Ombudsman has also been proactively involved in the development stages of legislation and programs in order to address potential privacy issues. For example, the Ombudsman expressed concerns about the technology used in Enhanced Drivers Licenses (EIC). Radio Frequency Identification chips store the necessary information on the EICs, but the chips are always “on”, meaning that they can be read by unauthorized individuals. This concern is being addressed by providing the cardholder with a protective sleeve. However, if the sleeve is ripped, torn or used improperly, it will not provide the necessary protection. Therefore, the Ombudsman has stressed that it is essential that individuals understand the privacy implications of opting into the EIC program.
The Ombudsman was also been involved in assessing the use of closed-circuit television monitoring by Winnipeg Police, who have agreed to follow the recommendations of the Ombudsman and will not live-monitor the cameras and will work towards developing retention policies and technology to “sever” individuals from images which are not relevant.
Overall, the Ombudsman largely applauds public bodies and government agencies for addressing privacy concerns in the development phases of new programs and legislation. However, it is clear that public bodies need to do a better job of dealing with access requests.
If you’re a privacy professional, you’re likely overwhelmed with the ongoing task of staying on top of legal, industry and technology developments. As you know, there’s no shortage of issues these days. Hopefully, this blog is helping your efforts!
But if you work for a private sector organization and haven’t yet signed up for the federal Privacy Commissioner‘s e-newsletter entitled Privacy Perspectives, I’d suggest you do. It contains great information and helps to stay on top of things.
If you’re still in need of ongoing assistance and aren’t already a member of the Privacy Forum, you may want to touch base with me to learn more. It has been a super venue over the last 6 years for information sharing and the current members are an excellent group of individuals and first rate privacy professionals.
My May 7, 2008 column in the Winnipeg Free Press explains the difference between Manitoba’s Information and Privacy Adjudicator and a privacy commissioner, as appointed in almost every other province and at the federal level.
My December 5, 2007 column in the Winnipeg Free Press discusses the role of the Manitoba Ombudsman, and the need for a separate privacy commissioner.