By Aydin Farrokhi and Dr. Wael Hassan
In Canada data protection is regulated by both federal and provincial legislation. Organizations and other companies who capture and store personal information are subject to several laws in Canada. In the course of commercial activities, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) became law in 2004. PIPEDA requires organizations to obtain consent from individual whose data being collected, used, or disclosed to third parties. By definition personal data includes any information that can be used to identify an individual other than information that is publicly available. Personal information can only be used for the purpose it was collected and individuals have the right to access their personal information held by an organization.
Amendments to PIPEDA
The compliance and enforcement in PIPEDA may not be strong enough to address big data privacy aspects. The Digital Privacy Act (Also known as Bill S_4) received Royal Assent and now is law. Under this law if it becomes entirely enforced, the Privacy Commissioner can bring a motion against the violating company and a fine up to $100,000.
The Digital Privacy Act amends and expands PIPEDA in several respects:
- The definition of “consent” is updated: It adds to PIPEDA’s consent and knowledge requirement. The DPA requires reasonable expectation that the individual understands what they are consenting to. The expectation is that the individual understands the nature, purpose and consequence of the collection, use or disclosure of their personal data. Children and vulnerable individuals have specific
There are some exceptions to this rule. Managing employees, fraud investigations and certain business transactions are to name a few.
- Breach reporting to the Commissioner is mandatory (not yet in force)
- Timely breach notifications to be sent to the impacted individuals: the mandatory notification must explain the significance of the breach and what can be done, or has been done to lessen the risk of the
- Breach record keeping mandated: All breaches affecting personal information whether or not there has been a real risk of significant harm is mandatory to be kept for records. These records may be requested by the Commissioner or be required in discovery by litigant or asked by the insurance company to assess the premiums for cyber
- Failure to report a breach to the Commissioner or the impacted individuals may result in significant
Cross-Border Transfer of Big Data
The federal Privacy Commissioner’s position in personal information transferred to a foreign third party is that transferred information is subject to the laws and regulations of the foreign country and no contracts can override those laws. There is no consent required for transferring personal data to a foreign third party. Depending on the sensitivity of the personal data a notification to the affected individuals that their information may be stored or accessed outside of Canada and potential impact this may have on their privacy rights.
Personal Information- Ontario Privacy Legislations
The Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act and Personal Health Information Protection Act are three major legislations that organizations such as government ministries, municipalities, police services, health care providers and school boards are to comply with when collecting, using and disclosing personal information. The office of the Information and Privacy Commissioner of Ontario (IPC) is responsible for monitoring and enforcing these acts.
In big data projects the IPC works closely with government institutions to ensure compliance with the laws. With big data projects, information collected for one reason may be collectively used with information acquired for another reasons. If not properly managed, big data projects may be contrary to Ontario’s privacy laws.
Mark you calendars , October 1st 2017 Mandatory Breach Reporting Requirements kick in.
THERE ARE 7 SITUATIONS WHERE YOU MUST NOTIFY THE ONTARIO PRIVACY COMMISSIONER OF A PRIVACY BREACH
- Use or disclosure without authority : Looking at a family member, a celebrity, a politician records out of curiosity or for a malicious intent. Limited exceptions: accessing a record by mistake, or mailing a letter to the wrong address.
- Stolen Information: Laptop, Tablet, or paper theft or loss. In addition to being subject to malware or ransomware.
- Extended Use or Disclosure: Following a reported breach, a sales company used records to market its products or services.
- Pattern or Similar Breaches: Letters are being sent to the wrong address, employees are repeatedly accessing a patient’s record.
- Disciplinary action against a college member: A college member resigns, is suspended, or has their licenses revoked following or combined with a breach.
- Disciplinary action against a non college member: Resignation, Suspension, or firing of an employee following or during a breach.
- Significant Breach: the information is sensitive, large volume , large number of affected individuals, and more than one custodian or agent is involved.
Custodians will be required to start tracking privacy breach statistics as of January 1, 2018, and will be required to provide the Commissioner with an annual report of the previous calendar year’s statistics, starting in March 2019.
The Ministry of Health and Long-Term Care (“ministry”) is proposing amendments to the General Regulation (Ontario Regulation 329/04) under the Personal Health Information Protection Act, 2004 (PHIPA).
The purpose of the amendments has largely to do with clarifying the needs for health information custodian reporting of thefts, losses and unauthorized uses or disclosures of personal health information to the Information and Privacy Commissioner. Should the amendments be approved, the following requirements would have to be met:
“A Health information custodian would be obligated to report annually to the Commissioner the number of times, in the calendar year, the health information custodian had to notify individuals (in accordance with section 12(2) of PHIPA) of theft(s),loss(es) or of unauthorized use(s) or disclosure(s) of personal health information.
• It would be necessary for the report to be submitted to the Commissioner by March 1 of the following calendar year.
• The first report would be due in 2019.
• After submitting the report to the Commissioner, at the Commissioner’s request, a health information custodian would be required to provide the Commissioner with information contained in the notice that was issued to the affected individual(s), and/or any information the custodian relied on in deciding to notify the individual.”
The proposed amendments would also further allow the ministry to continue to validate progress on the implementation of changes proposed in the Health Information Protection Act (Bill 78). These changes were passed in May 2016.
The projected amendments have been posted to the Regulatory Registry website on March 10, 2017 and will be available until May 8, 2017. The posting can be accessed at: http://www.ontariocanada.com/registry/view.do?postingId=23883&language=en
Consent Management in Ontario
Depending on the type of personal health information (PHI) involved, Ontarians can withdraw consent to the use and disclosure of their PHI by various health information networks.
- Calling Service Ontario allows you to:
Block access to all personal health information used in Ontario labs
- Calling Service Ontario – Ministry of Health Info-line, you can ask to:
Block access to the use of all personal health information:
- In the drugs database
- Related to a specific drug in the database
- Visiting an Ontario lab, you can ask to:
Block access to the use of all personal health information used:
- In Ontario labs
- In a specific lab order
- Sending a fax to the Drug Programs Branch allows you to:
Block access to all personal health information:
- In the Drugs Database
- Related to a particular prescription
- Related to a particular drug
- Any hospital, clinic, or independent healthcare practitioner should be able to give you a form that you can send to the Service Ontario Ministry of Health info-line.