Get Ready for Privacy Legislation in 2004
by Richard Steinecke
 

[This month’s issue of Grey Areas consists of an article that regulators and professional associations may wish to reprint for their own members. Permission is granted to adapt the article to your own audience as long as any substantive changes are approved by Richard Steinecke.]

[Grey Areas, No. 60, February 2003]

In a true story reported in the media in late February, a patient had a mammogram and pelvic examination. The laboratory in Ottawa forwarded the reports to the treating practitioner. A few weeks later, a copy of the reports showed up on the back of flyers distributed in Toronto for a real estate company. How did it happen? The investigation to date suggests that the hospital forwarded the results to a law firm in Toronto at the request of the patient. Paper picked up from an office building in Toronto was sold to a printer who used the scrap paper for a test run of the flyers. The test run was shipped with the rest of the flyers and distributed to the public. The Ontario Information and Privacy Commissioner[1] said an investigation could not be initiated because the federal Privacy Act does not yet apply. However, the situation would be very different in 2004.

On January 1, 2004, the Personal Information Protection and Electronic Documents Act[2] comes into full force and effect. Many practitioners and organizations will be covered by the Act after that date. If the events had occurred in 2004, the following important issues would be raised.

1. Who is covered by the Act?

The Personal Information Protection and Electronic Documents Act applies to the collection, use or disclosure of personal information by an organization in the course of a commercial activity. This simple sentence raises a number of complex issues.

The laboratory, hospital, treating practitioner, and law firm all collected the personal information. It is unclear whether the printer, who collected the personal information inadvertently, had a duty to check whether the scrap paper held personal information before using it.

Health information is certainly personal information. Even if the laboratory report had used a patient number rather than the patient’s name, the information likely still relates to an identifiable individual because the individual can be recognized if one has the key to the code. Most information that one collects about one’s client (e.g., home address and other non-business contact information and financial information) or about other individuals in the course of serving one’s client is personal information.

An organization is defined in the Act as including an association, partnership, person or trade union. This would capture the hospital, treating practitioner, laboratory, law firm and printer. Individual practitioners need to understand that they constitute an “organization” under the Act. The purpose of this term is probably to raise the primary responsibility for information handling practices to the highest organizational level. For example, the law firm is probably responsible for complying with the Act and the individual practitioners working for the law firm can simply follow its procedures, so long as they are in compliance with the Act.

In the course of commercial activity is perhaps the hardest of these terms to define. The law firm probably engaged in a commercial activity in using the personal information in the course of its practice[3]. The printer is almost certainly engaging in a commercial activity. Would a hospital, which is largely publicly funded and non-profit in nature, conduct commercial activities? Perhaps not when it simply treats patients. But if the patient was charged for sending a copy of the laboratory reports to the law firm then that activity could well be commercial in nature. If the laboratory were part of the hospital, it probably did not engage in a commercial activity; it is part of that organization. However, if the laboratory work for the hospital were outsourced to a private company, its operations might well be a commercial activity. Similarly, the treating practitioner, if an employee of the hospital, probably did not engage in a commercial activity in ordering the test and receiving the report. However, if the treating practitioner simply had privileges at the hospital and billed OHIP directly for the services, he or she might be viewed as engaging in a commercial activity.

The likelihood is that all practitioners in private practice are covered by the Act even if their services are publicly funded (e.g., through legal aid, government contracts, OHIP). Even non-profit organizations will be covered in respect of some of their activities that are commercial in nature.

2. Assuming The Act Applies to All of These Organizations, What Obligations Would They Have?

The first obligation is to collect, use and disclose the personal information only with the consent of the person to whom it relates, unless one of the few exceptions listed in the Act applies. The duty of consent for information handling is different from the traditional retainer to provide services usually obtained by practitioners. It involves disclosure to the client as to what information is being collected, why it is needed and how it will be used. If the law firm was advising the patient, the intended use to provide advice and conduct litigation would probably be obvious. Such consent might even be implied by the circumstances. However, there may be some secondary uses of which the client is unaware (e.g., quality assurance and risk management audits at the law firm; use as a precedent in other cases; regulatory access) and these might have to be explained under the statute.

Practitioners need to be careful when dealing directly with clients to explain what the information will be used for and, perhaps in a general way, the secondary uses for the information. Where the practitioner does not deal directly with the client, he or she will want to ensure that the person who does collect the information obtains the appropriate consent or that an exception to the consent requirement applies.

Another obligation is to keep the information reasonably secure. Because of the highly sensitive nature of the information in this case, significant security measures would be expected. All of the organizations would have to have policies and procedures for destroying the information. In this case, the law firm would be asked to explain why the sensitive document ended up in an insecure waste container. Staff training and information disposal procedures are critical components to the security requirements of the Act. The hospital, laboratory and treating practitioner would have to at least consider anonymizing the information before releasing it. This may not be practical in every case, but the organization would have to be able to explain why not.

Every person or organization covered by the Act must review their privacy practices and have publicly available information handling policies and procedures in place. This includes a description of when personal information will be collected, used and disclosed by the organization, consent procedures, limiting collection and use to what is needed, retention and destruction policies, providing access to the person to whom the information relates, permitting the correction of erroneous information, security practices, designating a contact person and establishing a complaints process.

There are a number of other duties that would take too long to describe here.

3. What Would Happen if the Events Had Occurred in 2004?

A complaint to the Information and Privacy Commissioner of Canada could have resulted. The Information and Privacy Commissioner has the power to investigate the information practices of all those involved in the matter, including the law firm. This power includes the right to summons witnesses and examine them under oath and compel production of documents (especially if voluntary cooperation is not provided). The results of the investigation would be reported to the parties. The Information and Privacy Commissioner can also make public his or her findings (i.e., the power to shame the person or organization at fault).

After a report is issued, either the complainant or the Information and Privacy Commissioner, on the complainant’s behalf, can apply to the Federal Court of Canada for an order,

  • to direct the person or organization to correct its information handling practices,
  • to publish notice of the corrective action it has taken or plans to take, or
  • to award money to the complainant for damages, including humiliation (there is no ceiling on the damages that can be awarded).

It is anticipated that most complaints will be resolved through agreements and informal action rather than court proceedings, but the potential for litigation is there.

4. Lessons Learned

Practitioners should learn the following lessons from this incident:

  • Personal information that is not stored and destroyed securely can result in embarrassment and, starting on January 1, 2004, significant legal consequences.
  • All staff handling personal information must be made aware of the proper ways of collecting, using, disclosing, securing and discarding it.
  • Starting in January of 2004, most private practitioners and any other organization engaging in commercial activities need to have clear, appropriate and publicly available information handling policies and procedures in place.

 

Richard Steinecke will be a presenter at a seminar on getting ready for the new privacy legislation on November 7, 2003. The seminar will be held in Toronto and will include written materials, checklists and precedents. See www.sml-law.com/privacyseminar for registration details.



[2]While there has been much discussion of a provincial privacy act, nothing has been introduced yet. With an election likely this spring, it is becoming increasingly evident that the federal act will be the one in place this coming January.

[3]An argument can be made that practising a profession is different from engaging in a commercial activity, but that is the kind of distinction that a court is unlikely to make if it tries to implement the spirit and intention of the legislation.
