The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Monday, August 28, 2006
I blogged yesterday about the controversy surrounding an indirect CIA investee company providing services to Canadian health providers (Canadian Privacy Law Blog: Privacy groups slam use of CIA-backed software to index Canadian health files). The Information and Privacy Commissioner of Ontario just issued an investigation report ((PHIPA Report HI06-45) and the following media release in response:
CNW Group:Electronic health information strongly protected in Ontario: Commissioner Cavoukian
TORONTO, Aug. 28 /CNW/ - An investment in Initiate Systems Inc., a company providing software to an electronic health record application in Ontario, does not provide the CIA or anyone else with access to personal health information, says Dr. Ann Cavoukian, Ontario's Information and Privacy Commissioner.
In March 2006, In-Q-Tel, the venture capital arm of the CIA, invested in Initiate Systems Inc., whose software is being used in provincial electronic health record applications across Canada under an agreement with Canada Health Infoway, a federally funded, non-profit corporation that leads electronic health initiatives in Canada.
Prior to In-Q-Tel's investment, Initiate Systems' software was selected for use in one application in Ontario - the Enterprise Master Patient Index (EMPI). Although the EMPI contains health card numbers and other identifying information, it does not include diagnoses, prognoses, or other clinical information typically shared between health care providers and their patients. In Ontario, the Personal Health Information Protection Act establishes rules for the collection, use and disclosure of personal health information and designates the Office of the Information and Privacy Commissioner/Ontario as the body responsible for overseeing compliance with the legislation.
On August 11, 2006, privacy advocates expressed concerns that In-Q-Tel's investment in Initiate Systems may give the CIA access to provincial medical records. Commissioner Cavoukian immediately launched a privacy investigation into the allegations to determine if any personal health information was being disclosed in contravention of Ontario's health privacy legislation.
Among the Commissioner's findings in her investigation report:
- Cancer Care Ontario, which operates the EMPI on behalf of the Ministry of Health and Long-Term Care, allows Initiate Systems Inc. extremely narrow, on-site access to personal health information, under tightly controlled and limited conditions, and only as necessary to enable Initiate Systems Inc. to provide the services that it is contractually obligated to provide;
- No health information from the EMPI flows outside of Ontario;
- In-Q-Tel's investment in Initiate Systems Inc. does not allow In-Q- Tel to access any health information contained in the Ontario EMPI.
"Cancer Care Ontario, an organization that my office has worked with on privacy issues since the implementation of the Personal Health Information Protection Act nearly two years ago, has an extensive array of privacy safeguards in place," said Commissioner Cavoukian.
In addition to written privacy, confidentiality and security provisions in the Master Software License and Services Agreement with Initiate Systems Inc., other safeguards include:
- Initiate Systems does not have any remote access to EMPI data and performs all technical support for the EMPI in Ontario, with comprehensive security measures in place;
- Access to the EMPI by Initiate Systems' staff must be authorized and verified by CCO and may only occur on its Ontario premises; and
- Initiate Systems is prohibited from disclosing EMPI data to any party without the prior written consent of CCO, which has neither been sought nor granted.
Looking further ahead, Commissioner Cavoukian makes three recommendations in her investigation report, which is posted on the IPC's website: www.ipc.on.ca.
RECOMMENDATIONS
1. The Commissioner should be consulted concerning any proposed amendments or changes to the confidentiality or privacy obligations contained in the agreement between CCO and Initiate Systems.2. The MOHLTC or any other person who operates the EMPI in the future should advise the Commissioner if there is a breach of the confidentiality or privacy obligations of the agreement by Initiate Systems, and the steps taken to mitigate the breach, the measures taken to prevent subsequent breaches, and the manner and nature of the notification provided to individuals whose personal health information is contained in the EMPI.
3. The MOHLTC or any other person who operates the EMPI in the future using the Initiate Software should advise the Commissioner when changes will be made to the source code for the Initiate Software, as well as the nature and rationale for these changes.
The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, and the Personal Health Information Protection Act, and helping to educate the public about access and privacy issues.
For further information: Media Contact: Bob Spence, Communications Co-ordinator, Direct line: (416) 326-3939, Toll-free: 800-387-0073, Cell phone: (416) 873-9746, bob.spence@ipc.on.ca
Labels: breach notification, cardsystems, health information, ontario, phipa, privacy
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.