Information and Privacy Commissioner/Ontario
2005 Health and Business Privacy Law
Ann Cavoukian, Ph.D., Information & Privacy Commissioner/Ontario
Ontario Bar Association, “An Evening with the Information and Privacy Commissioner of Ontario”
June 16, 2005
• Require consent for the collection, use and disclosure of personal health information, with necessary but limited exceptions;
• Require that health information custodians treat all personal health information as confidential and keep it secure;
• Codify an individual’s right to access his/her personal health information, as well as the right to correct errors;
• Give a patient the right to instruct health information custodians not to share any part of his/her personal health information with other health care providers;
• 396 patient diagnostic reports went missing from patients’ charts in the course of routine clerical work;
• In this case, there were special circumstances that led the IPC to recommend that notice of the breach should be given in person by the health care provider and posted in the patient’s files. It was agreed that patients would be notified of the breach at their next appointment with their health care provider.
• A mother who was seeking both her own and her daughter’s health records from a record storage company was faced with a fee that she claimed was excessive and would impose a personal hardship.
• The IPC intervened to facilitate a reduced fee.
• The company agreed to reduce its fee if the complainant could provide information to support her statement that the fee would in fact impose a hardship. The information was provided through the mediator and the fee was reduced to an agreeable amount.
• The complainant was satisfied and the file was closed.
• Short notices to the public came to be realized as a necessity when legislation governing privacy began to increase, prompting many organizations to accommodate as much of the new regulations as possible into their privacy statements and notices;
"When GLBA and HIPAA were passed, there was a requirement to make these notices even more complete and long. That has resulted in privacy notices that are barely readable and largely ineffective.”
— Martin Abrams, Executive Director, Center for Information and Policy Leadership
• The Hunton & Williams Center for Information Policy Leadership, pioneering in work on short notices, has conducted focus groups on privacy policies;
• They found that consumer trust in companies was eroded by lengthy, legalistic privacy policies;
• Focus group studies found that people preferred short privacy notices that clearly communicated how a company was using and sharing their personal information;
• Subjects expressed support for a common “template” that could be used by different companies.
The Short Notice
• Clearly, what is needed are more effective communications tools
• The short notice is an initial notice that an individual receives when personal information is first sought;
• The goal of the short notice is to provide all individuals with essential information in an easily readable and comparable format.
• A short notice should include:
– who the privacy notice covers;
– the types of information collected directly from the individual and indirectly from others about the individual;
– uses or purposes for the data collected;
– the types of entities that may receive the information (if it is shared);
– information on choices available to the individual to limit use and exercise any access or other rights, and how to exercise those rights;
– how to contact the organization for more information or to file a
While individuals are the main beneficiaries of improved communication of information about an organization’s privacy practices, there are also benefits for organizations:
• Able to communicate more effectively with the public allowing for the growth of a relationship based on trust, through simple understanding;
• A standardized format could be used globally by an organization to provide for economies of scale.
• 2003, the movement to establish a global short privacy notice was officially recognized at the International Conference of Data Protection Commissioners in Sydney, Australia
• 2004, in Berlin, a working group of Commissioners (including the IPC), business leaders, lawyers and privacy practitioners met and prepared a memorandum recognizing that a new architecture was needed for privacy notices
• 2004, the EU Article 29 Working Group issued the position paper WP100 on the use of “multi-layered notices”
• The goal is to develop easy to read items containing the necessary elements regarding the collection, use and disclosure of personal health information, but not so much information that the public will not be able to read them;
• The language of the notices must be accessible and easily understood by most people — plain language is key.
– Ontario Bar Association’s Privacy and Health Law sections
– Ministry of Health and Long-Term Care
– Ontario Dental Association
• One of only a few projects around the world focusing on short notices in the health sector;
• The working group will continue to make efforts in developing additional layers of information to supplement the notices
• The IPC looks forward to engaging members of the health and legal profession in further improving the multi-layered approach in communicating with the public
• In Ontario, the IPC has taken a leadership role in promoting the use of short notices in the health sector
• Being the oversight body for PHIPA, the IPC has indicated that the notices prepared by health professionals must provide useful and understandable information to patients
• The IPC wanted to ensure that patients are well informed of their rights and have the knowledge to exercise those rights
• Additionally, the IPC also wanted to help Health Information Custodians communicate more effectively with the public — as PHIPA requires custodians to take reasonable steps to inform the public about their information practices and how patients may exercise their rights
• In line with the Berlin Memorandum, the PHIPA short notices group has adopted a multi-layered approach, with an emphasis on developing separate short notices for each of the following health care groups:
• Primary care providers
• Hospitals and facilities
• Long-term care facilities
• Primary Care Notices are not profession-specific, but should apply to all primary health care providers.
Design of the Health Information Short Notice (Cont’d)
Notices and brochures are harmonized with a consistent look and feel
• Notices
– Capable of being used as a wall poster or in hand-out paper format
– Capable of being used online as well as in hard copy
– Include IPC logo, logo of OBA and possibly logo of a limited number of distributing organizations – health Colleges and major health professional associations
– Have space for individual practitioner/hospital or facility to include contact information
• Brochures
– Brochures can vary in length, depending on whether for primary care or for hospital use
– Brochures should be useable online as well as in hard copy
• The fastest growing form of consumer fraud in North America
• Identity theft is the most frequently cited complaint received by the FTC
• 10 million victims of ID theft each year, costing businesses $50 billion, and $5 billion in out-of-pocket expenses from individuals
— Federal Trade Commission, 2003
• The Canadian offices of Equifax and TransUnion credit bureaus have reported that they receive approximately 1,400 to 1,800 identity theft complaints per month
November 2004: ChoicePoint — Identity theft involving 145,000 persons
December 2004: Bank of America — 1.2 million records misplaced
January 2005: T-Mobile — Illegal access to 16.3 million records
January 2005: HSBC — 180,000 MasterCard records stolen
February 2005: Ameritrade — 200,000 customer files lost
March 2005: LexisNexis — Identity theft involving 32,000 records
March 2005: DSW Inc — Hacker theft of 103 credit card numbers
March 2005: Boston College — Theft of 120,000 alumni donor records
April 2005: TimeWarner — Lost files on 600,000 employees
May 2005: Largest Security Breach in Canada to date
United Food and Commercial Workers Local 832, Winnipeg — Hard drives stolen from computers containing data on approximately 20,000 union members
June 2005: Citibank — Backup tape containing personal information on almost 4 million customers was lost by UPS delivery service
• A data aggregation and clearinghouse company that maintains databases of background information on virtually every U.S. citizen
• 19 billion public records in its database: motor vehicle registrations, license and deed transfers, military records, names, addresses and Social Security numbers
• ChoicePoint routinely sells dossiers to police, lawyers, reporters and private investigators
• In a plot twist taken from a Hollywood movie, criminals were creating false identities to establish accounts with ChoicePoint and then using those accounts to commit identity theft
• In response, ChoicePoint:
– Notified 35,000 Californians as required by California law, SB1386
– Notified an additional 145,000 persons that “unauthorized third parties” had obtained their personal information
• Los Angeles police believe that the actual number of persons affected could be 500,000 or more
Privacy & American Business, Consumer Privacy Litigation Report, 2004
• Since 2000, 182 cases of consumer privacy litigation have been brought against 234 corporate defendants, with $160 million paid out in damages.
• $52.5m to the Federal Trade Commission
• $39.7m to state regulators
• $32.3m to private individuals
• $28.4m to private class action
• $6.9m to various federal agencies
• California SB 1386 became effective on July 1, 2003
• Essentially, it requires an agency, person or business that conducts business in California and owns or licenses computerized “personal information” to disclose any breach of security to any resident whose unencrypted data is believed to have been disclosed
• This law has had a substantial impact on business practices in California. The California Office of Privacy Protection recently surveyed California companies and found that:
• 76% changed their communications policies as a result of the new law;
• 50% changed the way they used social security numbers; and
• April 2005, 39 bills were pending in 19 states modeled after California’s SB1386
• May 2005, six states signed laws that now require consumers to be notified if personal information has been subject to a security breach – Arkansas, Georgia, Indiana, Montana, North Dakota and Washington
• Although the new laws are similar to California’s SB1386, varying state requirements will likely put pressure on Congress to pass a federal version of SB1386
• Legislation is also being considered that would ban the sale of Social Security numbers without the permission of the owner, except when needed by law enforcement
• In March of 2005, the IPC wrote a letter to the Minister of Consumer and Business Services, highlighting the need for private sector legislation in Ontario;
• Emphasis was placed on the increasing number of large-scale privacy breaches and the growing number of U.S. states that have bills pending to target identity theft;
• Further mention was given to the fact that Alberta, British Columbia and Quebec have already enacted private sector privacy legislation.
• Your clients must:
– Understand the privacy principles
– Identify company personal information holdings
– Assess the impact of privacy principles on operations and align information practices
– Design or change existing information management systems
• Train staff, re-train staff – an on-going process
• Test and evaluate systems and processes
• Create or revise policies, procedures and practices
• Develop or revise forms and communications material
• Redraft contracts with agents/suppliers for compliance
• Inform the public and educate customers – use short notices!
“Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.”