The Information and Privacy Commissioner of Ontario (‘IPC’) announced, on 14 December 2018, that it had opened an online statistics submission website and had issued a workbook and frequently asked questions in relation to the mandatory statistics reporting requirement (‘the Statistics Reporting Requirement’), which requires health information custodians (‘HICs’) covered under the Personal Health Information Protection Act 2004 (‘PHIPA’) to submit their 2018 annual statistics on health privacy breaches to the IPC by 1 March 2019.
Lonny J. Rosen, Partner at Rosen Sunshine LLP, told DataGuidance, “The Reporting Requirement should not be terribly burdensome. HICs have hopefully been tracking privacy breaches throughout the year, not only because of the Statistics Reporting Requirement, but in order to learn from and prevent the reoccurrence of such breaches […] Beyond strict compliance with policies and procedures, we encourage HICs to work to develop a ‘culture of privacy.’ This means that all agents are aware of the organisation’s obligations as a HIC and of the consequences of a breach, and focus on prevention of problems, including by identifying and calling out unsafe practices.”
The IPC highlighted that HICs that are also institutions under the Freedom of Information and Protection of Privacy Act, RSO 1990 c F-31 s 1 (‘FIPPA’) and the Municipal Freedom of Information and Protection of Privacy Act, RSO 1990 c M-56 (‘MFIPPA’) must submit health privacy breach statistics, even if they experienced no breaches during 2018, whilst HICs that are not institutions under FIPPA and MFIPPA only need to submit breach statistics if they experienced a breach.
Rosen concluded, “Interestingly, [at a federal level] the Personal Information Protection and Electronic Documents Act, SC 2000 c 5 was recently amended to provide for mandatory breach notification [to individuals] as well as mandatory reporting to the Privacy Commissioner of Canada. However, the circumstances under which notification is required remain limited to cases where there are reasonable grounds to believe that the breach creates a ‘real risk of significant harm to the individual’ […] PHIPA, on the other hand, has included mandatory notification provisions since its enactment in 2004, but until this year, only patients/clients had to be notified at the first reasonable opportunity if their protected health information (‘PHI’) was lost, stolen or accessed by unauthorised persons. As a result of recent amendments, [in addition to the annual Statistics Reporting Requirement] there are now a number of circumstances in which the IPC must be notified of a breach, and there is no limitation on the circumstances under which a person must be notified if his/her PHI has been lost, stolen or accessed by unauthorised persons.”
Rumer Ramsey, Junior Privacy Analyst