Trust in Digital Health

Our goal is to promote confidence in the digital health care system by guiding custodians to respect the privacy and access rights of Ontarians, and supporting the pioneering use of personal health information for research and analytics to the extent it serves the public good.

Our work to further this goal includes:

COVID Alert and Your Privacy (Topics: Trust in Digital Health)

Today, the COVID Alert exposure notification app was launched as an important digital tool to be used among other public health measures, to help control the spread of COVID-19 in Ontario.

I commend the robust safeguards the government has put in place to protect the privacy and security of Ontarians who choose to use the app. I also appreciate the opportunity to consult with the government on this important initiative and their spirit of collaboration and responsiveness in implementing our recommendations.

Because the app is a national initiative intended to be rolled out across the country, our review of the privacy aspects of the app was carried out in coordination with the Office of the Privacy Commissioner of Canada. Our review led to a comprehensive set of recommendations to our respective governments based on the key privacy principles outlined in a joint federal, provincial and territorial statement on contact tracing applications.

After completing a thorough review of the app, and on assurances that our recommendations will be implemented, I’m pleased, along with my federal counterpart, to support the use of the COVID-Alert app.

I recognize that for this app to be ultimately effective in curbing the spread of COVID-19, the public will want — and expect — assurances that their personal information will be protected and that their use of the technology is voluntary.  I urged the Ontario Government, and they have committed, to issue strong public messages encouraging businesses and employers to respect the voluntary nature of COVID Alert by not compelling individuals to use the app or to disclose information about the use of the app.

These are exceptional times, and we have seen the dramatic and tragic effects of COVID-19 on many vulnerable members of our community. While today’s launch of the COVID Alert app marks a significant milestone in the fight to control the spread of COVID-19, the IPC’s work will not stop here. We will continue to monitor that the app is implemented for its intended purpose, that its safeguards are applied as designed to protect privacy, and that its collection and use of personal information continue to be necessary and effective in helping curtail the spread of COVID-19 in Ontario.


Patricia Kosseim


Comments of the Information and Privacy Commissioner of Ontario on Proposed Interoperability Regulations under PHIPA (Topics: Trust in Digital Health; Type: Advice and Submissions)
Comments of the Information and Privacy Commissioner of Ontario on Proposed Regulation under PHIPA with respect to the Health Data Platform (Topics: Health, Trust in Digital Health; Type: Advice and Submissions)
Ontario IPC and BC OIPC find LifeLabs failed to protect personal information in 2019 breach (Topics: Trust in Digital Health)

Canadian laboratory testing company found in violation of privacy laws

TORONTO Thursday, June 25, 2020 – A joint investigation by the Information and Privacy Commissioners of Ontario and BC has found that LifeLabs failed to protect the personal health information of millions of Canadians resulting in a significant privacy breach in 2019.

The joint investigation revealed that the company’s failure to implement reasonable safeguards to protect the personal health information of millions of Canadians violated Ontario’s health privacy law, PHIPA, and BC’s personal information protection law, PIPA.

The Ontario and BC offices determined the company:

  • failed to take reasonable steps to protect the personal health information in its electronic systems;
  • failed to have adequate information technology security policies in place; and
  • collected more personal health information than was reasonably necessary.

Both offices have ordered LifeLabs to implement a number of measures (summarized in the accompanying backgrounder) to address these shortcomings.

Publication of the report is being held up by LifeLabs’ claims that information it provided to the commissioners is privileged or otherwise confidential. The commissioners reject these claims. The IPC and BC OIPC intend to publish the report publicly, unless LifeLabs takes court action.

“Our investigation revealed that LifeLabs failed to take necessary precautions to adequately protect the personal health information of millions of Canadians, in violation of Ontario’s health privacy law. This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks.  I look forward to providing the public, and particularly those who were affected by the breach, with the full details of our investigation.”

— Brian Beamish, Information and Privacy Commissioner of Ontario

 

“LifeLabs’ failure to properly protect the personal health information of British Columbians and Canadians is unacceptable. LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm. The orders made are aimed at making sure this doesn’t happen again.

This investigation also reinforces the need for changes to BC’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties.”

— Michael McEvoy, Information and Privacy Commissioner of British Columbia

On March 25, 2020, the Ontario government amended Ontario’s health privacy law. Once implemented, Ontario will be the first province in Canada to give the Information and Privacy Commissioner the power to levy monetary penalties against individuals and companies that contravene PHIPA.


Media contact:

Jason Papadimos (Ontario IPC)
@email 416 326-3965

Michelle Mitchell (BC OIPC)
@email 250 217-7872

 

Comments of the Information and Privacy Commissioner of Ontario on Proposed Regulations Under Part V.I of PHIPA (Topics: Trust in Digital Health; Type: Advice and Submissions)
Supporting public health, building public trust: Privacy principles for contact tracing and similar apps (Topics: Trust in Digital Health)

Joint Statement by Federal, Provincial and Territorial Privacy Commissioners[1]

May 7, 2020

 

The safety and security of Canadians is of grave concern in the current COVID-19 health crisis. The urgency of limiting the spread of the virus is a significant challenge for government and public health authorities, who are looking for ways to leverage personal information[i] to contain and gain insights about the novel virus and the global threat it presents.

In this context, we may see more extraordinary measures being contemplated. Some of these measures will have significant implications for privacy and other fundamental rights. The choices that our governments make today about how to achieve both public health protection and respect for our fundamental Canadian values, including the right to privacy, will shape the future of our country.

One of the measures currently being contemplated or already being implemented in some jurisdictions within Canada and around the world is the launch of smart phone apps as a public health tool. Many of these apps are either for the purposes of contact tracing or for purposes of notifying individuals of the fact that they have been in close proximity of someone who has been confirmed or is assessed as likely to be a carrier of COVID-19, in order to help prevent further spread of the virus.

Commissioners felt it important to issue a common statement to Canadians because these applications raise important privacy risks. While applicable privacy laws must be observed, some of them do not provide an effective level of protection suited to the digital environment, as was highlighted in a joint resolution last fall. This is why we invite our respective governments, insofar as they plan to use contact-tracing applications, to respect at least the following principles: 

  • Consent and trust: The use of apps must be voluntary. This will be indispensable to building public trust. Trust will also require that governments demonstrate a high level of transparency and accountability.
  • Legal authority: The proposed measures must have a clear legal basis and consent must be meaningful. Separate consent must be provided for all specific public health purposes intended. Personal information should not be accessible or compellable by service providers or other organizations.
  • Necessity and Proportionality: Measures must be necessary and proportionate and, therefore, be science-based, necessary for a specific purpose, tailored to that purpose and likely to be effective. To assist in determining whether the measure in question is justifiable in the circumstances, governments should consider the following:
    • Necessity: the public health purpose or purposes underlying a measure must be evidence-based and defined with some specificity. Is the purpose to notify users and advise them to take certain actions? Is it to assist public health authorities to better understand local conditions for resource allocation purposes? Is it for another purpose?
    • Proportionality: the measure should be carefully tailored in a way that is rationally connected to the specific purpose(s) to be achieved,
    • Effectiveness: the measure must be likely to be effective at achieving the defined purpose(s), and,
    • Minimal intrusiveness: while the least intrusive option for the intended purpose should be chosen, and data minimization should be applied, where that cannot be achieved or demonstrated, governments should clearly communicate the rationale for the level of personal information that they need to collect.
  • Purpose Limitation: Personal information must be used for its intended public health purpose, and for no other purpose.
  • De-identification: De-identified or aggregate data should be used whenever possible, unless it will not achieve the defined purpose. Consideration should be given to the risk of re-identification, which can be heightened in the case of location data.
  • Time-Limitation: Exceptional measures should be time-limited: any personal information collected during this period should be destroyed when the crisis ends, and the application decommissioned.
  • Transparency: Government should be clear about the basis and the terms applicable to exceptional measures. Canadians should be fully informed about the information to be collected, how it will be used, who will have access to it, where it will be stored, how it will be securely retained and when it will be destroyed. Privacy Impact Assessments (PIAs) or meaningful privacy analysis should be completed, reviewed by Privacy Commissioners, and a plain-language summary published proactively.
  • Accountability: Governments should develop and make public an ongoing monitoring and evaluation plan concerning the effectiveness of these initiatives and commit to publicly posting the evaluation report within a specific timeline. Oversight by an independent third-party – such as review and implementation monitoring by a privacy commissioner’s office – will help ensure accountability and reinforce public trust. While some privacy commissioners have the legal authority to conduct independent audits, it is encouraged that others be given this mandate by government through appropriate means. If effectiveness of the application cannot be demonstrated, it should be decommissioned and any personal information collected should be destroyed.
  • Safeguards: Appropriate legal and technical security safeguards, including strong contractual measures with developers, must be put in place to ensure that non-authorized parties do not access data and that data is not used for any purpose other than its intended public health purpose. Authorities must ensure the public are aware of associated risks and threats (e.g. online fraud or malware).

 

 

[1] The Information and Privacy Commissioner of Alberta is reviewing a privacy impact assessment for the ABTraceTogether app that was recently launched in Alberta, and will provide recommendations directly to the Government of Alberta.

LifeLabs Privacy Breach – What You Need to Know (Topics: Trust in Digital Health)

LifeLabs recently notified the public about a cyberattack involving unauthorized access to its computer systems. Here is what you need to know about this breach:

  • Our office is working with the B.C. privacy commissioner to investigate the breach. We will be looking at what measures LifeLabs could have taken to prevent and contain the breach, assessing LifeLabs’ response to the breach, and reviewing what needs to be done to avoid further attacks.
  • We will publicly release our findings and recommendations once we have completed our investigation.

If you think you may be affected by the breach or would like more information, LifeLabs has set up a dedicated phone line and posted information on their website. LifeLabs has indicated that any individual affected by the breach can receive one free year of protection that includes web monitoring and identity theft insurance. You can visit LifeLabs at www.customernotice.lifelabs.com or contact them at 1-888-918-0467.

People affected by the breach are not required to file individual complaints with our office because our investigation is already underway. We will release our findings and recommendations once our investigation is completed. We will be working together with the B.C. privacy commissioner to address the interests of those affected by this breach.

Joint statement from the Ontario and B.C. privacy offices.

Backgrounder

Comments of the Information and Privacy Commissioner of Ontario on Bill 138 (Topics: Trust in Digital Health; Type: Advice and Submissions)
Cameras in Doctors’ Exam Rooms? Not in Ontario. (Topics: Trust in Digital Health)

Last week, my office issued a health privacy decision after investigating a complaint about a Toronto cosmetic surgery clinic’s use of video surveillance cameras in its examination and other rooms.

I was alerted to this possible violation of Ontario’s health privacy law by a reporter for CBC Marketplace, an investigative journalism program. While researching a story, a reporter with a hidden camera noticed a surveillance camera in an exam room of the Toronto Cosmetic Surgery Institute. My office launched an investigation immediately, and soon after the CBC story ran, we were contacted by concerned patients.

It’s important to note that the clinic shut down the cameras soon after the CBC story ran and previously saved footage (except for what was seized by the College of Physicians and Surgeons) was destroyed. They also advised our office that the cameras were for security purposes, installed after several break-ins.

Ontario’s health care providers have a legal duty to protect patient privacy. They must be mindful of where the line is drawn between protecting the interests of a medical facility and maintaining the privacy that patients deserve and expect when they seek health care in this province.

While our investigation was underway, the clinic reactivated only two remaining devices in public areas of the clinic - an entrance and reception desks. They now only record after hours. They are no longer recording personal health information, and have improved public notices alerting visitors to the surveillance.

Because of the clinic’s actions, we did not proceed with a formal review.

However, this investigation brought important issues to light, particularly in a culture where boundaries are shifting, and technology, surveillance, and communication channels are rapidly evolving. Despite these cultural changes, I reject the notion that privacy is becoming obsolete.

Bottom line: positioning a camera in an exam room and collecting footage where patients are undressed, vulnerable, and without an opportunity to expressly consent violates the trust that patients must have in the medical community. Without this trust, people might avoid seeking health care when they need it … resulting in serious ramifications for the health care system in Ontario.

Brian Beamish

Reporting a Privacy Breach to the IPC: Guidelines for the Health Sector (Topics: Privacy, Health, Trust in Digital Health; Type: Best Practices, Professional Guidelines)