Trust in Digital Health

Even before joining the IPC, I always admired Ontario’s Personal Health Information Protection Act (PHIPA) for its “gutsiness.”  PHIPA introduced many novel concepts for its time. These include the first breach notification requirement in the country; a comprehensive code for consent and substitute decision-making; and a research governance framework that integrates a custodian’s data stewardship obligations with applicable national ethics standards and mandatory review by a research ethics board.

PHIPA also introduced the prelude to the “data trust” model. It designated certain prescribed entities and registries with significant latitude to use Ontarians’ personal health information (PHI) entrusted in their care for public good purposes, subject to strict accountability requirements. This includes a detailed review of their privacy practices and procedures by the IPC every three years.

PHIPA has evolved over the last 16 years, and in case you missed the memo, it has undergone a whole series of additional changes in 2020. These have been incremental but consequential.

Enhanced rights and responsibilities; stronger enforcement

For instance, last March, Bill 188 doubled the size of fines for offences under PHIPA, now up to $200,000 for individuals and $1,000,000 for corporations.

Bill 188 also introduced administrative penalties for the Information and Privacy Commissioner – a very first in Canada – whereby my office will be able to impose administrative monetary penalties directly against persons who contravene PHIPA. The penalty amounts and their administration have yet to be determined by regulation.

Along with new “teeth,” Bill 188 ushered in new rights and responsibilities:

• rights for individuals to obtain access to their PHI in electronic format (pursuant to regulations to be prescribed) so they could take steps to manage their own health information, including potentially through patient portals and health apps;
• responsibilities for the providers of these patient portals and digital health apps (new entities called “consumer electronic service providers”) to comply with certain requirements that have yet to be defined in regulations.

Also, the bill sets out explicit requirements for all custodians to maintain and monitor an electronic audit log of all instances where PHI is viewed, handled, modified, or otherwise dealt with, and to provide a copy of this log to my office on request (not yet in force).

Ontario’s Electronic Health Record at long last

On October 1, 2020, new regulations designated Ontario Health as the prescribed organization responsible for bringing to life the province’s long-awaited-for electronic health record (EHR) under Part V.1 of PHIPA.  One of the main goals of the EHR is to ensure that Ontarians’ comprehensive health information is brought together in a consistent format under a single, virtual ‘roof.’ This will make the information readily accessible to a broad range of health care providers across a wide spectrum of care settings, enabling more efficient and better-integrated care.

Part V.1 establishes a comprehensive privacy and accountability framework for the EHR. It defines an extensive role for Ontario Health as the administrator of the EHR subject to oversight by my office. It allocates shared responsibilities among multiple custodians using the EHR, to establish “who’s on first.”  For example, it clarifies the rules for custodians seeking to upload or download PHI, to or from the EHR; rules for honoring an individual’s consent directives and rules for overriding them, subject to notice requirements. There are also new rules for breach notification adapted specifically for the EHR context.

There are new rules that allow coroners, medical officers of health, and the ministry of health data integration unit (designated under Part III.1 of FIPPA) to collect PHI from the EHR. The Minister of Health may also direct disclosure of PHI from the EHR to others (for example, researchers) on request, subject to consultation with a yet-to-be- established advisory committee. This concept of an advisory committee is yet another interesting aspect of PHIPA.

Interoperability Specifications

Other PHIPA regulations relating to the digitization of PHI will come into force on January 1, 2021. These regulations set out a framework for establishing, monitoring, and enforcing compliance with interoperability specifications. Interoperability helps ensure that custodians’ electronic information systems, or “digital health assets,” can “speak to one another” making it easier for custodians to share PHI seamlessly across institutions.

Ontario Health has been charged with making these interoperability specifications, in consultation with my office (particularly where individuals’ privacy and access rights are at issue), and subject to approval by the Minister of Health. Ontario Health will also be required to publish these specifications, develop a certification process to green light electronic systems that meet the required specifications, and monitor custodians’ compliance with these specs.

2020 – A big year for PHIPA

Looking back, 2020 was a big year for PHIPA. These significant amendments speak to the intricacies of our new digital health reality. They demonstrate how incredibly complex the health system has become as it strives to deliver highly personalized digital health solutions at the individual level, while also increasing data sharing across different entities to help solve broader public health issues, like those we have seen with COVID-19, for example.

The elephant left standing in the room is how best to regulate the increasing number of private sector actors becoming inextricably linked into Ontario’s digital health system.  PHIPA has already shown itself ready to hold some private sector players (like health information networks providers and consumer electronic service providers) to certain obligations, but what about others? This must certainly be on the mind of many as Ontario continues to consult on a possible made-in-Ontario private sector privacy law.  Such a law, if adopted, would need to jive well with the growing tentacles of PHIPA to create a seamless and integrated regime, that is both practical and coherent.

Letter to Michael Maddock regarding Installing COVID Alert app on OPS-issued mobile devices

Letter to Mayor Tory regarding Installing COVID Alert app on City of Toronto mobile devices

Today, the COVID Alert exposure notification app was launched as an important digital tool to be used among other public health measures, to help control the spread of COVID-19 in Ontario.

I commend the robust safeguards the government has put in place to protect the privacy and security of Ontarians who choose to use the app. I also appreciate the opportunity to consult with the government on this important initiative and their spirit of collaboration and responsiveness in implementing our recommendations.

Because the app is a national initiative intended to be rolled out across the country, our review of the privacy aspects of the app was carried out in coordination with the Office of the Privacy Commissioner of Canada. Our review led to a comprehensive set of recommendations to our respective governments based on the key privacy principles outlined in a joint federal, provincial and territorial statement on contact tracing applications.

After completing a thorough review of the app, and on assurances that our recommendations will be implemented, I’m pleased, along with my federal counterpart, to support the use of the COVID-Alert app.

I recognize that for this app to be ultimately effective in curbing the spread of COVID-19, the public will want — and expect — assurances that their personal information will be protected and that their use of the technology is voluntary.  I urged the Ontario Government, and they have committed, to issue strong public messages encouraging businesses and employers to respect the voluntary nature of COVID Alert by not compelling individuals to use the app or to disclose information about the use of the app.

These are exceptional times, and we have seen the dramatic and tragic effects of COVID-19 on many vulnerable members of our community. While today’s launch of the COVID Alert app marks a significant milestone in the fight to control the spread of COVID-19, the IPC’s work will not stop here. We will continue to monitor that the app is implemented for its intended purpose, that its safeguards are applied as designed to protect privacy, and that its collection and use of personal information continue to be necessary and effective in helping curtail the spread of COVID-19 in Ontario.

Patricia Kosseim

Related documents:

• News Release: Federal and Ontario privacy commissioners support use of COVID Alert application subject to ongoing monitoring of its privacy protections and effectiveness
• Office of the Information and Privacy Commissioner of Ontario Recommendations on COVID Alert
• Office of the Privacy Commissioner of Canada Review of the COVID Alert app

Canadian laboratory testing company found in violation of privacy laws

TORONTO – Thursday, June 25, 2020 – A joint investigation by the Information and Privacy Commissioners of Ontario and BC has found that LifeLabs failed to protect the personal health information of millions of Canadians resulting in a significant privacy breach in 2019.

The joint investigation revealed that the company’s failure to implement reasonable safeguards to protect the personal health information of millions of Canadians violated Ontario’s health privacy law, PHIPA, and BC’s personal information protection law, PIPA.

The Ontario and BC offices determined the company:

• failed to take reasonable steps to protect the personal health information in its electronic systems;
• failed to have adequate information technology security policies in place; and
• collected more personal health information than was reasonably necessary.

Both offices have ordered LifeLabs to implement a number of measures (summarized in the accompanying backgrounder) to address these shortcomings.

Publication of the report is being held up by LifeLabs’ claims that information it provided to the commissioners is privileged or otherwise confidential. The commissioners reject these claims. The IPC and BC OIPC intend to publish the report publicly, unless Lifelabs takes court action.

“Our investigation revealed that LifeLabs failed to take necessary precautions to adequately protect the personal health information of millions of Canadians, in violation of Ontario’s health privacy law. This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks.  I look forward to providing the public, and particularly those who were affected by the breach, with the full details of our investigation.”

— Brian Beamish, Information and Privacy Commissioner of Ontario

“LifeLabs’ failure to properly protect the personal health information of British Columbians and Canadians is unacceptable. LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm. The orders made are aimed at making sure this doesn’t happen again.

This investigation also reinforces the need for changes to BC’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights.  This is the very kind of case where my office would have considered levying penalties."

— Michael McEvoy, Information and Privacy Commissioner of British Columbia

On March 25, 2020, the Ontario government amended Ontario’s health privacy law. Once implemented, Ontario will be the first province in Canada to give the Information and Privacy Commissioner the power to levy monetary penalties against individuals and companies that contravene PHIPA.

• Background:
  • Backgrounder
  • LifeLabs Privacy Breach – December 17, 2019

Media contact:

Jason Papadimos (Ontario IPC)
@email 416 326-3965

Michelle Mitchell (BC OIPC)
@email 250 217-7872

Joint Statement by Federal, Provincial and Territorial Privacy Commissioners^[1]

May 7, 2020

The safety and security of Canadians is of grave concern in the current COVID-19 health crisis. The urgency of limiting the spread of the virus is a significant challenge for government and  public  health  authorities,  who  are  looking  for  ways  to  leverage  personal  information^[i] to contain and gain insights about the novel virus and the global threat it presents.

In this context, we may see more extraordinary measures being contemplated. Some of these measures will have significant implications for privacy and other fundamental rights. The choices that our governments make today about how to achieve both public health protection and respect for our fundamental Canadian values, including the right to privacy, will shape the future of our country.

One of the measures currently being contemplated or already being implemented in some jurisdictions within Canada and around the world is the launch of smart phone apps as a public health tool. Many of these apps are either for the purposes of contact tracing or for purposes of notifying individuals of the fact that they have been in close proximity of someone who has been confirmed or is assessed as likely to be a carrier of COVID-19, in order to help prevent further spread of the virus.

Commissioners felt it important to issue a common statement to Canadians because these applications raise important privacy risks. While applicable privacy laws must be observed, some of them do not provide an effective level of protection suited to the digital environment, as was highlighted in a joint resolution last fall. This is why we invite our respective governments, insofar as they plan to use contact-tracing applications, to respect at least the following principles: 

• Consent and trust: The use of apps must be voluntary. This will be indispensable to building public trust. Trust will also require that governments demonstrate a high level of transparency and accountability.
• Legal authority: The proposed measures must have a clear legal basis and consent must be meaningful. Separate consent must be provided for all specific public health purposes intended. Personal information should not be accessible or compellable by service providers or other organizations.
• Necessity and Proportionality: Measures must be necessary and proportionate and, therefore, be science-based, necessary for a specific purpose, tailored to that purpose and likely to be effective. To assist in determining whether the measure in question is justifiable in the circumstances, governments should consider the following:
  • Necessity: the public health purpose or purposes underlying a measure must be evidence-based and defined with some specificity. Is the purpose to notify users and advise them to take certain actions? Is it to assist public health authorities to better understand local conditions for resource allocation purposes? Is it for another purpose?
  • Proportionality: the measure should be carefully tailored in a way that is rationally connected to the specific purpose(s) to be achieved,
  • Effectiveness: the measure must be likely to be effective at achieving the defined purpose(s), and,
  • Minimal intrusiveness: while the least intrusive option for the intended purpose should be chosen, and data minimization should be applied, where that cannot be achieved or demonstrated, governments should clearly communicate the rationale for the level of personal information that they need to collect.
• Purpose Limitation: Personal information must be used for its intended public health purpose, and for no other purpose.
• De-identification: De-identified or aggregate data should be used whenever possible, unless it will not achieve the defined purpose. Consideration should be given to the risk of re-identification, which can be heightened in the case of location data.
• Time-Limitation: Exceptional measures should be time-limited: any personal information collected during this period should be destroyed when the crisis ends, and the application decommissioned.
• Transparency: Government should be clear about the basis and the terms applicable to exceptional measures. Canadians should be fully informed about the information to be collected, how it will be used, who will have access to it, where it will be stored, how it will be securely retained and when it will be destroyed. Privacy Impact Assessments (PIAs) or meaningful privacy analysis should be completed, reviewed by Privacy Commissioners, and a plain-language summary published proactively.
• Accountability: Governments should develop and make public an ongoing monitoring and evaluation plan concerning the effectiveness of these initiatives and commit to publicly posting the evaluation report within a specific timeline. Oversight by an independent third-party – such as review and implementation monitoring by a privacy commissioner’s office – will help ensure accountability and reinforce public trust. While some privacy commissioners have the legal authority to conduct independent audits, it is encouraged that others be given this mandate by government through appropriate means. If effectiveness of the application cannot be demonstrated, it should be decommissioned and any personal information collected should be destroyed.
• Safeguards: Appropriate legal and technical security safeguards, including strong contractual measures with developers, must be put in place to ensure that any non-authorized parties do not access data and not to be used for any purpose other than its intended public health purpose. Authorities must ensure the public are aware of associated risks and threats (e.g. online fraud or malware).

[1] The Information and Privacy Commissioner of Alberta is reviewing a privacy impact assessment for the ABTraceTogether app that was recently launched in Alberta, and will provide recommendations directly to the Government of Alberta.

LifeLabs recently notified the public about a cyberattack involving unauthorized access to its computer systems. Here is what you need to know about this breach:

• Our office is working with the B.C. privacy commissioner to investigate the breach. We will be looking at what measures LifeLabs could have taken to prevent and contain the breach, assessing LifeLabs’ response to the breach, and reviewing what needs to be done to avoid further attacks.
• We will publicly release our findings and recommendations once we have completed our investigation.

If you think you may be affected by the breach or would like more information, LifeLabs has set up a dedicated phone line and posted information on their website. LifeLabs has indicated that any individual affected by the breach can receive one free year of protection that includes web monitoring and identity theft insurance. You can visit LifeLabs at www.customernotice.lifelabs.com or contact them at 1-888-918-0467.

People affected by the breach are not required to file individual complaints with our office because our investigation is already underway. We will release our findings and recommendations once our investigation is completed. We will be working together with the B.C. privacy commissioner to address the interests of those affected by this breach.

Joint statement from the Ontario and B.C. privacy offices.

Backgrounder