Print Send to a Colleague Increase Font Size

Publication

title

First Order Issued under Ontario's PHIPA

DATE

November 25, 2005

EXPERTISE

Employment and Labour

One of Canada's largest Employment and Labour Law practices, dedicated to service and excellence

The Ontario Information and Privacy Commissioner has issued the first Order under the Personal Health Information Protection Act, 2004 (PHIPA).

The Order concluded an investigation by the Commissioner's office into how personal health records ended up being strewn across the streets of downtown Toronto in October on the location for the shooting of a film about the September 11th terrorist attack on the World Trade Centre.

The Commissioner's office was originally contacted by a newspaper reporter from the Toronto Star, who advised it that patient records were among the papers being blown around the street. While the facts giving rise to the Order are unique, the view the Commissioner's office took of the storage and destruction of personal health information is relevant for every health information custodian. In fact, when the Order was released, the Commissioner stated that it should be "carefully reviewed by every health information custodian and paper disposal company in Ontario."

A Toronto x-ray/ultrasound clinic had contracted with the paper disposal company to pick up and dispose of outdated health records. The paper disposal company, which engaged in both shredding and recycling activities, mistakenly believed that the documents were intended for recycling. The records were subcontracted to another recycling company which later sold them, intact, to the film company for its use on its set.

The Commissioner found that the clinic:

  • had failed to take all reasonable steps to secure the personal health information in its custody and control;
  • had failed to ensure that the personal health information was disposed of in a secure manner; and
  • had failed to comply with the PHIPA in that it failed to ensure that its agent (the paper recycling company) had properly handled the health information.

The Commissioner indicated that in light of the restrictions set out in the PHIPA and the obligations that must be met by those having custody and control of personal health information, where an agent is engaged to dispose of records, a written contractual agreement should be entered into specifying the agent's duties to securely shred the material and provide an attestation confirming that the shredding has been completed. The Commissioner also ordered the paper disposal company to put procedures in place to prevent paper designated for shredding from being mixed together with paper that is intended to be disposed of via recycling. This separation, in the Commissioner's view, is critical with respect to personal health information as secure disposal requires that the personal health information records be permanently destroyed by irreversible shredding or pulverizing, thus making them unreadable.

Although the decision dealt solely with paper records, the Commissioner was quick to note that the principles contained in it were equally applicable to personal health information contained and stored in electronic format. The Commissioner noted: "This means that health information custodians who are disposing of electronic records must ensure that those records are permanently destroyed or erased in an irreversible manner that ensures that the information cannot be reconstructed in any way."

The decision, which can be found online,[1] should be carefully reviewed by every health information custodian in the Province of Ontario, including hospitals, health care centres, clinics and homes for the aged, as well as every employer that receives health information from its employees.

While the Order was issued under PHIPA, those responsible for not only personal health information but also all other personal information under either the Personal Information Protection and Electronic Documents Act (Canada) or similar legislation in other provinces should review their document destruction procedures and protocols as well as their risk management and breach communications plans in light of the high standard to which the clinic was held by the Commissioner and bearing in mind the need to act swiftly in the event of a breach. Contracts with third-party shredding companies should be carefully reviewed as should any agreements with recyclers. All companies, regardless of business sector, would be wise to take the precautions suggested by the Commissioner vis-à-vis all personal information in their possession and/or control.

The lesson to be learned from this Order is that organizations having custody and control of personal health information or who are in the business of destroying same (and potentially others if the Commissioner's analysis is adopted by other Privacy Commissioners across the country) will be held to an extremely high standard by the Information and Privacy Commissioner when it comes to disposing of those records.

The purpose of this document is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of Ogilvy Renault LLP or any member of the firm on the points of law discussed.

[1]     http://www.ipc.on.ca/docs/ho-001.pdf

 Back to Publications

Contacts

Christine A. Carron
Montréal
514.847.4404
ccarron@ogilvyrenault.com
Profile

Anne K. Gallop
Toronto
416.216.4038
agallop@ogilvyrenault.com
Profile

Martha A. Healey
Ottawa
613.780.8638
mhealey@ogilvyrenault.com
Profile

Manon M. Savard
Montréal
514.847.4520
msavard@ogilvyrenault.com
Profile



Sign Up For News