"A More Sinister Complexion": The Critical Need for Thorough and Robust Privacy Compliance Procedures and Plans
March 21, 2007
"Personal information stored on stolen devices can be used for purposes such as fraud and identity theft - problems that have reached epidemic proportions throughout North America. And with the movement of organized crime into this area, the problem takes on a greater and more sinister complexion."[1]
The recent news report relating to the theft of a laptop computer containing the personal health information of nearly 3000 current and former patients of the Hospital for Sick Children (SickKids) in Toronto and the resulting report of Dr. Ann Cavoukian, the Information and Privacy Commissioner of Ontario, is yet another reminder and call to action for all organizations that collect, use or disclose personal information. Although the Privacy Commissioner's decision arises under legislation governing the collection, use and disclosure of personal health information in the province of Ontario, it would be foolhardy for any organization subject to Canadian privacy laws to ignore the facts of that case and the resulting findings. The decision is a clear call for all organizations that collect, use or disclose personal information to ensure they have in place thorough and robust privacy compliance plans and procedures as well as a breach response plan that comes into effect as soon as a privacy breach occurs. Such plans must be comprehensive, communicated to all staff along with training, and updated regularly.
Most importantly, such privacy compliance plans and procedures must be endorsed by senior management and enforced.
HOW THE BREACH OCCURRED
In early January a physician clinician/researcher left SickKids with a laptop computer containing personal health information relating to current and former SickKids patients. The reason for removing the computer was to take the information home in order to analyse research data. The physician did not go directly home; he parked his minivan in a Toronto parking lot for roughly 3 ½ hours. As the minivan did not have a trunk, the physician covered the laptop with a blanket and placed it between the seats. On his return, the physician noted that the vehicle had been broken into and the laptop had been stolen. The laptop was not recovered. The information on the laptop was password protected, but not encrypted. Encryption was a security precaution that could have been taken before the theft occurred.
The police, the physician's department chair at SickKids and the Chair of the Research Ethics Board for the research study were immediately notified. SickKids' Privacy Contact was also notified and the members of the senior management team met. SickKids' critical occurrences policy was invoked and an internal investigation was conducted. The Office of the Ontario Information and Privacy Commissioner was also notified. SickKids commenced a review of its policies and practices regarding portable computing devices, the use of encryption and remote access. It also issued a preliminary precaution to all staff stating that no identifiable patient information - either physical or electronic - was to leave the hospital.
RESULTS OF THE ONTARIO PRIVACY COMMISSIONER'S INVESTIGATION
The Ontario Privacy Commissioner conducted an investigation and concluded that, contrary to the Ontario Personal Health Information Protection Act (PHIPA), SickKids had not:
- taken reasonable steps to ensure that personal health information in its custody or control was protected against theft, loss and unauthorized use or disclosure;
- ensured that the records of personal health information in its custody or under its control were retained, transferred or disposed of in a secure manner;
- conducted its research study in compliance with PHIPA; or
- put in place information practices that met the requirements of PHIPA.
The Privacy Commissioner ordered SickKids to develop or revise and implement policies and procedures to ensure that records containing personal health information are safeguarded at all times as required under PHIPA. Specifically, SickKids was ordered to develop or revise and implement:
- a comprehensive corporate policy that, to the extent possible and without hindering the provision of health care, prohibits the removal of identifiable personal health information in any form from the hospital premises. To the extent that such information must be removed in electronic form, it must be encrypted;
- a hospital-wide endpoint electronic devices policy, applicable to both desktop and portable devices, which mandates that any personal health information not stored on secure servers must either be de-identified or encrypted;
- a comprehensive corporate policy relating to the use of secure remote access and/or virtual private networks as an alternative to using laptop computers;
- a privacy breach protocol/policy; and
- education and training to staff members, researchers and clinicians on the risks associated with the use of laptop computers, as well as detailed instructions on how to secure the information contained on laptop computers and regarding its new policies on a regular and recurring basis, once complete.
Finally, SickKids was required to review and revise its research protocols and applications to comply with PHIPA.
IMPLICATIONS OF THE ONTARIO PRIVACY COMMISSIONER'S ORDER FOR ONTARIO HEALTH INFORMATION CUSTODIANS
The Privacy Commissioner's order will have a very significant impact on the manner in which personal health information is protected by health care custodians. The use of portable computing devices and the removal of personal health information from the secure premises of a health information custodian must now be assessed against the Privacy Commissioner's findings and order in this case. Most definitely, organizations that require or permit the removal or transportation of identifiable personal health information from secure premises must immediately review such policies and take steps to ensure that any such information is encrypted (if in electronic format) or, if not in electronic format, is somehow de-identified or made secure. The Privacy Commissioner very clearly noted that passwords are often the "weakest link in the security chain" and that password protection alone "can no longer be considered to provide adequate protection against unauthorized access to [personal health information] stored on mobile computing devices."
Similarly, all organizations must review their internal policies to ensure that they have in place a privacy breach response plan. Although SickKids had in place a policy entitled Management of Critical Occurrences, the Privacy Commissioner found that the policy was not suitable for responding to a privacy breach/incident.
Those engaged in clinical research involving human subjects in Ontario will be impacted most particularly since the Privacy Commissioner concluded that, notwithstanding the fact that the research study had Research Ethics Board (REB) approval, the research protocol did not meet the requirements of PHIPA. The Commissioner specifically noted that the industry standard, the Tri-Council Policy Statement entitled Ethical Conduct for Research Involving Humans, and other SickKids REB policies did not appear to incorporate the requirements for research plans under PHIPA. This finding means that research plans for clinical research must be very carefully reviewed against the requirements of PHIPA. REB approval of a study protocol may not be seen as a confirmation that a research plan is compliant with Ontario law.
Simply put, in her order of March 7, 2007, Dr. Cavoukian stated: "[t]here is no excuse for unauthorized access to personal health information due to the theft or loss of a mobile computing device - any [personal health information] contained therein must be encrypted."
IMPLICATIONS OF THE ONTARIO PRIVACY COMMISSIONER'S ORDER FOR OTHER ORGANIZATIONS
Organizations not subject to PHIPA must still read and consider the Ontario Privacy Commissioner's decision. The requirements under PHIPA are substantially similar to those under other private sector privacy legislation in Canada, most notably the Personal Information Protection and Electronic Documents Act. The key considerations for other organizations are the following:
- clear, comprehensive and centralized policies are required;
- action must be taken on an organization-wide basis; policies may not be developed on a case-by-case-basis or involve discretionary decisions made on an individual basis;
- the policies must be thorough, robust and clearly communicated with appropriate training;
- senior management must actively support a culture and climate of privacy compliance;
- policies and procedures must be enforced.
AND, FINALLY, A WORD ABOUT CARS.
It is worth noting that the Ontario Privacy Commissioner's decision does not discuss or analyse in any detail the physician's decision to leave a laptop containing personal information in a vehicle except to say the "staff member demonstrated poor judgement in leaving a laptop computer in a vehicle (despite attempts to conceal it) in a parking lot in downtown Toronto, an area targeted by thieves." Bluntly, there was no need for the Commissioner to discuss whether or not it is appropriate to leave information in a vehicle given her findings that to meet the requirements of PHIPA, an organization must ensure that such a situation simply cannot arise. Had the policies been in place, along with training, senior management approval and support, and active enforcement, the situation would not have arisen unless the staff member concerned had deliberately contravened the policy. Vehicles are not secure storage sites. They never were and, in all likelihood, never will be. The answer, however, based on this case is not to address the use of a vehicle as a temporary retention facility but rather to ensure that the situation cannot arise because personal information is either not removed from secure premises, or if removed, is de-identified or encrypted.
For more on this important issue, don't miss our Ottawa seminar: Privacy Breach? Developing a Corporate, Communications and Human Resources response plan better than 'What now?'
Martha A. Healey
[1] Information and Privacy Commissioner/Ontario, Order HO-004, March 2007. Available on-line at http://www.ipc.on.ca/images/Findings/up-3ho_004.pdf.
The purpose of this document is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of Ogilvy Renault LLP or any member of the firm on the points of law discussed.
© Ogilvy Renault LLP 2007 - All Rights Reserved