Findings under the Privacy Act
Veteran’s complaint highlights significant privacy issues
A veteran filed a complaint with our Office alleging that Veterans Affairs Canada had violated the Privacy Act by using his personal information inappropriately when it included excessively detailed and sensitive medical information in briefing notes to the Minister of Veterans Affairs.
The complainant also alleged that the department had transferred his medical file to a hospital administered by Veterans Affairs without his consent.
The incidents referred to in the complaint occurred in 2005 and 2006.
The investigation confirmed that several briefing notes prepared for the Minister of Veterans Affairs contained sensitive medical information concerning the complainant. As well, the notes included significant detail about how the complainant interacted with the department, not only as a client but also as an advocate for veterans.
The investigation also determined that officials from numerous branches at Veterans Affairs, including Program Policy, Communications and Media Relations, were involved in discussing and contributing to the content of the briefing notes and also had full access to them.
On the second issue raised in the complaint, the investigation found that the department sent several large volumes of the complainant’s personal and medical information to a hospital that it administers. This material included medical reports, letters between the complainant and the department, as well as a briefing note prepared for the minister.
Veterans Affairs stated that it transferred the information to the hospital in order to establish his suitability for referral to a treatment program offered there. Departmental guidelines required clients to complete a Release of Information Form authorizing such transfers. However, this was not done.
The investigation determined that the volume and sensitivity of personal information, including medical information, contained within two briefing notes to the minister was excessive and went far beyond what was necessary for the stated purpose of the briefings.
While there were other briefing notes containing personal information, those were prepared for the purpose of a ministerial response to particular issues raised by the complainant and therefore the content appeared appropriate.
One of the notes that raised serious concerns was prepared in March 2006 in order to brief the Minister on the complainant’s participation in a Parliament Hill press conference to discuss issues related to veterans. In addition to briefing the Minister on the complainant’s advocacy activities, the note contained considerable sensitive medical information, including diagnosis, symptoms, prognosis, chronology of interactions with the department as a client, amounts of financial benefits received, frequency of appointments, and recommended treatment plans. The complainant had provided this information to the department in relation to an application for veterans’ benefits.
Several months later, Veterans Affairs re-used and updated the detailed briefing note from March 2006 with the intent to brief the Minister on a specific treatment/benefit issue.
Also of deep concern was the way in which the complainant’s personal information was widely shared between branches of Veterans Affairs in the preparation of briefing notes. Sensitive personal information was inappropriately shared with departmental officials who would normally require only very limited or no access to medical information in fulfilling their duties. In fact, they had no need to know the complainant’s medical information in order to add their contribution to the briefing notes.
On the second issue referred to in the complaint, the investigation found that the complainant had never provided consent for his information to be transferred to the hospital.
In both matters raised in the complaint, the investigation found that Veterans Affairs’ use of the complainant’s personal and medical information was not in accordance with section 7 of the Act, which states that personal information under the control of a government department shall not, without an individual’s consent, be used by the department except for the purpose for which the information was obtained or compiled, or for a use consistent with that purpose.
Accordingly, the complaint was well-founded.
As a result of this investigation as well as information that has come to light through media reports and telephone calls from other individuals, the Office of the Privacy Commissioner has significant privacy concerns about the use of sensitive medical information within Veterans Affairs. The Office is particularly concerned about the apparent lack of controls to protect sensitive medical information from being widely accessed and disseminated within the department.
The Office has reminded Veterans Affairs of its obligations under the Privacy Act and, in particular, that the use of personal information must be appropriately limited and proportionate to the operations of the institution in order to be in accordance with section 7 of the Act.
The Office of the Privacy Commissioner has issued the following formal recommendations to Veterans Affairs Canada:
- Revise existing information-management practices and policies to ensure that personal information is shared within the department on a need-to-know basis only. Personal information, including but not limited to sensitive medical information, should not be shared with programs that have no operational requirements for access to such information.
- Provide training for employees about appropriate personal information-handling practices.
- Review procedures to ensure that consent is obtained prior to personal information being transferred to veterans’ hospitals.
The Office of the Privacy Commissioner believes there is a possibility that this case may be an indication of a more systemic privacy issue within Veterans Affairs.
During the investigation, officials did not satisfy the Office that the department currently has adequate policies and procedures in place to govern the handling of veterans’ personal information. As well, officials could not clearly identify or explain policies, procedures or typical information-sharing practices.
The Office of the Privacy Commissioner has also become aware – through media reports as well as information provided by individuals who have contacted the Office – about other allegations of personal information being handled inappropriately.
As a result, the Office of the Privacy Commissioner has determined that it is appropriate to conduct an audit to examine the way in which the department handles the personal information of veterans to ensure compliance with federal privacy legislation.