Coordinating Investigations: How the Federal and Provincial Commissioners are Working Together

Personal Health Information Protection Act Conference 2005

May 4, 2005
Toronto, Ontario

Address by Patricia Kosseim
General Counsel, Office of the Privacy Commissioner of Canada

---

Introduction

I would like to thank the conference organizers for the generous invitation to deliver the luncheon address today. I would also like to thank all of you in advance, for your kind attention, as your digestive system wages battle on your nervous system to win over your body's energy and state of consciousness.

I was asked last November, before I even joined the OPC, to talk about "Coordinating Investigations: How the Federal and Provincial Commissioners are Working Together". I accepted the invitation on the ambitious assumption that I would likely learn enough about the subject during my first five months on the job to talk to you intelligently about it. And though I'm still learning, I'm comforted by the fact that everyone else is too — for this is new, uncharted territory for all of us to explore and discover.

A key feature that makes Canada unique in all respects is our diversity. We take great pride in the vast richness of our peoples and our geography. Just as diverse is the political and jurisdictional landscape of our country. And, though we may despair over it at times, political and jurisdictional differences serve as a unique laboratory for social and legislative change. We can observe legislative and policy experiments in one jurisdiction and use that knowledge and experience to emulate and/or develop even more effective laws and policies in other jurisdictions.

We have certainly seen such diversity in the development of privacy laws across Canada. Over the past three decades, privacy legislation has marched steadily on in federal, provincial and territorial jurisdictions, primarily in the public sector at first, then increasingly in the private sector and, then more specifically in the health sector, which as you all know first-hand, straddles both public and private entities.

Although this diversity offers many benefits in terms of adapting, comparing, evolving and improving laws and policies over time, there are also significant challenges, particularly in the health sector. Personal health information flows far and fast in a digital environment, attracting the application of a multiplicity of privacy-related laws during its travels. Because these laws differ across jurisdictions, policy-makers, practitioners, health care managers, researchers, system developers, payers, insurers, employers, all face the daunting task of understanding the differences between these laws and determining which among them apply to any given transaction.

These challenges will be the main focus of my talk today- how we deal with privacy matters in areas of shared, or concurrent jurisdiction. Addressing such challenges will be critical for the successful development of pan-Canadian, inter-operable electronic health record systems, and national health research and surveillance programs, as examples of major, multi-jurisdictional initiatives, aimed at improving the delivery of health care and addressing broader health system and public health issues.

The complexity of jurisdictional issues in the private sector

As you know, since January 1, 2004, the Personal Information Protection and Electronic Documents Act — PIPEDA — covers the collection, use and disclosure of personal health information which takes place during the course of commercial activity both within and across provinces. To this general rule, however, are very important exceptions and qualifications:

PIPEDA applies to employee information only in relation to federal works, undertakings or businesses. It does not cover employee information in other sectors.

To the extent that the collection, use and disclosure of personal health information takes place in the course of commercial activity that crosses provincial or national borders, PIPEDA will apply.

However, if we are dealing with intra-provincial commercial activity, then PIPEDA will not apply if there is substantially similar provincial legislation in place. To date, only three provincial laws have been declared by the Governor in Council to be substantially similar to the data protection provisions of PIPEDA.

• Quebec's private sector law, as of December 2003
• Alberta's private sector law, as of October 2004
• British Columbia's private sector law, also as of October 2004.

Interestingly, between January 1, 2004, when PIPEDA took full effect, and October 12, 2004, when Alberta and B.C.'s Acts were declared substantially similar and the exemptions were ordered, both federal and provincial jurisdictions applied to some of the same activity. This was a period of shared or concurrent jurisdiction.

Ontario has also recently applied to have its Personal Health Information Protection Act (PHIPA) declared substantially similar. Since January 1, 2004 and prior to the adoption of PHIPA in November 2004, only PIPEDA applied to any collection, use and disclosure of personal information that occurred in the course of commercial activity within that province. Since November 1, 2004, PHIPA now has concurrent jurisdiction over the collection, use and disclosure of personal health information by health information custodians. This concurrent federal-provincial jurisdiction will continue in respect of HICs until such time as PHIPA is declared substantially similar and HICs' activities are exempt from PIPEDA.

Though these rules may seem simple and straight-forward, they are anything but. Jurisdictional issues are typically very complex and lead to different results depending on the specifics of the transaction in each case. The rules may be just as complex even where there is substantially similar legislation in place. The only simple commonality between cases is the need for flexibility, collaboration and cooperation between Privacy Commissioners. These are the key ingredients that Commissioners' Offices work with to implement an effective and workable privacy regime in Canada.

Let me give you some examples.

Intra-provincial commercial activity

Even where a "substantially similar" order exists, not all intra-provincial commercial activity will necessarily be covered by the order and jurisdictional boundaries are not always clear. Complex jurisdictional issues may still arise and require close collaboration between jurisdictions to deal with them.

For instance, Alberta's Health Information Act (HIA) applies to health service providers who are paid under the Alberta Health Care Insurance Plan to provide health services. On this definition, HIA does not cover health practitioners, such as dentists who provide health services privately. While Alberta's Personal Information Protection Act (PIPA) does apply to private sector organizations, such as dental clinics, it does not apply to health information as defined by HIA which is collected, used or disclosed for health care purposes. Under this dual regime, the collection, use or disclosure of personal health information by dentists working in private practice to provide health services, seems to have fallen between the cracks as it is not currently covered by either Alberta Act. Hence, such activity would be subject to the federal PIPEDA.

As a postscript to this scenario, Bill 8 was introduced in the Legislative Assembly of Alberta in March to resolve this issue. Among other things, Bill 8 proposes to amend Alberta's PIPA in favour of bringing the activities of private practitioners who collect, use or disclose personal health information in the course of providing health services clearly within its scope. Until such time as the amendment is adopted, the federal and Alberta offices are working closely and collaboratively to address the various, complex jurisdictional challenges as they arise.

As another example, Ontario's Personal Health Information Protection Act (PHIPA) imposes the full panoply of personal information protection obligations on health information custodians or HICs. PHIPA also imposes some obligations on non-HICs, but only in respect of use and disclosure of the personal health information they receive from HICs. For example, insurance companies are obligated under PHIPA not to use or disclose personal health information they receive from HICs for any purpose other than that which is specified. The same insurance company however is not regulated by PHIPA in respect of other privacy obligations, such as, collection, access, rectification, accountability, safeguards, etc. In respect of these other privacy obligations, PIPEDA would continue to apply to them. Here again, the federal and Ontario offices will work closely and collaboratively to enforce the full range of organizations' obligations under the concurrent jurisdiction of both PHIPA and PIPEDA in the most seamless and effective manner possible.

Inter-provincial commercial activity

Further complex jurisdictional issues arise when information flows across provincial boundaries. For example, an Alberta organization may disclose personal information to a separate organization in Saskatchewan in the course of commercial activity. An individual could complain about this inter-provincial transaction to the Office of the Privacy Commissioner of Canada. Alternatively, an individual who is disgruntled about the disclosure aspect of the transaction could initiate a complaint against the Alberta organization with the Alberta Information and Privacy Commissioner under PIPA. Or, if the individual wishes to complain about the improper collection of their personal information by the Saskatchewan organization, he or she may direct the complaint to the Privacy Commissioner of Canada, since Saskatchewan does not have substantially similar legislation in place governing its private sector organizations and activities. In any event, whether the complaint is initiated in Alberta and/or federally in respect of the same transaction, our respective offices will work together to try to minimize the number of investigations and coordinate our dealings wherever possible.

In one case currently being dealt with by our office, the complainant worked for an organization in British Columbia. The organization provides disability insurance. The individual applied to the insurance company, headquartered in Quebec, for access to their files. Those insurance files are kept in Toronto. The insurance company responded as if PIPEDA regulated the question. Given these facts, is PIPEDA the appropriate legislation? Should PIPEDA apply because there is no substantially similar legislation governing the private sector in Ontario where the files are? Should PIPEDA apply because this involves an inter-provincial transaction — the purchase of insurance services? Does it fall under Quebec jurisdiction because the insurance company is headquartered there? Does it fall under B.C.'s private sector act as an employer-employee issue?

In another case, we are dealing with the same scenario, only the employer is located in the Maritimes, where there is no substantially similar legislation. How, if at all, should the treatment of this case differ from the first? We are in the course of working through these jurisdictional tangles, but the most important thing here is to converse with our provincial counterparts and find the best way of assisting the individual in protecting his or her fundamental right of privacy.

No doubt, these jurisdictional issues will become less daunting over time. I can assure you that federal and provincial Commissioners are working together to resolve them in a collaborative way. All privacy authorities in Canada recognize the importance of working together to resolve these issues. Some individuals may raise jurisdictional challenges in the courts but, by and large, these issues can be resolved through a collegial process. Our goal in every case is to establish as simple and clear a mechanism as possible for individuals and organizations to understand their respective rights and obligations.

Federal and Provincial Commissioners have been working to develop formal protocols for handling investigations where there may be overlapping jurisdiction. In March 2004, the Privacy Commissioner of Canada sent a letter of understanding to the Information and Privacy Commissioners of Alberta and British Columbia to confirm discussions about the handling of complaints relating to organizations in those provinces. This letter of understanding sets out in part how the Office of the Privacy Commissioner of Canada would handle complaints both before and after a finding of "substantially similar" was made in respect of the provincial laws. More recently, the Commissioner has corresponded with Dr. Cavoukian about how the federal and Ontario offices shall handle complaints of common concern since the coming into force of Ontario's Personal Health Information Protection Act, 2004 and as we await its substantially similar designation. These letters of understanding are available on the Privacy Commissioner of Canada's web site (priv.gc.ca).

Moreover, many efforts are made informally and behind the scenes to streamline the federal-provincial approach to jurisdictional issues. Senior staff from the various Commissioners' offices have established a private sector privacy forum which seeks to coordinate and harmonize federal and provincial oversight of the private sector in Canada. Staff take part in monthly teleconferences and/or meetings to develop procedures for determining jurisdiction, transferring complaints and conducting joint or parallel investigations. In addition, a first Investigators' Conference was held in Regina this March joining together investigators from the western provinces to exchange information on jurisdictional issues and discuss how they have handled cases of common interest. The Conference was highly successful and we are looking to roll out the experience in other regions of Canada. There is further information about jurisdictional issues, including a fact sheet, on our web site, as well as on the web sites of other provincial information and privacy commissioners.

A recent example of an investigation conducted through federal-provincial collaboration involved a couple in Alberta who was receiving medical faxes in error — 10 faxes from seven different organizations in all. An article in an Edmonton newspaper suggested that the faxes involved communications that were intended between health service providers and contained personal health information about identifiable individuals.

A preliminary investigation determined that several of the parties who were responsible for sending the records were not subject to Alberta's Health Information Act. But some of the transactions did fall within federal jurisdiction under PIPEDA. The Federal and Alberta offices collaborated in investigating this incident. It was determined that the couple received 10 faxes from 7 different organizations. The parallel investigations determined that the organizations were in contravention of both the provincial and federal laws.

Conclusion

As complex as these jurisdictional issues may be, they should not be allowed to cloud over our obligations of transparency and accountability.  Hiding behind the "jurisdictional cloak" serves the interests of no one - not the individual whose health privacy is at stake, nor the organization that is severely impeded in its ability to resolve the issue and get on with business.

The Office of the Privacy Commissioner of Canada is open to ideas for dealing with the jurisdictional complexities of ensuring privacy protection in Canada.  Our goal is not to be excessively exacting or inflexible.  But, rather, it is to use our legislative powers and tools, in collaboration with our provincial colleagues, to encourage organizations, in every practical way possible, to fashion their information practices so as to provide the most effective protection of this fundamental human right we call privacy. 

With the 2006 PIPEDA review coming up, we have completed our first lap of private sector privacy legislation at the federal level. While PIPEDA may have had the effect of encouraging several provinces to adopt substantially similar legislation since 2000, we have now come full circle around the track and are well positioned to compare, contrast, and learn from their innovative approaches and solutions. No doubt, PIPEDA will benefit from this knowledge and improve as a result of recent provincial experiences.

In the case of Québec, their experience dates back to 1994. We stand to gain enormously from more than 10 years' worth of Québec jurisprudence which has interpreted its private sector legislation. In fact, our office has commissioned a review and summary of this Québec jurisprudence to be made publicly available on our website in both official languages. We are working with an editorial board, composed of representatives from several provincial Commissioners' offices, including the Commission d'accès à l'information du Québec to complete and eventually publish this work. Through this document, we hope to shed light on how similar or equivalent privacy concepts such as "personal information", "consent", "necessity", "purpose", etc. have been interpreted by Quebec courts and have evolved over the years. By "translating" Québec's bank of existing knowledge and experience into user-friendly, readily-accessible format, we hope to benefit all other jurisdictions that are just now, having to give meaning and effect to their more recent private sector acts.

Such is the advantage of diversity as a unique feature of our Canadian confederation.

Thank you.