Announcement

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

OPC satisfied with remedial actions by RESP company that collected and used maternity patient data without consent

January 24, 2017

A Registered Education Savings Plan (RESP) company whose representative collected and used personal information from hospital patients without consent has implemented recommendations from the Office of the Privacy Commissioner of Canada (OPC).

An investigation of Global RESP Corporation had found the company contravened the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, by failing to obtain consent to collect, use and disclose personal information belonging to the complainant, a maternity patient at a hospital in Toronto.

The investigation also found that the company did not have sufficient policies, procedures and training in place to ensure that its representatives were obtaining contact information of prospective clients in accordance with PIPEDA.

The company agreed to implement the OPC’s recommendations.

A year after the investigation findings were issued, Global confirmed that an independent third party had completed an audit, and certified that Global’s accountability measures were operating with sufficient effectiveness to provide reasonable assurance that the personal information the company processes is being collected and used in accordance with PIPEDA.

The OPC was also provided with a copy of the independent third party’s audit report and, in light of the actions taken by Global, is satisfied that Global has addressed the recommendations.

The investigation was conducted in cooperation with the Office of the Information and Privacy Commissioner of Ontario (IPC), which has jurisdiction over Ontario hospitals under the province’s Personal Health Information Protection Act (PHIPA). The IPC investigation found that the Rouge Valley Health System failed to put in place reasonable technical and administrative safeguards to protect patient information and issued an Order under PHIPA. The IPC has indicated that the hospital has since taken steps to rectify the deficiencies uncovered by the IPC investigation and has satisfied the terms of the Order.

These investigations demonstrate the ability of federal and provincial authorities to work together to address serious privacy issues affecting the public on multiple jurisdictional levels with respect to matters covered under PIPEDA.