Taking Stock

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks at the Reach Canada 30th Anniversary Conference

June 16, 2011
Ottawa, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

All of these issues have long been near and dear to my heart. In a previous life, I worked in human rights, first at the Canadian Human Rights Commission and then at Quebec’s human rights commission. During the 1990s, we saw a significant shift from complaints dealing with sexual discrimination to complaints related to matters involving disabilities.

For me, the key to disability rights is maintaining dignity. And a big piece of that is the ability to maintain one’s privacy – which is where I’ll focus my remarks today.

Role of the OPC

Some of you may not be very familiar with the role of my Office, so it might be appropriate to start with a quick sketch of what we do.

Parliament has tasked us with the mission of protecting and promoting the privacy rights of Canadians. We enforce Canada’s two federal privacy laws:

  • First, the Privacy Act, which imposes obligations on some 250 federal government departments and agencies to respect privacy rights by limiting the collection, use and disclosure of personal information. 
  • The other law is the Personal Information Protection and Electronic Documents Act, or PIPEDA, which covers the private sector.  It applies to Canadian businesses and organizations across Canada except where provincial legislation has been deemed “substantially similar” – in British Columbia, Alberta and Quebec. Even in those provinces, PIPEDA applies to federally regulated organizations such as banks, airlines and telecommunications companies.

My Office has a number of tools available to help it fulfill its mission to protect the privacy rights of Canadians, including complaint investigations, audits, court action, and public education.

Protecting privacy is an enormous – but exciting – challenge given how rapidly the landscape has been evolving in recent years.

On the public sector side, the rationale of safety and national security has been used – in Canada and elsewhere – to justify a dramatic expansion in the collection of personal information.

In the private sector, our personal information has become an increasingly hot commodity for many organizations that use it in order to try to sell us their services and products.

We live in an era of big data. Technological advances allow more and more personal information to be gathered, analyzed and stored.

Health Records and Privacy

That data includes health information – which is of particular relevance to our discussion this morning. As we all know, health information is, by its very nature, extremely sensitive information.

Yet, shockingly, we continue to hear stories of health information being treated in a cavalier fashion.

For example, my colleague in Saskatchewan has been grappling with a recent string of incidents involving huge numbers of medical files being tossed into dumpsters.

Not too many weeks ago, the University of Western Ontario announced that it had lost a USB memory stick containing the personal information of 4,500 children who have taken part in speech therapy and hearing programs.  The risk of putting identifiable personal information on a tiny - and easily lost – device is significant.

The emergence of electronic health records, meanwhile, is raising new concerns for privacy. While electronic health records are touted as a way to revolutionize health care, there is a risk that – if they are not implemented properly – our privacy will be more vulnerable than ever before.

Through our discussions with Canada Health Infoway, we’ve raised concerns about issues such as ensuring accountability and improving transparency for patients – including their options to control who has access to their personal health information.

As well, we want to ensure strong controls to prevent unauthorized access to health information. We’ve seen many examples of what can go wrong without those controls.

Celebrities and other people with a high-profile are particularly vulnerable to the curiosity of health care workers – and poor access controls on electronic records.  

Some of you may remember how several Toronto hospital employees were disciplined a number of years back for looking at private patient records after hospital stays by Toronto Maple Leafs coach Pat Quinn and former prime minister Brian Mulroney.

Recently, I read with dismay an article in the New York Times about the exploding gossip industry and the huge sums that certain websites, TV shows and magazines are willing to pay for health and other sensitive information about celebrities. In one of numerous examples cited, a worker at a drug and alcohol addiction centre said she received $10,000 for information from Lindsay Lohan’s confidential file.

But it’s not just the famous who have reason to fear.

In Alberta, a health care worker who also worked at a tanning salon was identifying potential dates at the salon, and then checking out their electronic medical records.

In another case here in Ottawa, a patient told hospital staff that she did not want her estranged husband or his girlfriend – both of whom worked at the hospital – to know she had been admitted or to have any access to her electronic health record. Despite the warning, the girlfriend – a nurse who was not involved in the patient’s direct care – repeatedly accessed her record and shared the information with the husband.

Veterans Affairs Investigation

Access issues were also central to our investigation last year into the serious mishandling of a veteran’s sensitive medical and personal information.

The investigation of Veterans Affairs Canada found that the veteran’s information was shared – seemingly with no controls – among departmental officials who had no legitimate need to see it.

This information subsequently made its way into a ministerial briefing note about the veteran’s advocacy activities. 

We concluded that the Department had contravened the Privacy Act, which requires that personal information be used only for the purposes for which it was collected or for other consistent purposes and that it be shared only on a need-to-know basis.

As a result of what was learned during the investigation, as well as information that has come to light through media reports and telephone calls to my Office, we decided to launch an audit of the Department’s handling of veterans’ personal information.

Disabilities and the Workplace

I would also like to touch on another area that I understand is the subject of many inquiries to Reach – health and disability issues and the workplace.

Employers, employees, unions and health care practitioners have a myriad of duties under a number of statutes and at common law that involve the collection, use and disclosure of personal health information. For example, there are ongoing requirements to report or disclose personal health information with respect to disability, workplace accidents, injury or illness.

The Supreme Court of Canada has accepted that employers may need to monitor the absences of employees who are regularly away from work, in light of the nature of the employment contract and the responsibility of the employer to manage its workforce. This means that an employer may request a medical note to establish that absences are in fact related to a disability or other health issue preventing the employee from carrying out their workplace duties.

Consistent with PIPEDA findings, human rights law and human resources best practices, an employer cannot request information about an employee’s diagnosis or treatment.

However, an employer is entitled to ask for certain information to verify leave, such as:

  • The expected duration of the absence;
  • The date the employee was seen by a health care professional; and
  • Whether the patient was examined in person by the health care professional issuing the certificate.

Another complex workplace issue is the duty to accommodate, which can raise significant privacy concerns for disabled employees.

The central principle of accommodation is to uphold the dignity of the employee being accommodated. An employee must be accommodated in a manner that most respects their dignity, which includes respecting privacy and confidentiality.

The Supreme Court of Canada has confirmed that while the legal duty to accommodate an employee with a disability primarily rests with the employer, that duty is also shared by the employee and unions.

Employees and unions must cooperate with any health-related accommodation. This may entail the employee disclosing to the employer and union relevant personal health information required to facilitate accommodation efforts.

Employers can only request information that is relevant to the accommodation of a disability. This involves a delicate balance between the employee’s right to privacy, and the employer’s obligation to make appropriate accommodation.

While employers cannot ask for the employee’s diagnosis or information about treatment, they can inquire as to the employee’s prognosis for an expected return to work or improved attendance.

In practice, there may be a significant amount of personal information that is disclosed and shared between the parties.

The parameters of the duty to accommodate and information sharing continue to be litigated before courts, boards and tribunals – something we’ll have to continue to follow.

OPC and Access Issues

In closing, I would like to quickly mention a couple of initiatives that my Office has been involved with.

Through our Contributions Program, last year we funded a public education project by the Canadian Association of the Deaf which focused on identity theft and privacy.

The association held a one-day national workshop with leaders from the deaf community and invited agencies such as the RCMP, financial institutions and the Office of Consumer Protection.

The workshop was a two-way dialogue, with presentations from experts on identity theft and related frauds, and discussions on issues that deaf individuals face as they try to protect themselves from fraud and report crimes. That event was followed by local workshops across the country.

This year, we are funding another initiative by the association to create “simple language” information about PIPEDA as well as videos offering the same information in both American Sign Language and Langue des Sourds du Québec.

On another front, my Office is in the early stages of a project to revamp our website to ensure broader accessibility. As part of a government-wide initiative, we are re-designing the site to serve the widest possible audience and the broadest-possible range of hardware and software platforms, from adaptive technologies to emerging technologies.

Thank you. I look forward to your questions and an interesting discussion.

Date modified: