Privacy Commissioner makes public his comments on Ontario's draft privacy legislation proposal
Ottawa, April 8, 2002 - The Privacy Commissioner of Canada, George Radwanski, sent the following letter to the Honourable Norman Sterling, Minister of Consumer and Business Services of the province of Ontario, on Thursday, March 28, 2002:
Dear Minister Sterling:
Re: A Consultation on the Draft Privacy of Personal Information Act, 2002
I appreciate this opportunity to comment on the Consultation Draft of the Privacy of Personal Information Act, 2002.
I recognize that this is a consultation draft that will undoubtedly be revised before it is introduced in the Ontario Legislature. Nonetheless, I thought that it would be appropriate to offer some general comments at this time. My comments are intended to assist your Ministry in understanding the criteria that I will use when I am called upon to assess provincial legislation to determine if it is substantially similar to the Personal Information Protection and Electronic Documents Act (PIPED Act).
Under the PIPED Act, I have an obligation to report annually to the Parliament of Canada on the "extent to which the provinces have enacted legislation that is substantially similar" to the PIPED Act.
This obligation supports subsection 26(2)(b) of the PIPED Act that allows the Governor In Council to exempt an organization, a class of organizations, an activity or a class of activities from the application of Part 1 of the Act in respect of the collection, use or disclosure of personal information that occurs within a province that has enacted legislation substantially similar to the PIPED Act.
In the event that a provincial act is not deemed to be substantially similar, or in the case of a province that chooses not to pass substantially similar legislation, the PIPED Act will begin to apply, as of January 1, 2004, to the collection, use or disclosure of personal information in the course of any commercial activity within that province.
I have stated in my Annual Report that I will interpret substantially similar to mean equal or superior to the PIPED Act in the degree and quality of privacy protection provided. I have also indicated that to be considered substantially similar, any provincial legislation will have to reflect the ten principles set forth in Schedule 1 to the PIPED Act. While the ten principles are fundamental, I consider consent, the reasonable person test, access and correction rights, oversight, and redress to be the key components in making an assessment of substantially similar.
This is consistent with the approach set out by the Department of Industry in a notice published in the Canada Gazette Part I on September 22, 2001. The notice explains the process that the department will follow for determining whether provincial/territorial legislation will be deemed substantially similar.
According to the Canada Gazette notice, the Minister will expect substantially similar provincial or territorial legislation to:
- incorporate the ten principles in Schedule 1 (section 5) of the PIPED Act;
- provide for an independent and effective oversight and redress mechanism with powers to investigate; and
- restrict the collection, use and disclosure of personal information to purposes that are appropriate or legitimate.
The process will be triggered by a province, territory or organization advising the Minister of Industry of legislation that it believes is substantially similar to the PIPED Act. The Minister may also act on his or her own initiative and recommend to the Governor In Council that provincial or territorial legislation be designated as substantially similar.
The notice states that the Minister will seek the Privacy Commissioner's views on whether or not legislation is substantially similar and include the Commissioner's views in the submission to the Governor In Council.
Before commenting on specific aspects of the legislation, I should explain the structure of my comments. I have not responded to the questions set out in the consultation draft. Many of these questions can more appropriately be answered by organizations and individuals who are likely to be directly affected by the legislation. I have limited my comments to those aspects of the draft legislation that are more relevant to an assessment of whether legislation based on this draft would be considered substantially similar.
My comments address the following issues:
- the ten principles from the PIPED Act and the reasonable person test;
- the scope of the legislation;
- regulation-making authority;
- access and correction rights;
- the provisions specific to personal health information; and
- personal health information and research.
The Ten Principles and the Reasonable Person Test

As I mentioned above, any provincial legislation must reflect the ten principles set forth in Schedule 1 to the PIPED Act to be considered substantially similar. I am pleased to see that the draft legislation incorporates all of the principles. The draft legislation also contains a reasonable person test in section 1, the Purposes clause. This is repeated in subsection 22(1)(b).
The remainder of my letter addresses specific aspects of the draft legislation. While I hope that these early comments will be helpful, I wish to emphasize that they are in no way intended to be a formal or final determination of the extent to which this legislation is substantially similar to the PIPED Act.
Scope

While the broad scope of the legislation is welcome, section 7 sets out certain categories of information to which the legislation does not apply. I have concerns about subsections (e), (f) and (k).
Subsections (e) and (f) exclude personal health information that is collected or created for the purpose of a proceeding relating to labour negotiations or for the purpose of negotiations relating to employment relations, until after the proceeding or negotiations are completed. The need for these subsections is not explained, nor is it readily apparent.
I have grave difficulty with subsection 7(1)(k), which permits the scope of activities to which the Act does not apply to be expanded through the use of regulations. This would deprive the Act of the certainty and specificity which is essential if it is to be substantially similar to the federal law.

Regulation-making Authority

The subsection just cited is an example of a significant weakness in the draft legislation: the broad power that is given to the Lieutenant Governor in Council to make regulations. This authority to issue regulations is so broad that it could dramatically reduce the scope of the proposed law and weaken the fair information practices, for example the consent provisions and the access and correction rights discussed below. In contrast, the regulation-making authority in the PIPED Act is more limited.
Under subsection 80(1), the Lieutenant Governor in Council may make regulations for several purposes, including:
- specifying that certain types of information shall or shall not be included in the definition of personal health information;
- exempting organizations or health information custodians from any provision of the Act or the regulations;
- specifying circumstances in which an organization is exempt from following its information practices;
- respecting any matter necessary or advisable to carry out effectively the purposes of the Act.
In addition, there are other sections of the draft legislation that refer to the use of regulations, for example subsection 35(d), as discussed below, that allows personal information to be used without consent "in the cases described in the regulations for the purpose of this clause."
This broad regulation-making authority makes it very difficult to assess the effective level of protection provided by the legislation. For example, the authority to issue regulations exempting organizations from following certain information practices could be used to allow a certain class of organizations to refuse access, or it could be used to allow additional uses or disclosures without consent.
The regulation-making authority is so broad that it effectively provides a back door way to amend the legislation. The authority to issue regulations should not be so broad that it could be used to weaken core principles.
Consent

I define privacy as the right to control access to one's person and to personal information about oneself. An individual cannot exercise this control without the ability to consent, or withhold consent, to the use of personal information. The requirement for consent must be at the heart of any good privacy law.
The overall approach to consent in the draft legislation is commendable. In particular, I welcome the emphasis on express consent. For example, under subsection 8(1) express consent is required for the collection of personal health information by an organization that is not a health information custodian.
However, the consent regime in the draft is weakened by the large number of situations where consent is not required for the collection, use or disclosure of personal information.
The collection, use and disclosure of personal information without the individual's consent should occur only in exceptional circumstances. The draft legislation allows collection, use or disclosure without consent in too many situations:
- subsection 33(1)(i) allows collection without consent when "authorized or required by law." This provision should be narrowed by removing the word "authorized." Because use and disclosure without consent is permitted when collection without consent is allowed, removing "authorized" would also prevent use or disclosure without consent when authorized by law;
- subsection 35(d) allows personal information to be used without consent "in the cases described in the regulations for the purpose of this clause." This is one of the many instances in legislation where the regulation-making authority has the potential to gut the intent of the legislation. This subsection should be removed;
- the necessity of subsection 37(1)(j), which allows disclosure without consent to another organization or its professional advisors, is not apparent, and the provision is written too broadly. Other provisions in the legislation allow disclosures without consent for the purpose of collecting a debt and to lawyers for the purpose of representing or advising the organization. As well, the legislation allows an organization to disclose information to an agent to perform duties on behalf of the organization.
The ability to withdraw consent is an important component of the individual's ability to exercise control over his or her personal information. Subsection 12(1) sets out circumstances where consent cannot be withdrawn. I strongly object to subsections 12(1)(f) and 80(1)(j) that permit the use of regulations to specify other circumstances where consent cannot be withdrawn.
Access and Correction Rights
Effective access and correction rights are an essential component of good privacy legislation. By exercising these rights, individuals can help police the practices of an organization by ensuring that the information being collected is not excessive and that inaccurate information is not being used to make decisions that might affect them.
The draft legislation has separate access rules for personal health information held by health information custodians and personal information held by other organizations. To respond to the consultation question following section 55, I think that these two sets of rules are both confusing and unnecessary. I recognize that there may be a need for specific provisions to deal with access to personal health information, but these should be incorporated into the general rules.
Subsection 56(1)(a) allows access to be refused if the information relates to the security or defence of Canada or the conduct of international affairs. Subsection 56(1)(b) allows access to be refused if the information relates to an investigative body enforcing or investigating the enforcement of a law or by-law. While I understand the intent of these two provisions, they raise certain concerns. First of all, I question how an organization will determine if information falls into these categories. A retailer, a charity or a health care practitioner is unlikely to have the expertise to determine if releasing certain information will threaten national security. If the information has been disclosed to a law enforcement agency or an investigative body, then subsections 56(1)(c) and 56(8) would allow access to be withheld and these provisions would not be needed. Second, there should be a process to allow the use of these provisions to be monitored. I would recommend that any organization withholding access on these grounds be required to notify the Commissioner. The PIPED Act requires that the Commissioner be notified, in writing, when access is withheld on grounds similar to those in subsections 56(1)(c) and 56(8).
Sections 57 and 59 allow an organization or a health information custodian to require an individual requesting access "to pay a reasonable cost recovery fee determined in accordance with regulations." An individual's right to access his or her personal information should not be constrained by cost. The provision allowing the waiving of fees if the cost will cause financial hardship for the applicant is not a sufficient solution. On the contrary, this provision could, in fact, require the individual to divulge additional information to demonstrate hardship.
The PIPED Act provides that access should be provided at "minimal or no cost." Based on our experience with the PIPED Act to date, this provision has not been an issue for the organizations subject to the legislation.
Section 32 also contains a reference to fees although it is unclear if these relate to access. The intent of this provision needs to be clarified.
The correction rights in the draft legislation are consistent with those in the PIPED Act.
Oversight

I am pleased that the Ontario Information and Privacy Commissioner has been designated as the oversight body for the legislation. The powers granted to the Commissioner to investigate complaints or conduct reviews are appropriate, with one exception: the Commissioner should be given the authority to compel testimony. Without this authority, the Commissioner cannot be certain of having all the information required to conduct an investigation or a review.
The Privacy Commissioner of Canada has the authority to compel testimony under both the PIPED Act and the Privacy Act. Although neither I nor any of my predecessors has been forced to use this power, the existence of this authority has been valuable in encouraging co-operation.
Redress

Redress provisions are necessary to ensure that organizations that contravene a provision of the legislation can be required to halt or alter the offending practice or to take corrective actions. The ability to prosecute or fine an offending organization is also essential. In addition, an individual who has been affected by these practices must be able to seek damages.
Although the redress provisions in the draft legislation differ from those in the PIPED Act, in part because of the Ontario Commissioner's order making powers, they are appropriate.
Personal Health Information
The protection of personal health information is a pressing and complex issue that raises difficult questions of ethics, policy and competing social needs. Patients have a right to expect that their personal health information will not be collected unless it is necessary for their care. They have a right to expect that it will not be used in any way that could do them harm. If individuals do not have confidence that their personal health information is being adequately protected they may be reluctant to seek medical care or to confide fully to their health care providers.
We all have a stake in the health care system and we all have a stake in protecting personal health information. This is why I felt that it was important to appear before the Standing Committee on General Government on February 8, 2001 to comment on the Government of Ontario's proposed personal health information legislation (Bill 159).
The provisions in this draft legislation dealing with personal health information are an improvement over those in Bill 159:
- the draft law (subsections 8(1)(2), 8(7) and 19(2)(b) and section 54) provides strong and specific protection for genetic information. Both organizations and health information custodians must obtain a separate and express consent for collecting, using or disclosing genetic information. Genetic information must also be stored separately from other personal health information;
- express consent is required for the collection of personal health information by an organization that is not a health information custodian; and
- overall, the draft legislation does a better job of protecting personal health information while allowing the reasonable use of this information for research and administrative purposes.
Although the draft legislation is a significant improvement over Bill 159, it shares some of the same weaknesses. As noted above, the broad regulation-making authority is a concern. Subsection 80(1) allows the Lieutenant Governor in Council to make regulations:
- specifying persons who shall not be included in the definition of health information custodian;
- specifying that certain types of information shall or shall not be included in the definition of personal health information;
- exempting health information custodians from any provision of the Act or the regulations.
The last provision could be used to weaken significantly the protection afforded personal health information and to alter the delicate balance that has been achieved elsewhere in the legislation.
As is the case with the general provisions dealing with collection, use and disclosure, the number of situations in which consent is not required for the collection, use or disclosure of personal health information raises concerns:
- the provisions that allow collection, use or disclosure of personal health information when "authorized by law" should be changed to "when required by law;"
- several of the uses set out in subsection 36(1)(c), such as resource allocation and program monitoring and evaluation, are not directly related to a patient's care and should be done using de-identified health information;
- under subsections 37(1)(e) and (f) and 44(i), an organization can disclose personal health information without consent for the purposes of administering, enforcing, or an investigation relating to enforcement of, a municipal by-law. The need to disclose personal health information for the purposes of enforcing a municipal by-law is not apparent;
- under subsection 39(1)(e) a custodian can disclose personal health information without consent to a prescribed registry or repository of personal health information held for research purposes or personal health information "that relates to the storage ... of bodily parts or substances." These registries and repositories would be created by regulation and the information they contain would be exempt from access under subsection 58(1)(d). The role of these registries and repositories needs to be made clearer; and
- subsections 39(3) and (4) allow the Minister, the operator of an ambulance service and others to disclose information among themselves for purposes related to the Ambulance Act. This is another case where it is not clear why de-identified health information cannot be used.
As a general rule, notice should be provided where exemptions exist for collection, use or disclosure of personal health information without consent.
Under section 46, a health information custodian is required to disclose without consent, to the Minister of Health, personal health information for the purpose of monitoring or verifying claims for payment for health care in any way funded by the Ministry. While I understand the need to monitor and verify claims for payment, I believe that the Commissioner should have oversight over these disclosures.
The rules for "quality of care information" that were in Bill 159 are now set out in a proposed Quality of Care Information Protection Act, 2002, that has been added as a schedule to the draft legislation. [Quality of care information is information collected or prepared by a quality of care committee as part of its role of improving the quality of care provided by a hospital or other institution.] Under subsections 58(1)(a) and 63(1) respectively, an individual is unable to request access to this information or complain about what constitutes quality of care information. The draft legislation justifies this by arguing that this is necessary "to encourage health professionals and institutions to hold frank discussions to improve patient care." Given the potential importance of this information to an individual who believes that he or she, or a relative, has received improper care, denying access rights and the ability to complain about the inclusion of information as quality of care information seems excessive. At a minimum, an individual should be able to complain to the Commissioner about what constitutes quality of care information.
Personal Health Information and Research
Any legislation that applies to personal health information must strike a balance between the individual's control over that information and society's interest in health research. I believe that the appropriate balance is one that safeguards the genuine interests of the individual while permitting the conduct of legitimate research that uses information in ways that can have no impact on the individuals to whom it pertains.
As I explained in my Annual Report, I intend to interpret broadly the intent of subsection 7(2)(c) of the PIPED Act that allows an organization to use personal information without the knowledge or consent of the individual if it is used for statistical, or scholarly study or research purposes. The Act specifies that, if this information is used without consent, four criteria must be met:
- the purpose, in this case research, cannot be achieved without using the information;
- the information is used in a manner that will ensure its confidentiality;
- it is impracticable to obtain consent; and
- the organization must inform the Commissioner before the information is used.
The requirement that the information be used in ways that will ensure its confidentiality is of paramount importance. Personal health information can be disclosed and used without consent for health research, as described above, provided that it remains strictly within the confines of the research project and that it can in no way harm the individual to whom it pertains. This means that under no circumstances whatsoever can the personal health information be disclosed to an individual's employers, insurers, relatives, marketers or other third parties. As well, it means that the individual cannot be contacted by anyone other than his or her own physician or other primary health care provider.
The provisions in the draft legislation relating to the use of personal health information for research purposes are an improvement over those in Bill 159. Section 45 allows health information custodians to disclose personal health information to a researcher without consent provided the project is reviewed and approved by a research ethics board. (Personal health information held by organizations other than health information custodians can be disclosed without consent for "statistical, scientific or scholarly study or research purposes" under rules set out in subsection 33(1)(e).) Section 45 lists a number of factors that research ethics boards should take into account in assessing projects, including "whether it is necessary to use personal health information without consent in order to accomplish the objectives of the research."
These rules would be further improved with certain changes:
- section 45 prevents a researcher from contacting an individual to whom the information relates unless the custodian authorizes the contact. This provision should be tightened to prohibit contact except by a physician or a primary health care provider; and
- the Commissioner should be informed of the research project, prior to the commencement of the research, to mirror a provision in the PIPED Act and subsection 33(1)(e) in this legislation.
I appreciate the opportunity to provide these comments. I look forward to reviewing the legislation that emerges as a result of this consultation process. Please do not hesitate to contact me if you have any questions concerning my comments.
Privacy Commissioner of Canada