PHIPA DECISION 175

Collection: Health Information and Privacy
Date:
File Numbers: HI19-00007
Adjudicators: Lucy Costa
Decision Type: Decision
Applicable Legislation: PHIPA - 1(a), PHIPA - 1(e), PHIPA - 2, PHIPA - 3(1), PHIPA - 4(1), PHIPA - 10(1), PHIPA - 12(1), PHIPA - 16(1)(a), PHIPA - 18, PHIPA - 29, PHIPA - 37(1)(f), PHIPA - 37(2)

This investigation file was opened following the publication of a Toronto Star article in 2019 (the Article). The Article reported that a company that sells and supports electronic medical record software in primary care practices in Ontario was anonymizing health data and selling the data to a third-party corporation. In response to the Article, the Office of the Information and Privacy Commissioner of Ontario (the IPC) commenced a review under the Personal Health Information Protection Act (the Act) and sought to identify the individual or entity who allegedly de-identified and sold the data.

The corporation that was identified as having sold the information was named as a respondent in this investigation and a number of other respondents were also added, one of which was identified as the health information custodian.

This Decision concludes that the act or process of de-identifying personal health information is a “use” within the meaning of section 2 of the Act, and that the use of personal health information for the purpose of de-identification is permitted without the consent of the individual, where the conditions set out under subsection 37(1)(f) of the Act are met. At the time of this investigation, the health information custodian’s written public statement about its information practices did not comply with section 16(1)(a) of the Act. However, this issue has since been remedied and the custodian’s updated privacy policy now meets the requirements of the Act by explicitly describing its practice of de-identifying personal health information and selling the information to a third party for a number of purposes, including for health-related research. With regard to the de-identified personal health information, the custodian has complied with subsection 12(1) of the Act, in that reasonable steps have now been taken to ensure the protection of personal health information by amending the sale agreement to include additional privacy and security controls. Further, the IPC has no information to suggest that the personal health information was not properly de-identified within the meaning of the Act.

Accordingly, this review will be concluded without proceeding to the adjudication stage and without an order being issued by this office.