How government’s response to COVID-19 ushered in new privacy protections

Mar 31 2020

As I write this, people are trying to come to terms with a ‘new normal’ and adapting to the restrictions and fears that this health crisis has brought to our everyday lives. I think about our friends in the health and child protection sectors who continue to provide essential and often life-saving services to families across Ontario. My focus is also on keeping our staff, our families, and the public safe as we shut our physical doors and strive to provide some of the tribunal services that Ontarians depend on. However, despite closing our office to the public, the IPC is working. We continue to provide advice and consultation to the public and our public sector partners on all matters relating to access and privacy.

I’ve also been giving a lot of thought to how and when we will return to full service once the crisis is over. So I was surprised to see that in its passing of omnibus legislation designed to address the economic effects of COVID-19, the government set a path toward some significant changes to our access and privacy laws that, for the most part, strengthen data protection in our province.

While several amendments are primarily technical in nature, some will have a tangible impact on privacy rights in Ontario, so for brevity, I’ll provide an overview of just a few of those.

A significant change to Ontario’s health privacy law gives individuals more control over their personal health information and acknowledges the realities of our growing use of web-based solutions. This amendment sets in law the right of individuals to manage their own health records using various digital tools, or “consumer electronic service providers.” For example, with this amendment, individuals could use apps to access copies of physician reports and prescriptions, which could then be stored on a smartphone. By the same measure, the amendment may give my office oversight of apps that collect personal health information directly from the individual (for example, blood sugar readings), providing increased privacy protection for consumers. I’ll also have the power to forbid a health custodian from sharing information with apps, for example, in situations where my office has concerns about the service provider’s privacy policies or practices.

The amendments also set in legislation mechanisms to prevent and detect unauthorized ‘snooping’ into patient records. Ontarians deserve to have the protection of legislation from those that would pry into their personal health information out of curiosity, concern, or even malice. The changes require health information custodians to monitor access and use of personal health information records using an electronic audit tool — this is a significant step toward strengthened patient privacy. Under the amendments, I will also have the power to demand the production of these logs for my review.

Perhaps most significantly, once regulations are in place, my office will be given the power to levy monetary penalties against those who contravene our health privacy law, including for breaches, such as those resulting from abandoned records. Privacy commissioners across the country have been calling for the power to impose administrative penalties, and Ontario will be the first to enshrine it into legislation.  In addition to this, the amended law doubles the maximum fines for an offence under PHIPA to $200,000 for individuals and $1,000,000 for corporations. It also allows an individual to be imprisoned up to a year for an offence.

As the regulations are developed, I expect the IPC will continue to be heavily engaged in consultation with the government. I encourage you to read Bill 188, the Economic and Fiscal Update Act, 2020, for more details on the amendments. Meanwhile, we continue to hope for an end to this devastating pandemic and a return to healthy life.

Brian