The Office of the Information and Privacy Commissioner (OIPC) is currently reviewing Bill 12, the Statutes Amendment Act, 2014, which includes amendments to the Health Information Act (HIA).
“We are pleased that the Bill includes a requirement for custodians of health information to notify affected individuals about privacy breaches when they occur,” commented OIPC Director of Compliance and Special Investigations Brian Hamilton. “This is consistent with the letter Commissioner Clayton wrote to Minister Horne on the subject and it puts the onus on custodians to notify individuals about privacy breaches, where it belongs. The amendment will also ensure that employees and contractors inform custodians about privacy breaches, allowing custodians to respond in a timely manner, which we see as a very positive addition to the law.”
“We are also happy to see Bill 12 adds new offence provisions for failing to report a breach to affected individuals or the Commissioner and for failing to take reasonable steps to protect the security of health information. Custodians must understand there are consequences for not complying with the legislation.”
The OIPC first saw the Bill when it was tabled in the Legislature on May 5. The Office is continuing its assessment of the proposed amendments; however, our preliminary review of the Bill has raised some questions about the following:
- Under this Bill, custodians must notify the Minister of Health, the Information and Privacy Commissioner, and affected individuals of a privacy breach if there is a “risk of harm” to an individual. This threshold for notification differs from that which is set out in Alberta’s Personal Information Protection Act (PIPA) and may cause confusion among those who are regulated by both Acts. We recommend using the wording “real risk of significant harm” from PIPA, rather than “risk of harm.” The PIPA threshold has also been proposed by the federal government in Bill S-4, the Digital Privacy Act.
- Until the regulations are introduced, it is difficult to understand what constitutes “a risk of harm”. If the bar is set too low, this could lead to notification fatigue among the public. If the bar is set too high, serious breaches may not be reported. We would welcome the opportunity to share our experience with the government to help set an appropriate threshold.
- The Bill includes authority for the Commissioner to disclose information to the Minister; however, it is important to note that the Commissioner is an independent Officer of the Legislature and does not report to the Minister. Further, the Bill already includes a requirement that custodians notify the Minister of a privacy breach, making the proposed disclosure authority for the Commissioner redundant.
- This disclosure provision could also have a chilling effect on custodians’ confidential consultations with the Commissioner and may impact individuals’ willingness to request reviews, make complaints or report privacy concerns if they perceive that “any information” they share with the Commissioner may be disclosed to the Minister.
“We are encouraged by the steps taken by the government to introduce mandatory breach notification in the health sector and we hope to be given an opportunity for meaningful consultation on the regulations,” said Hamilton.