Section 60 of the Health Information Act (HIA) requires that a health custodian take reasonable steps to maintain administrative, technical and physical safeguards to protect individuals’ health information.
In addition, section 64 of HIA places a duty on health custodians to prepare a privacy impact assessment (PIA) that describes how proposed administrative practices and information systems relating to the collection, use and disclosure of individually identifying health information may affect an individual’s privacy. A PIA completed by a health custodian must also be submitted to the Office of the Information and Privacy Commissioner (OIPC) for review before implementation.
The OIPC understands that there is some confusion about whether the Commissioner can relax the requirements for submitting a PIA during a public health emergency. To be clear, the Commissioner has no authority under HIA to disregard a health custodian’s section 64 obligations during a public health emergency, even if the new administrative practice or information system is a measure to combat the pandemic.
The OIPC has noted that privacy laws do not impede the work of public health officials during a public health emergency. What constitutes “reasonable safeguards” during a public health emergency may be different from normal circumstances.
During these unprecedented times, if a health custodian is considering new administrative practices or information systems with implications for individuals’ privacy to combat the pandemic, the OIPC is asking that health custodians, at the very least, notify the Commissioner about the new administrative practice or information system. Notification of a new administrative practice or information system can be submitted to the OIPC via email.
When notifying the Commissioner, please describe what the new program is meant to achieve and any safeguards for health information.
Health custodians need to determine what are reasonable safeguards in the circumstances and be prepared to justify their decision. Health custodians should also ensure individuals are aware of any heightened risks to privacy as a result of a new administrative practice or information system being implemented.
The OIPC recognizes the pressures all organizations, especially health custodians, are facing. The OIPC also knows first-hand through breaches reported to the Commissioner that security and privacy risks significantly increase when processes are interrupted, new processes are established or new tools are implemented during an emergency without proper planning or security and privacy controls.
Public health is the number one priority, but ensuring security and privacy risks are considered and mitigated to the greatest extent possible will help reduce other incidents from emerging during these challenging months ahead.