Organizations subject to PIPEDA are required to report to the OPC any breaches of security safeguards involving personal information that pose a risk of significant harm to the individuals.
PIPEDA is a Canadian federal law that sets out the rules for the collection, use and disclosure of personal information in the course of commercial activities. PIPEDA outlines the 10 Fair Information Privacy Principles that businesses must follow regardless of their size. Organizations need to know the privacy rules and make sure that they have the appropriate safeguards implemented in their business.
PIPEDA applies to most businesses across Canada, except in Quebec, British Columbia, and Alberta. These provinces have their own private sector laws that are substantially similar to PIPEDA.
But even in those provinces, PIPEDA covers federally regulated industries like transportation, telecommunications and banking. In addition, all businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA, regardless of the province or territory they're based in. All businesses in the three territories also fall under PIPEDA.
In Alberta, we have privacy legislation called the Health Information Act (HIA) that takes precedence over PIPEDA and Alberta's Personal Information Protection Act (PIPA). If a business, like a physician's office, has a privacy breach which includes health information, then the custodian of the physician's office must report the privacy breach following the HIA regulations. If employee information or other non-health information is included in the breach, then that triggers privacy breach notification under PIPA. Sometimes a breach can include both types of information, and the physician's office must then notify under each piece of legislation.
In BC, the Personal Information Protection Act (PIPA) is BC's private sector privacy law that has also been deemed substantially similar to the federal private sector privacy law. BC does not have health information specific privacy legislation, so PIPA applies to private organizations in BC, including physician practices, and governs how the personal information about patients, employees and volunteers may be collected, used and disclosed.
Consider, for example, a business in Canada such as an electronic medical records (EMR) vendor with a data centre in Canada, where clients from across Canada provide their information and store it. That EMR vendor likely falls under the PIPEDA regulations.
The vendor may be subject to other legislation as well. If you are an EMR vendor, you do not directly comply with the HIA in Alberta because that applies only to custodians. However, as an information manager of a custodian under the HIA, you have some obligations under the HIA in the event of a privacy breach. That does not mean that you don't also have obligations under PIPEDA.
Personal information is more than just a name or an address. It's data about an identifiable individual that can, by itself or combined with other information, identify a person. It could be a person's age, ethnicity, medical information, credit card number or even an income level. It might also include their Internet Protocol (IP) address or their website or email information.
Regular surveys done by the Office of the Privacy Commissioner of Canada show that small businesses tend to be less aware of their privacy responsibilities than larger organizations. In 2017, 65% of large organizations with more than 100 employees indicated that they were privacy aware. But only 43% of small businesses indicated that they were privacy aware. Smaller companies may not have dedicated compliance officers or privacy officers, and they may lack privacy knowledge.
The compliance challenge for smaller organizations is made more difficult by the limited human and sometimes financial resources available to them, and by the gap in their knowledge of their privacy obligations.
Lack of awareness can potentially lead to complaints about your business, which has an impact on your business's reputation.
A privacy breach occurs when there is unauthorized access to, or collection, use, disclosure, or disposal of, personal information. There are many things that could qualify as a privacy breach. If a financial transaction that includes clients' information is now publicly available on your website, that's a privacy breach. If somebody in your organization has access to personally identifying information as part of their job, but they use it for some purpose other than their job, that's snooping, and that is a privacy breach.
There are many examples of what a privacy breach is, but any time that you view, use, or disclose personal information without authorization, it is considered a privacy breach.
Privacy breaches also have a negative impact on your business because it takes time and resources to manage a privacy breach, and it has a huge impact on the reputation of an organization.
The November 2018 PIPEDA mandatory privacy breach notification regulations require you to know where all of your personally identifiable information sources are and to know the safeguards implemented to protect the data.
Then, you need to monitor the data to identify any breaches. If there is a breach of those security safeguards, you need to record all breaches. So even if there is a breach of a safeguard that nobody has exploited, you still need to record that you have identified that there is a potential risk and what you've done to be able to manage that risk and prevent that from happening again.
Next, you need to determine the risk of significant harm, or ROSH (more about this later).
The risk of harm test identifies what information was included in the breach and the type of harm that could happen to the individual as a result of the breach. When it reaches the ROSH threshold, you need to notify the Office of the Privacy Commissioner of Canada. Or, if you are in BC, Alberta or Quebec, you need to report it to the provincial privacy commissioner.
You also need to notify other people about that privacy breach.
You probably need to notify your clients. If you are an EMR vendor or another vendor that's providing a service to healthcare providers, you need to notify them about the breach.
As an example, if you are an EMR vendor that has been breached–perhaps a security compromise or hack into your data centre–you have a responsibility to notify the healthcare providers who collected the personal information. The EMR vendor must also report the privacy breach to the Office of the Privacy Commissioner.
You might also have an obligation to notify the individuals that have been affected by that breach. In your information manager agreement in Alberta, you should have clear written expectations about whether or not a vendor should notify the patients directly about a privacy breach or if the custodian or the health care provider is going to assume that responsibility. This is an important detail that you need to identify in your information manager agreement.
Also see the Practice Management Success Tip "Top 3 Agreements Your Healthcare Practice Must Have (And Why)" from Information Managers at https://InformationManagers.ca/top-3 for more on information manager agreements (IMAs).
The risk of significant harm (ROSH) is a framework for assessing the risk to the individual as a result of the breach of individually identifying information. Adopt and use a framework for your organization to assist you to quickly and consistently assess a breach for ROSH.
If there is personally identifying information included in the breach, we can assume that the information is sensitive information to the individual. Generally, I recommend a default that if individually identifiable information is included in the breach, then assess that there is a significant risk of harm to the individual.
The circumstances of a breach may make the information more or less likely to be used maliciously. Additional questions that you may want to consider include: How did the breach occur? How likely is it that someone would be harmed by the breach? Who actually accessed, or could have accessed, that personal information? How long has that personal information been exposed? Is there evidence of malicious intent, like hacking? Or was it a theft? Or did somebody intentionally try to obtain that information and use it in a covert way? Were multiple pieces of personal information breached, thereby increasing the risk of misuse? Is the breached information in the hands of an individual who, in and of themselves, represents a reputational risk to the affected person? Or was the information exposed to a limited, known number of entities who have committed to destroy and not disclose the data?
As always, good privacy is good for business. Poor privacy protection can damage your company's reputation and cut into your profit margin. When you practice proactive privacy, you enjoy the confidence and trust of your customers. Canadians tell us that the more they trust a company, the more likely they are to do business with it. Getting privacy right is your opportunity to demonstrate that you deserve their trust and their business.
Remember that one of the fair information principles is accountability. At the end of the day, you are responsible for protecting the personal information that you have collected.
Reference: Privacy and your business: An introduction to the Personal Information Protection and Electronic Documents Act. Office of the Privacy Commissioner of Canada. https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-compliance-and-training-tools/pp_bus/
Privacy Management Program
Build privacy protections into everything you do as a business. Having clear policies and procedures for the collection, use and disclosure of personal information is of vital importance for your business.
When we know better, we can do better…
I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.
How to Manage a Privacy Breach with Confidence
The 4 Step Response Plan will help you prevent privacy breach pain and give you the tips, templates, training, and tools that you can use right away to prepare your privacy breach response plan:
In the world of privacy breaches ‘If’ has become ‘When’. Will you be ready?
The best way to do this is by developing a privacy management program that covers all aspects of how you handle personal information. The 4 Step Response Plan will help your organization be prepared to prevent privacy breach pain.