
Review of clinics writes prescription for protection of privacy

The Office of the Information and Privacy Commissioner for B.C. (OIPC) recently conducted a review of medical clinics in the province to assess how they are handling personal patient information.

Medical clinics were selected because of the particularly sensitive nature of the personal information involved. The review identified some common gaps. In particular, the OIPC noted in its report that:

• employees of medical clinics often did not know what policies were in place;

• if policies were in place, they often were incomplete;

• risk assessments often were not conducted when new technologies were put in place;

• sensitive personal medical information was collected online without appropriate technical safeguards in some cases; and

• employees often did not know how to protect personal information and also did not know what processes to follow in the event of a privacy breach.

In this report, the OIPC set out 16 recommendations for medical clinics to follow with respect to personal information.

The OIPC also referred to and relied on its PrivacyRight initiative, launched earlier this year. PrivacyRight is a free online program on the OIPC website that includes webinars, podcasts and other resources to help private organizations meet their obligations under the Personal Information Protection Act (PIPA).

How does this apply to your organization?

In B.C., medical clinics are governed by PIPA, the same legislation that applies to all private-sector organizations that handle the personal information of British Columbians.

The recommendations set out by the OIPC in the report on medical clinics also apply to how B.C.-based employers handle the personal information of employees and customers. Employers are generally responsible for the actions of their employees. Your employees are your front-line defence for ensuring that your organization is compliant with PIPA.

Helpful reminders

Employers should consider implementing the following:

• If you have not already, develop a robust privacy policy and employee privacy policy. The policies should include an inventory of what type of information your organization collects, why the information is collected and where it is stored. It should also articulate a process for responding to privacy complaints.

• Every organization should designate a minimum of one privacy officer. The privacy officer is the organizational go-to for privacy-related questions and concerns. They are also responsible for ensuring organizational compliance with PIPA.

• If you have employees who handle personal information, offer them training and education about best practices for collecting and storing that information. Make sure your employees understand the process for handling complaints and also for responding to privacy breach incidents.

• Anyone who has access to personal information in your organization, including outside contractors, should review your privacy policy and employee privacy policy. Consider implementing and requiring sign-off of a confidentiality agreement as appropriate.

• If you collect personal information online, be sure to post applicable privacy policies online. Consider appropriate technical safeguards for the personal information or employee personal information that you collect online.

• If personal information is disclosed to, or is accessed by, service providers, make sure you have contracts or agreements in place that detail the expectations of how your service providers will handle the personal information.

• Conduct a regular risk assessment and audit compliance of employees and service providers, and update your privacy program as necessary.

When implementing privacy management initiatives, it is important to ensure that adequate resources are in place to fund these initiatives. Employees need adequate training and support to carry out and enforce privacy management.

Whether you collect a lot or only a small amount of personal information about employees or customers, it is your legal obligation to ensure that your organization is compliant with PIPA. The reminders listed above are a good start to ensure that your organization is implementing best practices in terms of management of personal information of your employees, as well as ensuring your employees act in compliance with PIPA.

While every effort has been made to ensure accuracy in this article, you are urged to seek specific advice on matters of concern. The article is for general information purposes only and does not constitute legal advice.

Keri Bennett is a partner at Roper Greyell LLP; Janna Crown is an articled student at the law firm.