Law Times

January 20, 2014

The premier weekly newspaper for the legal profession in Ontario

Issue link: https://digital.lawtimesnews.com/i/244075


Focus On Privacy Law

Health sector warned about privacy class actions

Custodians need 'zero-tolerance policy' on snooping by employees

BY MICHAEL McKIERNAN
For Law Times

The health-care sector needs to change its attitude to patient data if providers want to avoid becoming embroiled in the developing health privacy class action field, according to the general counsel to Ontario's privacy commissioner.

Speaking at a joint session put on by the Ontario Bar Association's privacy and health law sections on Nov. 27, David Goodis, director of legal services and general counsel at the Office of the Information and Privacy Commissioner of Ontario, said custodians of patients' personal information need a "zero-tolerance policy" when it comes to record snooping by employees.

"This is important for both custodians as employers and for employees to understand that this is not something where you say, 'Oh well, it's no big deal. You just had a look and didn't disclose anything to anybody.' It is a big deal and there needs to be, in my opinion, a culture change in that regard," said Goodis at the event on hot topics related to privacy in health law.

"There has to be more of a sense of [saying]: 'Look, this is not going to be tolerated. If you take these kinds of actions, you do this kind of snooping, there's going to be serious consequences.'"

Timothy Banks, head of the privacy and security practice group at Dentons Canada LLP, says a cultural change in relation to patient privacy would also help combat unintentional data breaches by health authorities since a lax attitude to security often contributes to many exposures of personal information.

"These are not high-tech breaches. We're seeing garden-variety cases of unencrypted hard drives on stolen laptops and USB keys dropped in the playground. There's a culture in which employees are permitted to remove files containing very sensitive information from the premises. I think there's much that can be done in increasing the level of accountability among employees."

A lax attitude to security often contributes to many exposures of personal information, says Timothy Banks.

Newfoundland and Labrador has emerged as a hotbed for class actions related to alleged snooping by employees with three of the province's health authorities facing claims from disgruntled patients. Western Health is facing a lawsuit by a representative plaintiff on behalf of more than 1,000 class members who allege a clerk improperly accessed their records. The class action against Eastern Health involves 122 patients and alleged misconduct by 11 employees while a similar action is targeting Central Health. None of the allegations have been proven in court.

Goodis' office offers online training for employees and managers aimed at reducing instances of unauthorized access to patient health information. He says employers can limit the chances of a deliberate breach by implementing access controls for employees depending on their need and logging and auditing access to make sure workers don't get casual about viewing records unrelated to their work. Appropriate discipline, depending on the circumstances of a breach, can also play a part in driving the message home, he says.

Flags to denote employees and family members who are also patients of the custodian can be a useful extra layer of security, according to Goodis, since interpersonal conflict "seems to be a common theme" in incidents involving wrongful access of patient data.

That was the case in the landmark privacy case of Jones v. Tsige in which the Court of Appeal for Ontario created the new privacy tort of intrusion upon seclusion. In that case, the plaintiff successfully sued the common-law partner of her former husband for inappropriately accessing her banking information 174 times over four years.
At the OBA event, Alex Cameron, the partner at Fasken Martineau DuMoulin LLP who represented the defendant, told the audience a "target was painted" on the health-care sector by the court's decision when it specifically mentioned intrusions into health records as an example of when a claim may arise.

Although the intrusion must be intentional for a claim to succeed, the court made clear that this includes recklessness, a threshold Cameron says could potentially be a factor in cases involving a failure to keep up with best practices in privacy protection.

"Think about that and your encryption of mobile devices and whatnot," said Cameron. "There are a lot of things that are just standard practice and if you're not up to that level at this point, then you're going to potentially get a finding of recklessness, I think."

However, Borden Ladner Gervais LLP class actions partner Barry Glaspell told the gathering that the transience of the law in the area is just one of the barriers to nascent health privacy class actions.

"Eventually, these issues are going to get to the Supreme Court of Canada and we may not have a tort of seclusion or whatever by the time we get to the Supreme Court," said Glaspell.

Glaspell said the number of class members and the value of each claim rarely reach the scale necessary to get plaintiffs' counsel interested and noted that in cases with settlements, the terms have generally favoured defendants. For example, in Rowlands v. Durham Region Health, a case involving a lost memory device containing the health records of 85,000 individuals immunized during 2009's H1N1 flu scare, the settlement required affected patients to show they had suffered a loss as a result of the data breach with the only compensation paid out so far being the $500,000 in counsel fees.

And since any class action settlement will likely come from taxpayer money, Glaspell said health-care defendants will likely get "quite a bit of sympathy" when they get to court.
With that advantage in cases lacking egregious circumstances, he said it's particularly important for custodians to act properly once they discover a breach.

"Good or bad behaviour after the problem arises is crucial from a class action perspective because bad behaviour is what class actions are supposed to work on and post-incident bad behaviour can become the cause of action, not that actual action at the beginning."

Reports of data breaches soaring

BY MICHAEL McKIERNAN
For Law Times

Jennifer Stoddart used her final annual report as privacy commissioner of Canada to demand a modernized Privacy Act as complaints about the federal public sector and reported data breaches hit record highs for the 2012-13 fiscal year.

Stoddart retired from the post in December after a decade but lamented in her October annual report that her term would end without witnessing substantive changes to the Privacy Act, legislation that has gone virtually unchanged since its passage in 1983.

"The government's continued lack of action on introducing amendments to modernize the Privacy Act is . . . troubling. While the act has been, and continues to be, effective at setting the ground rules for how federal government departments and agencies handle personal information, the world has changed dramatically since it was introduced over 30 years ago," Stoddart wrote in the annual report.

"Along with advances in technology, Canadians' concerns and expectations have moved forward, bringing healthy pressure to bear upon government and citizens. In order to maintain legitimacy, credibility, and trust, the government's stewardship of personal information needs to respond in kind, and I firmly believe that updating the Privacy Act would not only modernize the law but also send a strong signal to public servants and citizens that the federal government takes its responsibility to protect personal information seriously."
Data breaches by public sector organizations have hit public confidence in the government's ability to handle its personal information, according to Stoddart. The office received a record 109 breach reports in the last year, according to her annual report. That was up 36 per cent from the 80 breaches reported the previous year. It was also the fourth consecutive year in which the number of reported breaches increased.

Four institutions accounted for more than half of the reports in the last year: the Canada Revenue Agency topped the charts with 22, followed by the Correctional Service of Canada with 17, and Human Resources and Skills Development Canada with 11. The Department of Foreign Affairs and International Trade came next with 10 data breaches reported. HRSDC's total included the high-profile loss of a USB key containing the personal information of more than 500,000 student loan recipients.

Stoddart noted there was a silver lining in the statistics since breach reporting to the privacy commissioner is still voluntary within the federal government despite her desire to make it mandatory. That means the overall number of reported and unreported breaches may not

See Big, page 10
