Everyone has been in a situation when they needed something printed but did not have access to a printer. So what did you do? If you are like me, you probably sent the document to a friend or family member for them to print it. Alternatively, you sent it to yourself to download on your home computer to print. However, have you thought back to whether those documents contained personal information of someone else? Did you ask your friend/family member to delete that email? Did you delete the file from your personal computer?
Recently, the Ontario Information and Privacy Commissioner was confronted with this exact situation. An employee had sent personal health information to her husband to print. The employee had also used the home computer for work. Following their separation, the estranged spouse discovered this information and reported it to the employer, a rehabilitation clinic. In turn, the rehabilitation clinic contacted the Commissioner to report a breach.
Was Personal Health Information Breached?
Following the initial notification, the clinic hired IT professionals to conduct an assessment. It was determined that there were 164 unique files containing personal health information of 46 clinic clients. The files contained information such as applications for benefits, test results, treatment plans, and letters from hospitals. The emails were initially sent to the spouse for the purpose of printing the documents. While the employee thought that she had removed personal information from the documents, it was ultimately determined that they contained personal health information even though they did not contain the names of clients. Notably, the Commission explicitly observed that even though the emails did not include the names of the clients, the records included information that could be used to identify an individual. The Commission confirmed the test for such an assessment: is it reasonably foreseeable that, without special knowledge, someone can identify the client by combining the information provided by the custodian with other available information? If so, the document contains personal health information.
Based on the evidence, the Investigator determined that the employee did not intend for the spouse to have access to personal health information. However, the employee made the personal health information of the clinic’s clients available, even if this was done inadvertently and in error. The Investigator noted that the legislation does not require that the disclosure be deliberate.
Clinic’s Response to the Breach
The Investigator noted that section 12(1) of the Personal Health Information Protection Act (PHIPA) requires that health information custodians take reasonable steps to ensure that the records are protected. At the time of the breaches, the clinic had a secure server in place for remote access. Safeguards included in the Clinician Agreement prohibited staff from printing, copying or downloading electronic records except as necessary for the provision of care and where remote access to the clinic server was not available. The Agreement also required employees to maintain the confidentiality and security of records that were located offsite. After the incident, the Clinic revised its Clinician Agreement and Privacy Policy, making explicit the steps to be taken should a similar situation arise. The latter Policy provided that personal information could be sent, downloaded or stored only in very limited circumstances (i.e. where remote access is not available and the records could not be viewed from an encrypted device). The Agreement provided that in these rare circumstances, the information shall be encrypted and permanently deleted once no longer required.
The clinic also amended its Confidentiality Agreements to prohibit the sharing of any confidential information through personal email accounts. Additionally, confidential information was not to be left exposed for others to view. Finally, the clinic arranged privacy training and education for all staff.
With respect to containment and notification, the employee met with all active clients to advise them of the breach. The clinic subsequently sent follow-up notification letters. Although the clinic had not notified the employee’s regulatory College, the spouse reported it to the College.
The Investigator determined, based on the above steps, that no review under section 58 of PHIPA was required.
Takeaways
As an employer, it is important to implement and enforce policies and procedures related to the use of electronic devices. Specifically, medical clinics ought to limit employees' ability to use personal emails for work-related tasks and provide employees with the necessary technology to fulfil employment-related tasks.
As an employee, it is important to remember that not all vectors of connection to a work network are secure. For instance, make sure to avoid connecting to a remote desktop using an insecure connection (e.g. the local Starbucks Wi-Fi – it's free for a reason). More importantly, note that downloading a document from your remote desktop onto your personal laptop exposes that document to your network and all of its security flaws. Be sure to use employer-approved technology to perform work-related tasks – your personal email is not for work. Finally, if a situation calls for you to use your personal computer for work-related tasks, be sure to delete the files you download onto your computer after you complete your task.
Following basic cybersecurity principles is a good way to avoid the Privacy Commissioner getting involved in your personal life.
See A Rehabilitation Clinic (Re), 2020 CanLII 45770 (CanLII)