If it is passed, the proposed Privacy of Personal Information Act would give sweeping powers to the province’s Information and Privacy Commissioner, Ann Cavoukian, to monitor and dictate how organizations handle data. It would also place greater restrictions on health care institutions and non-profit organizations — two sectors which are largely exempt from the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
The legislation is being drafted by the Ministry of Consumer and Business Affairs. Following a public consultation period, the ministry plans to table the legislation this spring and hopes to see it passed by next year.
Ministry sources said the provincial government does not feel the PIPEDA goes far enough to protect citizens in key areas like health care. They also feel it places an administrative burden on smaller organizations, which do not typically appoint a chief privacy officer to make sure they comply with it. In particular, the legislation says that inadequate privacy protection is holding back Internet use and e-commerce. Spokespeople for the federal Ministry of Industry could not be reached at press time.
The Act would “boost consumer confidence in using online services without imposing an undue burden on businesses,” the draft legislation states. “This, in turn, would build confidence in a healthy economy that includes a strong focus on online services and electronic commerce.”
Instead of appointing a chief privacy officer, for example, Ontario organizations would comply with a series of principle-based rules. Ministry officials said small businesses have raised concerns that the PIPEDA is more directed at large, sophisticated businesses like banks and communications companies. Possible rules would include the need for “express, informed consent” from an individual before data could be collected, along with an “implied consent” clause that would cover situations where the purpose for the collection, use or disclosure is reasonably obvious.
Hospitals and other health-care institutions raised many objections to the PIPEDA when it was being passed and gained several extensions and exemptions from portions of the final law. This has raised considerable questions about the projects underway at many hospitals to set up an electronic patient records system. The Privacy and Personal Information Act covers specific areas of health research such as predictive genetic information used in the Human Genome Project and would require researchers to obtain approval from an ethics board prior to the release of any data.
Kathleen Priestman, a spokeswoman for the Ottawa-based Public Interest Advocacy Centre, said the involvement of an ethics board was an encouraging sign, but there are still several holes in the legislation.
“Is there any transparency in this process? Can somebody object to the (ethics board) findings?” she said. “There’s no kind of discussion about what happens in terms of an appeal — what then does the Privacy Commissioner do with the report?”
Ontario’s proposed legislation would also regulate public sector institutions like the Ministry of Health and Long-Term Care to protect against privacy violations through data matching. “Except where the minister needs personal health information for fraud control and payment purposes, or where specifically provided by law, these additional safeguards would help ensure the ministry does not receive personal health information unless given permission to do so by the Ontario Information and Privacy Commissioner,” the draft states. “Even then, that information would contain only minimal identifiers.”
Priestman said Ontario could face a backlash from health sector officials similar to the furor over the PIPEDA.
“There is a distinct possibility that the more teeth they put in it, the more people are going to balk,” she said, although she noted that many of the institutions that collect the most data are national organizations that would fall under the PIPEDA. “They aren’t going to be too worried about this Act.”
If it is passed into law, the Privacy of Personal Information Act would allow individuals to sue for compensatory damages, while the government would issue fines.