Breaching Privacy Breaches
“But that is not a privacy breach.” Occasionally as an Early Resolution Officer I am met with this response when delivering the news that our office will be opening a privacy breach investigation file. This got me to thinking about the perception of privacy breaches. When we hear “privacy breach” we often associate it with the employee who looked up customer information without a need to know, or the medical office that threw their old patient files in a dumpster behind a building. A privacy breach generally stems from one of six categories: over collection, indirect collection, unauthorized use, unauthorized disclosure, inadequate safeguards, or inaccurate information.
The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), and The Health Information Protection Act (HIPA) and their regulations speak to the obligations around protecting the privacy of the personal information (PI) and personal health information (PHI) collected by a public body or health trustee. Failure to meet these obligations constitutes a breach. Inappropriate access or snooping, which in privacy terms can be unauthorized use or disclosure, is the most common type of privacy breach, but let’s take a look at some of the other types of privacy breaches that people don’t always recognize.
Through the administration of various programs and services across all levels of government and the healthcare system, an urge exists to collect as much information as possible about an individual so that the information is available should it ever be needed. This is referred to as over-collection, and it is a type of privacy breach. Whether dealing with FOIP, LA FOIP or HIPA, our office is a proponent of the “data minimization principle.” The “data minimization principle” means that collection, use and/or disclosure of information should be limited to the least amount of identifying information necessary for the purpose. The unfortunate nature of over-collection is that individuals often have no choice but to consent to it, as it is common for the applications and agreements for various services and programs to contain vague, all-encompassing language.
Public bodies and health trustees have a duty to protect the PI and PHI in their custody and control. This duty to protect includes maintaining administrative, technical and physical safeguards that not only protect the confidentiality and integrity of the information but also protect against loss of information. Failure to protect PI and PHI constitutes a breach, even if the information was not inappropriately accessed, used or disclosed. Inadequate safeguards can be frustrating to an affected individual, as oftentimes their existence is only discovered after the information is compromised.
Collection and use of inaccurate information by a public body or health trustee can not only lead to difficulties in the administration of programs but also lead to a breach of privacy. If out-of-date or inaccurate information is relied upon, PI/PHI can be mailed to the wrong address or disclosed to someone who does not have consent or a need to know. Inaccurate information is unique in that it can constitute a privacy breach on its own but can also result in additional privacy breaches, such as improper disclosure. Under FOIP, LA FOIP and HIPA, the individual has the ability to request access to their own personal information to ensure that it is accurate, and to request that amendments be made or notations be added for information that they do not agree with.
Privacy breaches can occur in many forms, and this blog is not meant to be an exhaustive list of all the types of privacy breaches that can occur, but rather to shift the focus from the highly publicized snooping/inappropriate access cases to some of the lesser-known breaches.