Submission Regarding Organ and Tissue Donation in Saskatchewan
Thank you for the invitation to participate in the public hearings on organ and tissue donation in Saskatchewan held by the Legislative Assembly’s Standing Committee on Human Services on September 6, 2016.
We understand that the reason for the hearings is a shortage of organ and tissue donation in the province. We do not have a solution for that as it is not our area of expertise. However, we note that whatever strategy is pursued going forward, it would involve the collection, use and disclosure of personal health information that will most likely involve a computer or information system. To help ensure that the integrity, security and confidentiality of the personal health information involved is sufficiently protected, including from employee snooping, this office would suggest your recommendations stipulate that any such system must create and maintain a record of user activity/audit logs, including viewing, a report of which could be produced at the request of the subject individual or used for internal monitoring and auditing purposes. The system should also rely on role-based access and permissions and require strong access controls and authentication (i.e. strong passwords, timeout features). It should also be required that users of the system sign a confidentiality agreement and take mandatory privacy training.
Further, it is our preference that any sharing of personal health information with third parties or information management service providers should not occur unless a written agreement is entered into in advance by the parties. All parties involved need to think about or negotiate the following in any written agreement entered into:
1. Define what personal health information means.
2. Describe the purpose for data sharing.
3. Reference all applicable legislation that provides the legal authority for collection, use, and disclosure of personal health information.
4. Establish an understanding of who has custody and control.
5. Identify the type of information that each party will share with each other.
6. Identify the uses for the information and limitations on the uses to the specified purpose.
7. Describe who will have access and under what conditions.
8. Describe how the information will be exchanged.
9. Describe the process for ensuring accuracy.
10. Describe the process for managing privacy breaches, complaints, and incidents.
11. Identify retention periods.
12. Identify secure destruction methods when retention expires.
13. Describe the security safeguards in place to protect information.
14. Describe termination of the agreement procedures (see Best Practices for Information Sharing Agreements, IPC, September 2014, www.oipc.sk.ca)
We note that The Human Tissues Gift Act, 2015 (not yet proclaimed) includes new rules respecting the sharing of information by organ procurement organizations in section 16. In order to ensure that appropriate written agreements are entered into by the parties, I propose that section 16 of this Act be amended as follows:
16 An organ procurement organization may share any information that it has obtained pursuant to this Act, including personal information and personal health information, with a person or another organ procurement organization if the sharing of that information is reasonably necessary to facilitate the process of transplantation, or for the purposes of transplant, medical education or scientific research provided the parties enter into a written agreement containing the following elements:
(a) a description of the purposes or expected outcomes of the sharing of personal information or personal health information;
(b) provisions setting out the obligations of a party respecting the security and safeguarding of personal information or personal health information received by that party;
(c) provisions that prohibit the subsequent collection, use and disclosure of the personal information or personal health information for purposes not related to the purpose set out in the agreement, except:
(i) with the consent of the individual to whom the information relates; or
(ii) if required or authorized by law;
(d) provisions requiring the party to comply with The Local Authority Freedom of Information and Protection of Privacy Act, The Health Information Protection Act and any other applicable Act in relation to the personal information or personal health information;
(e) provisions for the termination of the information sharing agreement and, in the case of a termination, provisions that:
(i) prohibit any further collection, use or disclosure of the personal information or personal health information received by the parties, except:
(A) with the consent of the individual to whom the information relates; or
(B) if required or authorized by law; and
(ii) specify the ongoing obligations of the parties to secure and safeguard the personal information or personal health information;
(f) a requirement to notify the minister or public body in writing immediately if the organization becomes aware that any conditions set out in this agreement have been breached;
(g) a provision allowing the minister’s or public body’s delegate to access, inspect or audit the organization’s premises to confirm that the organization is complying with the terms and conditions of the agreement and all applicable Acts; and
(h) any other provisions that the minister or public body considers necessary to protect the personal information and the personal health information involved.
I have made similar suggestions for HUBS and for researchers under The Archives and Public Records Management Act. It is a trend that if organizations have access to sensitive personal information, that access should be accompanied by obligations to protect that information.
To further clarify when it is appropriate to use or disclose personal health information, this office has proposed the following amendment to The Health Information Protection Act in Striking a Balance, Proposals for Amendments to The Health Information Protection Act available on our website, www.oipc.sk.ca:
27(4) A trustee may disclose personal health information in the custody or control of the trustee without the consent of the subject individual in the following cases:
(e) if the subject individual is deceased:
(vi) for the purpose of determining or carrying out the individual’s wishes in relation to the donation of the individual’s body parts, tissue, or bodily substances;
We would request that you recommend the adoption of our proposed amendment.
Lastly, in order to ensure that donors, families and stakeholders understand any changes made to the program, we believe an ongoing communication plan should be established. We request that this be built into your recommendations.
I am pleased to be here and am ready to take your questions.
Ronald J. Kruzeniski, Q.C.
Saskatchewan Information and Privacy Commissioner