Privacy Breach Guidelines for Trustees

Privacy Breach Guidelines for Trustees

This document has two purposes. The first is to assist health trustees to understand what a privacy breach is and how to deal with one. The second is to outline what to expect from a privacy breach investigation from the office of the Information and Privacy Commissioner (IPC). For more information please see Part 5 and Part 7 of The Rules of Procedure.

The Health Information Protection Act (HIPA) outlines the privacy rules for trustees. This document will explain steps to respond to a privacy breach involving personal health information. For more information about HIPA in general consult the IPC Guide to HIPA.

Government institutions under The Freedom of Information and Protection of Privacy Act (FOIP) and local authorities under The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) should consult Privacy Breach Guidelines for Government Institutions and Local Authorities.

What is a Privacy Breach?

What is privacy?

“Privacy” can have many different meanings. However, in HIPA, the focus is on personal health information privacy; the right of an individual to determine for themselves when, how and to what extent their personal health information will be shared.

Personal health information is defined in section 2(m) of HIPA.

When does a privacy breach occur?

A privacy breach is often thought of as inappropriate sharing of personal health information. However, a privacy breach can occur in a number of different ways:

Collection: A privacy breach could occur if a trustee asks for or collects more personal health information needed for the purpose for which it is being collected (e.g. a health services number is required for a non-health related service, personal health information is not collected directly from the individual, etc.). The rules for collection are found in sections 23, 24, and 25 of HIPA.

Use: A privacy breach could occur when personal health information already in the possession or control of the trustee is used for reasons that are not consistent with the purpose for which they were collected (e.g. personal health information is collected to provide one service and then used to promote a different service). The rules for use are found in sections 23, 26, 29, and 30 of HIPA.

Disclosure: A privacy breach could occur when an unauthorized disclosure of personal health information transpires (e.g. when personal health information is missing, or when a trustee shares personal health information with another organization without authority, etc.). Note: if personal health information in the custody or control of a trustee is missing, even if there is no evidence that someone has viewed the personal health information, it qualifies as a disclosure. The rules for disclosure are found in sections 23, 27, 28, 29 and 30 of HIPA.

Accuracy: Trustees have a duty to ensure personal health information is as accurate and complete as possible. A privacy breach may occur when personal health information is inaccurate (see section 19 of HIPA).

Other sub-issues: Other issues that might arise during a privacy breach investigation could include need-to-know, data minimization, and consent. However, they would likely be tied to one of the other major issues.

Duty to protect

Section 16 of HIPA requires that a trustee have administrative, technical, and physical safeguards to protect personal health information.

Administrative safeguards are controls that focus on internal organization, policies, procedures, and maintenance of security measures that protect personal health information. Examples include written policies and procedures, annual training for employees, confidentiality agreements, agreements with information management service providers (IMSPs), auditing programs, records retention and destruction schedules, and access restrictions.

Technical safeguards are the technology and the policy and procedures for its use that protect personal health information and control access to it. Examples include separate user identifications, passwords, firewalls, identification and authentication controls, virus scanners, and audit capabilities in digital systems.

Physical safeguards are physical measures, policies, and procedures to protect personal health information and related buildings and equipment, from unauthorized intrusion and natural and environmental hazards. Examples include locked filing cabinets, offices and storage rooms, alarm systems, and clean desk approaches.

Integrity refers to the condition of information being whole or complete; not modified, deleted or corrupted.

Confidentiality implies a trust relationship between the person supplying information and the individual or organization collecting or using it.

Threat means a sign or cause of possible harm.

Hazard means a risk, peril, or danger.

Security means a condition of safety or freedom from fear or danger.

Unauthorized access occurs when individuals have access to personal health information that they do not need-to-know, either by accident or on purpose. This would also qualify as either an unauthorized use or unauthorized disclosure.

Unauthorized collection occurs when personal health information is collected, acquired, received or obtained by any means for purposes that are not allowed under sections 23, 24, or 25 of HIPA.

Unauthorized use refers to the use of personal health information for a purpose that is not authorized under sections 23 and 26 of HIPA.

Unauthorized disclosure refers to the act of revealing, showing, providing copies, selling, giving, or relaying the content of personal health information in ways that are not permitted under sections 23, 27, 28, 29, and 30.

Trustees should have education programs in place for their employees which address the trustee’s duties under HIPA, safeguards the trustee has established, the need-to-know, and consequences for violating HIPA.

There’s been a Privacy Breach: Now What?

If you have discovered a privacy breach, contact your organization’s privacy officer immediately. Write down all of the information related to the discovery of the breach.

If you have been tasked with dealing with the breach, consider the following guidelines.

Contain the breach

It is important to contain the breach immediately. In other words, ensure that personal health information is no longer at risk. This may involve:

  • stopping the unauthorized practice;
  • recovering the records;
  • shutting down the system that was breached;
  • revoking access to personal health information; and/or
  • correcting weaknesses in physical security.

Notification

It is best practice to inform affected individuals and the IPC of breaches in most cases. The following is a list of individuals or organizations that may need to be notified as soon as possible after learning of the incident:

  • your organization’s privacy officer;
  • the IPC (for more information see the specific section on proactively reporting to the IPC later in this document);
  • the police, if criminal activity is suspected (e.g. burglary); and/or
  • the affected individuals (unless there are compelling reasons why this should not occur).

How to notify affected individuals

Notification of individuals affected by the breach should occur as soon as possible after key facts about the breach have been established.

It is best to contact affected individuals directly, such as by telephone, letter or in person. However, there may be circumstances where it is not possible and an indirect method is necessary or more practical. Such situations would include where contact information is unknown or where there are a large number of affected individuals. An indirect method of notification could include a notice on a website, posted notices, media advisories, and advertisements. Ensure the breach is not compounded when using indirect notification.

Notifications should include the following:

  • a description of the breach (a general description of what happened);
  • a detailed description of the personal health information involved (e.g. name, medical record, etc.);
  • steps taken and planned to mitigate the harm and to prevent future breaches;
  • if necessary, advice on actions the individual can take to further mitigate the risk of harm and protect themselves (e.g. how to change a health services number);
  • contact information of an individual within your organization who can answer questions and provide further information;
  • a notice that individuals have a right to complain to the IPC (provide contact information); and
  • recognition of the impacts of the breach on affected individuals and an apology.

Investigate the breach

Once a breach has been contained the next step is to investigate the breach. Here are some key questions to ask during a privacy breach investigation:

  • When and how did your organization learn of the privacy breach?
    • Has the privacy breach been contained?
    • What efforts has your organization made to contain the breach?
  • What occurred?
    • What type of breach occurred (e.g. collection, use, disclosure, accuracy, etc.)?
    • What personal health information was involved in the privacy breach?
    • When did the privacy breach occur? What are the timelines?
    • Where did the privacy breach occur?
  • How did the privacy breach occur?
    • Who was involved?
    • What employees, if any, were involved with the privacy breach? What privacy training have they received?
    • Who witnessed the privacy breach?
    • What factors or circumstances contributed to the privacy breach?
    • What is the root cause of the breach?
  • What is the applicable legislation and what specific sections are engaged?
  • What safeguards, including policies and procedures, were in place at the time of the privacy breach?
  • Was the duty to protect met?
    • Were the safeguards followed?
    • If no safeguards were in place, why not?
    • Were the individuals involved aware of the safeguards?
  • Who are the affected individuals?
    • How many are there?
    • What are the risks associated to a privacy breach involving this information (e.g. is the affected individual at risk for identity theft, health insurance fraud, etc.)?
    • Have affected individuals been notified of the privacy breach?

Prevent future breaches

The most important part of responding to a privacy breach is to implement measures to prevent future breaches from occurring.

  • What steps can be taken to prevent a similar privacy breach?
    • Can your organization create or make changes to policies and procedures relevant to this privacy breach?
    • Are additional safeguards needed?
    • Is additional training needed?
    • Should a practice be stopped?

Privacy breach report

Once the necessary information has been collected, it is a good idea to prepare a privacy breach investigation report. The report should include the following:

  • a summary of the incident and immediate steps taken to contain the breach;
  • background of the incident, timelines, and a chronology of events;
  • description of the personal health information involved and affected individuals;
  • description of the investigative process;
  • the root and contributing causes of the incident;
  • a review of applicable legislation, safeguards, policies, and procedures;
  • a summary of possible solutions and recommendations for preventing future breaches. This should include specific timelines and responsibility for implementation of each action.

The IPC will also request that public bodies complete the IPC’s Privacy Breach Investigation Questionnaire (Questionnaire) if a file is opened. The Questionnaire is described later in this resource.

When employee snooping is suspected

Sometimes the privacy breach involves an employee or contractor who purposely accessed personal health information of individuals without a need to know. The following are steps or items to consider when investigating this type of breach:

  • record details of how the breach came to light;
  • suspend employee’s access to the personal health information;
  • retrieve log information if available;
  • interview the employee in question (establish if the employee may have shared their user account and identification and routinely logged out of account);
  • identify and interview any witnesses;
  • review the privacy training the employee in question has received (have warnings of routine audits been given?);
  • review any relevant contracts;
  • consider who needs to be notified (e.g. supervisor, union, police, e-Health Saskatchewan, etc.);
  • decide if the identity of the employee in question will be disclosed to the affected individual when providing notification; and/or
  • proactively report to the IPC for further advice.

The IPC recommends that a trustee share any discipline measures taken against an employee who has snooped (without revealing the identity of the individual) to the rest of the employees in the organization and the affected individuals. Please also include any details of employee discipline when reporting details of the breach to the IPC.

What Can I Expect if the IPC is involved?

How IPC investigations are initiated

The IPC can learn of a privacy breach and begin an investigation in several different ways. Some of them include:

  • a citizen could come to the IPC with a complaint about a trustee’s actions or practices involving their personal health information;
  • a third party in possession of personal health information could notify the IPC;
  • employees of a trustee could inform the IPC of inappropriate practices within the organization;
  • the IPC could act on media reports; and/or
  • the trustee can proactively report a breach to the IPC.

What happens when a trustee proactively reports a breach to the IPC?

Trustees should consider proactively reporting privacy breaches to the IPC. This means that when a trustee learns of a breach, it reports it to the IPC. While not mandatory, the IPC does encourage organizations to proactively report. The IPC has a reporting form for public bodies to proactively report a privacy breach to the IPC: Proactively Reported Breach of Privacy Reporting Form for Public Bodies.

Advantages of proactively reporting

Some of the benefits of proactively reporting include:

  • may reduce the need for the IPC to issue a report on the matter;
  • receiving timely, expert advice from the IPC – the IPC can help guide the trustee on what to consider, what questions to ask and what parts of the legislation may be applicable;
  • should the media get wind of the privacy breach, the trustee can assure the public that it is working with the IPC to address the matter; and
  • should affected individuals contact the IPC, we can assure the individuals that it is working with your organization to address the breach which may prevent a formal complaint to the IPC.

What are the possible outcomes when I proactively report?

When a trustee proactively reports a privacy breach to the IPC, a file will be opened. The trustee will be asked to complete and provide the IPC’s Questionnaire and other relevant material within 30 days.

The Questionnaire takes trustees through the four best practice steps of responding to a breach (containment, notification, investigate, and prevent future breaches). Through this process of answering the questions, the completed Questionnaire should provide the IPC with what is required to conduct our investigation. If further information is required, the IPC will advise.

Once the IPC receives the relevant material, it will review the file and make a decision. The possible outcomes are as follows:

  • if the Commissioner is satisfied with the trustee’s overall response to the breach, the file will be closed informally without a public report. This process may include some informal recommendations from the IPC;
  • if the breach is egregious or it involves a large number of affected individuals, the Commissioner may determine that a report will be issued;
  • if an affected individual makes a formal complaint, the Commissioner may determine that a report will be issued; or
  • if the Commissioner is not satisfied with the trustee’s response, the IPC will issue a report.

Once the IPC has made a decision, the trustee will be advised if a report will be issued or not. The trustee will also be notified if an affected individual makes a formal complaint which would also result in a public report.

Summary of investigation process

  1. A privacy complaint is received at the IPC or a trustee proactively reports a breach to the IPC. It will be assigned to an Intake Officer.
  2. Intake Officer will ensure all necessary information has been received from the complainant, trustee, or other parties. When there is a complainant, the Intake Officer will attempt informal resolution between the parties.
  3. If informal resolution is not possible, the Intake Officer will send out a notification e-mail to all parties. It will request that the Questionnaire and relevant materials be provided in 30 calendar days. Additional relevant materials can include copies of relevant policies and/or procedures and/or agreements (or plans to develop relevant polices and/or procedures and/or agreements) or any other relevant documentation.
  4. File will be assigned to an Analyst. The Analyst will ensure materials arrive in 30 calendar days. If materials are not received in 30 calendar days, or an agreed upon deadline, the escalation guidelines are as follows:
    • the Analyst will follow up and attempt to receive materials;
    • the Analyst will escalate to the Manager of Compliance (MoC). MoC will attempt to get materials within seven calendar days before moving it on;
    • MoC will escalate to the Director of Compliance (DoC);
    • the Commissioner may contact the ‘head’.
  5. The Analyst will review materials received and do some initial analysis to determine direction of investigation.
  6. The Analyst will meet with the MoC and DoC and if necessary with the Commissioner to discuss direction of investigation. The MoC and DoC or the Commissioner may direct the Analyst to try and reach an informal resolution if a complainant is not involved. If successful, the file will be closed informally, without a report. Otherwise, the Analyst will prepare the draft report.

If it is a proactively reported breach, the Analyst will review materials received and meet with the Commissioner and MoC to discuss direction of investigation. The possible outcomes are as follows:

    • if the Commissioner is satisfied with the trustee’s overall response to the breach, the file will be closed informally and without a public report. This process may include some informal recommendations from the IPC.
    • if the Commissioner is satisfied with the trustee’s overall response to the breach, but the breach is egregious, there is a systematic issue involved, there is significant educational value or it involves a large number of affected individuals, the IPC may determine that a report will be issued; or
    • if the Commissioner is satisfied with the trustee’s overall response to the breach, but an affected individual makes a formal complaint, the IPC may determine that a report will be issued.

If the IPC decides to close the file informally, the Analyst will notify the trustee. Otherwise, the Analyst will notify the trustee if the IPC has decided to issue a report.

  1. The Analyst will prepare a draft report. The Analyst will send a PDF copy of the draft report to the trustee’s Privacy Officer and request response within seven calendar days. The trustee will be asked if there are any factual inaccuracies. This has the potential to change a finding or recommendation.
  2. The Analyst will put the draft report into a final format and send to the Commissioner for final approval.
  3. The Analyst will e-mail the final report to any complainant(s) and trustee.
    • one copy of the final report will go to the complainant(s); and
    • another copy of the final report will be e-mailed to the following:
      • Head or designate of the trustee;
      • Privacy Officer;
      • Deputy Minister of Health, Deputy Minister of Justice, other relevant Deputy Ministers, and any others as directed by the Commissioner.

The Report is now issued.

  1. All reports will be posted to the website on or after three to five days of issuance, unless the Commissioner directs otherwise.
  2. Section 49 of HIPA requires the trustee to respond to the Commissioner’s final report within 30 days. It must also provide a copy of its response to any complainant(s). The response must be sent within 30 days of the issuance of the report. If no response is received from the trustee within 23 days of issuing the final report, the Analyst will provide the trustee with one reminder of its duty to respond. Trustee responses are tracked by the IPC and reported on in the Annual Report.
  3. Trustees should also be aware that a complainant can appeal the trustee’s decision to the Court of Queen’s Bench.

Informal resolution

Where possible, the IPC will aim to achieve informal resolution for investigation files. Informal resolution is beneficial to all parties involved as it can expedite resolution for the complainant and reduce the amount of work for both the trustee and IPC.

When a privacy complaint is first received by the IPC, it will receive a file number and be assigned to an Intake Officer. The Intake Officer will first verify that the IPC had received all the necessary information and documents from the complainant. The Intake Officer will then contact both the complainant and the trustee in order to facilitate a possible informal resolution.

Some of the ways an Intake Officer might facilitate an informal resolution are as follows:

  • dispel any misunderstandings;
  • clarify the complainant’s objectives with the trustee;
  • facilitate negotiations between the complainant and trustee;
  • clarify the role of the IPC; and/or
  • identify the possible outcomes of an investigation.

If an Intake Officer is not able to reach an informal resolution, notification letters will be sent and the file will be assigned to an Analyst. However, the IPC will be open to reaching informal resolution at any stage of the investigation process.

If the IPC is satisfied with a trustee’s internal investigation report, we may close the file through information resolution.

When informal resolution is achieved, the Commissioner will not issue a Report.

What will be the IPC’s focus?

The IPC will look at all of the elements of the breach. However, focus will be on the following areas:

  • the duty to protect (did the trustee meet the duty to protect?);
  • compliance with the applicable legislation;
  • safeguards, policies, and procedures in place at the time of the breach (were they followed and were they effective?);
  • training of the employees involved; and
  • potential employee snooping (if applicable).

The key questions for a privacy breach investigation are found in the Questionnaire. It captures most issues the IPC routinely considers during our investigation. However, every investigation is unique. It is not unusual for an Analyst to ask further questions of a trustee during the process.

It is important to also provide the IPC with relevant documentation such as policies and procedures, training materials, copies of the personal health information in question, etc.

Draft report

Once finished, the Analyst will present a draft report to the trustee which includes analysis of the file, findings and recommendations.

The trustee can respond to the draft report indicating if there are any factual inaccuracies.

If a trustee cannot respond within seven calendar days, please contact the Analyst to discuss. If there is no response, the Analyst will move the investigation forward to a final report.

Please note that the Commissioner may paraphrase or quote from a trustee or complainant’s submission, letter or e-mails in the draft or final report.

Commissioner’s report

Once an Analyst has received the response to the draft report from the trustee, they will make final changes to the report and pass it to the Commissioner for final approval.

The Commissioner will issue a report for every investigation file that is not resolved informally. A copy of the report will also be sent to the Ministry of Health, Ministry of Justice, and any other relevant ministries, organizations, or associations the Commissioner considers appropriate.

All reports will be posted on the IPC website within three to five days from issuance.

HIPA requires that the trustee provide a response within 30 days to the relevant parties.

The IPC is paperless

The IPC has gone paperless. As such we prefer to receive correspondence, the completed Questionnaire, and other documentation electronically. Any documentation could be sent by e-mail, mail, or USB key.

The IPC can now offer use of our Liquid Files (file transfer system) as a means to securely deposit large and/or sensitive documents. If you would like to provide the Questionnaire and attachments using Liquid Files, please contact the Analyst and they will provide you with a file deposit link.

Please password protect any sensitive PDF or Word documents, especially if they contain personal health information. Please do not hesitate to contact us if you require support.

Finally, please do not transmit the password in the same e-mail as the documents. Please send it in a separate e-mail or call the IPC.