Guidelines For Professional Regulatory Bodies

Discipline decisions, and other discipline related documents, published on the websites of professional regulatory bodies may contain sensitive personal information or personal health information, including information such as alleged wrongdoings, opinions about members and physical and mental health information. Professional regulatory bodies in Saskatchewan may be subject to access and privacy laws, including The Freedom of Information and Protection of Privacy Act (FOIP) and The Health Information Protection Act (HIPA), and their regulations. As such, any disclosure of personal information or personal health information should be done in accordance with the applicable access and privacy law.

By making discipline decisions, and other discipline related documents (including notice of complaints, notice of hearings, and discipline decisions) available to the public, professional regulatory bodies are being transparent in their decision-making and demonstrating their accountability to the public. One way of making these documents available to the public is by publishing them on the internet. While publishing on the internet accomplishes the task of promoting transparency and demonstrating accountability, it also means that personal information or personal health information contained within these documents may be published on the internet. This information can be compiled and used for unintended and nefarious purposes including stalking, bullying, and identity fraud and theft.

This resource is focused on the publication of discipline decisions, and other discipline related documents, on professional regulatory body websites. The resource provides general non-binding advice and is only meant for consideration for professional regulatory bodies as they develop their policies and procedures on the publication of discipline-related documents.

Applicable Access and Privacy Laws

FOIP

Some professional regulatory bodies qualify as a “government institution” under FOIP. Before publishing discipline related documents, professional regulatory bodies that are government institutions should first determine if the discipline decision contains personal information. If so, then they must identify their authority under FOIP to disclose personal information. Therefore, these professional regulatory bodies must first have authority under FOIP to disclose personal information when publishing discipline related documents on their websites.

How does a professional regulatory body figure out if it qualifies as a “government institution” under FOIP?

Some professional regulatory bodies qualify as a “government institution” pursuant to subsection 2(1)(d)(i), which provides:

2(1)(d) “government institution” means, subject to subsection (2):

(i) the office of Executive Council or any department, secretariat or other similar agency of the executive government of Saskatchewan;

Other professional regulatory bodies may qualify as a “government institution” pursuant to subsections 2(1)(d)(ii)(A) and/or 2(1)(d)(ii)(B). These two subsections of FOIP provide as follows:

2(1)(d) “government institution” means, subject to subsection (2):

(ii) any prescribed board, commission, Crown corporation or other body, or any prescribed portion of a board, commission, Crown corporation or other body, whose members or directors are appointed, in whole or in part:

(A) by the Lieutenant Governor in Council;

(B) by a member of the Executive Council;

Subsection 2(1)(d)(ii) of FOIP uses the word “prescribed”, which means prescribed in The Freedom of Information and Protection of Privacy Regulations (FOIP Regulations) (subsection 2(1)(h) of FOIP).

Section 3 and Part I of the Appendix of the FOIP Regulations set out the boards, commissions, Crown corporations and any other body that may be prescribed as a government institution under FOIP.

Professional regulatory bodies that qualify as a government institution must comply with FOIP when determining whether they will publish personal information contained in discipline related documents.

What is personal information under FOIP?

Discipline related documents may contain the personal information of several individuals, including witnesses, affected individuals, the Complainant, and/or the professional member. Subsection 24(1) of FOIP defines personal information as follows:

24(1) Subject to subsections (1.1) and (2), “personal information” means personal information about an identifiable individual that is recorded in any form

Personal information should be information that is personal in nature. Examples of personal information that discipline related documents may contain include the professional member’s discipline, the impact upon affected individuals and the identity of the complainant.

Does FOIP authorize professional regulatory bodies to disclose personal information through the publication of discipline decisions?

Below are some subsections of FOIP that a professional regulatory body (that is subject to FOIP) may consider when determining if it has the legal authority to disclose personal information.

Subsection 29(2)(t) of FOIP

Subsection 29(2)(t) of FOIP provides that a government institution may disclose personal information in its possession or control if an Act or regulation authorizes the disclosure.

29(2) Subject to any other Act or regulation, personal information in the possession or under the control of a government institution may be disclosed:

(t) for any purpose in accordance with any Act or regulation that authorizes disclosure;

Therefore, professional regulatory bodies should determine if their enabling legislation authorizes them to disclose personal information contained within a discipline related document. It should be noted that while legislation may require the professional regulatory body to disclose information to certain parties, such as the member, legislation may not authorize the disclosure of such information to the general public by publishing documents on its website. Professional regulatory bodies must be cognizant of this difference when determining what information within discipline related documents should be posted on their websites.

Subsection 29(2)(u) of FOIP/Subsection 16(f) of FOIP Regulations

Subsection 29(2)(u) of FOIP and subsection 16(f) of the FOIP Regulations provide that a government institution may disclose personal information for the purpose of commencing or conducting a proceeding or possible proceeding before a tribunal. Subsection 16(f) of the FOIP Regulations provides:

16 For the purposes of clause 29(2)(u) of the Act, personal information may be disclosed:

(f) for the purpose of commencing or conducting a proceeding or possible proceeding before a court or tribunal;

Proceedings may require the professional regulatory body to disclose exhibit books that contain personal information to the member (and the member’s legal counsel). In Investigation Report 109-2016, the Commissioner recommended as a best practice that professional regulatory bodies and their legal counsel carefully review the evidence submitted and redact or de-identify personal information as much as possible. Such redactions or de-identification may have to be done with the member’s legal counsel’s consent. If personal information must remain in the exhibits, then the professional regulatory body should get an undertaking from the member’s legal counsel that the personal information will not be disclosed by them.

Subsection 29(2)(u) of FOIP/Subsection 16(g) of FOIP Regulations

The disciplining of a member of a professional body is often related to the member’s performance or carrying out of a function, duty or responsibility as an officer or employee of a government institution. Subsection 29(2)(u) of FOIP and subsection 16(g) of the FOIP Regulations provide that a government institution may disclose such information. These same provisions also authorize the disclosure of the terms or circumstances under which a person ceased to be an employee of a government institution.

16 For the purposes of clause 29(2)(u) of the Act, personal information may be disclosed:

(g) to any person where the information pertains to:

(i) the performance of any function or duty or the carrying out of any responsibility by an officer or employee of a government institution; or

(ii) the terms or circumstances under which a person ceased to be an employee of a government institution including the terms of any settlement or award resulting from the termination of employment;

It should be noted that the above disclosure provisions of FOIP authorize the disclosure of personal information at the discretion of the head of the professional regulatory body. They do not require the head of the professional regulatory body to disclose personal information.

HIPA

Health professional regulatory bodies that regulate members of a health profession pursuant to an Act qualify as a “trustee” under HIPA. Before publishing discipline decisions, health professional regulatory bodies that are trustees must determine if the discipline decision contains any personal health information. If so, then they must identify their authority under HIPA to disclose personal health information on their website.

How does a professional regulatory body determine if it qualifies as a “trustee” under HIPA?

Subsection 2(1)(t)(xiii) defines “trustee” as follows:

2(1)(t) “trustee” means any of the following that have custody or control of personal health information:

(xiii) a health professional body that regulates members of a health profession pursuant to an Act;

What is personal health information under HIPA?

Discipline related documents may contain personal health information of several individuals, including witnesses, affected individuals, the Complainant and/or the professional member. Subsection 2(1)(m) of HIPA defines personal health information as follows:

2(1)(m) “personal health information” means, with respect to an individual, whether living or deceased:

(i) information with respect to the physical or mental health of the individual;

(ii) information with respect to any health service provided to the individual;

(iii) information with respect to the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of the individual;

(iv) information that is collected:

(A) in the course of providing health services to the individual; or

(B) incidentally to the provision of health services to the individual; or

(v) registration information;

Does HIPA authorize health professional regulatory bodies to disclose personal health information through the publication of discipline decisions?

Below is a subsection of the HIPA Regulations that a health professional regulatory body should consider when determining if it has the legal authority to disclose personal health information.

Subsection 16(2) of HIPA Regulations

A health professional body may consider subsection 16(2) of the HIPA Regulations when determining if it can publish personal health information in discipline decisions.

16(2) A health professional body to which personal health information is disclosed pursuant to clause (1)(a), clause 15(2)(d) or section 17 shall only use or disclose that personal health information for one or more of the following purposes:

(a) for a purpose authorized by a bylaw that:

(i) is made pursuant to an Act that regulates a health professional body; and

(ii) is approved by the minister;

(b) to carry out the duties of the health professional body with respect to regulating the members of its profession;

(c) for the purposes of a program.

Subsection 27(4)(i) of HIPA

Subsection 27(4)(i) of HIPA provides that a trustee may disclose personal health information for the purpose of commencing or conducting a proceeding before a tribunal. Subsection 27(4)(i) of HIPA provides:

27(4) A trustee may disclose personal health information in the custody or control of the trustee without the consent of the subject individual in the following cases:

(i) where the disclosure is being made for the purpose of commencing or conducting a proceeding before a court or tribunal or for the purpose of complying with:

(i) an order or demand made or subpoena or warrant issued by a court, person or body that has the authority to compel the production of information; or

(ii) rules of court that relate to the production of information;

Proceedings may require the professional regulatory body to disclose exhibit books that contain personal health information to the member (and the member’s legal counsel). In Investigation Report 109-2016, the Commissioner has recommended as a best practice that professional regulatory bodies and their legal counsel carefully review the evidence submitted and redact or de-identify personal health information as much as possible. Such redactions or de-identification may have to be done with the member’s legal counsel’s consent. If personal health information must remain in the exhibits, then the professional regulatory body should get an undertaking from the member’s legal counsel that the personal health information will not be disclosed by them.

Open Court Principle

The open court principle provides that the courts should be open to public scrutiny to ensure the proper administration of justice. There are cases, though, where openness is limited to protect privacy, including through publication bans which protect complainants, victims and/or witnesses. In Patient 0518 v RHA 0518, 2016 SKQB 175, the Court of Queen’s Bench for Saskatchewan noted that the open court principle is not absolute. There are circumstances in which public access to legal proceedings should be restricted.

Applying the open court principle to a discipline committee is fine in relation to the public having access to the hearing, but that does not necessarily mean that all personal health information needs to be distributed to the public or made available on a website.

Courts are not subject to access and privacy laws. However, the professional regulatory bodies may be a government institution under FOIP or a trustee under HIPA. Therefore, they must only collect, use and/or disclose personal health information according to FOIP or HIPA. Professional regulatory bodies may choose to abide by the open court principle (which is laudable) but they have no choice but to also abide by the applicable access and privacy law.

Publishing Discipline Related Documents

Before publishing discipline related documents on the internet, professional regulatory bodies must:

  • Determine if de-identified information will still accomplish its purpose in publishing the discipline related documents. For example, the professional regulatory body should consider de-identifying witnesses, affected individuals and complainants’ personal information. Publishing such personal information may deter individuals in the future from bringing forth concerns to the professional regulatory body.
  • For the personal information that remains in the discipline related document, such as the personal information of the professional member, the professional regulatory body should ensure it has the authority under the applicable access and privacy law to disclose personal information contained within the discipline related document.
  • Ensure that they have appropriate safeguards in place to enhance privacy but still promote accountability and transparency. See below for additional notes.

Safeguards to Enhance Privacy but Still Promote Transparency and Accountability

Policies and Procedures

Professional regulatory bodies should consider designating a specific person responsible for their compliance with access and privacy legislation, the development of appropriate privacy policies and procedures and providing training to staff and discipline committee members.

Professional regulatory bodies should have written policies and procedures to guide their staff in drafting and publishing discipline decisions. First, policies and procedures should guide staff to only include the necessary personal information (or personal health information) that was needed to arrive at the decision and to remove non-relevant information.

Policies and procedures should also guide staff to de-identify personal information (or personal health information) as much as possible, especially if the information belongs to a person who is not the member receiving discipline (this includes witnesses, complainants and affected individuals). De-identification methods can include redacting identifiable information or replacing names (and other identifiable information) with pseudonyms.

Written policies and procedures should guide staff on how to determine that the discipline related documents contain only the personal information they have authority to disclose. If the personal information of affected individuals remains in the discipline related document that will be published on the internet, the professional regulatory body should allow the affected individuals to make an argument as to why their personal information should be removed prior to publication.

Professional regulatory bodies that will be publishing discipline related documents on their websites should also consider making related policies and procedures available to any person involved in the discipline process. This is so that members and any other person involved in the matter know what personal information (or personal health information) may be published in discipline related documents.

Web Robot Exclusion Protocol

Even when there is legal authority for disclosure, professional regulatory bodies should consider privacy enhancing technologies, including the robots exclusion protocol that limits the indexing of search results by well-known search engines such as Google and Bing. The robots exclusion protocol can act as a barrier to people who may wish to use the personal information for nefarious purposes. However, the discipline information is still available to individuals who actively go to the professional regulatory body’s website and search for discipline related documents.
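A pre-publication check for the robots exclusion rules described above, as an added example that is not part of the original guidance. The domain, the /discipline/ and /members/ paths and the document URLs are constructed assumptions; the check lists which documents well-known crawlers are still permitted to fetch.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical regulator site; the
# /discipline/ path is an assumption, not taken from any real site.
ROBOTS_TXT = """\
User-agent: *
Disallow: /discipline/
"""

# Constructed variant showing a common failure mode: a crawler that has
# its own group follows only that group, so the "*" rules no longer
# apply to it and /discipline/ is open to Googlebot again.
ROBOTS_TXT_OVERRIDE = """\
User-agent: Googlebot
Disallow: /members/

User-agent: *
Disallow: /discipline/
"""

# Constructed URLs of documents about to be published.
PUBLISHED = [
    "https://regulator.example/discipline/decisions/2024-001.pdf",
    "https://regulator.example/discipline/notices/hearing-2024-007.html",
    # Copy placed outside the excluded path, e.g. attached to a news item.
    "https://regulator.example/news/2024/decision-summary.pdf",
]

CRAWLERS = ["Googlebot", "bingbot"]


def crawlable(robots_txt, urls, agents=CRAWLERS):
    """Return (agent, url) pairs that robots.txt still allows to be fetched."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return [(a, u) for u in urls for a in agents if parser.can_fetch(a, u)]


if __name__ == "__main__":
    for name, text in [("base", ROBOTS_TXT), ("override", ROBOTS_TXT_OVERRIDE)]:
        for agent, url in crawlable(text, PUBLISHED):
            print(f"[{name}] not excluded for {agent}: {url}")
```

An empty result means every listed document falls under an exclusion rule for every listed crawler. The protocol is honoured voluntarily by crawlers, so it complements de-identification rather than replacing it.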

 

 
