Canada published draft guidelines on the use of medical devices powered by machine learning

RCMP plan to equip every Sask. Detachment

G20 leaders make privacy, AI declaration

Ontario: $988K settlement reached in Peterborough hospital

Three simple rules for managing your privacy

Global definitions for artificial intelligence

New guidance on sending bulk communications

The Essential Guide To Data Privacy


Why some reviews and investigations cannot pass go

July 8, 2021 - Diane Aldridge, Executive Director of Compliance

If you have ever contacted our office regarding a concern with how a public body (government institution or local authority) or trustee has responded to your access to information request or handled your personal information or personal health information, you probably heard that we are an office of last resort. As the oversight body, we are an appeal body. That means that you must first have made the access request to the appropriate body and waited the requisite period of time before bringing your concerns to our attention. The same can be said for privacy complaints, for the most part. But, even once you submit your request/complaint, we don’t immediately open a file as we have to make a call in terms of if we can proceed.

What do I mean by that? Firstly, we must have jurisdiction. That is, the body that your request/complaint is made involves a public body or trustee. Even if it appears this is the case, we also need grounds to proceed. It is much more straightforward in a review if we have grounds as will be evident in the documentation, but the applicant still needs to point out which issues they want us to consider in the review (i.e. fee estimate, manner of access, search, fee waiver, access denied, time extension). So clearly, providing all the necessary documentation is crucial for us to move forward.

With a privacy complaint, if you believe that a public body or trustee breached your privacy, what you bring to us must be specific and convincing. For instance, what personal information or personal health information is involved? On what day/time did the alleged inappropriate or unauthorized collection, use or disclosure of your personal information or personal health information occur? Who was involved? How do you know that this occurred? What proof do you have that would support your assertions?

In either case, if enough information is not provided even after our intake team intervenes, the request/complaint may be dismissed and no review or investigation is undertaken by our office. This could happen too if statutory time limits have expired.

If it looks like we have jurisdiction and sufficient grounds to go forward with a review or investigation, notifications to the parties are sent indicating that we are proceeding. However, we could still end up discontinuing the review or investigation if we are convinced that the appeal concerns a trivial matter, is frivolous, vexatious, not made in good faith, or for other reasons noted in the legislation. For the most part, the reasons for making an access request(s) or submitting a privacy complaint(s) aren’t relevant, but motives may be considered if actions taken by the submitter of the request/complaint amount to an abuse of process. For example, the following excerpts are taken from our Review Report 225-2015:

  1. Did the Applicant request this review on grounds that are frivolous, vexatious or not in good faith?

[10] Subsections 43(2)(a) and (b) of HIPA provides:

43(2) The commissioner may refuse to conduct a review or may discontinue a review if, in the opinion of the commissioner, the application for review:

(a) is frivolous or vexatious;

(b) is not made in good faith;

[11] This provision enables the Commissioner to dismiss or discontinue a review where it appears the access provisions of HIPA are not being utilized appropriately. …

[12] Personal health information is one of the most sensitive forms of personal information. It is collected primarily for reasons connected with patient care and is collected under circumstances of vulnerability and trust. Therefore, denying someone the right of review should only be permitted in the most extreme of circumstances and when there is compelling evidence to do so.

[13] On the other hand, HIPA must not become a weapon for disgruntled individuals to use against a trustee for reasons that have nothing to do with the Act. …

[16] Depending on the nature of the case, one factor alone or multiple factors in concert with each other can lead to a finding that a request is an abuse of the right of access. …

[62] The rights afforded the public to access under HIPA are accompanied by concomitant responsibilities on the part of Applicants. One of these responsibilities is working in tandem with the trustee to further the purposes of the Act. Actions, on the part of an Applicant that frustrate this approach can be said to be an abuse of this process. Examples include overwhelming a trustee with access requests, not working constructively to resolve issues, making repeated unfounded accusations and being uncooperative or harassing to those who are attempting to assist.

[65] In conclusion, considering all that is before me, I find that the Applicant’s review request is vexatious.

[66] I find that the review under consideration has been initiated on vexatious grounds pursuant to subsection 43(2)(a) of HIPA. I therefore discontinue this review

[Emphasis added]

In the above case, the review was discontinued for the reasons noted, but this is an uncommon outcome. I find in most cases, individuals that come to our office do so in good faith and are eager to cooperate and not surprisingly, those files proceed without complication. So, if unclear at all as to what is required, please contact us.


Categories: Blog

Back to Blog