Canadian Institute Conference – Toronto

David Loukidelis, Information and Privacy Commissioner
June 19, 2001


Some might be tempted to say that achieving an acceptable balance between privacy, and use or disclosure, of personal health information in the healthcare sector presents special, perhaps insurmountable, challenges. No one can seriously dispute that the sharing of some individually-identifiable information is necessary for proper diagnosis and treatment. The same can be said for many important medical research activities. The challenge, of course, is to delineate the boundaries between individual autonomy – as articulated through requirements for consent to disclosure or use of personal information – and the public good in effective medical research.

In an attempt to strike that difficult balance, many Canadian jurisdictions have, in recent years, enacted special health information privacy laws. British Columbia has, by contrast, simply extended its general public sector privacy law to the public health care sector. By indirect means, much of the private health care sector is also covered by privacy protection requirements. The purpose of this paper is to describe, in general terms only, some of the ways in which the legislation works through the efforts of the province’s health officials and the Office of the Information and Privacy Commissioner (“OIPC”). This paper will also describe some of the problems that can arise under the present system.


Again, unlike a number of other Canadian jurisdictions, British Columbia does not have specific legislation concerning health information privacy. Instead, the province relies on the Freedom of Information and Protection of Privacy Act (“BC Act”), which is similar to Ontario’s and Alberta’s legislation of the same name.

    What Information Is Covered By the Act?

Part 3 of the BC Act contains familiar rules setting out fair information practices that must be adhered to by the over 2,200 public bodies that are subject to the BC Act. Those rules apply to the collection, use and disclosure of “personal information”. Schedule 1 defines “personal information” as “recorded information about an identifiable individual”, including

  • so-called tombstone data (name, age, sex, race, etc.),
  • “an identifying number, symbol or other particular assigned to the individual”,
  • “the individual’s fingerprints, blood type or inheritable characteristics”, and
  • “information about the individual’s health care history, including a physical or mental disability”.

By contrast to statutes such as Alberta’s Health Information Act or Ontario’s now-withdrawn Bill 159, the BC Act does not prescribe what qualifies as identifiable information. In Alberta, information is “individually identifying” only if the identity of the data subject “can readily be ascertained from the information” in issue. Under Bill 159, by contrast, information would be non-identifiable only if the information in issue cannot be used, linked, matched or manipulated “by a reasonably foreseeable method” to identify the data subject’s identity. Although the issue has never arisen for me to consider, I expect the Legislature in British Columbia intended to impose a standard of identifiability closer to that found in Bill 159 than that in the Alberta law.

It should be noted, in passing, that a very strong argument can be made that, especially in a publicly funded health care system, certain information describing professional services provided by a health care provider does not necessarily merit the same (if any) protection as “personal information” within the meaning of the BC Act. Such a case has been made, with great persuasive force, by Murray Rankin, Q.C., Chris Jones and James Rowan, in an article forthcoming in the Canadian Journal of Administrative Law and Practice. Their views have strong appeal.

    What Fair Information Practices Apply?

The Part 3 rules on collection, use and disclosure of personal information can be summarized as follows:

  • personal information can only be collected where collection of that information is “expressly authorized by or under an Act”, the information is collected for law enforcement purposes, or the information “relates directly to and is necessary for an operating program or activity of the public body” (s. 26),
  • a public body must collect personal information directly from the information the information is about, unless the information has consented to another method of collection, the OIPC authorizes another method, or another enactment authorizes another method,
  • personal information may only be used for the purpose for which it was obtained or compiled or for a use consistent with that purpose (s. 32),
  • personal information may only be disclosed by a public body in prescribed circumstances, including where the information had identified the personal information and consented (s. 33(b)), for the purpose for which it was obtained or compiled or for a use consistent with that purpose (s. 33(c)), to comply with an enactment of British Columbia or Canada or an agreement under such an enactment (s. 33(d)), to someone within the same public body where the personal information is necessary for that person’s duties (s. 33(f)), for research purposes in certain cases (s. 33(r) – see below),
  • a public body must make every reasonable effort to ensure that information used to make decisions that directly affect someone is accurate and complete,
  • a public body must protect personal information by making “reasonable security arrangements” against such risks as unauthorized access, collection use, disclosure or disposal (s. 30), and
  • a public body must retain personal information for a year after it has been used to make a decision that directly affects someone (s. 31).

The BC Act also provides for use of individually identifiable data for research. Of course, if an individual consents to use or disclosure of her or his personal information for research, that use or disclosure is permitted. This approach is followed in clinical trials, e.g., those conducted by the BC Cancer Agency. Section 35 of the BC Act goes further, however, and provides what I consider to be a workable compromise between individual privacy interests and the public interest in medical research. That section reads as follows:

Disclosure for research or statistical purposes

35 A public body may disclose personal information for a research purpose, including statistical research, only if

(a) the research purpose cannot reasonably be accomplished unless that information is provided in individually identifiable form or the research purpose has been approved by the commissioner,

(b) any record linkage is not harmful to the individuals that information is about and the benefits to be derived from the record linkage are clearly in the public interest,

(c) the head of the public body concerned has approved conditions relating to the following:

(i) security and confidentiality;

(ii) the removal or destruction of individual identifiers at the earliest reasonable time;

(iii) the prohibition of any subsequent use or disclosure of that information in individually identifiable form without the express authorization of that public body, and

(d) the person to whom that information is disclosed has signed an agreement to comply with the approved conditions, this Act and any of the public body’s policies and procedures relating to the confidentiality of personal information.

Clearly, the most notable aspects of this provision are found in paragraphs (a) and (b). By using the words “cannot reasonably be accomplished”, the Legislature chose a threshold lower than that found in the Personal Information Protection and Electronic Documents Act as it relates to use of personal data for research. It also applied an objective standard for judging whether a research purpose can be accomplished using anonymized, or non-personal, information. Ultimately, the Information and Privacy Commissioner has the authority to investigate research uses of data, in response to complaints or on her or his own motion. This allows some check and balance against unnecessary use of personal – i.e., identifiable – data for medical research.

Whether the approach in other jurisdictions, of requiring expert committees to approve such uses, is an improvement is for others to judge. As far as I am aware, there have been no abuses of this approach. Some might argue this merely begs the question of whether ant problems have simply gone undetected. But the OIPC’s experience in dealing with the major research centres in British Columbia is that they are well aware of s. 35 and their obligations under it. It is also clear that these centres use existing research ethics committees to vet and approve research proposals, including in light of the s. 35 criteria.

    What Institutions Are Covered By the Act?

The Act covers a wide variety of “public bodies”, of which there are over 2,200 across British Columbia. British Columbia’s hospitals, regional health care boards and boards of health are covered, as “health care bodies”. Schedule 1 to the Act defines the term “health care body” as follows:

“health care body” means

(a) a hospital as defined in section 1 of the Hospital Act,
(b) a Provincial auxiliary hospital established under the Hospital (Auxiliary) Act,
(c) a regional hospital district and a regional hospital district board under the Hospital District Act,
(d) a local board of health as defined in the Health Act,
(e) a metropolitan board of health established under the Health Act,
(f) a Provincial mental health facility as defined in the Mental Health Act,
(g) a regional health board designated under section 4 (1) of the Health Authorities Act, or
(h) a community health council designated under section 6 (1) of the Health Authorities Act;

The provincial Ministry of Health is covered by the Act because it is a ministry of the Crown. The self-governing bodies for various health-related professions are also covered, as “local public bodies”. These bodies include the College of Physicians and Surgeons, the College of Dental Surgeons, the College of Pharmacists, Registered Nurses’ Association and the Health Professions Council. The Act does not, however, extend to the private practices of individual practitioners, including doctors. Nor does it apply to private medical labs, such as MDS or BC Bio-Medical Labs. As is discussed below, however, coverage of the self-governing professional bodies offers the opportunity to promote privacy protection through conduct guidelines and bylaws for members of those bodies.

The rest of this paper focuses on examples of how the British Columbia Act has worked in the health care sector generally, including in areas where sector-participants are not directly covered by the Act.


3.1    PharmaNet – PharmaNet is a province-wide electronic network that shares patient prescription information and histories among pharmacists, who are not directly subject to the Act. It was a joint initiative of the Ministry of Health and the College of Pharmacists. Four main justifications were advanced in putting it in place:

  • it is intended to prevent double-doctoring by drug users in order to falsely obtain prescription drugs,
  • it is aimed at preventing patients (notably the elderly) from taking harmful combinations of prescription drugs,
  • it is meant to streamline the system to achieve increased cost-efficiency in publicly-funded prescription programs, and
  • it is intended to provide fast, interactive access to patient information and personal health numbers.

Other objectives for PharmaNet are articulated in s. 37 of the Pharmacists, Pharmacy Operations and Drug Scheduling Act, including facilitating the practice of pharmacy, facilitating patient care, facilitating scientific or drug utilization research conducted at a hospital or university and facilitating Ministry investigations of drug abuse or fraudulent prescriptions.

PharmaNet was broadly seen as reasonable and worthwhile from a health care point of view, but from a privacy rights perspective it was seen as problematic. The main privacy issue was the mandatory nature of the program. Another notable concern was the perceived widespread accessibility of sensitive patient information. This was of concern in part because PharmaNet was designed so that one’s entire prescription history for the preceding 18 months would be displayed upon each system access.

Communication between the OIPC, the Ministry of Health and the College of Pharmacists proved critical at the beginning of PharmaNet.. The OIPC’s involvement during project implementation led to a number of privacy safeguards, including the following:

  • Custodial responsibility of the patient data was assigned to the College of Pharmacists, which was given the ability to discipline pharmacists who are detected browsing or otherwise improperly using data (a power the College has used on a number of occasions),
  • Requirement for positive identification before accepting or recording any data for an individual,
  • Installation of a system that detects unauthorized browsing, i.e., use of the network by a pharmacist or technician must be linked to drug dispensing, counseling or other valid transaction,
  • Adoption of a number of security safeguards, including requirements for passwords for access, data encryption and restrictions on access on a need to know basis,
  • Responsibility for maintaining privacy is assigned to the licensed pharmacist on duty,
  • Clients are given the option to attach a private ‘keyword’ to their account, allowing only those who know the keyword access (although refusal to allow access results in refusal of service), and
  • Any proposed changes in software must be reviewed by the Pharmacare Change Management Committee, which is comprised of Pharmacare, HealthNet/BC, the College of Physicians and Surgeons, the Ministry of Health and the College of Pharmacists.

In addition, s. 38.1 of the Pharmacists, Pharmacy Operations and Drug Scheduling Act was enacted to limit the classes of individuals who have access to PharmaNet data. Cabinet may make regulations expanding or retracting those classes of authorized users. That Act also effectively prohibits the sale of data for “market research” and limits disclosure of “patient record information” for research purposes to data stripped of “patient names and addresses”. (This does not, of course, mean patient data so disclosed are anonymous – their linkage to the provincial health number (“PHN”) alone would make such data identifiable and thus personal information.) In addition, Pharmacists, Pharmacy Operations and Drug Scheduling Act contemplates the making of bylaws by the College of Pharmacists to govern members’ behaviour in relation to PharmaNet.

Ongoing communications between the OIPC and PharmaNet – through the Pharmacare Advisory Committee, the PharmaNet Committee, the College of Pharmacists and the Ministry of Health – have been important in ensuring PharmaNet continues to adhere to generally-accepted privacy practices. Among other things, in 1997 the Ministry of Health had KPMG undertake a review of PharmaNet’s security and moved to implement the results of that work. The OIPC continues to monitor progress with security and to keep abreast of compliance with the KPMG recommendations.

Despite these positive aspects of the OIPC’s involvement, the OIPC was not able to accomplish everything it wished. For example, the OIPC wanted to change the mandatory nature of the program and allow opt-in, it sought the use of keypads for password entry and it sought limitations on the information found in the system. The OIPC also remains wary of the danger of function creep in PharmaNet and similar systems. One example of this would be any attempt to permit law enforcement officials to browse sensitive personal information without prior judicial authorization.

The extension of PharmaNet into hospitals and, as a test program, doctors’ offices presents new enforcement challenges. The OIPC continues to work with the Ministry of Health and the PharmaNet Committee to ensure that the access-limitation, auditing and other privacy aspects of the system are adequate for use in these new environments. As we move into this phase, it is clear that most, if not all, of the privacy challenges can continue to be met through dialogue and consultation. Because the BC Act prevails over any bylaws adopted under the Pharmacists, Pharmacy Operations and Drug Scheduling Act, the once-size-fits-all approach under the BC Act will continue to underpin whatever is done under PharmaNet.

3.2    Model Bylaws for Professions – Under the Health Professions Act, colleges can be established to regulate health professions or disciplines, including regarding practice qualifications and the conduct of members. These bodies include the Colleges referred to earlier, as well as many other health-related professions. With Cabinet approval, a college can adopt regulatory bylaws for members. These bylaws can cover, among other things, access to health records and general conduct standards for members. The provincial Ministry of Health has published model bylaws for use by the various colleges. The OIPC participated in the drafting of these bylaws.

Through such regulatory bylaws, the fair information practices under Part 3 of the BC Act can be extended, as appropriate, to private practitioners who would not otherwise be covered by the legislation. The bylaws also deal with the practices of the colleges themselves, even though they are directly covered by the BC Act. These provisions include the following:

  • establishment of a freedom of information coordinator to fulfill the duties under the BC Act,
  • protection personal information through the creation of safe methods of storage for both physical and electronic records,
  • staff training to ensure proper handling of records, and
  • establishment of a safe manner of disposal of records containing personal information.

Part 6 of the model bylaws contains provisions for dealing with health records kept by college members. These relate to the creation, use, retention and disposal of personal information. Part 6 also provides detailed provisions concerning how patients can gain access to their records.

The incorporation of privacy protections in the model bylaws has, in effect, extended the BC Act to members of the various colleges. It is interesting to note that, although the bylaws relate only to recorded information, any inappropriate collection, use or disclosure of unrecorded information may constitute a breach of the standards of professional ethics endorsed by the college. In this respect, the bylaws echo the general ethical rule, familiar to physicians at least, that patient information must be kept in confidence. Overall, the model bylaws help to enshrine fundamental privacy tenets in the workings of various professional colleges and also extend them to health care practitioners’ private offices. I have recently directed staff to review the model bylaws, to identify any areas that require revision and to approach the Ministry of Health to initiate their update.

An obvious shortcoming in this approach is that it delegates enforcement to individual colleges. Some of them may not have the resources, or the will, to properly monitor and enforce compliance with these aspects of the bylaws. Because of the decentralized enforcement approach inherent in the bylaws, it is difficult to say whether this approach has been as or more effective than would be the case if health privacy laws applied directly to practitioners. As far as the OIPC is aware, however, there is no reason to believe that the delegated approach has created any serious difficulties.

3.3    Privacy Code for Private Physicians’ Offices – Along the lines of the Health Professions Act approach, the OIPC – in co-operation with the College of Physicians and Surgeons of British Columbia and the British Columbia Medical Association – drafted a Privacy Code for Private Physicians’ Offices. Although the BC Act does not cover private physicians’ offices, the principles of the BC Act are an important component of maintaining doctor-patient confidentiality. Our work on the privacy code enabled the OIPC to reach offices not covered by the BC Act. The privacy code includes a number of important privacy components, including the following:

  • personal information should be directly related to care or administrative services in order to be collected,
  • collection of personal information should be direct (from the patient) in most cases and only indirect where the physician feels it is necessary for quality care,
  • disclosure of personal information to the patient should be accommodated within 30 days of request by the patient if the information will not result in harm to the patient or a third party, will not be an unreasonable intrusion of a third person’s privacy or the records were not created or compiled in contemplation of litigation or other legal privilege, and
  • records must be disposed of by secure shredding, complete burning or erasing of information stored by electronic methods.

As is the case with the health professions model bylaws, the efficacy of such privacy codes depends on their sound enforcement by the professional regulatory body. It is also necessary to ensure that such codes keep current, to which end I have asked staff to determine whether a revision of the code is in order.

3.4    Privacy Impact Assessments – Unlike the examples of cooperation in the form of the PharmaNet initiative and the model bylaws, use of a privacy impact assessment tool (“PIA”) is an initiative of the OIPC. Our PIA tool – which is under revision - has the broadest possible application. This self-administered assessment is designed for use by all public bodies, regardless of their mandate or size, to identify and avoid (or mitigate) the impact on privacy of any proposed laws, programs or policies. We have continually urged all public bodies to use the PIA tool at the earliest possible stages of design, to ensure that inappropriate proposals are identified and killed, or amended, before it becomes too costly to do so. (Our model PIA tool – which is found on our website – is in the course of being revised in light of recent developments generally in privacy practices.)

PIAs are an invaluable resource, especially, for policy-makers or planners who are new to the world of privacy protection. By laying out a number of significant issues – including nature, source, use, disclosure and security of information collected – as well as examining the individuals affected and the authorization of and notification for collection, PIAs help to avoid privacy violations. Perhaps one of the greatest dangers associated with them, however, is the tendency to regard a PIA as a merely a managerial tool – one that identifies and manages privacy impacts, rather than identifies them and avoids them altogether.

PIAs illustrate a challenge that faces regulatory bodies such as the OIPC – ensuring that regulated parties are reminded of, and knowledgeable about, their legal duties. In the case of the PIA tool, placing it on our website is one way of advocating its use, but it is not the only (or best) way to ensure it is used. As a result, neither I nor my colleagues miss an opportunity to urge public bodies to use PIAs, wherever possible, and to suggest that they provide us with a copy of PIAs for comment and feedback (though not formal approval of proposed actions). We do this through speeches, meetings, letters, our newsletter and word of mouth. This is a good example of how regulatory bodies such as ours must use education, advocacy and persuasion to ensure the spirit and letter of the law are well known and are acted on.

3.4    Site Visits – Site visits are another means of ensuring that public bodies keep abreast of privacy practices under Part 3 of the BC Act and best practices generally. By ‘site visits’, I refer to the practice of the OIPC – generally in the person of the commissioner and a portfolio officer – visiting a public body and assessing its privacy practices through observation of its operations and interviews with its staff. There are three main objectives of a site visit:

  • meeting the head of a public body and key information management staff,
  • examining how the public body collects, uses, discloses, secures and disposes of personal information, and
  • identifying and discussing any immediate concerns about privacy, security and accessibility of personal information.

A site visit has never been conducted without notice to the public body, even though the commissioner has the power to do so. During the visit, any concerns with privacy practices are noted and later communicated in writing to the public body. The public body then responds with details of the steps it has taken to correct deficiencies noted by the OIPC.

Site visits enable the OIPC to communicate with health care bodies directly, thus ensuring they are kept abreast of the regulator’s current attitudes and allowing them to air concerns or problems with the OIPC. Site visits provide an opportunity for informal communication that allows for constructive problem-solving on the spot. This is a useful adjunct to the more formal approach, which is used where appropriate, of only responding to specific complaints (and then using a formal investigative process). In light of the ever-present limits on resources available to regulatory agencies, the value of informal, pro-active site visits is notable.

In addition to site visits of the kind just described, more formal audit-type approaches can be undertaken. The best example is the 1997 review of the BC Cancer Agency. The BC Cancer Agency was chosen for a number of reasons: it collects a great deal of personal information from its patients, the patient data is centrally stored for a number of facilities (including four comprehensive care centres, twenty-three consultative clinics (fourteen of them located in other facilities), twenty-two provincial chemotherapy clinics and seventy regional pharmacies); and the agency deals with a large volume of data. (In 1996 alone, there were approximately 17,00 new cancer cases in public body and the BC Cancer Agency treated about half of them.) Significantly, the agency must deal with the difficult job of balancing disclosure required to facilitate patient care and research with patients’ privacy.

The site visit, or audit, gave the OIPC the opportunity to assist the BC Cancer Agency with this difficult task. The site visit led to 29 recommendations by the then commissioner. A follow-up review was done by the OIPC two years later and the majority of the results were considered encouraging. The BC Cancer Agency improved its privacy practices in a number of key areas, including:

  • implementation of a data access audit system,
  • the appointment of a head of freedom and information and protection of privacy,
  • improved training for staff on privacy issues,
  • creation of a confidentiality contract for volunteers,
  • development of privacy sensitive contracts with outside bodies,
  • implementation of new password updating requirements, and
  • redrafting of patient information publications in relation to the protection of privacy.


The OIPC must continue to rely on the positive relationships it has developed with various health care bodies. New challenges are emerging and, with our emphasis on communication at the start-up phase of a project and as an on-going tool, privacy can be better protected only with ongoing dialogue.

Two new challenges have already identified themselves. Continuing regionalization indicates that even more layers of privacy safeguards will be needed, as more people will have access to data. In addition, administrative teams will need to ensure safeguards are in place and that staff are adequately trained.

Information technology can pose a great threat to personal privacy. The health sector in public body is quickly moving towards an Internet-based records management system that would allow for information-sharing among a variety of healthcare workers and agencies. The HealthNet/BC system is attempting to connect all healthcare workers in order to facilitate data transfers. The privacy implications are notable and, with the OIPC’s support, the Ministry of Health has already taken a number of steps to ensure some privacy protection. These measures include:

  • providing free software – called HN Secure – to all doctors, pharmacies and labs, to help them ensure the secure transfer of data over the Internet,
  • implementing training requirements for anyone who will be using the integrated electronic system,
  • restrictions on who can access the system to those who need access to the data for work purposes, and
  • creating doctor’s office information brochures for patients entered in the system.

There is little doubt that more work is required in order to ensure health information privacy. Each project provides more knowledge about how to work together and achieve the mutually beneficial results of quality patient care and protection of patients’ fundamental rights. The interaction of privacy experts and health experts is an essential component of this. The continued development of strong relationships between the OIPC and health care bodies will help ensure that health privacy remains an important issue during both the implementation and on-going phase of various projects.

The largest issue of all, of course, is how ongoing federally-funded harmonization initiatives will play out. Thus far, British Columbia has decided that one Act is enough to protect health information, but enactment of the Personal Information Protection and Electronic Documents Act and initiatives under the Health Infoway (for example) raise the question of where harmonization will take us. To the lowest common denominator?

Canadian Institute Conference – Toronto
Health Information Privacy – The British Columbia Experience
David Loukidelis, Information and Privacy Commissioner for BC
June 19, 2001

[1] Speech has been edited slightly for posting on the Web

June 19, 2001
Information and Privacy Commissioner of British Columbia