British Columbia’s privacy commissioner says we’re falling behind the rest of Canada in mandatory reporting of privacy breaches. As Elizabeth Denham notes, most other provinces have legislation that compels both public- and private-sector agencies to report such breaches. We do not.
This is indeed an issue. But before we add the additional element of compulsion to our statutes, I think it’s vital to look more closely at the problem. Our existing privacy legislation is a total shambles.
For years, we had the worst record in Canada for getting health data into the hands of university researchers. There has been some improvement of late, but the fundamental difficulty remains. No one knows what the rules actually demand or permit.
We saw a striking example of this confusion in the recent ombudsperson drama. Jay Chalke, newly appointed to the office, was asked to investigate the firings three years ago at the Health Ministry.
Chalke said he feared existing privacy statutes would constrain any such investigation. Yet that prompted a riposte from the deputy attorney general, who made light of Chalke’s concern. Both are experienced government lawyers. Who is right?
And those Health Ministry firings themselves reveal — in heartbreaking detail — the same underlying confusion. After several privacy breaches came to light, seven researchers were fired, one of whom subsequently killed himself.
Among those dismissed was a harried employee who allegedly gave patient files to a researcher without removing personal health numbers (the names and addresses had been scrubbed).
Now, it’s theoretically conceivable that someone could use a PHN to trace a patient of interest, so this is not a trivial matter. (Although I know of no case in Canada where it’s ever happened. And with good reason: It’s out-and-out professional misconduct.)
However, the researcher realized the PHNs were still there, and immediately returned the files, so no harm was done.
Yet the employee was fired and the researcher’s access to data was terminated (though later reinstated). Fair deal, or grotesque over-reaction?
And that’s just the problem. We have a number of overlapping privacy statutes, each written in dangerously vague language. There is a fearsome amount of room for interpretation within them.
An example? A few years ago an adult man killed himself in Victoria. He left a suicide note, which his father wished to see.
No, he was told by the commissioner’s office. That would be an invasion of the dead man’s privacy. It doesn’t get more screwed up than that.
Now put yourself in the position of a government official — or, for that matter, a university dean or a health-authority manager. There might or might not have been a privacy breach in your office. No one can say for certain. What do you do?
This actually happened to administrators at the University of British Columbia some years ago. A young female student attempted suicide, was admitted to hospital, then discharged.
But staff, uncertain about the girl’s privacy rights, decided not to tell her mother. The girl subsequently attempted suicide a second time, and died.
Was not informing the mother the correct decision? Who knows?
But this much you can be sure of. If you get on the wrong side of the privacy police, you pay a heavy price. Better safe than sorry. That’s partly why those health staffers were fired.
Our position resembles the early days of criminal law, circa the 1500s. There were statutes on the books in those days, but no one fully understood their reach or application. It took centuries of litigation and courtroom precedent to fill the gaps.
So yes, we should have enforceable privacy laws. But please, let us first have a fully worked-out, tried-and-trusted regime that everyone understands.
Otherwise, we’re closing the barn door with a pack of wolves inside.