CASL – important developments and enforcement updates

Big news last week about CASL (Canada’s anti-spam legislation) – the right of private action, which was scheduled to come into effect on July 1st, was indefinitely delayed by an Order-in-Council issued by the Federal Government on June 7.

This is a relief for every organization, whether for-profit, non-profit, or charitable. The right of private action was generally being met with dread – it allowed for private litigants to sue for any breach of specific sections of CASL and to claim for significant damages. Those damages included statutory damages of up to $1 million per day for violations.

Enforcement activity since 2014

However, this development doesn’t mean that CASL is toothless. Far from it. Fines under CASL are a maximum of $10 million per violation for businesses/organizations. That’s huge.

I attended an update on CASL put on by the CRTC for the Ontario Bar Association in mid-May. There has been a lot of activity around CASL enforcement since CASL came into effect 3 years ago (July 1, 2014). Here are a few tidbits that I learned about:

  • In lieu of prosecutions, the CRTC tends to pursue “undertakings” when an investigated complaint reveals an apparent violation of CASL
  • These undertakings require the offender to implement a robust compliance program
  • Undertakings are accompanied by a reparation payment (in lieu of a fine/penalty)
  • These reparation payments are substantial:
    • Porter $150K
    • Rogers $200K
    • Kellogg’s $60K
    • Blackstone $50K
    • William Rapanos (individual) $15K
    • Compu-Finder $1.1M (being contested)
  • The ability of the offender to pay is taken into account as one of the factors in determining an appropriate payment. For example, Blackstone is a small business, resulting in a significantly reduced penalty. Still, $50K is a huge amount for any small business to pay.

Deemed implied consent – 3-year grace period ends July 1

Remember, CASL requires that your organization have consent (express or in some cases implied) when sending commercial electronic messages (CEMs). (To be “commercial”, the email/text must be trying to get people to buy a product or service.)

There was a 3-year grace period in which organizations were allowed to email current and former donors, members, volunteers and those with business relationships. That grace period ends on July 1, 2017. After that, the list of individuals to whom your organization can send CEMs is limited to a 2-year ever-refreshing window – you can only email with implied consent if you have had contact with the individual (as a donor, member, volunteer or for business purposes) for 2 years from the date of that contact.

How to be CASL compliant

What also became evident is that your organization needs to have a CASL policy, undertake and update CASL training of all staff, and monitor CASL compliance. If your organization becomes the subject of a complaint/investigation about CASL, you need to demonstrate good record-keeping – i.e., keeping screenshots of subscriptions to newsletter lists and of emails containing express consent to receive CEMs.

The CRTC update also offered these additional bits of information:

  • Non-profits are “not bubbling to the top” of the enforcement radar, which is good news for the health sector
  • Sending a survey is not a CEM.

The CRTC’s slides were available to attendees. If anyone is interested in receiving a copy, please let me know.

DDO’s CASL Toolkit for the non-profit and charitable sectors

DDO Health Law published a “CASL – Anti-Spam Toolkit” in June 2014 targeted at assisting non-profit and charitable organizations to become CASL compliant. Copies are available for purchase – please contact me if interested.

Updated April 2016 – Proposed Changes to Ontario’s Health Privacy Legislation – Bill 119

Bill 119 proposes to amend the Personal Health Information Protection Act, 2004 (PHIPA).  DDO Health Law has prepared a blacklined version of PHIPA so it is easy to see the proposed changes:

Proposed Changes to PHIPA through Bill 119 Blacklined Not Official Version 2016

Caution: This is for general information purposes only and is not an official version.  These changes are not yet law and there may be further future amendments.  Please contact us if you have questions.

Mary Jane Dykeman – mjdykeman@ddohealthlaw.com

Kathy O’Brien – kobrien@ddohealthlaw.com

Health Sector Privacy Officer Training

Health Sector Privacy Officer Training – to register online

The privacy practices of health care organizations are under increasing scrutiny from patients (and their families), the courts, the media and the regulator, the Information and Privacy Commissioner of Ontario (IPC/O). As Privacy Officer, it is your job to ensure your organization is compliant with privacy laws and IPC/O guidelines. Whether you are new to the Privacy Officer role or are a seasoned privacy professional, you may wonder whether you have the latest information to do your job properly.  You may have already discovered that it is not enough to know the technicalities of the law; it is also important that you understand the spirit of the legislation and how to apply the law to specific and sometimes difficult situations.

This is the only course of its kind in Canada.

This course will give you confidence in your role by giving you the information and skills you need to succeed as a Privacy Officer.

You receive:

  • 20 hours of intensive instruction from leading legal educators in the field
    • 3 full day sessions each available in person in downtown Toronto or via webcast
  • Reassurance that you have the most current information on privacy practices and expectations for health care organizations
  • Practical and dynamic skills training for adult learners using scenarios, stories, quizzes and assignments
  • Sample tools to adapt to your organization for your everyday use, including (and many more):
    • Privacy program checklist
    • Privacy policies
    • Privacy breach checklist
    • Privacy breach notification
  • A privacy library
    • The primary Ontario privacy resource – “Guide to the Ontario Personal Health Information Protection Act: A Practical Guide for Health Care Providers” (H. Perun, M. Orr, F. Dimitriadis, Irwin Law, 2005)
    • Online resources are compiled for you in a few downloadable PDFs so you do not have to find the resources yourself and print them individually
  • A reading list to prepare you before each session
  • Homework to assist you to work through your own organization’s documents
  • A report card you complete yourself at the end of the course to share with your Board or supervisor to demonstrate your organization’s privacy compliance status and remaining privacy gaps, if any
  • A letter outlining the training you have received, for your organization’s due diligence

While we focus on Ontario legislation – this course is of value to any health sector Privacy Officer.

For more information go to our online registration platform. And for even more information, contact Franca Latino by phone at: 416-967-7100 x 242  or by email at: flatino@ddohealthlaw.com

Waiting for ONCA: Don’t put your by-laws on hold

Wondering what’s happening with ONCA (Ontario’s long-awaited Not-for-Profit Corporations Act, 2010)?

Answer:  nothing.  We’re in limbo.  Back in September, the Ontario government announced that ONCA would be further delayed, indefinitely.  The announcement reassured that the government remains committed to bringing in ONCA “at the earliest opportunity”, but it did not identify a planned (or even anticipated) proclamation date.  Instead, it promised the sector at least 24 months’ prior notice of ONCA coming into force and effect.

There have been no developments or updates since September.  Practically speaking, the earliest we can hope to see ONCA come into effect is Spring 2018.

Everyone in the not-for-profit sector is eager to take advantage of ONCA, which will bring the sector participants into the 21st century.  Yes, there will be preliminary effort and resources needed to transition under ONCA – particularly applying for Articles of Amendment (which will amend the existing Letters Patent) and updating your organization’s by-laws.  But there’s a 3-year window to do that, so no urgent action will be required on the day ONCA comes into effect.

What we are looking forward to:

  • Once a not-for-profit corporation is transitioned under ONCA, member relations will be much easier. ONCA facilitates electronic communication with members and the holding of electronic member meetings.
  • ONCA allows the Board itself to appoint directors to the Board, on an annual basis, up to a threshold number. This could be a very valuable tool, allowing the Board to supplement its skill sets on an annual basis, as its priorities and objectives change.
  • ONCA allows the Board much more flexibility in delegating decision-making down to Board committees. This needs to be managed thoughtfully, but a stronger committee structure can allow the Board to focus its attention on the most strategically challenging decisions it faces.
  • ONCA offers not-for-profit boards comfort that, should they take actions that are inadvertently or technically off-side their articles or by-laws, those actions are nevertheless valid. Business corporations have enjoyed this reassurance for decades.

Areas of ongoing concern:

  • There is unease about the provisions of ONCA that give non-voting members voting rights in specific circumstances: e.g., amendments to rights attached to a group of members, amalgamation, and the sale of substantially all of the corporation’s property.  The Ontario government previously proposed (via 2013’s Bill 85) that those provisions would be delayed for a further 3 years after ONCA comes into force, presumably to give the government and sector further opportunities to consider the appropriateness of this scheme for the sector.  We will be watching to see if similar amendments to ONCA are introduced and passed by the Ontario government before ONCA comes into force.

Are you waiting for ONCA to update your by-laws?  Please don’t.

In chatting with a number of our not-for-profit clients, I’ve learned that many organizations that typically review their by-laws every 3 to 5 years – a good governance practice – have put that project on hold, waiting for ONCA.  Some haven’t touched their by-laws since 2010, when ONCA was passed by the Legislature.  Those by-laws are now at least 6 years stale, and in real need of some fresh eyes.

Reviewing and refreshing your organization’s by-laws should not be put on hold.  Best governance practices evolve.  Your governance structure changes.  Your by-laws are a governance and business critical legal document.  They need nurturing and care from time to time.

Don’t be like Lucky and Pozzo (that’s a Waiting for Godot reference) – stop waiting and be proactive.  Task your board’s Governance Committee with a full by-law review, if such a review hasn’t happened in the last 3 to 5 years.

If you are a FIPPA or MFIPPA institution – you must know the new recordkeeping obligations

On January 1, 2016, amendments came into force that impact recordkeeping obligations under FIPPA and MFIPPA. The Information and Privacy Commissioner of Ontario released a document, “FIPPA and MFIPPA: Bill 8 – The Recordkeeping Amendments”, to explain the amendments and assist institutions to meet their new obligations.  As an example of the changes, the amendments require institutions to ensure the preservation of records and make it an offence to alter, conceal or destroy a record with the intention of denying a right of access to the record or the information the record contains.

This is a must read for all health sector FOI co-ordinators.

IPC releases new privacy resource to assist health care organizations

The Information and Privacy Commissioner of Ontario has released slides from the PHIPA Summit in December 2015 to assist health care organizations in navigating new (and not so new) technologies. Click here to read the PowerPoint presentation.

The presentation covers:

  • Fax
  • Email
  • Mobile and portable devices
  • Encryption
  • Passwords
  • Wireless
  • Electronic medical records
  • Shared electronic health record systems
  • Unauthorized access to electronic records

This is a must read for all privacy officers of health care organizations.
