Important Developments on Police Record Checks

Initially enacted by the Ontario government in 2015, the Police Record Checks Reform Act, 2015 (the “Act”) has finally been proclaimed by the Lieutenant Governor to come into force on November 1, 2018.  In addition to standardizing requests for police record checks, the Act extends privacy protections to the individuals who are the subjects of police record checks (“subject individuals”) by (i) implementing a consent regime, and (ii) prescribing what can and cannot be disclosed in respect of each type of police record check requested.

Impact on your Organization

If your organization requests police record checks as part of its recruitment efforts, whether in respect of employees, volunteers, or volunteer Board members, you will want to refresh your policies and procedures to ensure that they align with the requirements of the Act.  Contravention of the Act is an offence liable to a fine of up to $5000.

Application of the Act

The Act applies to a “police record check”, which is a search of the records maintained within a police database in Canada (e.g., Canadian Police Information Centre database) and required to be conducted by persons (including organizations) in respect of a subject individual for the purposes of:

  • Hiring the subject individual for employment.
  • Engaging the subject individual for volunteer work.
  • Admitting the subject individual to an educational institution, a program, or a membership body.
  • Receiving goods and services from the subject individual or providing them to the subject individual.

The Act will not apply to certain types of searches, such as those in connection with an application for a change of name, an application for custody of a child by a non-parent, certain searches requested by a children’s aid society, and certain others that are listed in the Act and one of its accompanying regulations (“Exempted Searches”).

For some Exempted Searches, the application of the Act is simply delayed for a year and will apply to those searches on November 1, 2019.  Examples of Exempted Searches for which the application of the Act is delayed is a search requested by the Crown in Right of Ontario for appointing certain public servants under Part III of the Public Service of Ontario Act, 2006, or for screening a provider of goods or services to be awarded a contract to provide goods or services to a ministry or government agency.

Types of Police Record Checks

The Act creates three types of police record checks, each disclosing only the information permitted to be disclosed in the Schedule to the Act.  The types of police record checks are set out below in order of the amount of information disclosed (greatest to least):

  1. Vulnerable Sector Check
  2. Criminal Record and Judicial Matters Check
  3. Criminal Record Check

While there is variation amongst the types of police record checks and the information that is permitted to be disclosed, the following is a list of information that is not permitted to be disclosed for any type of check:

  • Summary convictions, if the request is made more than 5 years after the date of the conviction.
  • Court orders made under the Mental Health Act, Part XX.1 of the Criminal Code (Canada), or those related to withdrawn charges.
  • Certain restraining orders made against the subject individual.
  • Convictions for which a pardon has been granted (subject to exceptions).

The Act also specifies when “non-conviction information” can be disclosed. Subject to certain exceptions under the Act, this is information related to the subject individual being charged with a criminal offence which was subsequently dismissed, stayed, withdrawn, or resulted in a stay of proceedings or acquittal.  Non-conviction information may only be disclosed pursuant to a Vulnerable Sector Check if certain criteria listed in the Act are met (e.g., the criminal charge is one listed in the regulations under the Act, the alleged victim was a child or a vulnerable person, and there is a pattern of behaviour or incidents indicating a risk of harm to a child or a vulnerable person). The subject individual has an opportunity to request a reconsideration of any disclosure of non-conviction information.

Procedure for Police Record Checks

In order to standardize the request for and conducting of police record checks, the Act establishes the following procedures:

  • A written request for a police record check may be made by the subject individual or by a person or organization in respect of the subject individual.
  • The written request for a police record check must:
    • Specify the type of police record check being requested.
    • Include the written consent of the subject individual (such consent must be in respect of the particular check being requested).
    • Include any applicable fee.
  • The results of the police record check must first be disclosed to the subject individual, and to no other person.
  • If, after receiving the results, the subject individual provides written consent, the results may be provided to the person or organization that requested the police record check or other person or organization specified by the subject individual.
  • The individual or person that receives the results of a police record check on the consent of the subject individual shall not use or disclose the results except for the purposes for which it was requested or as authorized by law.

If you need assistance in updating your policies and procedures, contact me @ mdeiana@ddohealthlaw.com.

PHIPA: Mandatory Breach Notification

The Information and Privacy Commissioner of Ontario (“IPC”) recently released a guidance document explaining when privacy breaches must be reported to the Commissioner. The Guidelines are entitled “Reporting a Privacy Breach to the Commissioner: Guidelines for the Health Sector” (September 2017).  The Guidelines also require custodians to begin tracking statistics on privacy breaches as of January 1, 2018 and to begin filing an annual report with these statistics on March 1, 2019.

When does the requirement to report certain breaches to the IPC take effect?
These reporting requirements come into effect October 1, 2017, via amendments to the PHIPA Regulation.

Who reports?
Health information custodians with custody and control of personal health information.

What is to be reported?
Any of the categories of breaches described in the PHIPA regulation.

In the Guidelines, the IPC breaks down the categories of mandatory privacy breach reports and gives some examples of circumstances that must be reported. There are 7 categories of breaches – but only one category is necessary to trigger the requirement to report. The categories are:

  • use or disclosure without authority
  • stolen information
  • further use or disclosure without authority after a breach
  • pattern of similar breaches
  • disciplinary action against regulated health professionals
  • disciplinary action against non-College members
  • significant breach.

Remember:
These Guidelines apply to reports that must be made to the Commissioner and they are not applicable to notification of individuals whose privacy has been breached.

When should notice be given?
The Guidelines do not specify when notice is to be given; however, it is wise to make such reports as soon as reasonably possible after the breach occurs. The IPC may be able to offer guidance toward mitigating the effects of the breach.

The Guidelines are available here:

https://www.ipc.on.ca/wp-content/uploads/2017/08/health-privacy-breach-notification-guidelines.pdf

Contact us for guidance on when to report privacy breaches or to participate in our Privacy Officer training.

For more information contact mjdykeman@ddohealthlaw.com or spalter@ddohealthlaw.com.

Ontario’s new Patient Ombudsman

Recently here at DDO we were discussing the role and powers of the Patient Ombudsman. The Patient Ombudsman has jurisdiction to resolve complaints about health service organizations such as public hospitals, long-term care facilities, and certain services provided by the LHINs.

The Patient Ombudsman is an office of last resort – so people having complaints must first explore resolution directly with their health service organization. When a complaint is filed, the Patient Ombudsman will ensure that no other body has jurisdiction over the complaint and, with patient consent, will try to facilitate resolution by contacting the health sector organization.

The Patient Ombudsman may investigate complaints where a facilitated resolution is unsuccessful. Health sector organizations such as hospitals and long-term care homes will be well placed to respond to inquiries from the Patient Ombudsman if their internal processes for addressing complaints are robust, thorough, and comprehensive.

For more information about the Patient Ombudsman, for help in crafting a robust complaint process, or for help in responding to an inquiry from the PO, please contact me at spalter@ddohealthlaw.com.

12345