Record Preservation under FIPPA

Our last posting provided a broad outline of the Freedom of Information and Protection of Privacy Act (“FIPPA”, for short). As we noted before, FIPPA isn’t just for information held by the government; many non-governmental organizations, including hospitals and universities, have an obligation to respond to public requests for access to their records. You can find out whether your organization is subject to FIPPA here:

This time we’re going to focus on one crucial aspect of FIPPA:  record preservation. Recall that if an organization is subject to FIPPA, individuals and corporations have a right to access the information that it collects and uses, subject to limited exclusions and exemptions. When a request for access is made, the organization must respond within 30 days (subject to limited extensions). Compliance would be virtually impossible absent a reliable records management system that incorporates clear recordkeeping requirements, and FIPPA is designed to ensure such a system is in place, while setting rules about the collection and use of the personal information organizations gather.

To begin with, collection and use of personal information is forbidden unless it’s expressly permitted by statute, or is necessary in connection with an organization’s lawful activity. FIPPA imposes a responsibility to protect the confidentiality of the collected personal information and the privacy of the individuals to whom it relates.  FIPPA also sets out retention and destruction requirements for records containing personal information.

In support of this, organizations are required to define, document, and put into place reasonable measures to prevent unauthorized access to all records.  And institutions are also required – and this really does bear emphasis – to ensure that only the individuals who need the records to perform their duties are given access to them. This is where many organizations run into trouble.

While FIPPA has always addressed the implementation of measures to prevent unauthorized access and inadvertent damage or destruction to records.  Since 2014, organizations must develop, document, and implement reasonable measures to preserve records in the institution’s custody or control according to the applicable record-keeping or record retention requirements or policies established under a statute or otherwise. There may also be government directives that apply to given organizations, while those that are designated as “public bodies” under the Archives and Recordkeeping Act, 2006 are subject to additional requirements to create a records schedule, submit it to the Archivist of Ontario for approval, and then follow it.  A lengthy list of the designated public bodies can be found here:

The impetus to emphasize record preservation arose in the wake of the government’s cancellation of various gas plant agreements, which generated controversy that prompted an investigation by the Ontario Information and Privacy Commissioner into the records management practices of political staff. This revealed that senior ministerial staff and personnel within the premier’s office had destroyed or deleted e-mails, which was already a contravention of the archives and recordkeeping legislation mentioned above. It seemed something more was needed.  In the Commissioner’s strongly worded report and addendum, changes to FIPPA were recommended.

Thus FIPPA was updated in 2014 with the record preservation requirement described above. It was also amended to make it an offence for anyone to “alter, conceal or destroy a record, or cause any other person to do so, with the intention of denying a right under [the Act] to access the record or the information contained in the record.” To establish this offence one must prove the actor’s intention to deny a right of access, meaning inadvertent destruction of records would likely not attract a penalty.  However, it is sensible to avoid the necessity of proving inadvertent destruction by implementing best practices that comply with law.  For institutions considering the destruction of records containing personal information, such destruction can only be done in accordance with the requirements set out in FIPPA. And for public bodies considering the destruction of public records, the Archives and Recordkeeping Act requires that record destruction only occur in accordance with approved records schedules or with the consent of the Archivist of Ontario.  Best practices require rigorous adherence to FIPPA’s requirements, records schedules (for public bodies), and the organization’s own internal policies. This is the only sensible way forward.

Please feel free to contact me at

What Colleges, members, advocacy associations and health care institutions need to know about Bill 87

Bill 87, the Protecting Patients Act, 2016, was introduced by Ontario’s Minister of Health and Long-Term Care on December 8th.  Proposed amendments to the Regulated Health Professions Act will give the Minister more control over the composition of colleges’ statutory committees, increase the colleges’ power to suspend members as an interim measure, implement changes regarding sexual abuse that aim to protect the public, and increase reporting obligations of members. Fines for a facility’s failure to report sexual abuse are also increased.

Regulators should be vigilant to ensure that their needs are communicated to the government and request consultation prior to the government making regulations that will affect selection of panel members and quorum for the Registration, Discipline, Fitness to Practice and Inquiry, Complaints and Reports committees, among other matters. Members of regulated health profession colleges, as well as advocacy associations, should be concerned about increased reporting obligations for members and collection of members’ personal information and personal health information to aid the Minister in deciding whether or not a college is fulfilling its duties under the Act.  Health care institutions should be aware of the increased monetary fines for failures to report sexual abuse.

A detailed exploration of the Bill’s impact on the Regulated Health Professions Act follows.

Bill 87’s impact on the Regulated Health Professions Act:  a detailed review

Bill 87, the Protecting Patients Act, 2016, amends a number of pieces of health care legislation.  This blog focuses on the proposed amendments to the Regulated Health Professions Act.

Under the proposed amendments to section 5, the Minister may require reports from a regulated health profession college Council that may contain personal information or personal health information of its members, to the extent necessary to allow the Minister to determine whether:

  • the college is carrying out its objects and fulfilling its duties; and
  • whether the Minister should exercise his powers under the Act or under a health profession Act, the Drug and Pharmacies Regulation Act or the Drug Interchangeability and Dispensing Fee Act

Although the Bill limits the collection of personal information and personal health information to no more than is necessary for the intended purpose, and indicates that collection of this information should not occur if other information will suffice, we have some concern about this ability of the Minister to require the production of personal information and personal health information of members where the Minister reviews the Council’s activities and requires the provision of reports and information.  The Minister’s review of a Council’s activities ,and decision about whether to take action, should not hinge on personal information or personal health information of members. Why would de-identified information or information in aggregate form only not suffice?

Under the proposed amendments, the Minister may request that a college collect personal information directly from its members not only for the purposes of health human resources planning but also for health human resources  research.

New regulation-making powers that are proposed will increase the oversight powers of the government by allowing it to make regulations:

  • governing the composition of committees of the Executive, Registration, Quality Assurance, Patient Relations, Discipline, Fitness to Practise and Inquiry Complaints and Reports Committees; qualifications for sitting on these committees; and reasons for disqualification from them;
  • setting out rules for the selection of panels of the Registration, Discipline, Fitness to Practice and Inquiry, Complaints and Reports Committees and quorum for these panels;
  • clarifying how a college is required to perform its inquiry, complaints, reports, discipline and incapacity functions in respect of allegations of misconduct of a sexual nature and providing for further functions and duties not inconsistent with those functions; and
  • expanding the purposes for which funding for therapy or counselling may be available from a college.

These new regulation-making powers will give the government more control over the kinds of qualifications necessary for members who sit on statutory committees. Any rules set out in these government-made regulations will prevail over rules about committee composition that are currently set out in college by-laws. The degree of input by the colleges into these regulations will depend on the amount of consultation the government undertakes, if any, and the degree to which colleges notify the government of their needs. There is no requirement for consultation with members or the colleges prior to the government making such regulations.  Colleges will want to be proactive in communicating their needs to government.

Additional proposed amendments will enhance the colleges’ power to protect the public from members about whom a complaint or report has been made by permitting an interim suspension order if the Committee is of the opinion that the member’s conduct or the member’s physical or mental state exposes, or is likely to expose, the member’s patients to harm or injury.  Any such interim suspension order, however, is not permitted to contain gender-based restrictions on the member’s certificate of registration. Registrars are also given power to withdraw a complaint or report before the Inquiry, Complaints and Reports Committees takes any action, if the complainant requests the withdrawal of the complaint or report.

The proposed changes also place more obligations on members to report:

  • their membership in another regulatory body that governs a profession inside or outside of Ontario;
  • findings of professional misconduct or incompetence from other regulatory bodies, inside or outside Ontario; and
  • if he or she has been charged with an offence and bail conditions, if any; the results of any appeal must also be reported.

The proposed changes in respect of sexual abuse aim to enhance protection of the public. These amendments:

  • prescribe offences that can trigger the application of the mandatory revocation provisions, via a government-made regulation (not a college regulation);
  • expand the list of grounds for mandatory revocation of a member’s certificate of registration;
  • require suspension where the professional misconduct involving sexual abuse does not fit within the expanded list of acts triggering mandatory revocation;
  • increase the amount of information available from the public register;
  • define “patient” to include an individual who was a member’s patient within the last year or within such longer period of time as may be set out in a government-made regulation;
  • define “patient” by criteria (other than time) set out in a government-made regulation;
  • increase monetary penalties for a facility’s failure to report suspected sexual abuse of a patient by a member, from $25,000 for individuals to not more than $50,000 (upon conviction) and from $50,000 for corporations to $200,000; and
  • allow patients who make complaints or reports involving sexual abuse allegations to access funding for patient therapy and counselling immediately, instead of waiting until after a finding of professional misconduct is made.

Advocacy associations, health care facilities and regulators are encouraged to voice any concerns they may have about this bill to the government without delay. For more information or assistance please contact

Patients First Act (Bill 41) receives Royal Assent

Bill 41, the Patients First Act, received Royal Assent on December 8th — it is now law.

What were the final changes to the Bill?

The Bill was reported out of Committee last week with a handful of amendments, most of them focusing on privacy. The amendments emphasize the protection of personal health information in the hands of investigators and supervisors appointed by the Ministry or the LHIN and require that any public report prepared by an investigator or supervisor include only de-identified personal health information.

There is also a new requirement that the LHIN provide prior notice of the appointment of a supervisor not just to the board of the impacted health service provider but also to the Minister.

Another change requires the Minister to consider the French Language Services Act requirements when establishing provincial priorities and strategic directions for the provincial and local health systems in Ontario.


If you have any questions about how Bill 41 may impact your health care organization, please contact Kathy O’Brien:  Follow me on Twitter @KathyOB_DDO.

MOHLTC seeks feedback on proposed QCIPA regulations

The Ministry of Health and Long-Term Care has issued proposed regulations under the Quality of Care Information Protection Act.

These regulations would:

  • add long-term care homes and laboratories and specimen collection centres as health facilities.  Health facilities can establish Quality of Care Committees that enable them to hold shielded discussions about quality of care issues.
  • require all health facilities to have written terms of reference for their Quality of Care Committee that are available to the public.

See the regulations at:

Comments are due by November 28th.