Best Practices Checklist for Drafting a Data Sharing Agreement

With the rapid advancements in technology and the breadth of data available, public bodies, organizations, and agencies are increasingly sharing information to increase knowledge, conduct research, and inform policies and procedures about public issues.

In Ontario, data sharing between organizations is governed by privacy legislation such as the Personal Health Information and Protection Act (“PHIPA”) and Freedom of Information and Protection of Privacy Act (“FIPPA”). In some cases, it is a statutory requirement that a written data sharing agreement (“DSA”) be established between the parties to set out the terms and conditions under which information is shared:

  • to ensure compliance with applicable laws
  • to ensure the proper safeguards are implemented to prevent unauthorized use, collection and disclosure.

In any event, it is considered best practice that data partners develop a written DSA when sharing information to protect data.

What is in a DSA?

Data sharing can be complex depending on the data partners, type of information, and the flow of information. This is why a DSA must be carefully drafted to ensure that your organization is compliant with applicable privacy laws and that proper safeguards are in place to protect your information. If your organization is involved in the collection, use, and disclosure of information you should consider the following ten questions when drafting a DSA:

  1. Who are the parties that will be collecting, using, and disclosing data?
    • Who will be disclosing or receiving the data?
    • If governed under PHIPA, identify if the party is a:
      1. Health Information Custodian (“HIC”)
      2. Health Information Network Provider (“HINP”)
      3. Electronic Service Provider
      4. Prescribed Entity
      5. Prescribed Registry
      6. Agent
    • Under PHIPA, a party can wear multiple hats (i.e. a party can be both a HIC and a HINP and would have to comply with the obligations as set out in the Act).
    • Will there be a secondary use or disclosure of the data by the recipient?
  1. What is the purpose of data sharing between the parties?
    • If you are disclosing data, you must consider how the receiving party is going to use your data, and for what purpose.
    • Data cannot be collected any more than reasonably necessary to serve the purpose. It is important that DSAs make it clear as to why a party is collecting or using the data.
    • For example, some common purposes under PHIPA include:
      1. Research
      2. Planning, management and analysis of the health system
  1. What information is being shared?
    • Is it personal health information?
    • Is it personal information?
    • Is it de-identified data?
    • Is it other information that is not governed by privacy legislation?
    • Is the information going to be linked to other data sets?
  2. What is the legal authority for collection, use and disclosure of the data? What is the governing legislation?
    • Under what legislation are the parties able to collect, use, and disclose data? This is often dependent on who the party is, and what type of information is being shared.
  3. How will the data be shared between the parties?
    • Will the data be disclosed only from one party to another? Or will it be disclosed both ways?
    • Will there be third party disclosures?
    • It is often helpful to include a flow chart to illustrate how the data is being shared especially in complex situations where there are multiple parties, and uses.
  4. What are the data elements, data sets, time frame, and collection rationale?

  5. How will the data be transferred?
    • What secure method of transfer will be used? Will it be electronic or hard copies?
  6. What is the frequency of data transfer?
    • Is it a one-time disclosure or on-going disclosure (i.e. annual disclosure of information)?
  7. How will the data be retained or destroyed?
    1. In some cases, the data is either returned to the originating party or destroyed after the DSA is terminated or expired. This should be clearly stated in the DSA.
  8. What privacy and security safeguards are in place by the receiving party to ensure your data is protected against unauthorized use?
    • For example:
      1. Administrative Safeguards: Have in place robust policies and procedures governing authorized users collection, use and disclosure of data; establish privacy breach protocols; provide on-going privacy and security training; and monitoring compliance.
      2. Technical Safeguards: Encryption for portable devices; strong passwords; firewalls; and anti-malware scanners.
      3. Physical Safeguards: Use alarm systems and lock rooms where equipment is used to send or receive information; keep portable devices in a secure location, such as a locked drawer or cabinet.

Note that this blog does not constitute legal advice – seek assistance from legal counsel. For assistance in drafting a data sharing agreement, please contact Pamela Seto at pseto@ddohealthlaw.com.

 

Important Developments on Police Record Checks

Initially enacted by the Ontario government in 2015, the Police Record Checks Reform Act, 2015 (the “Act”) has finally been proclaimed by the Lieutenant Governor to come into force on November 1, 2018.  In addition to standardizing requests for police record checks, the Act extends privacy protections to the individuals who are the subjects of police record checks (“subject individuals”) by (i) implementing a consent regime, and (ii) prescribing what can and cannot be disclosed in respect of each type of police record check requested.

Impact on your Organization

If your organization requests police record checks as part of its recruitment efforts, whether in respect of employees, volunteers, or volunteer Board members, you will want to refresh your policies and procedures to ensure that they align with the requirements of the Act.  Contravention of the Act is an offence liable to a fine of up to $5000.

Application of the Act

The Act applies to a “police record check”, which is a search of the records maintained within a police database in Canada (e.g., Canadian Police Information Centre database) and required to be conducted by persons (including organizations) in respect of a subject individual for the purposes of:

  • Hiring the subject individual for employment.
  • Engaging the subject individual for volunteer work.
  • Admitting the subject individual to an educational institution, a program, or a membership body.
  • Receiving goods and services from the subject individual or providing them to the subject individual.

The Act will not apply to certain types of searches, such as those in connection with an application for a change of name, an application for custody of a child by a non-parent, certain searches requested by a children’s aid society, and certain others that are listed in the Act and one of its accompanying regulations (“Exempted Searches”).

For some Exempted Searches, the application of the Act is simply delayed for a year and will apply to those searches on November 1, 2019.  Examples of Exempted Searches for which the application of the Act is delayed is a search requested by the Crown in Right of Ontario for appointing certain public servants under Part III of the Public Service of Ontario Act, 2006, or for screening a provider of goods or services to be awarded a contract to provide goods or services to a ministry or government agency.

Types of Police Record Checks

The Act creates three types of police record checks, each disclosing only the information permitted to be disclosed in the Schedule to the Act.  The types of police record checks are set out below in order of the amount of information disclosed (greatest to least):

  1. Vulnerable Sector Check
  2. Criminal Record and Judicial Matters Check
  3. Criminal Record Check

While there is variation amongst the types of police record checks and the information that is permitted to be disclosed, the following is a list of information that is not permitted to be disclosed for any type of check:

  • Summary convictions, if the request is made more than 5 years after the date of the conviction.
  • Court orders made under the Mental Health Act, Part XX.1 of the Criminal Code (Canada), or those related to withdrawn charges.
  • Certain restraining orders made against the subject individual.
  • Convictions for which a pardon has been granted (subject to exceptions).

The Act also specifies when “non-conviction information” can be disclosed. Subject to certain exceptions under the Act, this is information related to the subject individual being charged with a criminal offence which was subsequently dismissed, stayed, withdrawn, or resulted in a stay of proceedings or acquittal.  Non-conviction information may only be disclosed pursuant to a Vulnerable Sector Check if certain criteria listed in the Act are met (e.g., the criminal charge is one listed in the regulations under the Act, the alleged victim was a child or a vulnerable person, and there is a pattern of behaviour or incidents indicating a risk of harm to a child or a vulnerable person). The subject individual has an opportunity to request a reconsideration of any disclosure of non-conviction information.

Procedure for Police Record Checks

In order to standardize the request for and conducting of police record checks, the Act establishes the following procedures:

  • A written request for a police record check may be made by the subject individual or by a person or organization in respect of the subject individual.
  • The written request for a police record check must:
    • Specify the type of police record check being requested.
    • Include the written consent of the subject individual (such consent must be in respect of the particular check being requested).
    • Include any applicable fee.
  • The results of the police record check must first be disclosed to the subject individual, and to no other person.
  • If, after receiving the results, the subject individual provides written consent, the results may be provided to the person or organization that requested the police record check or other person or organization specified by the subject individual.
  • The individual or person that receives the results of a police record check on the consent of the subject individual shall not use or disclose the results except for the purposes for which it was requested or as authorized by law.

If you need assistance in updating your policies and procedures, contact me @ mdeiana@ddohealthlaw.com.

PIPEDA Security Breach Obligations

Background

The Personal Information Protection and Electronic Documents Act (“PIPEDA” or the “Act”)[1] relates to how private sector organizations collect, use, and disclose personal information during commercial activities in Canada (not any other activity). This means that the Act usually does not apply to charities, not-for-profits, and political parties (unless they are engaged in commercial activities). “Commercial activity” in the Act is broadly defined to mean “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”[2]

The Digital Privacy Act

Bill S-4, The Digital Privacy Act,[3] introduced amendments to PIPEDA in June 2015, but didn’t come into force in full because regulations prescribing required details were not enacted. In March 2018, an Order in Council was issued by the Government of Canada, bringing the amendments into force on November 1, 2018. The companion Breach of Security Safeguards Regulations (the “Regulations”)[4] was published on April 18, 2018.

PIPEDA Security Breach Obligations

New provisions under PIPEDA and the Regulations relate to obligations of:

  • reporting to the Privacy Commissioner (the “Commissioner”)
  • providing notice to affected individuals
  • providing notice to other organizations or government institutions
  • keeping and maintaining a record of every breach.

Two key definitions relate to these obligations:

  • “breach of security safeguards” means the “loss of, unauthorized access to or disclosure of personal information resulting from a breach of an organization’s security safeguards [that are referred to in Schedule 1(4.7) of the Act] or from a failure to establish those safeguards”[5], and
  • “significant harm” means “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”.[6]

Note that the factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm (the “R-ROSH” test) to the individual are also listed in the Act, and include:

  • the sensitivity of the personal information involved in the breach
  • the probability that the personal information has been, is being or will be misused
  • any other prescribed factor.[7]

Report to the Commissioner

An organization must report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.[8] The report must be made as soon as feasible after the organization determines that the breach has occurred.[9] The report must be in writing and must contain:

  • a description of the circumstances of the breach and, if known, the cause
  • the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period
  • a description of the personal information that is the subject of the breach to the extent that the information is known
  • the number of individuals affected by the breach or, if unknown, the approximate number
  • a description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm
  • a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach
  • the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.[10]

An organization may submit to the Commissioner any new information that the organization becomes aware of after having made the report.[11] Furthermore, the report may be sent to the Commissioner by any secure means of communication.[12]

Notification to Affected Individuals – When?

Unless otherwise prohibited by law, an organization must notify an individual of any breach of security safeguards involving an individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.[13] The notification must contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm.[14] It must also contain:

  • a description of the circumstances of the breach
  • the day on which, or period during which, the breach occurred or, if neither is known, the approximate period
  • a description of the personal information that is the subject of the breach to the extent that the information is known
  • a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach
  • a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm
  • contact information that the affected individual can use to obtain further information about the breach.[15]

Notification to Affected Individuals – How?

The Act also requires that the notification be conspicuous and be given to the individual directly, subject to certain exceptions.[16] Direct notification must be given to the affected individual in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances.[17] Indirect notification to an affected individual must be given by an organization in any of the following circumstances:

  • direct notification would be likely to cause further harm to the affected individual
  • direct notification would be likely to cause undue hardship for the organization
  • the organization does not have contact information for the affected individual.[18]

Note that indirect notification must be given by public communication or similar measure that could reasonably be expected to reach the affected individuals.[19]

Notification to Other Organizations/Government

An organization that notifies an individual of a breach of security safeguards must notify any other organization, a government institution or a part of a government institution of the breach if the notifying organization believes that the other organization or the government institution or part concerned may be able to reduce the risk of harm that could result from it or mitigate that harm, or if any of the prescribed conditions are satisfied (none yet).[20] The notification must be given as soon as feasible after the organization determines that the breach has occurred.[21]

Record-Keeping Requirements

An organization must keep and maintain (for 24 months after the day on which the organization determines that the breach has occurred[22]) a record of every breach of security safeguards involving personal information under its control, including those breaches that do not create a real risk of significant harm to an individual.[23] It must, on request, provide the Commissioner with access to, or a copy of, a record.[24] The record must also contain any information that enables the Commissioner to verify compliance with the breach reporting and notification obligations outlined above (excluding those related to notifying organizations or government institutions).[25]

Statutory Penalty

Once the new provisions in PIPEDA are in force, every organization that knowingly contravenes the new obligations outlined above (excluding those related to notifying organizations or government institutions) is guilty of an offence that is punishable by a fine not exceeding $100,000.[26]

Contact nghalustians@ddohealthlaw.com for more information.

 

[1] http://laws-lois.justice.gc.ca/eng/acts/P-8.6/

[2] PIPEDA, s. 2(1).

[3] For more information: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/r_o_p/02_05_d_63_s4/

[4] http://www.gazette.gc.ca/rp-pr/p2/2018/2018-04-18/html/sor-dors64-eng.html

[5] PIPEDA, s. 2(1).

[6] PIPEDA, s. 10.1(7).

[7] PIPEDA, s. 10.1(8).

[8] PIPEDA, s. 10.1(1).

[9] PIPEDA, s. 10.1(2).

[10] Regulations, s. 2(1).

[11] Regulations, s. 2(2).

[12] Regulations. S. 2(3).

[13] PIPEDA, s. 10.1(3).

[14] PIPEDA, s. 10.1(4).

[15] Regulations, s. 3.

[16] PIPEDA, s. 10.1(5).

[17] Regulations, s. 4.

[18] Regulations, s. 5(1).

[19] Regulations, s. 5(2).

[20] PIPEDA, s. 10.2(1).

[21] PIPEDA, s. 10.2(2).

[22] Regulations, s. 6(1).

[23] PIPEDA, s. 10.3(1).

[24] PIPEDA, s. 10.3(2).

[25] Regulations, s. 6(2).

[26] PIPEDA, s. 28.

PHIPA: Mandatory Breach Notification

The Information and Privacy Commissioner of Ontario (“IPC”) recently released a guidance document explaining when privacy breaches must be reported to the Commissioner. The Guidelines are entitled “Reporting a Privacy Breach to the Commissioner: Guidelines for the Health Sector” (September 2017).  The Guidelines also require custodians to begin tracking statistics on privacy breaches as of January 1, 2018 and to begin filing an annual report with these statistics on March 1, 2019.

When does the requirement to report certain breaches to the IPC take effect?
These reporting requirements come into effect October 1, 2017, via amendments to the PHIPA Regulation.

Who reports?
Health information custodians with custody and control of personal health information.

What is to be reported?
Any of the categories of breaches described in the PHIPA regulation.

In the Guidelines, the IPC breaks down the categories of mandatory privacy breach reports and gives some examples of circumstances that must be reported. There are 7 categories of breaches – but only one category is necessary to trigger the requirement to report. The categories are:

  • use or disclosure without authority
  • stolen information
  • further use or disclosure without authority after a breach
  • pattern of similar breaches
  • disciplinary action against regulated health professionals
  • disciplinary action against non-College members
  • significant breach.

Remember:
These Guidelines apply to reports that must be made to the Commissioner and they are not applicable to notification of individuals whose privacy has been breached.

When should notice be given?
The Guidelines do not specify when notice is to be given; however, it is wise to make such reports as soon as reasonably possible after the breach occurs. The IPC may be able to offer guidance toward mitigating the effects of the breach.

The Guidelines are available here:

https://www.ipc.on.ca/wp-content/uploads/2017/08/health-privacy-breach-notification-guidelines.pdf

Contact us for guidance on when to report privacy breaches or to participate in our Privacy Officer training.

For more information contact mjdykeman@ddohealthlaw.com or spalter@ddohealthlaw.com.