Nunavut’s Information and Privacy Commissioner (IPC) has recommended prosecution of a doctor who repeatedly accessed the medical records of a former employee, violating their privacy in the process.
But exactly how that prosecution will happen, and who will do it, remain open-ended questions. The RCMP and prosecutorial services don’t think it’s in their mandate, and there is uncertainty about whether or not the Government of Nunavut’s Justice Department is the appropriate entity either.
It’s an interesting twist in this case. While the Access to Information and Protection of Privacy Act (ATIPPA) act allows for prosecution, it has never happened before — and the process is unclear, the IPC said.
It also recommended that Health develop a comprehensive anti-intrusion plan to prevent similar privacy breaches in the future, and acquire software to alert it to “red flag” behaviours in accessing private health data in the territory.
Over a period of 18 months, and without any clinical purpose, a doctor viewed the records of someone who worked in Nunavut’s health-care system. (The IPC did not name the doctor, nor the complainant – or the community as they would tend to identify that person, it said.)
In May 2020, there was a workplace incident involving the complainant and the doctor. The details of that incident weren’t relevant to the decision, but the IPC said “it is enough to say the incident was stressful to the complainant, and that the doctor later acknowledged that their conduct was inappropriate and apologized for it.”
Shortly after that incident, the doctor began looking at their electronic medical records (EMRs). The doctor did so through Nunavut’s EMR system, which is called Meditech.
Meditech logs who looks at records, and that audit trail confirmed his pattern over an 18-month period. Although there was an audit trail, Meditech does not have a built-in alert system. The doctor’s behaviour only came to light because the complainant asked, via a privacy request, to see the audit trail from Meditech.
When confronted, the doctor admitted to the behaviour and their contract with the Department of Health was terminated and the matter was referred to the doctor’s professional regulator.
Doctor’s letter of admission breached privacy again
The doctor’s admission came in the form of a letter to the territorial medical chief of staff. The complainant said that, in the letter, the doctor breached their privacy yet again.
That’s because the doctor was using information, obtained from the privacy breach, to explain tehir conduct. That meant the personal information was disclosed to the medical chief of staff and anyone else in Health who read the letter.
A ‘profound violation’
The IPC said the doctor’s actions were a “profound violation” of the complainant’s personal privacy.
The doctor admitted the breach, but they “hardly had a choice,” it said, because of the data trail from Meditech.
“In their letter to the medical chief of staff, the doctor offered a rationale for the data intrusion, but it is self-serving and scarcely believable. I find the letter constitutes a further privacy breach, because it uses information obtained from the privacy breach to try to justify the privacy breach,” the IPC said.
The only questions before it was the consequences for the doctor and what steps Health can take to mitigate the risk of future breaches.
A ‘data intruder’
Interestingly, the IPC took aim at the language often used when accessing private information.
It is commonly referred to as “snooping” — but it noted that word has a connotation of innocent curiosity. The IPC mulled using “data voyeurism” or “data invasion” but ultimately settled on “data intrusion.”
“The doctor was a data intruder,” it said.
Refusal to name doctor
The complainant wanted the privacy commissioner to name the doctor in its report, which is a public document. The complainant argued that naming and shaming would be a major deterrence, and that data intruders should not benefit from the very privacy protections they breached.
But the IPC noted that it has issued close to 240 reports since the office was created a quarter-century ago, and not once has it named anyone.
“The legal test for revealing a data intruder’s name is whether it is ‘necessary’ to explain my findings and recommendations. I understand the Complainant’s arguments that it may be desirable to name this data intruder, but I find it is not necessary. I therefore will not do it.” it said.
Prosecuting the doctor, but how? And by who?
The complaint asked if the doctor can be prosecuted for the breach, and here they found a favourable ear.
Under section 59 of ATIPPA, anyone who “knowingly collects, uses or discloses personal information in contravention of this Act or the regulations is guilty of an offence punishable on summary conviction and is liable to a fine not exceeding $5,000.”
The IPC said, to its knowledge, there had never been a prosecution under this section in Nunavut, though there have been successful privacy prosecutions in other Canadian jurisdictions.
The IPC had previously raised the possibility of prosecution, but in none of the cases was the process by which a prosecution might actually occur discussed.
“And therein lies the rub,” it said.
It reached out to the Public Prosecution Service of Canada (PPSC), the territory’s only prosecutorial service, and the RCMP, its only police force.
“Neither was able to commit to investigating (in the case of the RCMP) or prosecuting (in the case of the PPSC) an offence under section 59 of the ATIPPA,” it said. “They are not sure it is within their respective mandates.”
It also reached out to the Government of Nunavut’s Department of Justice, which is ultimately responsible for the investigation and prosecution of territorial offences (as opposed to Criminal Code offences or other federal statutes.) That discussion was not concluded as of the time of the ruling, it said.
(All of the discussions with PPSC, the RCMP and the government involved prosecutions generally under section 59 and not the specifics of this case.)
The IPC said it was “doubtful” that Justice was the appropriate entity to deal with ATIPPA offences as it applies only to a “public body” under the GN umbrella.
“An alleged offender will almost always be someone employed by or otherwise associated with the (Government of Nunavut),” it said.
Nevertheless, it recommended that Health, in consultation with Justice, consider prosecuting the doctor.
“But I am aware of the difficulties: The doctor is no longer in Nunavut, there is a six-month limitation period for a summary conviction offence, the maximum fine hardly merits the required cost and effort, and GN Justice may first have to negotiate under a prosecution protocol for ATIPP offences with the PPSC,” it said.
Preventing future incidents
The real heart of the report was whether Health had adequate safeguards against data intrusion.
It noted that Nunavut is one of “very few” jurisdictions in Canada without health-specific privacy legislation. In Nunavut, the standard is found in section 42 of ATIPPA:
“The head of a public body shall protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.”
The IPC ruled Health did not meet the standard of “making reasonable security arrangements.”
It made the following recommendations:
- Health, in collaboration with the GN Department of Justice, consider prosecution of the doctor under section 59(1) of the ATIPPA
- Health develop a comprehensive anti-intrusion plan
- Health acquire software that will alert it to “red flag” behaviours by users of the Meditech system
- Health assign to a specific position the responsibility for specifying, reviewing, and following-up on “red flag” behaviours by users of the Meditech system
- Health modify the Meditech system so that users who access the records of a person with whom they have no clinical relationship receive a clear warning
- Health modify the Meditech system so that a given user can be blocked from accessing a given patient’s records
- Health provide to this office, before the end of December 2023, a progress report on its medical records anti-intrusion plan
For more information, see Department of Health (Re), 2023 NUIPC 6 (CanLII)