The Enforcement of PHIPA

AuthorHalyna N. Perun; Michael Orr; Fannie Dimitriadis
Health information custodians and others who are not in compliance with the
Personal Health Information Protection Act, 2004,1or who are alleged to have
breached the legislation or the regulation, risk becoming the object of enforce-
ment action. There are several formal legal ways of enforcing PHIPA and
obtaining redress for breaches of the legislation, including the following:
a review by the Information and Privacy Commissioner, whether on the
basis of a complaint or on the initiative of the Commissioner, who has the
power to make enforceable orders;
a court action for damages for breach of the legislation; and
a prosecution for an offence under the Act.
Each of these processes is considered in detail below.
1 S.O. 2004, c. 3, Sch. A [PHIPA].
15 The Enforcement of
1) Background on the Commissioner and the Legislation
The Ontario Information and Privacy Commissioner,2referred to in PHIPA
simply as “the Commissioner,” is the main enforcement body under PHIPA.
The Office of the Information and Privacy Commissioner was created
under the Freedom of Information and Protection of Privacy Act,3in 1988 as the
oversight body when Ontario’s first public sector privacy legislation came into
force. When Ontario’s municipal sector was added to Ontario’s public sector
freedom of information and protection of privacy legislative regime on 1 Janu-
ary 1991 with the coming into force of the Municipal Freedom of Information
and Protection of Privacy Act,4the oversight powers of the Information and Pri-
vacy Commissioner were extended accordingly. Since then, the office has
developed considerable experience in interpreting privacy law and has been a
consistent advocate for the importance of protecting privacy in both the public
and private sectors. The Commissioner is an independent officer of the
Ontario Legislature, not reporting to any Minister.5The Commissioner contin-
ues to be governed by the general provisions of FIPPA, as amended by PHIPA,
for PHIPA matters within the Commissioner’s jurisdiction.6Among those
general provisions are provisions that require the Commissioner to report to
the Legislature annually on her activities under FIPPA, MFIPPA, and PHIPA.7
For some time, the Commissioner has been critical of the extent of her
powers under FIPPA and MFIPPA to investigate and make orders in connec-
tion with complaints about the privacy practices of institutions subject to
FIPPA and MFIPPA.8Those Acts contain a power for the Commissioner to
2 Serving as Ontario’s Information and Privacy Commissioner since 1998, Dr. Ann
Cavoukian (Ph.D., Psychology) was re-appointed in May 2004 for a further term of
five years.
3 S.O. 1987, c. 25, subsequently R.S.O. 1990, c. F.31, s. 4 [FIPPA].
4 S.O. 1989, c. 63, subsequently R.S.O. 1990, c. M.56 [MFIPPA].
5FIPPA, above note 3, s. 4(1). The Commissioner is appointed by the Lieutenant Gover-
nor in Council on the basis of approval by the Legislature (s. 4(2)) for a five-year
renewable term (s. 4(3)).
6 This would include FIPPA, ibid., ss. 4–9, and 58, as amended by PHIPA, s. 81.
7FIPPA, ibid., s. 58.
8 Information and Privacy Commissioner, A Special Report to the Legislative Assembly of
Ontario on the Disclosure of Personal Information by the Province of Ontario Savings
Office, Ministry of Finance (26 April 2000) [POSO Report]; see especially the Adden-
dum entitled “Powers Necessary to Conduct a Proper Investigation.” The POSO
Report arose out of a review conducted by the Commissioner in 2000 based on a
conduct “inquiries,” which include the powers to enter and inspect premises,9
require the production of records,10 and summon and examine persons under
oath.11 The Commissioner’s powers to conduct inquiries, however, apply only
to “appeals” from a decision of an institution concerning an access request or
a correction request.12 The Commissioner does not have any similar investiga-
tive powers under FIPPA or MFIPPA to review complaints about the informa-
tion practices of institutions subject to those Acts.13 Furthermore, FIPPA and
MFIPPA provide the Commissioner with powers to order effective remedies
for access and correction matters.14 Regarding other types of complaints, how-
ever, the Acts provide the Commissioner only with the power to order an insti-
tution to cease information practices that contravene the Acts or to destroy
information collected in contravention of the Acts.15 Apart from the powers to
order these particular remedies, the Commissioner is otherwise limited to
making assessments about compliance, and recommendations on the infor-
The Enforcement of PHIPA 559
news reporter’s information that in 1997 the Ontario government provided personal
information about POSO customers, including account information, to a private
financial consultant and private market research firm to analyze prospects for a possi-
ble privatization of POSO and to survey POSO account holders to determine their
reactions. Ultimately the Commissioner determined that the disclosure of personal
information by the government in those circumstances was not in accordance with
FIPPA. The issue of relevance here was that the Commissioner reported that a num-
ber of government officials whose input was expected to be relevant refused to co-
operate with the investigation, and that her office lacked the powers to require their
co-operation. The Addendum to the Report focused on this issue and recommended
amending FIPPA and MFIPPA to provide improved investigative powers. As noted in
the Report, the same types of recommendations for enhanced powers had been made
to and accepted by the Standing Committee on the Legislative Assembly in 1991 and
1994 during the three-year reviews of FIPPA and MFIPPA respectively, though the
Acts were not amended in accordance with the recommendations.
9FIPPA, ibid., s. 52(4); MFIPPA, ibid., s. 41(4).
10 FIPPA, above note 3, ss. 52(4) & (7); MFIPPA, above note 4, ss. 41(4) & (7).
11 FIPPA, ibid., s. 52(8); MFIPPA, ibid., s. 41(8).
12 FIPPA, ibid., ss. 50(1) & 52(1); MFIPPA, ibid., ss. 39(1) & 41(1).
13 In fact, there appears to be little formal recognition of the Commissioner’s role with
respect to such complaints; rather, the ability to deal with such matters is largely seen
as being implicit in the Commissioner’s powers to assess compliance with FIPPA and
MFIPPA and to make recommendations on the practices of particular institutions:
FIPPA, ibid., ss. 58(2)(b) & (c), and see page iv in the Addendum to the POSO Report.
14 FIPPA, ibid., s. 54; MFIPPA, above note 4, s. 43.
15 FIPPA, ibid., s. 59(b); MFIPPA, ibid., s. 46(b). This order power, however, does not
appear to have any enforcement mechanism. Improvement of the order powers in
FIPPA and MFIPPA was one of the key elements recommended by the Commission-
er in Appendix E to the Addendum to the POSO Report.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT