The Enforcement of PHIPA

• Author: Halyna N. Perun; Michael Orr; Fannie Dimitriadis
• Pages: 557-597

A. TYPES OF ENFORCEMENT UNDER PHIPA

Health information custodians and others who are not in compliance with the

Personal Health Information Protection Act, 2004,1or who are alleged to have

breached the legislation or the regulation, risk becoming the object of enforce-

ment action. There are several formal legal ways of enforcing PHIPA and

obtaining redress for breaches of the legislation, including the following:

• a review by the Information and Privacy Commissioner, whether on the

basis of a complaint or on the initiative of the Commissioner, who has the

power to make enforceable orders;

• a court action for damages for breach of the legislation; and

• a prosecution for an offence under the Act.

Each of these processes is considered in detail below.

557

1 S.O. 2004, c. 3, Sch. A [PHIPA].

15 The Enforcement of

HIPA

B. COMMISSIONER’S REVIEW

1) Background on the Commissioner and the Legislation

The Ontario Information and Privacy Commissioner,2referred to in PHIPA

simply as “the Commissioner,” is the main enforcement body under PHIPA.

The Office of the Information and Privacy Commissioner was created

under the Freedom of Information and Protection of Privacy Act,3in 1988 as the

oversight body when Ontario’s first public sector privacy legislation came into

force. When Ontario’s municipal sector was added to Ontario’s public sector

freedom of information and protection of privacy legislative regime on 1 Janu-

ary 1991 with the coming into force of the Municipal Freedom of Information

and Protection of Privacy Act,4the oversight powers of the Information and Pri-

vacy Commissioner were extended accordingly. Since then, the office has

developed considerable experience in interpreting privacy law and has been a

consistent advocate for the importance of protecting privacy in both the public

and private sectors. The Commissioner is an independent officer of the

Ontario Legislature, not reporting to any Minister.5The Commissioner contin-

ues to be governed by the general provisions of FIPPA, as amended by PHIPA,

for PHIPA matters within the Commissioner’s jurisdiction.6Among those

general provisions are provisions that require the Commissioner to report to

the Legislature annually on her activities under FIPPA, MFIPPA, and PHIPA.7

For some time, the Commissioner has been critical of the extent of her

powers under FIPPA and MFIPPA to investigate and make orders in connec-

tion with complaints about the privacy practices of institutions subject to

FIPPA and MFIPPA.8Those Acts contain a power for the Commissioner to

Guide to the Ontario Personal Health Information Protection Act

558

2 Serving as Ontario’s Information and Privacy Commissioner since 1998, Dr. Ann

Cavoukian (Ph.D., Psychology) was re-appointed in May 2004 for a further term of

five years.

3 S.O. 1987, c. 25, subsequently R.S.O. 1990, c. F.31, s. 4 [FIPPA].

4 S.O. 1989, c. 63, subsequently R.S.O. 1990, c. M.56 [MFIPPA].

5FIPPA, above note 3, s. 4(1). The Commissioner is appointed by the Lieutenant Gover-

nor in Council on the basis of approval by the Legislature (s. 4(2)) for a five-year

renewable term (s. 4(3)).

6 This would include FIPPA, ibid., ss. 4–9, and 58, as amended by PHIPA, s. 81.

7FIPPA, ibid., s. 58.

8 Information and Privacy Commissioner, A Special Report to the Legislative Assembly of

Ontario on the Disclosure of Personal Information by the Province of Ontario Savings

Office, Ministry of Finance (26 April 2000) [POSO Report]; see especially the Adden-

dum entitled “Powers Necessary to Conduct a Proper Investigation.” The POSO

Report arose out of a review conducted by the Commissioner in 2000 based on a

conduct “inquiries,” which include the powers to enter and inspect premises,9

require the production of records,10 and summon and examine persons under

oath.11 The Commissioner’s powers to conduct inquiries, however, apply only

to “appeals” from a decision of an institution concerning an access request or

a correction request.12 The Commissioner does not have any similar investiga-

tive powers under FIPPA or MFIPPA to review complaints about the informa-

tion practices of institutions subject to those Acts.13 Furthermore, FIPPA and

MFIPPA provide the Commissioner with powers to order effective remedies

for access and correction matters.14 Regarding other types of complaints, how-

ever, the Acts provide the Commissioner only with the power to order an insti-

tution to cease information practices that contravene the Acts or to destroy

information collected in contravention of the Acts.15 Apart from the powers to

order these particular remedies, the Commissioner is otherwise limited to

making assessments about compliance, and recommendations on the infor-

The Enforcement of PHIPA 559

news reporter’s information that in 1997 the Ontario government provided personal

information about POSO customers, including account information, to a private

financial consultant and private market research firm to analyze prospects for a possi-

ble privatization of POSO and to survey POSO account holders to determine their

reactions. Ultimately the Commissioner determined that the disclosure of personal

information by the government in those circumstances was not in accordance with

FIPPA. The issue of relevance here was that the Commissioner reported that a num-

ber of government officials whose input was expected to be relevant refused to co-

operate with the investigation, and that her office lacked the powers to require their

co-operation. The Addendum to the Report focused on this issue and recommended

amending FIPPA and MFIPPA to provide improved investigative powers. As noted in

the Report, the same types of recommendations for enhanced powers had been made

to and accepted by the Standing Committee on the Legislative Assembly in 1991 and

1994 during the three-year reviews of FIPPA and MFIPPA respectively, though the

Acts were not amended in accordance with the recommendations.

9FIPPA, ibid., s. 52(4); MFIPPA, ibid., s. 41(4).

10 FIPPA, above note 3, ss. 52(4) & (7); MFIPPA, above note 4, ss. 41(4) & (7).

11 FIPPA, ibid., s. 52(8); MFIPPA, ibid., s. 41(8).

12 FIPPA, ibid., ss. 50(1) & 52(1); MFIPPA, ibid., ss. 39(1) & 41(1).

13 In fact, there appears to be little formal recognition of the Commissioner’s role with

respect to such complaints; rather, the ability to deal with such matters is largely seen

as being implicit in the Commissioner’s powers to assess compliance with FIPPA and

MFIPPA and to make recommendations on the practices of particular institutions:

FIPPA, ibid., ss. 58(2)(b) & (c), and see page iv in the Addendum to the POSO Report.

14 FIPPA, ibid., s. 54; MFIPPA, above note 4, s. 43.

15 FIPPA, ibid., s. 59(b); MFIPPA, ibid., s. 46(b). This order power, however, does not

appear to have any enforcement mechanism. Improvement of the order powers in

FIPPA and MFIPPA was one of the key elements recommended by the Commission-

er in Appendix E to the Addendum to the POSO Report.