Thank you, Mr. Nadli. The motion is in order. To the motion.
Question.
Question has been called.
---Carried
Committee Report 9-17(5) is deemed read and is to be printed in Hansard in its entirety.
The Access to Information and Protection of Privacy (ATIPP) Act came into force on December 31, 1996. The law was created to promote government accountability by balancing access to government information with the protection of individual privacy rights related to that information.
Under the act, the Information and Privacy Commissioner (IPC) is appointed for a five-year term as an independent officer of the Legislative Assembly. The act requires the Commissioner to file an annual report on her activities and authorizes the Commissioner to include recommendations for amending the legislation to improve the act’s efficiency and effectiveness.
The Standing Committee on Government Operations conducted a review of the 2012-2013 Annual Report of the Information and Privacy Commissioner of the Northwest Territories, which was tabled in the Legislative Assembly on February 11, 2014. Members would like to thank Ms. Elaine Keenan Bengts for her report and for her appearance before the committee at the public review on April 25, 2014. The committee also wants to take this opportunity to thank Ms. Keenan Bengts for her continued commitment and dedication to all matters relating to access to information and the protection of privacy by public agencies in the Northwest Territories.
In 2012-2013 the Commissioner opened 16 new files, down from 27 in 2011-2012. Of the 16 new files, seven dealt with health information. Ms. Keenan Bengts completed 12 review recommendations, an increase of two over the previous year. Of these recommendations, seven were focused on the collection, use or disclosure of health information. This, undoubtedly, prompted the Commissioner to call 2012-2013 “the year of health privacy concerns.” As noted in the Commissioner’s message at the opening of the report:
“The issues ranged from patient concerns about the way in which their personal health information was being shared within the confines of a health authority to concerns raised by patients who were also employees of one of the Northwest Territories’ health authorities who questioned whether or not fellow employees or supervisors had access to their personal health records. And, once again, there were cases of misdirected faxes containing personal health information.” (page 7)
Of the cases resulting in review recommendations, the recommendations of the IPC were adopted in full by the relevant public body in six cases; partially adopted in two cases; not applicable in two cases, as no recommendations were made; and not accepted in two cases.
Eight public bodies were involved in 14 matters before the IPC in 2012-2013. Of these, the Yellowknife Health and Social Services Authority, the Dehcho Health and Social Services Authority, the Department of Environment and Natural Resources and the Department of Education, Culture and Employment each had two or more matters before the IPC.
As already noted, the Information and Privacy Commissioner is authorized to make recommendations for legislative change. This year the Commissioner highlighted five legislative issues. Of these, four relate to long-standing recommendations raised in her past reports and forwarded to this House by the standing committee: new health privacy legislation, access and privacy legislation for municipalities, the need for a general review of the ATIPP Act and what a revised act might include. In addition, the IPC has raised another matter for consideration, that of access to information and protection of privacy by First Nations governments.
Again this year the Information and Privacy Commissioner has made her concerns known regarding the potential for breaches of privacy within the health and social services system, which were heightened with the move to electronic medical records in 2010.
Of the breach-of-privacy complaints reviewed by the IPC in 2012-2013, two illustrate the problems that can arise with respect to the handling of medical information. In the first example, Review Recommendation 12-106, a complaint was brought against the Beaufort-Delta Health and Social Services Authority (BDHSSA) by a complainant who was also an employee. This individual requested that access to his paper medical records be restricted to protect the privacy of his medical issues from coworkers, after he received care at the Inuvik Hospital. Pursuant to his request, the paper records were immediately secured. However, when the complainant later grew concerned about his electronic records, he requested an audit and learned these records had been accessed 12 times outside the period during which he received medical attention.
The IPC’s review of the audit confirmed that the majority of times the records were accessed it was for legitimate reasons, but revealed that for several of the entries it could not be determined who was accessing the records and no reason had been recorded for the access. The BDHSSA argued there was no evidence to suggest that the information on the file had been improperly used or disclosed.
In commenting on this case, the Commissioner expressed the opinion that “the onus lies on the health authorities to provide evidence that all access to an individual’s personal health records is proper and for a legitimate reason under the act… Individuals have a right to know who has accessed their records and for what purposes. If the health authority cannot do that, there is a flaw in the system.” (pages 23, 22)
The IPC Made Six Recommendations, Detailed On Page 24 Of The Report. Recommendations Included: conducting a thorough privacy impact assessment on the electronic record system; removing generic computer names and passwords from the computer system; taking steps to ensure every access to the system includes a reason; instituting a system of regular random audits on the system; and improving training on privacy for staff, including regular messaging about the importance of keeping health records private. The BDHSSA accepted all of the recommendations in full.
Mr. Nadli.
Thank you, Mr. Speaker. I seek unanimous consent to waive Rule 93(4) and move Committee Report 9-17(5) into Committee of the Whole for consideration today. Mahsi.
---Unanimous consent granted
