The Access to Information and Protection of Privacy (ATIPP) Act came into force on December 31, 1996. The purpose of this legislation is to promote government accountability by balancing access to government information with the protection of individual privacy rights related to that information.
Under the act, the Information and Privacy Commissioner ("the IPC") is appointed for a five-year term as an independent officer of the Legislative Assembly. That appointment is currently held by Ms. Elaine Keenan Bengts. The act requires the IPC to file an annual report on her activities and authorizes her to include recommendations for amending the legislation to improve the act's efficiency and effectiveness.
On February 22, 2018, the Standing Committee on Government Operations ("the committee") conducted a public review of the 2016-2017 Annual Report of the Information and Privacy Commissioner, which was tabled in the Legislative Assembly on October 3, 2017.
On January 15, 2019, the committee held a public review of the IPC's 2017-2018 Annual Report, which was tabled in the Legislative Assembly on October 29, 2018.
Both of these reviews are summarized in this report.
THE ROLE OF THE INFORMATION AND PRIVACY COMMISSIONER
Access to Information and Protection of Privacy Act
The Office of the Information and Privacy Commissioner was established in 1997, following the enactment of the Access to Information and Protection of Privacy (ATIPP) Act. The ATIPP Act applies to the Government of the Northwest Territories (GNWT) and its departments, boards, and agencies, as set out in the ATIPP Regulations. The office provides independent oversight and enforcement of the government's responsibilities under the act.
The IPC is appointed as a statutory officer of the Legislative Assembly for a five-year term and can only be removed "for cause or incapacity," which affords her the ability to comment freely and directly. Ms. Keenan Bengts currently holds the office for a five-year term terminating on October 30, 2020.
The ATIPP Act enshrines two principles: 1) public records must be accessible to the public; and 2) personal information must be protected by public bodies. The act outlines the rules by which the public can obtain access to government-held records, and rules about the collection, use and disclosure of information by government, such that the privacy rights of individuals are protected and upheld.
Generally, the act requires that the government collect only information that is absolutely necessary for implementation of the program under which the information is collected. The Supreme Court of Canada has ruled that laws like ATIPP are "quasi-constitutional" laws that are held to be paramount to other laws, unless otherwise specified, and which define fundamental democratic rights.
The act is generally interpreted by the courts such that access to information is considered the standard and that any exceptions to this must be narrowly interpreted in a way to allow the greatest access possible. The right of access is not absolute, however. There are limited exceptions which protect individual privacy rights, proprietary business information, and Cabinet confidences and allow government employees to give frank and candid advice facilitating decision-making by political leaders.
The IPC reports to the Legislative Assembly of the Northwest Territories. The powers provided to the IPC under the ATIPP Act include the powers to investigate, mediate and resolve matters concerning access and privacy disputes and complaints; comment on the privacy implications of proposed legislation or government programs; undertake research into matters related to the purposes of the act; and educate the public about their rights.
Following on a comprehensive review of the ATIPP Act, undertaken by the Department of Justice between 2012 and 2016, Bill 29, An Act to Amend the Access to Information and Protection of Privacy Act was introduced in the Legislative Assembly in October 2018. This bill, which was extensively amended at the committee stage, received assent on June 6, 2019. As the new provisions are brought into force, certain aspects of the IPC's role and authorities will be changed and enhanced. For the purposes of the fiscal years examined in this report, however, the legislation as it was last amended in 2015 governed the IPC's activities.
Health Information Act
The new Health Information Act (HIA), which came into effect on October 1, 2015, governs the collection, use and disclosure of personal health information and provides for its protection. The legislation applies to all records containing health information that are under the control of a "health information custodian," as defined in the act, whether that custodian operates in the public or private sector.
The act sets out clear direction that medical practitioners are to have access to records only to the extent required in order to provide care. The act allows medical practitioners to assume that an individual who seeks health care has implicitly provided consent to the collection, use or disclosure of such personal health information as is necessary to provide the patient with appropriate care. This assumption of implicit consent is contingent upon the practitioner's belief that the patient is knowledgeable about how his or her personal information will be collected, used and disclosed.
The act gives patients the right to put conditions on who has access to their records. Where a patient expressly indicates that the practitioner may not rely on implied consent, the practitioner is then required to obtain the patient's written consent to collect, use or disclose the patient's health information. There are limited exceptions to this right, such as to facilitate the provision of emergency health care. Similarly, a patient may not prohibit the disclosure of personal health information by a health information custodian where that disclosure is authorized by the HIA or another enactment; for example, to the Workers' Safety and Compensation Commission.
The HIA gives patients the right to access their own health records. The process is similar to that contained in the ATIPP Act which governs access to personal information contained in government records. Unlike the ATIPP Act, however, which only permits recovery of photocopying costs, access by a patient to their medical records under the Health Information Act is subject to the payment of fees.
The act allows a person who believes their records have been improperly collected, used or disclosed to request the IPC to undertake a review. Rights of appeal under this Act are different than those under ATIPP. Appeal rights apply to both access to information and breach of privacy issues. As well, the IPC has the authority to appeal the decision of a health information custodian to the courts.
The act also imposes a positive duty on health information custodians to notify any individual whose medical records have been compromised. This "data breach notification" must also be given to the IPC, who may choose to investigate the breach.
THE INFORMATION AND PRIVACY COMMISSIONER'S ACTIVITIES
The Commissioner's Message
The Information and Privacy Commissioner often chooses to highlight topical aspects of her work in her annual "Commissioner's Message."
In her 2016-2017 Commissioner's Message, the IPC noted that it was her 20th anniversary as IPC of the Northwest Territories, which also meant that twenty years had passed since the coming-into-force of the ATIPP Act. She noted that advancements in technology over the past two decades are such that ATIPP operates in a very different environment than the one that existed when the legislation was first drafted.
She observed that her role as IPC started with a focus on access but, over time, privacy considerations took a primary role. Now, in the era of "big data" the focus is turning to access again, as the public continues to be concerned about the ability of governments to protect the personal information they collect, the value of information as an asset grows and the public demands that governments be accountable and transparent. This, she notes, makes strong ATIPP legislation "increasingly vital to the maintenance of our democratic ideals as the world changes in ways no one would have imagined in 1997."
With respect to the Health Information Act, the IPC indicated that she had completed her first three reviews. She opined that the act is dense, complicated and hard to interpret, meaning reviews take longer than under the ATIPP Act. She also observed that, again this year, health information custodians were far from compliant with the act and much work needs to be done in this area. The IPC expressed her concern that the information-technology system being used by the Health and Social Services Authorities still does not have the functionality to allow patients to control the access and use of their personal health information as mandated by the act.
For 2017-2018, the IPC's message focused on the initiative to update the ATIPP Act, led by the Department of Justice. She expressed frustration with the amount of time taken by the department to complete its review, which resulted in the "Northwest Territories...now [being] the last Canadian jurisdiction, but for Nunavut, to modernize its first-generation access and privacy legislation."
Modern legislation, the IPC observed, is not all that is required. "We need a real commitment to the spirit and intention of the act and this year, more than any other year, I have seen a marked decrease in the willingness of public bodies to hold up those ideals." The IPC noted that many times this year public bodies have refused to follow her recommendations, rejecting her analysis and application of the law. "Public bodies can easily avoid accountability when they refuse to follow recommendations made."
The IPC encouraged the Department of Justice to look to the ATIPP legislation passed by the Government of Newfoundland and Labrador in 2015. Under that legislation, "if a public body wishes to disregard those recommendations...it must ask the court for an order to allow it to do so. This change puts the onus on the public body, where it should be, to obtain court approval of its decision, rather than leaving it to the individual." She also raised the issue of bringing municipalities under ATIPP, noting that Nunavut recently amended its Act to accommodate the inclusion of municipalities, leaving the NWT as the only remaining Canadian jurisdiction that does not require municipal compliance with ATIPP.
Committee notes that these concerns were given careful consideration in the review of Bill 29, An Act to Amend the Access to Information and Protection of Privacy Act. The act has since been amended to require government compliance with the IPC's recommendations and to require municipal compliance with ATIPP, which will be phased-in through the regulations, allowing time for municipalities to prepare to meet their obligations under the act.
With respect to the Health Information Act, the IPC noted that the Minister of Health has issued a series of policies and procedures pursuant to the HIA, but that these were not accessible online and should be. She also again raised the issue of the apparent affinity of the health sector for outdated fax technology, which has resulted in data breaches that have been the subject of a number of media reports.
The IPC concludes her 2017-2018 Commissioner's Message by commenting on the work by her office to improve its website at www.atipp-nt.ca and by acknowledging an increase to her budget to hire a full time Deputy-IPC, to be shared with the Nunavut office.
The Year in Review
In 2016-2017, the IPC opened 61 new files (2015-2016 - 43) and issued 15 review recommendations (2015-2016 - nine) under the ATIPP Act. Of the 61 new files, 32 were related to access-to-information matters, 14 were related to breach-of-privacy matters, five were requests for comment or consultation by public bodies, and 10 were miscellaneous or administrative inquiries.
2016-2017 was the first full year of the Health Information Act being in force. The IPC opened eight new files, of which three were breach notifications from various branches of the amalgamated Health and Social Services Authority; two involved the submission of Privacy Impact Assessments (PIAs) per section 89(2) of the act; one was a comment to the Minister on the Department' of Health and Social Services' Mental Health Care Action Plan; and two were related to administrative matters. In addition, three formal reports containing recommendations were issued.
While her report had, in the previous year, been quite critical of the Department of Health and Social Services and its failure to address requirements under the new act, the IPC noted that things appear to be slowly improving. She observed some progress on the development of system-wide standards, policies and procedures as required by section 8 of the act. She noted a significant upturn in the number of breach notifications, suggesting a greater awareness of what constitutes a breach under the act, and further observed that these breaches are being properly handled with steps being taken to prevent reoccurrences. The IPC also reported that posters, informing patients of their rights under the Health Information Act, are starting to appear in Yellowknife clinics.
In 2017-2018, the IPC opened 53 new files and issued 18 review recommendations related to matters under ATIPP. Of the 53 new files, 24 were related to access matters, 17 were related to privacy matters, seven were requests for comment or consultation by public bodies, and five were miscellaneous or administrative inquiries.
One of the privacy-related files was initiated by the IPC with a view to engaging the City of Yellowknife in a discussion about access and privacy issues related to a matter that received media attention. The City did not reply to the IPC's invitation and no discussions took place, but the IPC again emphasized with Committee during the review the importance of bringing municipalities under ATIPP.
With respect to the Health Information Act, the IPC noted that the number of files "skyrocketed" from eight new files opened in the previous year to 33 new files opened in the second full year of the act being in force. The IPC views this as a positive indication that both the public and health information custodians are paying more attention to their rights and responsibilities under the act.
Of these 33 files: 22 were breach notifications received from the Department of Health and Social Services and the Northwest Territories Health and Social Services Authority pursuant to section 87 of the act; six were breach-of-privacy complaints received from the public; two were privacy impact assessments received pursuant to section 89(2) of the act; one was a request to review the response received to a request for access to personal health information pursuant to section 141; one was a review commenced on the IPC's own initiative pursuant to section 137(1); and one was an administrative file. No review reports were issued under the HIA in 2017-2018.
As noted in the introduction, committee held a public hearing on the IPC's 2016-2017 Annual Report on February 22, 2018.
In her opening remarks, the IPC noted that both the ATIPP Act and the HIA set out timelines within which she must complete any reviews of government decisions made under the respective acts. She indicated that the increase in her workload precipitated by the coming into force of the HIA was creating additional pressure on her office which would need to be resolved either through increased resourcing or changes to the timelines under the legislation.
Committee took note of this observation, which was raised in the context of Committee's review of Bill 29. Under ATIPP, the IPC has six months (180 days) to complete a review. Bill 29 proposed to reduce this timeline to two months (60 days). Cognizant of the government's rationale for reducing the IPC's timeline in an effort to respond to public calls for a more expedient ATIPP process, committee nonetheless felt that the proposed reduction to the IPC's timeline was too severe. In response, committee moved a motion, which was passed with concurrence of the Minister, to set the IPC's timeline for reviews at three months (90 days).
During the review, the IPC was asked about privacy impact assessments (PIAs) and how they are undertaken by the government. The IPC replied that a PIA is a tool to assist in highlighting the privacy impacts of a particular policy or project. It requires government to consider, in advance, what personal information is proposed to be collected, the purpose for which it will be used, how long it will be retained and how it will be protected. The IPC advised committee that she has been given the opportunity to review three PIAs completed by government and expressed her view that such assessments should be mandatory.
Committee also touched on the subject of the implementation of the HIA, asking the IPC for her comments on how this work has been proceeding. She replied that it is her understanding that the Department of Health and Social Services has hired a privacy coordinator and has created a set of policies to help staff to understand and comply with their responsibilities under the act. The IPC offered that she views these developments positively.
When asked what she thinks people need to know about their rights under the Health Information Act, the IPC replied that people should be aware that they have a right to see their medical files and that they have a right to deny access to their records under certain conditions.
The IPC was also asked for her comments on the concept of "implied consent" which is contained in the legislation. Consent is dealt with under Part 3 of the act, which provides that consent to the collection, use and disclosure of a patient's medical records can be "express" or "implied" provided that it is "knowledgeable." This allows a health care provider to assume that, by seeking medical treatment, a person has implied that they consent to the collection, use and disclosure of their information, unless they provide express (i.e. written) instructions stating otherwise. The IPC replied that implied consent is a difficult concept to put into practice, making this part of the act one that needs to be fixed.
The review concluded with a discussion of the practical application of a patient's right to direct who may or may not have access to their medical records. The IPC told Committee that she would like to see the GNWT upgrade the functionality of its health information-technology systems to allow "masking" of certain medical records, such that a health care provider would be prevented from accessing a record if such access was expressly prohibited by the patient.
When asked if the GNWT was meeting its responsibilities under the act, the IPC replied "simply put, no" but allowed that it took some time for the GNWT to become compliant when ATIPP was first introduced too.
As noted in the introduction, committee held a public hearing on the IPC's 2017-2018 Annual Report on January 15, 2019.
Committee's review commenced with a broad question to the IPC. Noting that the government espouses the principles of openness and transparency, to the extent that a minister has been made responsible for Public Engagement and Transparency, a Committee member asked the IPC how this seeming commitment aligns with her experience.
The IPC replied that, for the most part, she senses a healthy respect for the act and its purposes, noting that there are still pockets within government where there are problems with ATIPP compliance, and expressing concern about what she perceives as a growing trend towards not accepting or only partially accepting her recommendations.
This led to a discussion about how access and privacy legislation works in other jurisdictions and the approach recently adopted by Newfoundland in its ATIPP legislation. The IPC advised committee that, in some provinces, such as Ontario, Alberta, British Columbia and Prince Edward Island, her counterpart has the authority to make orders on access and privacy matters that are binding on government. In the Northwest Territories, the IPC has the authority to make public recommendations, but these recommendations are not binding on government.
In the NWT, a person who is dissatisfied with the government's response on both access- and privacy-related matters may ask the IPC to undertake a review. If the IPC finds in favour of the applicant, and recommends the same to government, government may disagree with the IPC's recommendations. For access-related matters, this leaves a person with the option to appeal the government's decision to the Supreme Court of the Northwest Territories; a daunting and expensive option for most citizens. For privacy-related matters, even this appeal option is not available, making the government's decision final.
The IPC advised Committee that the "Newfoundland model" places the onus on government so that it must go to court for permission to disregard the IPC's recommendations. Committee subsequently did research and gave a great deal of consideration to this model during its review of Bill 29. In discussions with the Department of Justice during the review of the bill, committee came to the determination that, rather than adopt the Newfoundland model, the ATIPP Act should be amended to provide the IPC with full order-making power. This power will take effect when the associated provisions in the amended legislation come into force.
Amendments made to the ATIPP Act will also require future compliance by municipalities. The IPC was asked to share her thoughts on Nunavut's experience. She noted that, although Nunavut has included municipalities under their ATIPP legislation, those sections of the act have yet to come into force. For both Nunavut and the Northwest Territories, the IPC suggested that it will be easier to implement privacy protections, which primarily require that the appropriate policies are put in place to ensure adequate protections. For access requests, municipalities are facing much larger hurdles, as most will need to put records management systems in place and will need to catalogue historical records so that they may be accessed using that system. She noted that training will be required, and that it may be necessary to put in place restrictions on access to historical information.
The remainder of the public hearing focused largely on the Health Information Act. In her opening remarks, the IPC commented on spike in the number of matters dealt with under the HIA:
"Of the 33 files opened, the vast majority (22) were breach notifications received from the Department of Health and Social Services or another health information custodian under the mandatory breach notification sections of the act. Most of the reported breaches were relatively minor, but each such report has added to our ability to address gaps and holes in the systems and procedures and to adjust practices so as to prevent future breaches. The Department and the NWT Health and Social Services Authority have created a resource in which they summarize each of the incidents that arises and are incorporating these examples into their training materials. This will undoubtedly help to reduce the number of similar breaches going forward."
While Committee was encouraged by the IPC's assessment, Members were concerned about the impact of major breaches, given that, in the weeks preceding the public hearing, a great deal of media attention was focused on a story about health records that had been found in the salvage area of the dump in Fort Simpson.
In response to a question, the IPC advised the committee that these records were subject to the requirements of the HIA, even though they were created before the passage of the legislation. She also advised committee that the Department of Health and Social Services would be undertaking its own investigation and that they were already considering where else they should be looking for similar medical files that may have been in storage for many years in regional offices. She added that she would be making her own recommendations and that the records in question had been transferred to her possession and would remain in her possession.
Committee asked about the continued use of fax machines by health centres, which have been a source of many past privacy breaches. The IPC replied that she had nothing new to report with respect to any progress made by the Department of Health and Social Services to enable the masking of medical records. The IPC noted that the reluctance of the medical profession to move to newer technology is an issue nationwide and that a move to the use of encrypted data will require a change in the way the medical profession does business.
The hearing concluded with a committee member making the observation that the IPC has three lesson plans on her website designed to teach students about the importance of privacy and their privacy rights under law. The IPC advised that the material was developed by a committee of IPC's from across Canada.
Committee encourages the Department of Education, Culture and Employment to have a look at this material and consider making it available to students.
In this final report on the review of the annual reports of the Information and Privacy Commissioner, during the 18th Legislative Assembly, the Standing Committee on Government Operations would like to thank Commissioner Bengts for her unwavering and enthusiastic commitment to access and privacy matters affecting the citizens of the Northwest Territories.
Committee is especially appreciative of the Commissioner's efforts on the review of Bill 29, An Act to Amend the Access to Information and Protection of Privacy Act. The IPC's experience and insight were instrumental in assisting the committee to make amendments to the act that have produced one of the most progressive access and privacy laws in Canada.