Dialogue Volume 14 Issue 1 2018 | Page 43

PRACTICE PARTNER
4 Pattern of similar breaches

Even if a privacy breach is accidental or insignificant by itself, it must be reported to the Commissioner if it is part of a pattern of similar breaches. The IPC states that such a pattern may reflect systemic issues that need to be addressed, such as inadequate training or procedures. Custodians must use their judgment in deciding if a privacy breach is an isolated incident or part of a pattern; take into account, for instance, the time between the breaches and their similarities. Keeping track of privacy breaches in a standard format will help identify patterns.

6 Disciplinary action against a non-college member

Not all employees or other agents of a custodian are members of a college. If an agent is not such a member, the Commissioner must be notified in the same circumstances that would have triggered notification to a college, had the agent been a member. An example would be a registration clerk who has an unpleasant encounter with a patient and posts information about the patient on social media. Although the clerk is not a member of a college, this privacy breach must be reported.

5 Disciplinary action against a college member

A duty to report an employee or other agent to a health regulatory college also triggers a duty to notify the Commissioner. Where an employee is a member of a college, the Commissioner must be notified of a privacy breach if:
• the custodian terminated, suspended or disciplined them as a result of the breach
• they resigned and the custodian believes this action is related to the breach
Where a health-care practitioner with privileges or otherwise affiliated with the custodian is a member of a college, the Commissioner must be notified of a privacy breach if:
• the custodian revoked, suspended or restricted their privileges or affiliation as a result of the breach
• they relinquished or voluntarily restricted their privileges or affiliation and it is believed that this action is related to the breach
Similar requirements apply to health-care practitioners employed by a board of health.

7 Significant breach

Even if none of the above six circumstances apply, the Commissioner must be notified if the privacy breach is significant. In deciding whether a breach is significant, the custodian must consider all the relevant circumstances, including whether:
i. the information is sensitive
ii. the breach involves a large volume of information
iii. the breach involves many individuals’ information
iv. more than one custodian or agent was responsible for the breach

The IPC provides the example of a physician who posts detailed information on a website about a group of patients receiving specialized treatment for a novel health issue. It then comes to the physician’s attention that others can easily identify these patients even though there were no names disclosed. This breach involves many patients, whose information has potentially been made widely available. These types of breaches should be reported to the Commissioner. Note that even breaches that cause no particular harm may still be significant.