Oct 2022 Charity & NFP Law Update
Privacy Commissioners Urge Governments & Health Sector to Stop Using Outdated, Old Technology
With new technological solutions available, more can and should be done to protect Canadians’ personal health data, according to the country’s privacy commissioners. Federal, provincial and territorial privacy commissioners published a resolution (the “Resolution”) on September 22, 2022 with a list of 14 recommendations for “governments, health sector institutions and health providers to show concerted effort, leadership, and resolve in implementing modern, secure and interoperable digital health communication infrastructure.” The Resolution states that resource constraints and staff shortages in Canada’s health sector were aggravated by the COVID-19 pandemic, which “spurred innovation and change in the delivery of services, including through virtual care visits and other forms of digital health communications.” Outdated and insecure communication technologies such as fax machines, unencrypted emails, along with employee snooping and cybersecurity attacks, continue to cause breaches of personal health information, which can cause “significant harm to affected individuals, including potential discrimination, stigmatization, financial and psychological distress,” as well as consuming valuable health resources, creating delays in the delivery of care to individuals and damaging the reputation of and public trust in the health system, the Resolution states.
The Resolution’s 14 recommendations are directed to three groups: federal/provincial/territorial governments, health sector institutions and providers, and privacy commissioners and ombudspersons with responsibility for privacy oversight. Recommendations include phasing out traditional fax and unencrypted email use and replacing them with modern, secure, and interoperable ways of transmitting personal health information that is accessible to all Canadians, adopting secure digital technologies and responsible data governance frameworks that have reasonable safeguards to protect personal health information, amending laws and regulations to provide for meaningful penalties, promoting transparency and education, and taking collaborative action “to address systemic practices in the health sector that are unreasonable because they create unacceptable and easily avoidable risks to the privacy and security of personal health information.” Although these recommendations are directed at the health sector, all charities and not-for-profits should take them into account when designing and updating their privacy and data security practices and procedures.
