Ontario privacy commissioner reports jump in snooping cases
CBC
Ontario's public institutions saw more than 10,000 privacy breaches last year, according to the province's privacy watchdog, who is warning of a significant rise of "snooping" in personal records. But that number may only represent a small part of the problem.
Information and Privacy Commissioner Patricia Kosseim's annual report, published in June, said cases of snooping rose 34 per cent in 2023. But only the health and children and youth sectors are obligated to report breaches to her office, she noted.
Snooping involves workers accessing sensitive or personal information even though it isn't required or permitted as part of their job. Kosseim told CBC Toronto she's particularly concerned about a reported rise of such incidents.
"We know that voyeurism is a criminal offence, and you know, to my mind deliberately snooping in someone's record is no less blameworthy than a 'peeping Tom' peering into someone's bedroom," she said.
Kosseim's office found self-reported health privacy breaches of snooping nearly doubled to 197 in 2023, from 104 in 2019. She said such breaches can significantly undermine the public's trust in public health.
The confidential relationship between a person and their health-care provider is fundamental to the system, says Alisha Kapur, an associate lawyer at Rosen Sunshine LLP. The firm focuses on health and regulatory law, and often provides guidance to health-care organizations on privacy best practices.
"If [a patient] feels that the relationship is compromised, it makes people not want to share information, and that can affect their care," Kapur said.
Provincial law mandates that patients be notified if their privacy has been breached. In the instance of a breach, a victim may take civil action if they choose. Kapur noted that it "depends on if the plaintiff, who is the victim, wants to bring that kind of action, because civil actions can be costly and stressful and very drawn out."
Criminal penalties for snooping are also possible if the information was used for criminal purposes, such as fraud or impersonating a victim.
Kapur says one way to prevent breaches is by ensuring policies and procedures are kept updated and reviewed on a regular basis. And training all staff who collect or access personal health information is vital, she says.
"There is no use in having strong policies if the staff who have access to personal health information records don't know what they are required to do to safeguard those records," she said.
Of the 10,770 reported breaches of privacy in 2023 involving personal health information, 6,435 occurred in hospital settings.
In a statement, the president and CEO of the Ontario Hospital Association said its members have "robust policies" in place to ensure staff comply with provincial privacy law.
"All hospital staff with access to personal health information undergo annual training to ensure their ongoing awareness of their responsibilities," said Athony Dale.