Regional Councillor Report
Submitted by: Colleen Jordan, Regional Councillor Wards 3 & 4
Date: March 8, 2010
Health Committee - Feb. 25, 2010
Information and Privacy Commissioner of Ontario Order
Pat Jeselon and Ross Fraser, Privacy and Security Consultants, were retained by the Medical Officer of Health to ensure that the Privacy Commissioner’s Orders regarding the loss of personal health information were complied with and that proof of compliance was provided to the Commissioner, as ordered, by the February 16, 2010 deadline. The consultants gave a presentation to the Health Committee regarding the order and the measures taken by the Region to comply. The Medical Officer of Health also provided information on the Privacy Commissioner’s Order and the compliance actions taken.
In summary, all health department mobile devices and media are strongly encrypted. The collection of health card numbers and personal health information relating to priority group status that was not relevant to receiving H1N1 vaccine at the Jan. 2010 immunization clinics was stopped. All health card numbers and personal health information relating to priority group status collected after the H1N1 vaccine was made widely available to the general public have been securely destroyed. A Health Department privacy program is being developed and Health Department training will be strengthened. A dedicated privacy officer position has been approved through the budget process. The role of this new position will be to co-ordinate and maintain the privacy program. The Order was posted on the Region’s website, and the public was notified about the Order through ads placed in local newspapers and given information on how to access it.
The Health Department, in its response to the Privacy Commissioner, outlined its disagreement with some of the Commissioner’s findings. The Health Department has recognized the importance of protecting personal health information on mobile devices for many years. Documentation of this requirement dates back to 2006. The use of encrypted laptops and USB keys was established in earlier campaigns and had previously been followed successfully. The employee responsible for encrypting the USB key was an employee of the Region, performing duties in the Corporate Information Systems Department, and as such was an agent of the Region. The need to encrypt the data was again identified at a meeting between the Health Department and the Corporate Information Systems Department in October, prior to the H1N1 immunization campaign. The employee in the CIS Department responsible for encrypting the keys did not do so.
The personal health information was collected in accordance with Ministry of Health and Long Term Care requirements. The client questionnaire was provided through the Niagara Information Immunization computer data system, which was recommended for use by Ontario public health units by the Ministry. Boards of Health were also provided funding for IT equipment if they used the Niagara system. Boards of Health were not permitted to make any modifications to the system, as stated in the licensing agreements that they were required to sign. The Niagara system was the system utilized by Durham.
The Privacy Commissioner also made a recommendation that the Region develop and implement a comprehensive policy for mobile devices to ensure that, to the extent that personal health information must be transported on those devices, it is strongly encrypted.
Recommendations were also made by the Commissioner to the Ministry of Health to request each public health unit to review its practices and procedures with regard to encryption of mobile devices, requesting each medical officer of health to attest that no unencrypted personal health information is being transported on unencrypted devices. The Commissioner also recommended that the Ministry audit a sample of public health units to verify these practices are followed. In addition, she recommended that resources be provided to develop training material to ensure all public health unit staff are aware of the need for proper safeguards.
Dr. Kyle, Durham’s Medical Officer of Health, has committed to sharing his findings and the actions taken by the Health Department and the Region’s Corporate Information Services Department with the Ministry of Health and Long Term Care and other Medical Officers of Health to ensure similar privacy breaches do not occur.
The Health Committee recommended that this presentation be made to Regional Council, which acts as the Board of Health for Durham Region, to ensure that there is a clear understanding of the recommendations and compliance measures by all Committees and Departments involved in this breach.