In Conversation with Deputy Commissioner Van Den Bulk: Evolving privacy requirements and the role of the HIM professional
The Office of the Information and Privacy Commissioner (OIPC) for British Columbia provides independent oversight and enforcement of BC’s access and privacy laws. It oversees the information and privacy practices of public bodies and private organizations that collect, use, or disclose personal information.
In this interview, OIPC Deputy Commissioner of Policy, Adjudication, and Audit, Jeannette Van Den Bulk, highlights the role of health information professionals in risk assessments and regulation compliance and discusses the commission’s work over the last few years.
CHIMA: Thank you, Deputy Commissioner, for chatting with us today. Can we begin by talking about some of the roles and functions of the Office of the Information and Privacy Commissioner (OIPC)? How do the mandates of the OIPC affect BC residents?
Dep. Comm. Van Den Bulk: Great question! First, I’d like to thank you for inviting me to join you here today. I had the pleasure of presenting at CHIMA’s BCYT Chapter Education Day at the end of March and enjoyed meeting some of your members and learning about their privacy concerns.
A bit about the OIPC: we are an independent office of the legislature. You may be familiar with other independent officers of the legislature, such as the Auditor General, the Ombudsperson, the Chief Electoral Officer, and the Human Rights Commissioner. An important distinction I will make here is that we are not government. We are accountable to the legislature, not to any one sitting government. Our work is about ensuring accountability and transparency. We provide independent, expert oversight of government actions and hold businesses and organizations accountable for their actions under the laws we enforce.
Really, it’s about trust. Independent officers promote transparency and accountability. By doing so, we aim to strengthen the trust between citizens, and the public bodies and private organizations that serve them. Our office enforces BC’s access and privacy laws: the Freedom of Information and Protection of Privacy Act (or FIPPA) for the public sector and the Personal Information Protection Act (or PIPA) for the private sector. We do this by investigating and mediating complaints and issues from people on the collection, use, and disclosure of their personal information and their access to information rights. We also comment on the access and privacy implications of proposed legislation, programs and policies of public bodies and organizations, as well as on new technologies.
Our office research emerging issues that may affect access and privacy rights. We also engage in public education activities to inform and empower people on those rights.
CHIMA: How has the work of the Office of the Information and Privacy Commissioner evolved over the past few years, and what are some of the current challenges?
Dep. Comm. Van Den Bulk: Privacy and access issues are constantly evolving, and because of that, so is our work. I’m glad you asked about the last few years, as they’ve been a time of major change for all of us, including those working in the privacy space.
We’ve seen the rapid acceleration and expanded use of digital tools and services in our lives, remote work settings, education, telehealth services, and so on. This explosion of online services accelerated a trend that was already clearly on our radar, and that is the rapid growth of digital technologies that intersect with people’s privacy rights.
In many cases, we saw a rush to get digital products and services to market to serve pressing demands. This was particularly prevalent in the health space. Privacy considerations were too often an afterthought. So, an urgent priority for us is communicating that privacy needs to be a primary concern in the developmental phase of a tool or an initiative, not an afterthought when something goes wrong. Building privacy into planning may seem challenging and time-consuming, but it doesn’t need to be.
There are straightforward ways to do this. For example, conducting privacy impact assessments (PIAs) before launching an initiative gives you a chance to ask important questions. What personal information are you collecting, using, or disclosing, and why? And are you doing so in compliance with privacy laws? How are you going to protect that information? What are the risks associated with that information, and what is your plan in the event of a privacy breach? PIAs are an integral part of an overall privacy management program. We have resources on our website to guide organizations through creating a robust privacy management program and completing a PIA.
I’d like to note here that FIPPA changes in late 2021 made PIAs and privacy management programs mandatory for public bodies, including health authorities. Public bodies are now also required to notify our office and affected individuals of breaches that could be expected to cause significant harm, whether it’s in the public or private space.
More of our conversations these days involve educating people on the fact that privacy and innovation are not mutually exclusive. Protecting privacy and building it into innovation can set developers apart from competitors and help build stakeholder trust. That has not necessarily been the case these past few years, and I believe that in the years to come, we will face the repercussions of digital tools launched without privacy considerations. These are my concerns at the organization or developer level. When we look at technology’s impact on privacy rights at a broader societal level, there are also challenges.
For example, in April, we released a report on how several Canadian Tire stores were collecting the facial biometrics of everyone walking through their doors. The biometric face prints of staff, delivery personnel, customers, and children were collected and scanned against a database of so-called persons of interest to watch for alleged shoplifters or people making returns falsely. Each human face is unique, so we’re talking about a very sensitive personal identifier. This was done without consent, and the collection itself was not reasonable or proportionate to the intended purposes, such as cutting down on shoplifting.
Those retailers removed their facial recognition technology systems (FRT), and I think the message is now clear for other retailers who might have been considering installing FRT at their stores. We prefer this remedial or educational approach to using our order-making power to legally obligate organizations to follow privacy laws.
Our office is involved in two joint investigations in the technology space. We’re looking into the personal information practices of TikTok and OpenAI, the company behind ChatGPT. I’m unable to comment on these as they are ongoing investigations. Still, I think it’s fair to say that more of our work will be focused on this area as technology advances and the potential threats to people’s privacy grow more varied and complex.
CHIMA: Our CHIM professionals have a focused understanding of privacy requirements, but the benefits of this may not be well understood. Can you shed some light on why the work of health information professionals is so vital and the importance of continuous learning in the field?
Dep. Comm. Van Den Bulk: Certainly. I think it’s important for all of us in the privacy space to reflect on this, especially health information professionals. The work of health information professionals is vital, and a big part of the reason why is that the stakes are incredibly high in the health space. People providing health information are often at their most vulnerable, and health information can reveal intimate details about them, like their physical and mental well-being, medical conditions, and even their genetic makeup.
A fundamental principle of our privacy laws is that the safeguards around personal information should be reasonable relative to the sensitivity of that information. By that standard, personal health information needs the highest level of protection we can provide. Health information professionals are there at the front lines providing that protection, and I hope your members understand just how crucial they are and how we all, as regulators and citizens of BC, appreciate the work they do.
With respect to the importance of the role and continuous learning, as I mentioned, privacy is never static. It’s about constant learning, absorbing new information and adjusting and improving privacy practices in response to ever-evolving threats. And why is that essential?
Privacy professionals help ensure legal compliance. As a regulator enforcing the laws, I would be remiss if I didn’t mention that there are legal consequences for not protecting people’s personal information. Part of the role of health information professionals is ensuring that staff at all levels understand and comply with those rules.
Information professionals also help minimize the risk of privacy breaches. The devastation that could result from a privacy breach in the health care sector is not just something we think about as a hypothetical. In 2021, Newfoundland’s health care system was hit by a cyber attack. Medical procedures, cancer treatments, diagnostic imaging appointments, and more were delayed or cancelled. The cost to taxpayers was enormous, and the impact on human life was even more profound. So, too, was the damage done to people’s trust in the health care system, and I can’t overstate how important that is. As privacy professionals in the health care sector, you are key to building and maintaining public trust in our health care system.
With the rapid expansion of digital health tools, including artificial intelligence, keeping current on new developments and regulations to protect privacy is vital to your role. Canadians will be relying on privacy specialists like you to help them feel that participating in digital health care doesn’t mean choosing to lose their fundamental privacy rights, including control over their personal information.
People who are receiving care do not need the added burden of worrying about the security of the information they give to a care provider. We cannot allow a situation to develop where someone avoids seeking care because they fear that their health information isn’t safe.
CHIMA: In what ways can health information professionals contribute to the success of risk assessments and regulation compliance?
Dep. Comm. Van Den Bulk: Health information professionals are experts with specialized knowledge and can act as privacy ambassadors within their teams or organizations toward creating a broader culture of privacy. Protecting personal information is not a task that can be relegated solely to one individual and carried out in isolation. Rather, understanding and buy-in are required at all levels, and that includes the executives who are making the resource decisions, the frontline workers who are dealing with the information, those on the tech side who are building the solutions, and the doctors and other health care professionals who are treating the patients. There needs to be some knowledge of privacy at all these levels, and information management professionals play an essential role in ensuring that.
Health information professionals play a crucial role in communication and education. They can lead internal training and education on privacy compliance and advise executives on what the law requires. Given their expertise, they can (and should) take a leading role in risk assessment and other crucial internal processes. They can spearhead privacy management programs and, as part of that, PIAs, privacy policies, breach response protocols, and security safeguards. As we’ve discussed, it’s a responsibility that, by nature, needs to shift and adjust to constantly evolving challenges. It’s an understatement to say that their work is never dull, and it’s also greatly rewarding when you think of the potential consequences.
CHIMA: How do you balance the interests of privacy with the needs of organizations to collect and use personal information to operate effectively? Can you discuss the importance of protecting personal information in this context?
Dep. Comm. Van Den Bulk: How to strike that balance is always an important question to us as regulators and to professionals working in health. In the health sector, there’s no question that the collection and use of personal information is necessary for organizations to provide top patient care, operate efficiently, and to carry out important research to evaluate programs, improve health outcomes, and drive innovation. The responsible collection and use of personal information and research in health care delivery contributes tremendously to positive change, including improved patient outcomes.
However, there are also major risks if it is not done right. Organizations need to be upfront and transparent about what information they’re collecting, how they will use or disclose it, and how they will protect it. If they’re not transparent, they risk contravening privacy laws and robbing people of their ability to make informed decisions about their personal information.
As we’ve discussed, trust is what is at stake here. It’s precious and, once lost, it’s very difficult to regain. Ensuring that appropriate protections are in place to protect personal information is crucial. We’ve talked about what happened in Newfoundland, but we don’t need to go beyond BC for an example of why it is important to prioritize safeguarding personal information with appropriate security measures.
We released a report in December detailing security flaws in the Provincial Health Services Authority’s (PHSA) database that left the personal health information of millions vulnerable to attack. The database houses the health information of nearly all BC residents and residents of the Yukon, much of it highly sensitive, including communicable disease and sexual health information. Essentially, the door was wide open, and the sensitive information inside was easily accessible to any hacker who cared to look. After our report was issued, the PHSA agreed to implement long-overdue changes to address the problems noted in our report, and we are pleased to continue to work with them on our recommendations. Our report was not aimed as an attack on the dedicated professionals who work at the PHSA. We appreciate and value their work. Rather, we hoped it would spotlight where resources are needed.
Going back to your question. Yes, the health care sector needs information to function, but considering the potential harms of a breach, protecting privacy needs to be a top priority.
CHIMA: What advice do you have for individuals and organizations who want to improve their privacy practices and stay up to date with privacy regulations?
Dep. Comm. Van Den Bulk: I’m glad you’re asking this. As we’ve discussed today, threats to personal information are constantly changing, and so must our responses to them. It’s an ongoing process and not a box that can be checked once and forgotten about.
There are many resources out there that can help. I would encourage people to seek out the resources within their own institutions—touch base with their privacy officer to see what’s available in terms of ongoing courses and training. I’d also like to say that if you can’t find an answer to your privacy question, we can help. Our team takes questions daily from public and private organizations trying to unravel complex questions related to privacy. We regularly provide feedback on PIAs. While we don’t review them in the sense that we approve or reject projects, we offer our expertise to help organizations navigate thorny questions before launching their programs or initiatives. Our website has a lot of great resources as well. We provide a wealth of resources for privacy professionals, including guidance on setting up a privacy management program, conducting PIAs, writing privacy policies, as well as security self-assessments for public bodies and organizations.
This October, we’ll be holding training sessions on both the public sector (FIPPA) and private sector (PIPA) privacy laws in cities throughout BC. We have sessions scheduled in Nanaimo, Kamloops, Abbotsford, Vancouver, Prince George, and Victoria. I would encourage those interested to visit our website and register for a presentation in their area at: https://www.oipc.bc.ca/news-events/events/.
CHIMA: Still talking about how organizations can improve their privacy compliance, what kind of collaboration does the OIPC engage in to promote privacy awareness and protect individuals’ rights in BC?
Dep. Comm. Van Den Bulk: Collaboration is a core part of the work we do, and that spans the local, national, and international levels. Locally, we believe that most public bodies and organizations in BC want to do the right thing when it comes to protecting people’s personal information—that they see doing so as crucial to building trust with the people they serve. Therefore, our approach is always one of education first, working with organizations to ensure that they understand their obligations under the law and setting them up for success in meeting them. To that end, we deliver dozens of presentations to organizations throughout the year, such as my presentation to CHIMA in May. Like that presentation, these are tailored to the needs of their respective audiences. Our policy and case review officer teams field queries daily from organizations looking to improve their privacy practices, for example, through consulting with organizations on their PIAs, as mentioned. These are not one-way information exchanges. We learn about the most pressing privacy issues from those in many different fields, and we review our guidance and materials to make sure we’re providing the best resources we can.
We also work regularly with independent offices of the legislature. Last year, we worked with Elections BC and three BC political parties on the Political Campaign Activity Code of Practice. The three parties agreed to ten fair campaign practices that respect voters’ privacy rights. Likewise, in 2020, we partnered with the Office of the Seniors Advocate of BC to release a short guidance, Privacy Tips for Seniors. Our June 2021 report, Getting Ahead of the Curve: Meeting the challenges to privacy and fairness arising from the use of artificial intelligence in the public sector, was a collaboration with both our Ombudsperson office and the Yukon Ombudsperson and Information and Privacy Commissioners.
Nationally, as I mentioned, we are currently involved in two joint investigations with our federal and provincial counterparts into the personal information practices at TikTok and OpenAI. In recent years, our joint investigations into Tim Hortons, Clearview AI, and Facebook-Cambridge Analytica have made it clear just how important these joint efforts are in addressing evolving threats to people’s personal information that span jurisdictions.
In recent years, we have also joined our federal, provincial, and territorial colleagues in releasing joint statements on urgent privacy matters. Last September, the Commissioner signed a joint resolution securing trust in digital health care. It outlined measures for government, health institutions, and health care providers to adopt, including promoting the adoption of secure digital technologies, implementing responsible data governance frameworks, and promoting transparency through privacy impact assessments and proactive publication of
plain language summaries of these assessments. These statements have been valuable and timely, providing clarity for organizations and the public on pressing issues and providing an authoritative voice for public policy decision-makers.
Internationally, our office is the secretariat of the Asia Pacific Privacy Forum, or APPA, a network of 20 regulators from around the Asia Pacific region. We host the APPA website and assist in the coordination of the group’s biannual meetings. During the pandemic, we again saw the importance of collaboration and were pleased to be able to facilitate that collaboration by providing a secure space for members to share COVID-19-related resources. Our office is also active in the Global Privacy Enforcement Network (or GPEN) and hosts monthly calls between regulators in the Pacific region on privacy issues.
CHIMA: Any final thoughts for our readers?
Dep. Comm. Van Den Bulk: First, I would like to thank you for this opportunity to speak to your readers. Associations like CHIMA play such an important role in providing information professionals with the support, knowledge, and resources they need to do their important work. To your readers, on behalf of our office, thank you for the work you do. We recognize the importance of it, how challenging it can be, and how absolutely indispensable it is to our public health care system. The challenges are daunting in your work, and that’s because it is so important, and the stakes are so high.
For many of us, public health care is a cornerstone of Canadian identity. It can only remain so if people trust the health care system, and that’s where you come in. As we move forward with online services and into digital spaces, I’m excited about the role that you all can play as champions of privacy in your organizations and the role you will all play in building that trust. Finally, as always, I would like to emphasize that our office is here to help, and we would welcome any questions at info@oipc.bc.ca.