Wait a Minute Mr. Postman ... 3 Lessons Health Canada’s Privacy Breach Delivers to the Private Sector
March 25, 2015
By David Fraser, at McInnes Cooper
On March 3, 2015 Canada’s Privacy Commissioner determined that Health Canada breached privacy laws by mailing letters to over 40,000 Marihuana Medical Access Program clients – in envelopes clearly displaying the names of both the Program and the recipients. The Privacy Commissioner’s decision is based on the privacy law applicable to the Federal Government, but similar privacy laws apply to all Canadian private sector organizations – making this decision relevant to all organizations operating in Canada.
These days, electronic communication gives “snail mail” a run for its money when it comes to communicating with customers and contacts. The recent implementation of Canada’s Anti-Spam Legislation (CASL) has focused attention on the privacy laws applicable to electronic communications; for more on CASL, visit McInnes Cooper’s CASL Knowledge Page at www.mcinnescooper.com/services/privacy/casl/.
Despite this, traditional mail is still a significant mode of business communications; the cumbersome CASL rules might even lead to increased use of it. But there are also privacy laws – and risks – applicable to traditional mail, as the Privacy Commissioner’s finding demonstrates.
THE PRIVACY COMPLAINT
Health Canada handles Canada’s Marihuana Medical Access Program. In 2013, Health Canada needed to mail letters to 41,514 of the Program’s clients. It didn’t have a policy about the return address information for its letters, but normally used envelopes preprinted with the recipients’ information and a return address that didn’t reveal the Program name. But this time, there was a problem with the envelopes. Health Canada was in a hurry, so it repackaged the letters in envelopes with oversized windows through which the recipient’s address – and the full Program name – was clearly visible.
Over 300 of the Program members who received the letters lodged privacy complaints. They said Health Canada breached the privacy law by disclosing their personal information (their identity and involvement with the Program) to postal employees and the public without their consent. The Privacy Commissioner of Canada agreed: read his decision in the Marihuana Medical Access Program Complaint under the Privacy Act.
3 LESSONS DELIVERED TO THE PRIVATE SECTOR
The Privacy Commissioner’s decision is based on the privacy law applicable to the Federal Government. However, the federal and provincial privacy laws that apply to the public and private sectors contain similar provisions – making this decision relevant to all organizations operating in Canada. Here are 3 lessons they can learn from Health Canada’s privacy breach:
- There’s a lot at stake. A person affected by a breach of privacy laws has a couple of options – and they aren’t mutually exclusive: she can pursue one or both at the same time. She can lodge a complaint with the relevant privacy regulator; every organization operating in Canada is subject to oversight by one or more privacy regulators. She can also sue for financial compensation for the privacy breach, and that compensation can be significant. If multiple people are affected, they can also join together and lodge a class action for the breach – which the Program clients have also done. McInnes Cooper currently acts for Program members in a proposed privacy breach class action against Health Canada seeking financial compensation for its privacy breach.
- You might be inadvertently disclosing “personal information”. When sending traditional mail communications to customers or contacts, you might be inadvertently disclosing personal information – and breaching privacy laws in the process. Stop and think about what you send by mail, and the information it discloses about the recipient and to whom. A simple but common example is collection letters. Many businesses extend in-house credit to customers, and not all of them pay on time. So you might be sending letters letting those customers know their accounts are “past due”, giving them “final notice” or informing them their accounts are “in collection”. To make sure they open and read those letters, you might be stamping this information on the outside of the envelopes carrying them. But the recipient isn’t the only person who will see it: postal workers who handle the mail will see it; other household members (spouses, kids, room-mates…) who likely handle the mail will see it; and neighbors who might handle the mail (for example, who do the recipient a favour by picking up their mail while they are away, ill, etc.) will see it. You’ve just disclosed the recipient’s identity and the financial state of their account with you. Is this “personal information”? Yes; a person’s health information is “personal information” (the Health Canada mistake is one example) and so is a person’s financial information (see, for example, McInnes Cooper’s: PIPEDA Leaves Lender Out In The Cold – 5 Reasons To Review Your Loan Agreement). Do you have their consent to disclose it? If not, you might be violating a privacy law.
- Create & implement a policy. Maybe you’re regularly disclosing more information to more people than you thought you were – maybe even more than you intended. Maybe it doesn’t happen regularly – but even once, and even accidentally, is enough. In the Health Canada case, the Privacy Commissioner acknowledged Health Canada’s normal practice didn’t disclose personal information, and the disclosure was the result of an administrative error – but even once is a breach of the privacy law. To avoid or minimize the likelihood of a privacy breach, create a policy to deal with mail communications that specifically considers what information your mail communications disclose and to whom. Implement that policy fully, including communicating it to the relevant employees and training them on how to follow it – and why it’s so important to do so.
Please contact your McInnes Cooper lawyer or any member of our McInnes Cooper Privacy Law Team to discuss this topic or any other legal issue.
McInnes Cooper has prepared this document for information only; it is not intended to be legal advice. You should consult McInnes Cooper about your unique circumstances before acting on this information. McInnes Cooper excludes all liability for anything contained in this document and any use you make of it.
© McInnes Cooper, 2015. All rights reserved. McInnes Cooper owns the copyright in this document. You may reproduce and distribute this document in its entirety as long as you do not alter the form or the content and you give McInnes Cooper credit for it. You must obtain McInnes Cooper’s consent for any other form of reproduction or distribution. Email us at [email protected] to request our consent.