Ontario Privacy Commissioner’s Order Regarding Durham Region Health Data

As a result of a privacy breach involving unencrypted health data from a mobile storage device, Ontario’s Privacy Commissioner (Commissioner) has made an order with wider implications than just for Durham Region. The loss at issue was of a USB key containing the personal information of nearly 84,000 people who had attended H1N1 immunization clinics in Durham Region, a large regional municipality east of Toronto. The Region’s Medical Officer of Health has been ordered to take steps immediately to ensure that any personal health information on mobile devices (such as laptops, and memory sticks) is “strongly encrypted”. In addition, the Commissioner ordered that certain of the information being collected (health card numbers and information relating to priority status to obtain immunization) cease to be collected. Of wider impact, the Commissioner also directed to the relevant Ontario Ministry (Health and Long-Term Care) three recommendations relating to practices and procedures involving information and mobile devices. The basis for these recommendations, says the Commissioner, is that the proliferation of new technologies is going to require what she calls a “privacy by design” approach, so that privacy and security are built in throughout the data lifecycle, from collection to disposal. For the text of the Commissioner’s press release dated January 14, 2010, visit: http://tinyurl.com/y96n4f7 Summary by: The Editor