Privacy commissioner at ‘impasse’ with SGI over collection of health information
Saskatchewan’s privacy commissioner says that the province’s auto insurer needs to change how it collects health information about claimants.
Privacy Commissioner Gary Dickson said his office has received three formal “breach of privacy” complaints that relate to the collection, use and disclosure of personal health information by Saskatchewan General Insurance. He said the complaints alleged “excessive collection of personal health information and improper use and disclosure of that personal health information.”
In one case, the complainant alleged that SGI had disclosed her personal health information without her consent to third parties. The complaint said that SGI’s disclosures had been made in spite of explicit instructions that certain personal information was not to be disclosed. The complainant had been injured in a motor vehicle accident on April 5, 2000. She made a claim to SGI for compensation for her injuries. She expressed concern that too much of her personal health information was collected by SGI. This included information about her daughter and the birth father.
Dickson said that the Office of the Information and Privacy Commissioner (OIPC) started formal investigations into each of the alleged breaches, but says SGI took the position that there is a gap in the province’s legislative scheme for privacy protection.
Dickson said that OIPC has reached an “impasse” with SGI, and that SGI has adopted an interpretation of statues that does not allow for OIPC to investigate any further.
Several recommendations were made by Dickson, including:
That SGI ensure that it has policies and procedures that specifically reflect:
- the type of personal information that will be collected by SGI;
- why consent is not required for collection;
- the data minimization principle and how that is integrated into the work of SGI;
- the need-to-know principle and how that is followed in use by SGI and its staff; and
- the steps taken by SGI to limit the collection, use and disclosure of personal information of claimants consistent with the requirements of FOIP, HIPA and the Privacy Framework (save for provisions promoting consent).
That those policies and procedures are published on SGI’s website so they are available to all claimants and prospective claimants.
That SGI revise its procedure for collection of personal information to ensure that it is not over-collecting the personal information of claimants. This revision should address how SGI will deal with excessive collection of personal information in any case where this is discovered.
That the Legislative Assembly amend FOIP and/or HIPA to clarify the rules that will apply to the personal information collected, used and disclosed by SGI in its activities under the AAIA and the role of our office in overseeing SGI’s statutory responsibilities under FOIP and HIPA.
To read the full report, click here. (PDF)
[...] Saskatchewan Government Insurance’s president and CEO Andrew Cartmell has addressed the “misconceptions” from the province’s Privacy Commissioner. The Office of the Information and Privacy Commissioner said it had reached an “impasse” with SGI, stemming from three formal “breach of privacy” complaints that dealt with the insurer’s collection, use and disclosure of personal health information. (See the ILSTV story here.) [...]