Canada takes pride in its privacy regulation. We claim to have strong privacy laws regulating commerce, health care, and other sectors, which are interpreted and enforced by Information and Privacy Commissioners at the federal and provincial levels. The federal Commissioner oversees commercial activities and the federal government, while provincial Commissioners oversee provincial government domains, including health care. This multi-level oversight has helped to promote a relatively high level of privacy awareness among government and corporate employees.
Judging by our laws and oversight, most Canadians would consider the state of privacy in our country to be better than in the US. Many Canadian privacy experts distrust US-based computing companies based on their policies of sharing personal information with other corporations and national security agencies. Nova Scotia and British Columbia have laws requiring government organizations to use servers located in Canada for personal information, mainly because of concerns about US privacy laws and surveillance. Yet there may be a significant discrepancy between perception and reality when it comes to privacy enforcement.
Recently, Canada has seen an important privacy enforcement case hit the news, involving a hospital employee selling contact information for new mothers to an RESP sales representative. This case is particularly interesting because it was investigated both by the Information and Privacy Commissioner and the Ontario Securities Commission (OSC). The Information and Privacy Commissioner has ordered the hospital to implement changes to its information management policies and practices. The OSC has gone several steps further by laying criminal and quasi-criminal charges related to breach of trust.
This case is remarkable because Canada has very few court cases concerning privacy on the record. This is not for lack of privacy breaches. Information and Privacy Commissioners conduct investigations and issue compliance orders every year, but have rarely laid charges. Compliance orders are officially legally binding, but there is usually no monitoring to ensure that orders are followed. In the US, on the other hand, criminal and civil cases related to privacy are much more common. The rate of enforcement is much higher per capita than in Canada, and penalties are higher. For example, US civil penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA) can be as high as $15,000 for each violation, to a maximum of $1.5 million per year; in Ontario, corporations are liable only up to $250,000 for PHIPA violations. Consequently, US companies generally spend more money on privacy compliance than Canadian companies do.
The example of health care privacy laws raises another issue: HIPAA covers health care across the US, whereas in Canada each province has its own health care legislation. Provincial laws are generally consistent with each other, but differences exist. These differences may not matter so much for primary health care, but can become significant in the case of initiatives that may cross jurisdictional boundaries, such as cloud information management solutions, telehomecare, and mobile health applications.
As I see it, the US is ahead of Canada with respect to privacy in two areas: enforcement and consistency. The US may have somewhat less stringent privacy laws, but its laws are regularly enforced with actual financial penalties for violators, rather than the typical Canadian approach of issuing compliance orders. And a federal health care privacy law offers greater clarity and consistency for initiatives that cross jurisdictional boundaries. On these specific points, Canada might do well to look south for guidance.
About Wael Hassan:
Waël Hassan, PhD, is the founder of KI DESIGN MAGAZINE, an online monthly magazine. In each issue we explore legislative and regulatory changes, new technologies, and the needs and challenges of data custodians, and provide insight into the development of our approaches to open data access strategies and models. The magazine offers summaries, analyses, insights, and commentaries on business transformation in the areas of Governance, Risk & Compliance, Project & Portfolio Management, IT Strategy & Operations, and Technological Tool Management.
Please join one of Waël Hassan's LinkedIn groups:
Wael Hassan (C), All rights reserved