BC privacy watchdog wants fines for snooping

VICTORIA – B.C. privacy commissioner Michael McEvoy (pictured) says it should be illegal to snoop in a patient’s medical files, as recently happened at Nanaimo Regional General Hospital. “The time has come to act,” McEvoy told the Times Colonist newspaper. “The time is actually well past when we should have acted on this.”

It is illegal under the B.C. Freedom of Information and Privacy Protection Act to disclose or leak personal information in an unauthorized manner; however, it is not an offence to improperly access personal records and information.

B.C. privacy commissioners have long called for the provincial law to be changed to include penalties up to $50,000.

“Nothing has been done. These breaches in Nanaimo are a reminder of British Columbia’s shortcomings. We are behind other provinces in Canada,” McEvoy said. “We are virtually alone now in not having an offence provision.”

A unionized administrative-support worker at Nanaimo Regional General Hospital was fired March 13 after snooping in the medical files of 102 people who had a personal, outside of work, relationship with the former employee.

An investigation of the employee was triggered by a routine surveillance audit looking for anomalies in user-access patterns. Most files were accessed once, but some multiple times, seemingly out of curiosity, Island Health said.

That brings the total to about 485 medical files reported as being improperly accessed in five cases since about 2012.

McEvoy said he’s astonished that despite these high-profile cases resulting in dismissals, others aren’t getting the message about the seriousness of breaching the public trust. Making it an offence would drive the point home, he said.

The need to protect private information is especially important in the health sector “where that information is particularly sensitive,” McEvoy said.

In June 2016, Island Health reported two non-clinical support staff snooped through the files of 198 family, friends and prominent people going back about 16 months. A month later, in an unrelated case, a Victoria-based support staff member misused access privileges to view medical records of 34 patients.

In April 2015, a long-term central Vancouver Island health professional was fired for looking at the records of 39 family, friends and co-workers in 2014.

And in a case uncovered in October 2014, two nurses were fired for viewing the electronic files of 112 family, friends and co-workers since January 2012.

B.C.’s then privacy commissioner, Elizabeth Denham, told the Times Colonist that B.C.’s privacy laws are outdated when it comes to protecting electronic health records from snooping. Denham also called on the province to step up its privacy laws and impose fines of up to $50,000.

As Denham did in the past, McEvoy applauded Island Health for having processes in place to catch and deal with snooping.

McEvoy also wants B.C.’s privacy law updated to compel public and private bodies to report privacy breaches to the office of the privacy commissioner and to the person affected. Currently this is voluntary.