BC’s New Personal Information Protection Act:
Entrenching Common Practice Or Adding New Complexities?
George K. Bryce, BCACC legal counsel
Originally published as part 1 @15:3 Insights at 14, 30 to 32 (Winter 2004),
and part 2 @ 16:1 Insights at 13, 31 to 33 (Summer 2004)
INTRODUCTION
On January 1, 2004, the new Personal Information Protection Act (PIPA) came into force. Counsellors have expressed concerns about this new legislation: Does the new Act apply to their clinical practice? What happens if they provide counselling services through an agency? What sort of information do they or the agency have to make available to the public on request? What policies and procedures do they or an agency have to put in place to meet the new obligations?
In this article, I will summarize the PIPA, outline its general purpose and describe the scope of its application. I will also offer guidance on how a counsellor can meet the new requirements. References to specific sections of the new Act will be noted for those who want to refer to the legislation itself. The government has prepared a lengthy document that provides useful and fairly detailed information on the new legislation. I would encourage all counsellors to read the information posted at the following web page, which also contains a link to the new legislation (introduced by Bill #38 (2003)).
STATUTORY PURPOSE
The purpose of the PIPA is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances” (section 2).
From this, two obvious questions arise: Who must comply with the new Act? What constitutes personal information? With answers to these two questions, we can consider some of the Act’s other requirements.
WHO MUST COMPLY?
The PIPA applies to an organization (section 3(1)) and requires an organization to follow general rules in support of the stated purpose.
As defined in section 1, an “organization” would include an agency or non-profit society that provides counselling services to the public. But section 1 also states that an organization includes a person, so individual counsellors who provide therapeutic services to the public as independent service providers are also covered by the Act. To ensure Insight readers do not forget this important point, I will use the phrase “counsellors and counselling agencies” even through the Act uses the defined word organization.
WHAT IS PERSONAL INFORMATION?
The type of information covered by the PIPA is defined in section 1 as information about an identifiable individual and includes employee personal information”. Employee personal information is defined as “personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual, but does not include personal information that is not about an individual's employment.”
The definition of personal information specifically excludes contact information and work product information. Both of these terms are also defined in section 1. Contact information is “information [that enables] an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual,” Work product information is “information prepared or collected by an individual or group of individuals as a part of the individual's or group's responsibilities or activities related to the individual's or group's employment or business but does not include personal information about an individual who did not prepare or collect the personal information.”
In summary, the type of information that is subject to the new Act is personal information, including information needed for employment, but not business contact or work product information. I would anticipate that most information counsellors obtain from their clients during the course of a counselling session would fall within the definition of personal information, and thus subject to the PIPA requirements.
EXCEPTIONS AND EXEMPTIONS
Despite the broad scope of the PIPA, there are a number of important exemptions in the section 1 definition which are restated in section 3(2). Some of these may apply to counsellors or counselling agencies in particular situations.
For example, under the section 1 definition, a counsellor is not required to comply with the Act when acting in a personal or domestic capacity. Section 3(2)(a) goes on to state that the Act does not apply to the collection, use or disclosure of personal information if those uses are only for personal or domestic purposes.
If a counsellor is employed by a counselling or social service agency, the agency and not the counsellor must comply with the PIPA. This has implications for counsellors who provide counselling services to the public through an agency. If they are employees, their agency must comply with the new Act. If they are independent contractors, they must comply. If the nature of the counsellor-agency relationship in the context of this new legislation is not clear, a counsellor should seek that clarification otherwise the counsellor could be responsible.
The section 1 definition states that a provincial government ministry or an agency which is required to comply with the existing Freedom of Information and Protection of Privacy Act (FIPPA) does not have to comply with the new PIPA if it listed in Schedule 2 of the FIPPA. In turn, section 3(2)(d)) states that, if the FIPPA applies to the personal information, the PIPA does not apply. If a counsellor is not sure whether the agency that he or she is employed by is required to comply with the FIPPA or the PIPA, the counsellor should seek clarification from the agency.
Personal information in documents used in court proceedings or in a judicial administration record are excluded (section 3(2)(e)). Solicitor-client privilege is also not affected by the Act (section 3(3)).
One important exclusion applies to the collection of personal information if it was collected before the Act came into force (section 3(2)(i)), however the subsequent use and disclosure of information that was collected prior to January 1, 2004 is covered under the Act.
Finally, federally regulated agencies must comply with the federal government’s separate Personal Information Protection and Electronic Documents Act. Agencies or individuals that disclose personal information across provincial boarders for commercial purposes must also comply with the federal rather than the provincial legislation.
GENERAL RULES
The PIPA sets out a series of general rules. These rules require counsellors and counselling agencies to act reasonably in meeting the Act’s purpose in regulating the collection, use and disclosure of personal information. For most counsellors and agencies, these rules should not result in a substantial change to their current practices. Common sense and professional ethics have provided a framework for counsellors’ use of a client’s confidential information for many years, and the new legislation entrenches or supports many of those practices. However, it also adds some new requirements.
Section 4(2) requires that counsellors and agencies be responsible for personal information under their control, including information that is not in their custody but under their control. So, for example, personal information a counsellor has collected about a client but stores at an off-site location remains the responsibility of that counsellor.
A counsellor and agency must designate someone to be responsible for ensuring compliance with the Act (section 4(3)). In the case of independent service providers, this could be the counsellor himself or herself, The counsellor or agency must make available to the public the name or title of that designated person and how they can be contacted (section 4(5)).
A counsellor or counselling agency must also develop and follow policies and practices to meet the statutory obligations, as well as establish a process to respond to complaints from the public concerning the application of the Act by that counsellor or agency (sections 5(a) and (b)). The counsellor or agency must make information about these policies, practices and processes available to the public on request (section 5(c)).
OBTAINING CONSENT
Section 6 of the PIPA says that a counsellor or counselling agency must not collect, use or disclose personal information, unless the effected person gives consent to that collection, use or disclosure. (The Act also authorizes such actions without consent and states that consent can be deemed to have been given in specific circumstances prescribed by the Act.) A number of the subsequent requirements are relevant to a counsellor’s clinical practice.
Section 7 sets out the essential requirement for informed consent to the collection, use or disclosure of personal information. Before collecting the information, the counsellor or counselling agency must disclose verbally or in writing the purposes for collecting the information, as well as name a contact person to answer questions about collection (sections 7(1)(a) and 10(1)). The individual must then provide consent.
Consent must be given freely and without coercion. For example, a counsellor or counselling agency cannot demand an individual to consent to the collection, use or disclosure of personal information as a condition for providing counselling services (section 7(2)). Section 7(3) declares that giving false or misleading information about the collection, use or disclosure of the information or using deceptive or misleading practices invalidates any consent that was given.
Implied consent will likely be an important issue for counsellors and counselling agencies, even thought they should establish policies and procedures to obtain expressed consent. Section 8(1) states that an individual is deemed to have given consent to the collection, use or disclosure of personal information by the counsellor or agency if those purposes would be considered to be obvious to a reasonable person, or if the individual voluntarily provides that information for those purposes. But a counsellor or counselling agency cannot collect, use or disclose personal information for a different purpose (section 8(4)).
Consent is also deemed to have been given by the client to the collection, use and disclosure of personal information necessary for the purposes of that individual’s enrollment and coverage under an insurance, pension, benefit or similar plan that individual benefits from (section 8(2)). This deeming provision does not mean that a counsellor may disclose all personal information to the third party payor. Only certain information may be disclosed without expressed consent, such as information that may be necessary to confirm entitlement and provide payments to the insured individual.
While consent can be implied or deemed, it would be best if counsellors and counselling agencies were to follow the guidance provided by section 8(3) covering expressed consent. They can collect, use or disclose personal information about a client for specified and disclosed purposes if four conditions are met:
1) the individual is provided with a notice in a reasonably understandable form that the counsellor or agency intends to collect, use or disclose the individual's personal information for specified purposes;
2) the individual is given a reasonable opportunity to decline within a reasonable time to have his or her personal information collected, used or disclosed for those purposes;
3) the individual does not decline within a reasonable time to the proposed collection, use or disclosure;
4) the collection, use or disclosure of personal information is reasonable having regard to the sensitivity of the personal information in the circumstances.
The PIPA also speaks to withdrawing consent (section 9) and when consent to the collection of personal information is not required, such as if the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way (section 12).
A counsellor or counselling agency must disclose to an individual the purposes for collecting any personal information, and – if so requested – the name of the person who is able to answer questions about that collection (section 10(1)). The purpose of collecting personal information for another organization must be disclosed, in particular if the individual has not already consented to that third-party disclosure (section 10(2)).
USE OF PERSONAL INFORMATION
The PIPA directs that a counsellor or counselling agency can only use personal information for purposes that a reasonable person would consider appropriate in the circumstances, and that also fulfills the purposes disclosed to the individual, or as otherwise permitted under the Act (section 14).
Section 15 lists a number of circumstances when a counsellor or organization may use personal information without consent, such as:
1) if the use is in the individual’s best interest and consent cannot be obtained in a timely way;
2) if obtaining pre-use consent might reasonably compromise an investigation or proceeding and that use relates to the investigation or proceeding;
3) the information is needed in debt payment or collection;
4) the use is necessary to respond to an emergency that threatens someone’s life, health or security;
5) where the use is otherwise permitted by law.
Separate rules apply to a counsellor’s or counselling agency’s use of employee personal information (section 16).
DISCLOSURE OF PERSONAL INFORMATION
A counsellor or counselling agency may disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances, and that also fulfills the purposes disclosed to the individual, or as otherwise permitted under the Act (section 17).
As was the case of use of information without consent, the Act lists various circumstances when a counsellor or organization may disclose personal information without consent (section 18(1)). These circumstances mirror those listed in relation to use of personal information without consent, but add some new circumstances, such as:
1) the disclosure is for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or body with jurisdiction to compel the production of personal information;
2) there are reasonable grounds to believe that compelling circumstances exist that affect the health or safety of any individual and if notice of disclosure is mailed to the last known address of the individual to whom the personal information relates.
The last circumstance would appear to support a counsellor’s common law duty to warn foreseeable victims about the potential violence or serious harm a client may inflict (see "A Counsellor’s Duty to Warn Foreseeable Victims of a Client’s Violence", 14:1 Insights at 10 to 12, & 25, Spring 2002.) While clause 18(1)(k) does not require a counsellor to give a warning, it does provide a statutory basis to claim that a warning was justified in the prescribed circumstances. Once the warning has been given, however, section 18(1)(k) adds a new requirement to the common law - a counsellor must then notify the client that a warning was given.
Thankfully, the content of a third party warning notice to the client is not specified in the legislation. Therefore, all that a counsellor need say in the letter to the client is that a warning was given pursuant to clause 18(1)(k) of PIPA. The legislation does not direct that the notice also specify who received the warning or what specific potential harm was disclosed. The legislation also does not set a deadline for giving the client notice, but a reasonable period of time would probably be allowed. Depending on the circumstances, in particular the nature of the potential risk to the third party, one or two weeks after the warning was given may be sufficient.
Section 20 of the PIPA has implications for counsellors who want to sell or purchase a clinical practice that includes the transfer of client files. This section would allow the selling counsellor to disclose personal information without client consent to the prospective buyer, but only so long as that information was necessary to determine whether the business transaction should proceed. However, before doing so, the buying and selling counsellors would have to enter into an agreement that ensures the use and disclosure of client information was only for the purposes of their business transaction. If the transaction completes, the selling counsellor could then disclose to the buying counsellor all the required personal information about the clients without their consent, but only so long as the buying counsellor uses that information for the same purposes that the selling counsellor collected it. Finally, the counsellors must also notify the clients concerning the completed transaction and that their personal information has been transferred (disclosed) to the buying counsellor. Additional rules apply if the sale of the counselling practice does not complete.
Sections 21 and 22 establish rules concerning the disclosure of personal information for research or statistical purposes, and for archival or historical purposes, respectively.
ACCESS TO AND CORRECTION OF PERSONAL INFORMATION
A counsellor or counselling agency must (a) provide an individual with his or her personal information under the counsellor’s or the agency’s control, (b) explain how that information has or is being used, and (c) identify to whom that information may have been disclosed (section 23(1)).
The PIPA does not go further and specify the specific mechanism a counsellor must follow when providing information to the client. As such, the principles of access that I discussed in an earlier article continue to apply (see "A Client’s Right To Access Clinical Records", part 1 @15:1 Insights at 13 & 14, and part 2 @ 15:2 Insights at 12, 24 & 25 (Spring and Summer of 2003)).
While the PIPA sets out a general duty to access personal information, some noteworthy exceptions to these requirements are set out in sections 23(2) and (3). For example, a counsellor or agency must not disclose personal information if that disclosure would reveal personal information about another individual (section 23(4)(c)) or would reveal the identity of an individual who has provided personal information about another individual and the individual providing that information does not consent to disclosure of his or her identity (section 23(4)(d)).
Two other exceptions may have particular significance for counsellors. Section 23(4)(a) directs that a counsellor or agency must not disclose personal information ifthe disclosure could reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request. In addition, a counsellor or agency must not disclose personal information is such disclosure can reasonably be expected to cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request. Section 23(5) goes on to say that if the problematic information can be removed from the documents, then access to the remaining information must be allowed.
These requirements appear to entrench the common law exception to a counsellor’s general duty to provide a client with access to or a copy of his or her clinical record that I also discussed in the above referenced two-part article. To quote from that article:
If a counsellor has reason to believe that serious risk of harm will result to the client or others from the client reading the clinical notes, there is a further step that should be taken. Before access or copying is denied, the counsellor should try to sever or block-out the problematic information in the clinical records. It would be a rare situation when all the information in the clinical records would met the threshold tests set out above so as to justify a refusal to access the entire record.
Section 24 sets out the rules that a client may follow to request a counsellor or counselling agency to correct an error or omission in the collected personal information. Normally, such requests must be implemented as soon as possible, with copies of the corrected information forwarded to others to whom that information was disclosed during the year before the correction is made (section 24(2)).
A request by a client to correct personal information does not mean that the counsellor or counselling agency must comply. If the counsellor does not believe that the correction is justified and thus makes no correction, the counsellor need only note in the file that a correction was requested but not made (section 24(3)).
RULES GOVERNING REQUESTS
Requests for access to or correction of personal information is now governed by new rules set out in Part 8 of the PIPA.
In brief, the client must make a request in writing and in sufficient detail to enable the counsellor or counselling agency to be able to identify both the individual and the information or correction being sought (section 27). A counsellor must make reasonable efforts to assist and respond to an access or correction request, and - unless the access exceptions noted above apply – provide the requested information or an opportunity to examine that information (section 28).
Generally speaking, a counsellor or agency will have 30 days to respond to an access or correction request, unless the Privacy Commissioner grants an extension (section 29). Delays of an additional 30 days are permitted in defined circumstances (section 31).
Section 30 sets out what a counsellor or agency must tell the requesting client if the requested access is refused, such as the reason for the refusal, who to contact about the refusal, and the right to a review of that refusal by the Privacy Commissioner. This requirement, however, does not apply if the request is to correct personal information.
A counsellor or counselling agency may charge a minimal fee for access to the requested personal information, but an estimate of those costs must be given before proceeding, and a deposit may be requested for all or part of the fee before proceeding (section 32).
CARE OF PERSONAL INFORMATION
Part 9 of the PIPA sets out general rules concerning the content and care of personal information. For example, section 33 requires that a counsellor or counselling agency make a reasonable effort to ensure that personal information collected by or on its behalf is accurate and complete, if the personal information (a) is likely to be used by the counsellor or agency to make a decision that affects the individual to whom the personal information relates, or (b) is likely to be disclosed to another professional or agency.
A counsellor or agency must also make reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal of the personal information in its custody or under its control (section 34).
Finally, section 35(1) directs that personal information that is used to make a decision that directly affects that individual must be retained for at least one year so as to allow that individual to later access that information. Section 35(2) directs that documents containing personal information be destroyed as soon as it is reasonable to assume the original purpose is no longer being served, and further retention is no longer necessary for legal or business purposes. For many counsellors or counselling agencies, compliance with these requirements should not be a problem. Most will keep their clinical records for at least seven years. (Six years being the most likely applicable limitation period under the Limitations Act for a client to initiate a civil action against the counsellor by filing a writ, plus one year to serve the filed writ on the counsellor.)
CONCLUDING COMMENTS
As suggested by the title of this article, there are aspects of the new PIPA that simply entrench or support the current practice of most counsellors. There are, however, a few areas where counsellor or counselling agencies will have to change or add to their current policies and procedures. Before doing so and because of the varied nature of counselling services provided in BC, it would be useful for counsellors to review the new Act and the reference materials noted in the Introduction. Hopefully this article will encourage counsellors to take a closer look at the way they collect, use and disclose personal information that is provided to them by their clients in light of the new legislative requirements.
|