The Federal Trade Commission (FTC) and New York Attorney General announced today that YouTube and Google will pay a record-setting $170 million to settle allegations of violating the Children’s Online Privacy Protection Act (COPPA) Rules.
The settlement comes after a complaint alleged that YouTube was using cookies on child-directed channels for direct advertising and to track users across the internet, without first notifying parents and obtaining their consent. The COPPA Rules require child-directed websites and online services to provide notice of their information practices and obtain parental consent prior to collecting personal information from children under the age of 13.
The complaint also alleged that channel owners told YouTube that their content was directed to children and that, in some cases, YouTube’s own content rating system identified the content as directed at children. The FTC and NY Attorney General found that despite this knowledge, YouTube collected information and targeted advertisements on these channels, thereby failing to comply with COPPA.
While YouTube claimed to be a general-audience site, the FTC and NY Attorney General noted that YouTube marketed itself as a top destination for kids in its presentations to makers of popular children’s products and brands.
In addition to the hefty monetary penalty, the proposed settlement requires Google and YouTube to develop, implement, and maintain a system that permits channel owners to identify their child-directed content on the YouTube platform. The companies must also notify channel owners that their child-directed content may be subject to the COPPA Rules, and they must provide annual COPPA compliance training for employees who deal with channel owners.
It is almost impossible these days to surf the internet anonymously; in fact, many websites require cookie tracking before they will allow access to their content. Google Chrome offers an ‘incognito’ mode for users. Unfortunately, some websites have caught on and are implementing tools to detect when a visitor is in private mode.
Suzanne has represented clients at arbitrations and mediations, and has prepared written submissions for accident benefit disputes. In addition, she has represented clients at CPP tribunal hearings regarding CPP disability benefit applications and appeals.
Pharmacists have a range of responsibilities including reviewing prescriptions, educating individuals about medication use and side effects, and acting as a last line of defence to ensure that multiple medications do not interact with one another. In order to provide these services, pharmacists collect a significant amount of personal health information and are regulated by the Personal Health Information and Privacy Act (PHIPA) in Ontario and the Health Information Act in PEI. So, when a pharmacy’s systems are breached (for instance by way of a hack, a social engineering scam, or unauthorized access), the pharmacy is required to notify affected individuals and report the breach to the Privacy Commissioner to comply with the legislation. This is exactly what happened in a recent privacy investigation against a pharmacy in Prince Edward Island.
A breach notification indicated that in late August 2017, two employees at a pharmacy accessed the personal health information of their former co-worker using the Drug Information System (DIS). The DIS is a provincial database of medication profiles for residents of PEI used by pharmacies to assist with patient care. The Privacy Commissioner conducted an investigation and determined that although one employee had inappropriately accessed the electronic records, the personal health information was not disclosed to other unauthorized individuals.
While the pharmacist did not witness the incident, a staff member reported that in August 2017, two employees accessed the personal health information of the Affected Individual using the DIS and disclosed the information at the work site. In response, the pharmacist spoke to the employees, who acknowledged that they had accessed the information without authorization; however, they blamed each other – a classic he-said-she-said.
In November 2017, the pharmacist verbally notified the Affected Individual (and former co-worker) of the incident. The pharmacist sent an email to the manager of the pharmacy about this discussion and presumed that the manager was already aware of the incident. The manager advised that they were unaware of the incident. The manager conducted an investigation in which one employee admitted the unauthorized access but the other did not. In December 2017, four months post-incident, the pharmacy notified the Commissioner of the incident.
The Commissioner’s Investigation
When the Commissioner conducted its own investigation, the employees were invited to participate. One employee admitted to the unauthorized access and expressed remorse for the “momentary lapse in judgment.” The second employee denied that they had ever accessed the Affected Individual’s information in the DIS. Neither employee recalled speaking with the pharmacist. The Commissioner attributed the discrepancies to the passage of time and the possibility that the information at issue may have been obtained by other legitimate means.
Based on a DIS audit, the conclusions made by the pharmacy, and the information provided to the Commissioner, it was determined that (1) the first employee inappropriately accessed the personal health information of the Affected Individual; (2) there was insufficient evidence that the second employee accessed the information; and, (3) there was insufficient evidence that either employee disclosed personal health information of the Affected Individual.
Policies, Procedures, and Breach Response
The Commissioner found that at the material time, the pharmacy did not have reasonable information practices in place to identify and prevent privacy breaches. The organization did not have unique User IDs for all those who access the DIS. The organization also did not have staff training and/or educational resources regarding privacy issues. Since the breach, the pharmacy implemented the use of new software and conducted privacy training for employees. They also established reasonable prevention and detection tools.
With respect to the breach response, the Commissioner concluded that the pharmacy took reasonable steps to contain and investigate the breach. However, the pharmacy did not notify the Affected Individual or the Commissioner of the breach within a reasonable time period, as required by law. The late notification appeared to be because of a mistaken belief that the manager was aware of the incident. This demonstrated a lack of procedure by the pharmacy relating to breach notification. Additionally, the pharmacy ought to have followed up with the Affected Individual once the investigation was complete and implemented a clear breach management procedure.
The Commissioner made recommendations for the adoption of privacy breach management procedures, which should include designating a staff member that all employees report to in the event of a suspected privacy breach. The Commissioner also recommended establishing a clear internal process to follow if a privacy breach is discovered. The latter would include reasonable guidelines for notification, containment, investigation and remediation.
If an organization collects, uses, and/or discloses personal health information, it is subject to PHIPA or the equivalent privacy legislation of its province. This legislation requires a health information custodian to notify all affected individuals of a privacy breach and report the breach to the Privacy Commissioner. In order to comply with the notification and reporting requirements, the organization must implement policies and procedures to identify such breaches and respond properly.
It is recommended that organizations assign a Privacy Officer to whom other employees can report actual or suspected breaches. Identifying breaches requires the organization to train and educate their employees regarding their obligations related to the proper handling of private health information. Finally, organizations must prepare breach response plans that will be followed in the event of a breach. This would include containment of a breach, timely notification and reporting of a breach, as well as proper follow-up. Not only is this required by law, it is also a great risk management mechanism that aids in lowering investigation costs, fines, and litigation exposure.
Stas practices in insurance-related litigation. He has a broad range of experience including tort claims, accident benefits, subrogation, priority and loss transfer disputes, WSIB matters, and fraudulent claims.
Snooping occurs on a regular basis, but few organizations are willing to deal with it. Whenever an individual, such as a doctor, a nurse, or a clinic staff member, accesses a patient’s record without a work-related need, this is considered snooping. Unless an employee is within the patient’s circle of care (i.e. delivering direct patient care), the employee has no business accessing that patient’s personal health information and is contravening the purpose for which the information was gathered.
Many, if not most, of these instances go unnoticed, but with the shift to electronic record storage and file management systems, access to records can be tracked by clinic owners/health information custodians. If properly set up, the electronic file management system can help identify individuals who are snooping and allow the organization to reprimand those individuals. Even if the organization has not transitioned to an electronic file management system, that does not excuse ignorance of this problem.
In a recent case, a Complainant requested and obtained an electronic log of access to their personal health information stored in the Clinical Information System of Health PEI, the agency responsible for delivering publicly funded health services in the province. After reviewing the logs, the Complainant noticed that an employee whom the Complainant knew had accessed their personal health information multiple times. The log showed that on some of the dates when the file was accessed, the Complainant was not admitted to a hospital.
The Complainant reported their findings to Health PEI and an investigation ensued. The institution determined that some, but not all, of the accesses to the Complainant’s charts were consistent with the performance of the employee’s duties. When consulted about the access, the employee advised that all access to the Complainant’s information was for professional reasons, but noted that there was a “long history of a volatile relationship” between the employee and the Complainant. It was suggested that the privacy complaint was made with malicious intent arising from this relationship.
Ultimately, Health PEI concluded that the employee had accessed the personal health information without authorization. At a minimum, some of the accesses to the Complainant’s records were not authorized based on the determination that in several instances there was no evidence that access to the information was required for the performance of the employee’s duties. Importantly, the employee could not substantiate the claim that all access was for professional reasons.
Aftermath and the Commissioner’s Investigation
As a result of the investigation, Health PEI established a performance management plan for the employee, which included disciplinary measures. The institution was also implementing improvements for privacy awareness and compliance with policies through training and random auditing of access.
During a meeting with the Complainant, Health PEI shared the findings of the investigation and the steps that will be taken. Subsequently, a letter was sent to the Complainant outlining the findings and apologizing for the unauthorized access. In response, the Complainant sought specifics of the disciplinary measures taken, which Health PEI refused to provide.
Health PEI also reported the breach in a timely fashion to the Privacy Commissioner, who conducted its own investigation pursuant to the Health Information Act. The Commissioner concluded that the organization had properly responded to the breach. While the Complainant wanted to know what disciplinary measures were taken, the Commissioner agreed with the refusal but noted that the organization ought to provide assurances that personal health information would be protected in the future. The Commissioner also recommended that Health PEI implement regular auditing of its employees’ access to electronic records.
The Commissioner found that the institution notified the Complainant and the Commissioner at the first reasonable opportunity following the discovery of the breach and that Health PEI established reasonable information practices to protect personal health information from unauthorized access by others. Further, the Commissioner found that Health PEI took reasonable steps to contain the breach and investigate it. While the Commissioner found that implementing staff training and disciplining the employee were reasonable steps to remediate the incident, further assurances needed to be made to the Complainant. Specifically, the Complainant ought to be reassured that their health information was secure. To address this, the Commissioner recommended that Health PEI introduce regular auditing of employee access to the computer system with particular attention to the Complainant’s records.
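A minimal form of the access-log review this case turned on, and of the regular auditing the Commissioner recommends above: each chart access in a DIS/EHR audit log is cross-referenced against the patient’s admission dates, and accesses that fall outside every admission are listed for follow-up, optionally narrowed to one complainant’s record. This is an added example, not Health PEI’s system or code from the original post; the log format, admission table and all sample values are constructed.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed audit log (timestamp, user id, patient id, action); not real data.
AUDIT_LOG = """\
2017-08-03T09:12:00,emp-42,pt-1001,view_chart
2017-08-04T14:30:00,emp-42,pt-1001,view_chart
2017-09-15T22:41:00,emp-42,pt-1001,view_chart
2017-09-16T08:05:00,emp-17,pt-1001,view_chart
2017-10-02T11:00:00,emp-42,pt-1001,view_chart
2017-10-03T10:15:00,emp-42,pt-2002,view_chart
"""

# Constructed admission episodes: patient id -> [(admit, discharge), ...].
ADMISSIONS = {
    "pt-1001": [(date(2017, 8, 1), date(2017, 8, 6)),
                (date(2017, 9, 16), date(2017, 9, 18))],
    "pt-2002": [(date(2017, 10, 1), date(2017, 10, 5))],
}


def parse_log(text):
    """Parse the CSV-style audit lines into dicts, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action})
    return entries


def within_episode(when, episodes):
    """True if the access date falls inside any admission window."""
    d = when.date()
    return any(admit <= d <= discharge for admit, discharge in episodes)


def flag_accesses(entries, admissions, patient=None):
    """Return accesses whose date no admission episode covers.

    `patient` narrows the review to one record, as in an audit focused on
    a specific complainant; None reviews every patient in the log.
    """
    flagged = []
    for e in entries:
        if patient and e["patient"] != patient:
            continue
        if not within_episode(e["ts"], admissions.get(e["patient"], [])):
            flagged.append(e)
    return flagged


def accesses_per_user(flagged):
    """Count flagged accesses per user so repeated access stands out."""
    counts = defaultdict(int)
    for e in flagged:
        counts[e["user"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))
```

An access outside any admission window is a lead for the investigator to put to the employee, not proof of snooping; the converse is weaker still, since an access during an admission says nothing about whether that employee was within the circle of care.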
Although we may not notice it immediately, unauthorized access to personal records, or snooping, is a frequent occurrence. Organizations must implement policies to minimize the frequency of snooping and reprimand the employees who engage in such behaviour. More importantly, these instances are considered breaches of security safeguards, and the organization may be required to report the breach to the Privacy Commissioner and notify the affected individual.
As demonstrated in this case, organizations must have a plan in place to respond to such breaches in a timely fashion. If investigated, an organization’s quick response to a breach and proper follow-up (i.e. notification and reporting) will be looked at favourably. Organizations can rest assured that their internal sanctioning policies (i.e. the reprimanding of their employees) can largely remain confidential. In other words, organizations do not need to report to an affected customer the sanctions imposed on a staff member. This eases the pressure on the organization and allows it to make more sensible and appropriate decisions.
More importantly, an organization must train its staff to appropriately handle and use their customers’/patients’ data. This includes the legal requirements concerning the collection, use, and disclosure of health information. Policies must be put in place and enforced on a regular basis to ensure all employees are on the same non-snooping page.
Fiona, Dan, and Laura have been included in the 2020 Edition of The Best Lawyers in Canada. Since it was first published in 1983, Best Lawyers has become universally regarded as the definitive guide to legal excellence.
Lawyers on The Best Lawyers in Canada list are divided by geographic region and practice areas. They are reviewed by their peers on the basis of professional expertise, and undergo an authentication process to make sure they are in current practice and in good standing. For 2020, our SBA lawyers are ranked, as follows:
In the recent Motion Order of LAT File No. 18-011887/AABS, the LAT concluded that an insurer can resist the unilateral withdrawal of a LAT Application when it included a live issue in the proceeding that has yet to be decided. Further, administrative action and file closure letters are not orders and can be challenged.
On this note, it is important for the insurer to include all potential issues, such as the repayment of benefits or costs, in its Response to an Application. This inclusion gives the insurer the right to have these issues decided by the LAT, even if the applicant chooses to withdraw.
In its LAT Response, the insurer requested repayment of benefits paid to the applicant during the course of his accident benefits claim. After a series of case conferences, and after the parties were notified that the LAT would be issuing a Reconsideration decision in favour of the insurer, the applicant withdrew his Application. The insurer advised the LAT in writing that it intended to maintain its claim for repayment. However, the file was later closed administratively by the LAT, with both parties receiving an administrative closure letter.
The insurer brought a motion for an Order that the LAT Application remain open, as it did not consent to the closure of the file.
The insurer’s motion was granted and an Order was made that the LAT Application remained open. Vice Chair Hunter noted that it is LAT practice that where a file has been administratively closed, it only requires a request by a party to re-open it. The case management officer who administratively closed the LAT Application did not appreciate that the insurer also had a claim in the Application.
Unilateral Withdrawals and Costs
The issue of unilateral withdrawals and administrative closure letters often arises in the context of a party seeking costs. One party will withdraw its Application, and the other will argue the file must remain open in order to deal with the costs issue.
Reconsideration in 16-000474 v Aviva 2016 CanLII 105250 (ON LAT)
The applicant submitted a LAT Application. The insurer made a request for a dismissal with costs, as the applicant failed to produce required documents. Two months later, the applicant submitted a Notice of Withdrawal. After the withdrawal, the insurer further asserted its claim for costs, which the LAT does not appear to have considered initially. The parties were sent an administrative closure letter. The insurer requested Reconsideration, which was allowed. The Vice Chair held that the failure of the LAT to respond to the request for costs, which had been filed prior to the withdrawal, was a breach of procedural fairness. The matter was sent back to an adjudicator for a determination regarding costs; ultimately, the adjudicator hearing the motion ordered no costs.
Reconsideration in 18-000935 v Aviva, 2019 CanLII 58159 (ON LAT)
This matter proceeded to a hearing in writing. After the insurer filed its responding submissions, the applicant withdrew his Application. The LAT subsequently issued an administrative closure letter to the parties. The insurer had requested costs in connection with the proceedings prior to the withdrawal. The insurer requested Reconsideration, which was allowed by the Vice Chair, who held that the Tribunal’s decision to close the file without adjudicating the costs issue violated the rules of natural justice and procedural fairness. However, in the end, the Vice Chair found that the insurer had not met the high onus and did not award any costs.
These decisions highlight that the unilateral withdrawal of a LAT Application and the administrative closure of a case do not dispose of an issue raised by an opposing party. Based on the principles of procedural fairness and natural justice, an insurer is still able to have the LAT decide issues that were raised in the Response or the proceeding. Administrative closures can be reversed on request. One key element appears to be that the party must raise the issue prior to closure. Failure to raise or include an issue may result in the insurer being barred from having it heard by the LAT.