In March 2020, the Ontario government made various amendments to Ontario’s health privacy law, the Personal Health Information Protection Act (PHIPA) – one of which one was to provide the Information and Privacy Commissioner of Ontario with the authority to impose administrative penalties on any person who contravenes PHIPA or its regulations. Proposed regulationsunder PHIPA have now been published, which set maximum amounts for administrative penalties and outline the criteria that the Privacy Commissioner must consider when determining the amount of an administrative penalty.
Notably, the proposed regulations would permit the Privacy Commissioner to increase the amount of an administrative penalty above that limit by an amount equal to the “economic benefit” derived from the contravention of PHIPA – meaning that the amount of an administrative penalty could be significant, depending on the extent to which a person has benefitted from contravening PHIPA. To reduce the risk of an administrative penalty, organizations that are subject to PHIPA (including health care providers in Ontario, their agents, and companies that are service providers to them) should assess their compliance with PHIPA, and in particular, confirm that the ways in which they use personal health information for profit or other economic benefit are permitted under PHIPA.
What are Administrative Penalties?
Administrative penalties are a flexible and increasingly common regulatory compliance tool. They are monetary penalties that can be imposed on individuals or organizations in response to violations of statute, regulation or government orders (e.g., permits or licences). As an administrative rather that prosecutorial compliance tool, administrative penalties can be imposed directly by a regulator, such as the Privacy Commissioner. Unlike criminal or quasi-criminal fines, administrative penalties do not require prosecution by the crown and a finding of guilt before a court. Generally, administrative penalties are used where the violation is less serious; for example, where the violation does not meet the public interest test for criminal prosecution. As noted in the summary of the proposed regulations in Ontario’s Regulatory Registry, imposing an administrative penalty may reinforce compliance and motivate behavioural change.
Administrative penalties are a relatively new phenomenon in Canadian privacy law. Most provincial and territorial health privacy laws, and private-sector privacy law of general application, only set out fines that may be levied by a court for certain statutory privacy offences. However, the proposed federal Consumer Privacy Protection Act (CPPA) and recent amendments to Quebec’s Act respecting the protection of personal information in the private sector (Quebec Act) both contemplate administrative penalties, in addition to fines for statutory offences.
The administrative penalty regime under the Quebec Act will come into force in September 2023, after which date organizations may face monetary penalties up to the greater of $10 million or 2% of the organization’s gross global revenue in the preceding fiscal year for certain contraventions of the Act. The proposed CPPA which, if passed, would replace the federal Personal Information Protection and Electronic Documents Act, includes administrative monetary penalties up to the greater of $10 million or 3% of the organization’s gross global revenue in the preceding fiscal year for certain contraventions of the CPPA.
Administrative Penalties Under PHIPA
Purpose and Parameters
PHIPA currently allows the Privacy Commissioner to issue an order requiring a person to pay an administrative penalty for the purpose of encouraging compliance with PHIPA, or preventing a person from deriving, directly or indirectly, any economic benefit as a result of a contravention of PHIPA. The amount of the administrative penalty must reflect the purposes of the penalty, and be determined in accordance with the regulations.
The limitation period for the Privacy Commissioner to impose an administrative penalty is two years from the date that the Commissioner first became aware of the most recent contravention of PHIPA. An order by the Privacy Commissioner requiring a person to pay an administrative penalty must contain or be accompanied by a description of the contravention and set out the amount of the penalty to be paid and specify the time and manner of the payment. An individual or organization that is ordered to pay an administrative penalty may appeal the order to the Divisional Court (on a question of law) within 30 days.
Maximum Penalty Amounts
The proposed regulations state that the maximum amount of an administrative penalty may not exceed $50,000 for individuals and $500,000 for organizations, except that either amount may be increased by an amount equal to the economic benefit acquired by, or that accrued to, the person as a result of the contravention. If, for example, an organization that is subject to PHIPA used personal health information to market to individuals without their express consent (i.e., in contravention of PHIPA), any economic benefit the organization obtains from such marketing could be added to the total penalty amount.
The proposed regulations also set out the following criteria that the Privacy Commissioner must consider when determining the amount of an administrative penalty:
- The extent to which the contraventions deviate from the requirements of PHIPA or its regulations.
- The extent to which the person could have taken steps to prevent the contraventions.
- The extent of the harm or potential harm to others resulting from the contraventions.
- The extent to which the person tried to mitigate any harm or potential harm or took any other remedial action.
- The number of individuals, health information custodians and other persons affected by the contraventions.
- Whether the person notified the Privacy Commissioner and any individuals whose personal health information was affected by the contraventions.
- The extent to which the person derived or reasonably might have expected to derive, directly or indirectly, any economic benefit from the contraventions.
- Whether the person has previously contravened PHIPA or its regulations.
The Privacy Commissioner may also consider any other criteria that the Commissioner considers relevant.
In light of the above criteria, if an organization determines that it failed to comply with its obligations under PHIPA, it should consider whether remedial actions should be taken to mitigate any harm caused by its non-compliance, and whether it should notify the Privacy Commissioner and/or affected individuals – since both of these factors could reduce any administrative penalty amount payable.
Other Enforcement Mechanisms Under PHIPA
Administrative penalties are not the only enforcement mechanism available under PHIPA. PHIPA also provides for penalties for certain regulatory offences, up to $200,000 for an individual (or up to one year of imprisonment) and up to $1,000,000 for an organization. Unlike administrative penalties, where intent is not necessarily relevant, fines for offences may generally only be imposed in circumstances where a person is found guilty of willfully or knowingly contravening certain sections of PHIPA or its regulations.
The two enforcement mechanisms under PHIPA are not exclusive, so an administrative penalty could conceivably be combined with a penalty for an offence.
Public Consultation & Next Steps
The proposed regulations have been published in Ontario’s Regulatory Registry and the Ministry of Health is accepting public comments on them until July 25, 2023. The content, structure, form and wording of the proposed regulations may therefore change as a result of this consultation process.
Individuals and organizations who are subject to PHIPA, such as health care practitioners, operators of group practices, and hospitals – and also their agents and service providers – may soon face increased financial penalties for failure to comply with PHIPA. While prosecutions under PHIPA’s offences provision have been uncommon, it remains to be seen whether administrative penalties will become a more frequently used enforcement tool, given the relative ease with which they can be imposed (as compared to fines under PHIPA’s offences provisions).