Case considered: Lycka v. Alberta (Information and Privacy Commissioner) and Jane Doe, 2009 ABQB 245
A Court of Queen’s Bench decision on April 20th to quash orders of the province’s Information and Privacy Commissioner (the Commissioner) should prove to be of little, if any, persuasive value outside of Alberta. However, in this province, it may be accorded weight – even precedential value since the decision has not been appealed – that it does not deserve. As a result of Lycka v. Alberta (Information and Privacy Commissioner) and Jane Doe, the name of a person who complains to the Commissioner of a breach of privacy must be disclosed to the party alleged to have committed the breach. Consequently, Alberta residents may be reluctant to bring forward complaints about privacy breaches, especially when physicians are on the other side.
The facts in Lycka are straightforward. The Applicant for judicial review of the Commissioner’s orders, Dr. Barry Lycka, is an Edmonton-based dermatologist. Dr. Lycka runs a clinic that offers patients consultative and diagnostic services – including biopsies – and both therapeutic and cosmetic surgeries as well. The clinic is run through the doctor’s professional corporation, Endermologie Centre Corporation (Endermologie), the operating arm of which is called Corona Rejuvenation Centre and Spa (Corona). Corona offers personal spa and esthetic services, and sells both cosmetic and therapeutic skin products. Dr. Lycka is also one of the founders of the Canadian Skin Cancer Foundation (the Foundation), which is a non-profit charity with its own Board of Directors, operating separately from the clinic and Corona. Among other things, the Foundation’s mandate is to raise awareness among people about ways to prevent skin cancer, and to educate physicians – through seminars and lectures – about ways to prevent and treat skin cancer.
Although the Foundation, Corona, and the clinic are separate entities, according to Dr. Lycka, many of his patients and/or clients of Corona have, over the years, indicated an interest in donating money to the Foundation. Therefore, because of these overlapping interests, information about the various services is periodically sent out to patients and clients. For the past few years, Dr. Lycka’s clinic maintained a database of patient information; i.e. names, phone numbers, gender, addresses, and services requested. Dr.Lycka maintained this database for mailing out information about the clinic, the spa, and the Foundation to his former patients and other interested members of the public. Clinic patients and clients of Corona were asked if they wanted to be included in the database, as were donors to the Foundation.
The privacy of patient health information, the maintenance of files and databases for such information, and the rules for collecting, using and disclosing health information are all regulated by the Health Information Act, R.S.A. 2000, c. H-5 (HIA). The protection of individual privacy and the rules for collecting, using and disclosing personal information for businesses, non-profit organizations and professional regulatory bodies are all regulated by the Personal Information Protection Act, R.S.A. 2003, c. P-6.5 (PIPA).
Before PIPA took effect on January 1, 2004 Dr. Lycka amended the forms used to collect basic demographic information so as to make them compatible with the new legislation. More specifically, these amendments were: i) the Patient History Form gives the choice to clinic patients as to whether they wish to be included in a database mailing list; ii) clinic patients receive consent forms for them to indicate whether they wish to receive information from the Foundation; iii) when people attend a Foundation-sponsored lecture or seminar, they are asked to indicate whether they wish to receive additional information and, if so, their names are included in the database mailing list; and iv) clients of Corona are asked if they would like to receive an informational newsletter. The database mailing list was subsequently updated, to allow information to be sorted by the organization through which the patient and/or client was registered, the date the contact information was entered into the database, and the date a request was made to remove the contact information from the database mailing list. Dr. Lycka’s staff received training in how to remove a person’s contact information from the database mailing list upon receiving a request for such a removal.
In early 2006, a decision was made to celebrate Dr. Lycka’s 50th birthday at an event at the Northern Alberta Jubilee Auditorium. Invitations to attend were mailed to Dr. Lycka’s friends, colleagues, patrons of the Foundation, clients of Corona, and patients past and present. Instead of gifts, patients were asked to consider making a financial contribution to the Foundation to enable it to continue its work with detecting and treating skin cancer. However, if a person decided not to donate, or could not make a donation, s/he could attend the event anyway; there was no fee to do so. Two of Dr. Lycka’s female patients, whose identities were not disclosed, complained to the Commissioner after receiving solicitations from Dr. Lycka and Corona even though they had earlier requested that their contact information be removed from the database mailing list.
This matter would seem to be rather prosaic and uncomplicated. Two patients had communicated to Dr. Lycka’s office that they did not wish to receive unsolicited information not directly related to their health care. They received such unsolicited information anyway. So, they complained to the Commissioner and the Commissioner looked to the legislation relevant to the matter. Two orders were duly issued under the HIA directing Dr. Lycka to do two things: i) submit a privacy impact assessment regarding the health information at issue, and ii) to cease collecting, using and disclosing such information for marketing and fundraising purposes. The Commissioner found that the information was “collected;” that upon such information being entered into a shared database, it was “disclosed;” and that in the compilation of a mass mailing list and subsequent mailing out of the information, the personal information of the two patients was “used.”
Furthermore, the Commissioner found that the HIA did not allow the collection or use of the patients’ information by a “custodian” (as the HIA defined the word) for marketing or fundraising purposes, even if individual consent were given. However, in fact, the Commissioner found that neither patient had consented to disclose her information; nor did Dr. Lycka’s consent forms comply with the requirements as set out in the HIA.
The Commissioner also made an order under PIPA against Endermolgie directing it to cease collecting and using personal information from the database for marketing purposes. The Commissioner found that Endermologie lacked authority under sections 14 and 17 of PIPA to collect and use personal information without consent and that, in any event, consent to use such information had not been obtained under s. 8(1) of PIPA. The Commissioner found that in choosing “No” on the Patient History Form, the complainants had opted out of the database and that, in any event, consent could only extend to the collection and use of personal information within the clinic for the purpose of providing health services, not for mailouts associated with marketing purposes.
In the application for judicial review of these orders, counsel for Dr. Lycka raised three issues:
1. What is the applicable standard of review?
2. Did the Privacy Commissioner breach the rules of natural justice and procedural fairness by refusing to disclose the identity of the complainants?
3. Did the Privacy Commissioner err in finding that the Health Information Act prohibits the collection and use of individually identifying health information, with consent, for the purposes of marketing and soliciting for fundraising?
In addressing the issues of standard of review and procedural fairness, Mr. Justice Gerald Verville was presented with the following judicial authorities: University of Alberta v. Alberta (Information and Privacy Commissioner), 2009 ABQB 112; Dunsmuir v. New Brunswick, [2008] 1.S.C.R. 190; and Stubicar v. Alberta (Office of the Information and Privacy Commissioner), 2008 ABCA 357. Counsel for the Commissioner argued that the decision not to disclose the names of the complainants was in fact a substantive matter, and that the important question was whether the two patients could be put at a disadvantage if Dr. Lycka knew their identities. Counsel for the Commissioner further argued that since this was a question of mixed fact and law, the standard of review analysis invited the standard of reasonableness. However, Mr. Justice Verville saw the non-disclosure of the names as going to the heart of procedural fairness and, as such, the applicable standard of review should be one of correctness.
There is persuasive judicial authority from Ontario courts to support the proposition that although a Privacy Commissioner cannot be regarded as an expert in interpreting statutes all and sundry, in regard to statutes relevant to the legislated mandate to protect privacy interests, the Commissioner can be regarded as an expert. (See John Doe v. Ontario (Information and Privacy Commissioner (1993), 106 D.L.R. (4th) Ont. Div. Ct. and Ontario (Minister of Health and Long-Term Care v. Ontario (Assistant Information and Privacy Commissioner) (2004), 73 O.R. (3d) 321 (C.A.)). There is judicial authority in Alberta that may be regarded as persuasive as well. As Ross, J. said in IMS Health Canada Limited v. Alberta (Information and Privacy Commissioner) 2008 ABQB 213 at paragraph 79: “But while the Commissioner is not expert in statutory interpretation in a general sense, he is expert in relation to this [the HIA] statute. A tribunal’s familiarity with a statute usually results in deference.” Finally, there is binding judicial authority from the Supreme Court of Canada that could be regarded as material and relevant. For example, the court in Pushpanathan v. Canada (Minister of Citizenship and Immigration), [1998] 1 S.C.R. 982 identified, as one of the factors that a court should consider in deciding whether to undertake judicial review over a tribunal’s decision, whether the issue is one that would be best decided by a specialized tribunal with expertise in the subject matter.
However, with regard to the degree of deference – or indeed, even whether deference should be accorded to the Commissioner at all – the judge in Lycka barely alluded to this. Counsel for Dr. Lycka had argued that the question as to whether the HIA prohibited the collection and use of personal identifying health information, even with individual consent, for marketing and fundraising purposes, was a matter of statutory interpretation. Mr. Justice Verville, evidently interested in going behind the Commissioner’s orders, agreed with this approach, and found that the standard of review with regard to the issue of procedural fairness was one of correctness, and then went on to find that Dr. Lycka’s ignorance of the names of the two patients somehow constituted such an egregious affront to procedural fairness that the doctor was effectively denied his right to a fair hearing before the Commissioner.
The obvious question in my mind is this: how would the names of the two patient-complainants be at all relevant in an analysis into whether Dr. Lycka’s clinic breached the rules regarding patient privacy? The Commissioner had all the evidence he needed to make his decision; i.e. the consent forms with the appropriate boxes duly ticked off to indicate that the patients did not want to receive any unsolicited fundraising or marketing information unrelated to their health care. Furthermore, this was not a case where anyone was alleging any breach of professional misconduct or any other serious impropriety that would result in disciplinary consequences for Dr. Lycka or his practice.
Unfortunately, since the Commissioner did not appeal this decision, only negative speculation is invited as to how this will impact the privacy interests of Albertans, especially in the health care setting.