Whether you are an insurance company, hospital or patient, a medical information privacy case in Canada last month illustrates how important is the quality of an organisation’s compliance infrastructure and its response to any breach of such sensitive personal information.

In the Ontario case, a hospital reported to the privacy commissioner three separate medical information privacy breaches under that province’s version of Bermuda’s Personal Information Protection Act 2016. Each involved unauthorised access to a patient’s personal medical information by employees of the hospital who had, in the words of the privacy commissioner, “snooped” those records for non-work-related purposes.

The number of such distinct wrongful access incidents suffered by the hospital aroused the privacy commissioner’s concern that such surreptitious snooping might be systemic across the hospital’s staff so she agreed to hear the complaint against the hospital.

By comparison, under Pipa, all such medical information is defined as sensitive personal information which must be used only for the consented purposes for which it was collected by the retaining organisation.

It must be securely kept to a standard of “safeguard” from unauthorised access that must take into account the likelihood and severity of the harm threatened by any such unauthorised access or misuse, the sensitivity of such personal information and the context in which it is held.

A possible contextual consideration for any hospital is the reasonable patient expectation of confidentiality for such sensitive medical information.

The Ontario privacy commissioner considered whether the hospital had taken reasonable steps to protect the health information, which must include the implementation of administrative and technical measures or safeguards — including policies, procedures, practices, audits, training and awareness programmes.

She also undertook a thorough review, if not audit, of all the hospital’s privacy compliance infrastructure.

Because the hospital in that case had responded diligently when those breaches arose, had taken disciplinary measures against the perpetrators, had increased its staff training on those issues, and had otherwise diligently complied with the security and other measures required by Ontario’s health information protection statute, the Ontario privacy commissioner was “… satisfied that the hospital has adequately addressed the privacy concerns raised by the three breaches … a [conduct] review [of the hospital] is not warranted”.

Although Bermuda and Ontario have different health information privacy laws, they are very similar in their treatment of personal medical information. Certainly, such employee snooping would likely be a violation of Pipa’s medical information privacy protections.

The decisions of the Ontario privacy commissioner are in no way binding in Bermuda, but the case may be instructive about how important preparatory compliance measures can be.

Whether sensitive medical information is in the hands of your healthcare providers, a hospital or your insurance company, the preparatory quality of the organisation’s compliance infrastructure and the diligent nature of its responses to a breach incident may well influence and inform a determination as to whether an organisation has contributed to, or even enabled, such breaches to occur.

First Published In The Royal Gazette, Legally Speaking, May 2023

Locations

Bermuda

Services

Corporate, Regulatory Advice

Sectors

Privacy & Data Protection

Type

Insight

Share
X.com LinkedIn Email Save as PDF
More Publications
Appleby-Website-Bermuda2
30 Oct 2025

Changes to beneficial ownership regime

One of the most notable innovations in the Beneficial Ownership Act 2025, which was passed last mont...

Jarion Richardson
Brad Adderley
John Wasty
Jarion Richardson, Brad Adderley, John Wasty
Appleby-Website-Employment-and-Immigration
29 Oct 2025

Changes to Department of Immigration’s Work Permit Policy Are Here

It has been over ten years since Bermuda’s Department of Immigration released a policy with respec...

Anna Markiewicz
Anna Markiewicz
Appleby-Website-Corporate-Practice
28 Oct 2025

Updates on Hong Kong’s Uncertificated Securities Market Regime from an offshore perspective

Hong Kong’s uncertificated securities market ("USM”) initiative is scheduled to take effect in 2...

Judy Lee
Kelly Tang
Judy Lee, Kelly Tang
Website-Code-Bermuda-1
16 Oct 2025

Privacy issues in new beneficial ownership regime

Bermuda has passed the Beneficial Ownership Act 2025, a landmark reform that consolidates and simpli...

Jarion Richardson
Brad Adderley
John Wasty
Jarion Richardson, Brad Adderley, John Wasty
Regulatory Advice
10 Oct 2025

BMA requires greater operational resilience

Last month, the Bermuda Monetary Authority issued its code of conduct to bolster the resiliency of r...

Duncan Card
Richard Collis
Duncan Card, Richard Collis
Appleby-Website-Insurance-and-Reinsurance
1 Oct 2025

Private Cat Bonds and Casualty Sidecars Gaining Momentum in ILS Space

Following a particularly busy quarter for privately placed catastrophe bond transactions, this appea...

Brad Adderley
Brad Adderley
Technology and Innovation
25 Sep 2025

IT Enables Global Business Alignment

In Bermuda, many — if not most — of our international businesses are part of a multinational ent...

Duncan Card
Duncan Card
Appleby_preview_Bermuda_1
23 Sep 2025

Continuous Compliance: Building Confidence, Reducing Risk

Over the past decade, Bermuda businesses have faced a steady rise in regulatory and legal obligation...

Jarion Richardson
Jarion Richardson
Bermuda-1024x576-1
11 Sep 2025

A guide to selling your Bermuda home

Bermuda homeowners should protect their interests by enlisting expert advice when they decide to sel...

Neil Molyneux
Neil Molyneux
Bermuda-1024x576-1
10 Sep 2025

Discipline Now Key as Pressures on Reinsurers Mount

The reinsurance market is in a strong position after two years of profits and covering its cost of c...

Brad Adderley
Brad Adderley