March 2007 - Volume 2, Issue 3

1. Ontario Mandates Encryption of Identifiable Personal Health Information
2. Timing of the Fourth Phase of CSA Rules Announced
3. IT and Sustained Regulatory Compliance
4. CICA Supports Consideration of Environmental, Social and Governance Factors
5. Take the Fraud Quiz!
6. New Recycling Policy Added to OMPP



Ontario Mandates Encryption of Identifiable Personal Health Information

The Information and Privacy Commissioner of Ontario has ordered that Toronto’s SickKids Hospital immediately develop a number of policies to prevent the loss of electronic health records that contain sensitive, identifiable personal information.

The strongly-worded order results from an all-too-familiar scenario: a physician/researcher removed a notebook computer from the hospital to work from home. The notebook, which contained identifiable personal health information of some 2,900 of the hospital’s patients, was stolen from the doctor’s vehicle. The notebook was password-protected, but, beyond that, all the health records were available.

The order stipulates the following:

  • A policy be developed and implemented to prohibit the removal of identifiable personal health information in electronic form from hospital premises. If such information must be removed from the hospital, it must be encrypted.
  • A policy be developed for all “endpoint” electronic devices (including desktop and portable computers, as well as PDAs) that mandates that all personal health information stored on these devices be “de-identified” (i.e., stripped of data that can connect it to an individual) or encrypted.

Although the order technically applies only to SickKids, the Privacy Commissioner, Ann Cavoukian, made it very clear that all health information custodians must learn from SickKids’ experience, and institute such policies within their organizations.

For a link to the Privacy Commissioner’s news release, click here.

Information Technology PolicyPro contains numerous model policies and expert analysis dealing with data protection, physical and systems security, and network security. For more information, click here.




Timing of the Fourth Phase of CSA Rules Announced

The Canadian Securities Administrators have announced in Notice 52-317 that they will publish the proposed revisions to National Instrument 52-109 for comment by the end of March.

These revisions will constitute the “fourth phase” of the CSA’s internal control over financial reporting (ICOFR) certification process: the evaluation of the effectiveness of internal controls over financial reporting.

Just to refresh your memory of the four phases of this process:

  1. The first phase, which started in 2004, required the CEO and CFO to separately certify that, to the best of their knowledge, there were no material misstatements or omissions in the content of their quarterly and annual regulatory filings, and that the information fairly presented the results of their operations, cash flows and their financial condition.
  2. The second phase began in 2005, when annual certificates required a certification that the CEO and CFO had designed disclosure controls and procedures (DC&P) and evaluated their effectiveness to provide reasonable assurance that material information relating to the issuer, including its consolidated subsidiaries, was made known to them by others within those entities. This certification indicated that the CEO and CFO instituted controls that ensure their knowledge is complete.
  3. The third phase of the certification applies to the annual certificates for 2006, when the CEO and the CFO are required to state that they have designed internal control over financial reporting (ICOFR) to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP.
  4. And now the fourth phase of the certification process is imminent. It will require CEOs and CFOs to evaluate the operating effectiveness of ICOFR on an annual basis. This certification process is intended to apply to all Canadian reporting issuers, including venture issuers.

Notice 52-317 also clarifies the timing of the fourth phase. As it says: “To allow significant lead time for issuers to plan and implement efficiently the activities required to support the additional certifications and disclosure relating to internal control over financial reporting, we intend to propose that the requirements apply in respect of financial years ending on or after June 30, 2008.”

We will report on the details of the new rules in the next edition of the PolicyPro Bulletin.



IT and Sustained Regulatory Compliance

For public companies in Canada, effective internal controls over financial reporting are now the law. Private companies, too, have an audience of interested stakeholders, including investors, insurers, customers and suppliers, who are demanding evidence that the companies' stated results are valid.

In The Role of Information Technology in Achieving Sustained Regulatory Compliance, published in March 2006 by ITAC, the Information Technology Advisory Committee of the CICA, the authors argue that, because regulatory compliance requirements are here to stay, Canadian companies need to find a cost-effective way not just to comply with the rules on a once-a-year basis, but to build a sustained, continuous compliance process.

And because compliance is all about collecting and reporting information, much of the process is IT’s responsibility. An IT organization can build a sustained compliance process in three key ways:

  1. It can help the organization increase the reliability of its control activities, especially by increasing reliance on automated, rather than manual, controls.
  2. It can provide a reliable processing environment. In order to ensure this, IT management must focus on IT company-level controls, acquiring and developing systems, managing security, and managing IT operations.
  3. It can develop knowledge management solutions to monitor and document key business processes. Because certification requires evidence of the design and operating effectiveness of internal controls, this documentation is essential.

For a link to this interesting paper, click here.



CICA Supports Consideration of Environmental, Social and Governance Factors

In September (Volume I, Issue 6) we published an article about Corporate Social Responsibility, and in January (Volume II, Issue 1) an article about Canada’s Sustainable Business Strategy.

Our interest in these matters is a reflection of the greater attention that business leaders are paying to issues of environmental stewardship and sustainable development. And now, in a press release issued February 12, the Canadian Institute of Chartered Accountants (CICA) has announced that they support the recommendations made by the National Round Table on the Environment and the Economy (NRTEE) for more integration of environmental, social and governance considerations (ESG) into decision making in Canadian capital markets, and the inclusion of ESG information in corporate financial reporting.

For the full CICA press release, click here.



Take the Fraud Quiz!

March is Fraud Prevention Month, and to mark the occasion, we invite you to take the Online Fraud Quiz, at http://www.abcfraud.ca/.



New Recycling Policy Added to OMPP

Recycling programs are well established in many communities in Canada. Not only do these communities support recycling initiatives, like the ubiquitous blue box, their citizens are consistently exceeding the predicted recycling targets.

Unfortunately, this passion for recycling is not shared by everyone. On the residential front, people who live in single-family dwellings recycle much more than those who live in multi-family units. And many businesses, especially small businesses, are very slow to come on board.

But things are changing, and governments are, in some places, helping to spur businesses to recycle more. In Ontario, for example, the Waste Diversion Act (2002) requires many businesses that contribute recyclable materials to the residential waste stream to contribute money to the province’s residential blue box program. These companies, called stewards, must register with the province and self-assess their contribution. Non-compliance will result in penalties, including fines.

We are pleased to announce that policy OP 5.03–Recycling has been added to Operations and Marketing PolicyPro (OMPP). For more information about OMPP, click here.



About the PolicyPro Bulletin

Editor: Colin Braithwaite, Managing Editor – PolicyPro.

Please do not reply to this Email.

PolicyPro Bulletin is a complimentary service published by First Reference Inc. and is sent to you monthly. Each issue of the PolicyPro Bulletin provides headlines and summaries of news that affects internal controls and policies in Canada.

Please forward this Bulletin to your colleagues.

Please send any comments or suggestions about the PolicyPro Bulletin to editor@policypro.ca. For information about the PolicyPro Library, visit www.PolicyPro.ca. For information about First Reference and our HR-related products, visit www.firstreference.com. To read our Terms of Use, Disclaimer, Privacy Policy and other legal matters, visit PolicyPro.ca.

This publication is written for informational purposes only and should NOT be relied upon as legal advice or opinions. The reader should always obtain legal advice from a qualified lawyer or other qualified professional, which will be responsive to the case or circumstance of the individual. Please note that the content provided in this Bulletin or any content contained in or made available through any third party website linked to from this Bulletin, is provided "as is" without representations or warranties of any kind. All representations and warranties in respect of Content or Third Party Content, express or implied, including, without limitation any representations to warranties or conditions regarding accuracy, timeliness, completeness, non-infringement, merchantability or fitness for any particular purpose are hereby disclaimed.

PolicyPro Bulletin ISSN: 1718-5866 Copyright ©2007, First Reference Inc., All Rights Reserved.
