BILL 35 – PHARMACEUTICAL SERVICES ACT

Collection, use and disclosure of personal information:

22  (1) The minister may collect personal information under this Act for one or more of the following purposes:

(c) for a prescribed purpose.

(2) The minister may use and disclose, inside Canada, personal information collected under subsection (1) for one or more of the following purposes:

(i) to conduct or facilitate research into health issues;

(k) for a prescribed purpose.

(3) The minister may disclose, outside Canada, personal information collected under subsection (1) for one or both of the following purposes:
(a) to conduct or facilitate research into health issues;

This act gives the government and their friends the right to use our information without our knowledge, much less our consent.

How will it be used? We don’t know. For example, as Vincent Gogolek of FIPA states, a prescribed purpose “could be anything”. He also believes that we should have the right to say NO to having our information shared even anonymously. So, in essence the politicians have given themselves, and their friends, the legal right to do whatever they want with our personal/medical information as opposed to doing it illegally as they have in the past.

Personally, if they want my information, I want answers to questions such as (for starters): who they are (name of research organization), what type of research they are doing, whether it is being done outside Canada, whether it is being done anonymously, and how the information is being protected (with proof). If they want my information they should be required to set up a webpage providing this information. Then I can decide if my information is being shared appropriately. I want them to be transparent so they can be held accountable. They don’t want to be transparent, and therefore accountable, which proves I do have reason to be concerned. Also I want to know what money, or other form of gain, is being exchanged, who pays and who receives.

I would also like more details. The Act is vague (do you know what it means to you?) and if the politicians can’t provide more specifics about what they mean then they don’t know what they are doing or they are trying to hide what they are doing.

Even the privacy commissioner, Elizabeth Denham, states: “In Bill 35, I have a concern about the broad and unfocused authority for the minister to collect and share personal health information under that act.” Again, it appears the politicians have ignored the privacy commissioner when implementing this act. It appears that, as usual, the privacy commissioner wasn’t even consulted.

According to the Vancouver Sun (a paper I never buy) “Hansen says sufficient safeguards are already in place to assure both the anonymity of records and to ensure they will only be released to responsible researchers.” We are not given the opportunity to determine if these researchers are responsible, only the politicians do that and we know how ethical they are. Also, see my next blog about the latest scandal on patient information being shared, apparently illegally, with researchers (which contradicts Colin Hansen’s statement of safeguards). As usual the politicians will ignore the evidence that our information is NOT being protected and just tell you what they want you to believe (brainwashing).

Our information can now go into other countries. What information is going into other countries? Whose laws apply to our information in this other country? Can our information be accessed under the U.S. Patriot Act? (I really don’t believe that all the information shared will be anonymous now any more than it has been in the past.)

The politicians would have you believe that all researchers are ethical and moral, but they are not. I don’t think that anyone who takes my information without my personal knowledge and consent has any ethics, morals or integrity. And pharmaceutical companies, one of (if not the) main funders of researchers, have been charged and convicted numerous times for various illegal acts. Not all research benefits society. In fact, some of it harms society.

Information has been shared with researchers in the past and is supposedly done so under specific circumstances. But as shown in the past, for example the Auditor General’s audit of the Vancouver Coastal Health database and the recent scandal, the rules aren’t followed. The hospitals just give the information and nothing is done to ensure that the information is properly used or protected. There are words on paper and there is reality.

Colin Hansen has been pushing to give our information to researchers while he was in the Liberal government and even now that he has left. I will be interested to hear where he gets his next job or directorship.

Again, if they have to take OUR information without our knowledge/consent, if they have to hide what they are doing with OUR information, then they are doing something wrong, something they don’t want you to know about.


WITHOUT TRANSPARENCY, THERE IS NO ACCOUNTABILITY

AND THERE IS NO DEMOCRACY


Sources:

– Bill 35 – Pharmaceutical Services Act

– FIPA – Piecemeal Repeal of FIPPA? – June 1, 2012

– The Hook – Drug Bill Includes Personal Information Grab: Advocate – Andrew MacLeod, April 30, 2012

– Vancouver Sun, Craig McInnes, May 3, 2012


WHAT/WHO ARE THEY SELLING?

There was an article in The Province (not a paper I buy) on Aug. 12, 2012. The article was by Geoff Plant, chairman of Providence Health Care, which operates St. Paul’s and other hospitals/clinics. I don’t know if this article was paid for by the taxpayers, but that’s another issue. 

In the article G. Plant extols the virtues of St. Paul’s (a very one-sided view) but what interested me was the statement that St. Paul’s brings in research dollars of $43 million from outside sources annually. So, what are the research companies buying — us?

Is St. Paul’s selling us?? We, of course, are not allowed to know.

Geoff Plant is a former Liberal attorney general and teaches at UBC (the university is involved in research with St. Paul’s). Interesting how it’s all connected by the same people.

But, it keeps coming back to the same issue. If everything is above-board, honest, ethical, moral, then why won’t they tell us who they are sharing our information with (names of companies/individuals and under what circumstances); why do they hide this information?

No transparency, no accountability. 


HOSPITAL EMPLOYEES’ UNION – CONTRACTING OUT

According to the Hospital Employees’ Union (HEU) website: “a plan by Lower Mainland health authorities to contract out all medical transcription services threatens to put the confidentiality and accuracy of patient records at risk. On Thursday, health authorities issued a request for proposals to contract out the work of more than 130 medical transcriptionists who work out of three hubs located in Vancouver, New Westminster and Abbotsford. HEU secretary-business manager Bonnie Pearson says the move will transfer control over the accuracy and confidentiality of sensitive patient records to a private contractor. ‘Health authorities have a responsibility to both patients and physicians to maintain close control over highly sensitive patient records,’ says Pearson. ‘This ill-thought out move by health employers comes with an unacceptably high degree of risk.’ Medical transcriptionists are responsible for transcribing physicians’ voice-recorded dictation of surgical procedures, consultations, patient histories, laboratory and diagnostic test results, and various reports.” www.heu.org/take-action-protect-your-medical-records
I have never had any indication that HEU gives a damn about patient privacy (this is a generalized statement about the organization, as I believe there are some individuals who do care). HEU is the organization that made sure its employees’ privacy was protected, but not the patients’. I also don’t recall them starting a “campaign” when the politicians and their friends took away patients’ rights to their own medical information. Nor do I recall hearing a peep out of them while, for over 10 years, the DNA of babies was being stored by a private contractor and shared without parents’ knowledge or consent; in fact, some of these HEU members would have been among the people who conveniently all decided that “the parents wouldn’t be interested” in knowing what was happening to their baby’s blood, etc. I only hear about their “concern” for patients when HEU jobs/working conditions are involved.
And to suggest that patient records are confidential, when so much evidence indicates otherwise, is just incredible hypocrisy. But, like the politicians and corporations that run the hospitals, they figure that if they say it often enough people will believe it or, at least, they won’t have to explain why it isn’t confidential (I would like to see their evidence that patient records are protected, not just hear the spin). I believe HEU really only cares about the jobs/working conditions of its members and the privacy angle is simply a means to that end.
Having said that, if what they say is true in terms of contracting out medical transcription, it probably will worsen an already bad situation. I was told that the contract will go to Accenture (I don’t know if this is true), a US corporation, which means it is subject to the US Patriot Act. This would be the Accenture that, I understand, did not have its contract renewed with BC Hydro.
I heard there will be a documentary on CTV on Sunday night. It will be interesting to see how much of it is about the patients and their loss of rights and privacy vs HEU and their self-interest.

THEMES COMMENTS

When I am in front of St. Paul’s I get some comments that run in themes. It’s as if some people get together and decide to make very similar comments all within a few days. The latest theme is “You can’t complain because it’s free”. The following are some of the “passer-by” comments and my comments are in brackets.

It’s free (no, the citizens pay for it)
They pay for it (I assume she meant the politicians, and no, we pay for it), but it comes from our taxes (which we pay)
They need it to pay for health-care (that would imply that they are selling our information which, I understand, is illegal)
Isn’t it great that in Canada you can complain about something that’s free (it isn’t free)

If one takes that line of thinking that it’s free, then we can’t complain if the roads are not repaired because they’re “free”; we cannot complain if the fire department does not go to fires because it’s “free”; we cannot complain if water doesn’t flow through pipes and through our taps because it’s “free”, and so on.

Then again maybe I’m wrong, maybe our health-care is free. Maybe we don’t pay a dime towards our health-care. In which case, would someone please explain why we pay taxes? Where does the money go? Who does pay for our health-care? Do the medical people work for free?

Then again, maybe I’m right and this is the best excuse “they” can come up with for illegally sharing our information and destroying our rights.
______________________________________________________
Here’s another comment that was quite bizarre (well, more bizarre than usual). A woman told me she worked in the pharmacy area of the hospital, that she had noticed changes over the last two years, and wasn’t that enough for my purposes. I asked her what changes had occurred and could she prove it. She refused to answer either question. It’s like being given a blank piece of paper and having someone tell you there is writing on the paper, so isn’t that good enough. Presumably, she operates on the premise that she said it, therefore it is. Isn’t that a god complex?

NEWBORN BLOOD SAMPLES

In BC, a lawsuit is now underway, after it was discovered that about 800,000 newborn blood samples, together with names and birth dates, had been stored on information cards since 1999, in a storage facility operated by a private contractor; and the blood samples had been shared with researchers – WITHOUT THE PARENTS’ KNOWLEDGE, MUCH LESS THEIR CONSENT. (1)

CONCERNS:
1. This is, in fact, a DNA database. “DNA is your personal signature, and it uniquely identifies us” (Jennifer Puck, University of California, San Francisco) (5)
2. These spots are being shared with researchers, without the parents knowing who the researchers are, who they work for, what kind of research they are doing, to whom they subcontract, etc.
3. Bill 11, passed on May 4, 2010, gives the Minister of Health power to collect, gather, use and share personal information without any notice to or consent from affected individuals. In other words, your personal information can be shared with governmental and law enforcement agencies, without notice or consent. The B.C. Civil Liberties Association (BCCLA) is trying to have this reversed. (7)
4. The information may be used to discriminate against the individuals by employers, banks, insurance companies, your child’s future spouse, etc. “You could make inferences about their future health, about their future behaviour, and if you got samples from their parents or a DNA databank, you can make inferences about family relationships.” (4)
5. The DNA also provides information on other family members (8)
6. The researchers/private companies may manipulate, alter or splice the DNA. (3)
7. The amount of information that can be obtained from DNA is expected to increase (8)
8. The genetic information could be used for unethical purposes such as human cloning,etc.(5)
9. De-identified blood samples are linked to personal information and you can trace the link. The blood samples are stored with a code number in one place that can be easily matched to names stored in another place. (4)
10. The blood samples and other information could be accessed by pharmaceutical and biotechnology companies, commercial companies who might bias or manipulate research findings. (10)
11. “The dark side is the commercial value of the human body. If the nature of the specifics of a given individual is available to the people searching for organ matches, the finding of a match might be someone who is not dead. Yet.” (Ultra Bob) (5)
12. How securely is access controlled, or is it like our hospitals, where audits have shown that almost anyone could access information? It has also been suggested that there isn’t any system, no matter how good, that can’t be abused, and “once it’s out there, it’s out there” (10). And it’s not just hackers that are a concern, but employees with, for example, a flash drive which can be plugged into a database system to download information.
13. Conflict of interest – “…Just look at the conflict of interest statement in any pharmacogenomics journal today and you will find that the head of each of the major studies and a select group of investigators, funded by public tax payers money from NIH, and YOUR DNA, are going to make huge profits from royalties and huge salaries these physicians-researchers earn because they control proprietary samples that are otherwise hard to come by. Just by tying a SNP to a treatment outcome or diagnostic outcome, there are big profits in the healthcare business to be made; with no real innovation! Hence, one wonders about the real motivation underlying collection of blood samples with consent and especially without consent – a cure or a profit!” (11)
14. Ownership – Who owns the specimens and anything created from the specimens. (10)
15. Cost – It apparently costs quite a lot to store the blood samples in the right climatic environment. Is this how you want our health care dollars spent? (3)

Medical people certainly had lots of opportunity to tell people and ask for their consent. They verbally explained why the “heel prick” (taking a newborn’s blood) was important for testing for diseases, they handed out pamphlets, and there was a website. But apparently not one person in the medical field, in over 800,000 births, mentioned that the children’s blood was being stored indefinitely and used by others. Apparently no one in the medical field thought people would be interested in knowing the bloodspots were being stored and shared (or so they say), despite the fact that this had become an issue worldwide. (2)

In 2002, the public forced South Carolina to pass a law regulating the collection, storage, and use of blood samples. (9)
In Texas a lawsuit was settled when the state agreed to destroy the stored blood spots. New legislation requires parental consent and allows parents to opt out and all projects must also be published on the agency’s newborn screening website. However, a second lawsuit has been filed because they (the plaintiffs) had not been told, during the first lawsuit, despite asking numerous times, that the blood spots had been sold, traded and bartered. (13)
Blood spot samples apparently were also sent to the U.S. Department of Defense and Homeland Security. The U.S. Department of Defense, who were using the blood samples to build an international database, reportedly destroyed the samples (of course, you never really know, do you???). (13)(6)

A Dublin hospital has stored the DNA of all the people born in the country since 1984, creating a database. This was done without the individual’s or parents knowledge, and apparently in contravention of the law; and despite having an ethics committee. (14)

Now that this issue about the children’s blood spots has been brought into the open by the public, the BC Newborn Screening Program has a notification on its website regarding storage. But, of course, it only mentions the positive and not the negative aspects of storing the blood samples. It allows parents to fill out and submit a form requesting the destruction of the blood spot (opt out), as opposed to being asked for their written permission to store/use the blood spot (opt in). It seems that the blood spot should not be stored unless the parent agrees to it being used by others.
What happens if your form gets “lost”? The medical/researcher people could say they never received it. It would be hard to prove them wrong. On the other hand, if they had to have a signed paper before storing/sharing the blood samples/name/DOB, then they would have to have the paper on file to prove they have a legal right to store/share the blood samples.

So what happens to everyone else’s health samples? For example, when you go for a physical or an operation and blood/tissue samples are taken, are they being stored somewhere? What else have the medical/political people decided we don’t need to know?

Some comments that I thought were particularly interesting:
Researcher | 10:11 a.m. Feb. 9, 2010
“I have worked in research for over 10 years. My job is to make sure that everyone obeys the law. When it comes to human research, the law is designed to protect the people who are the subject of research. Blood and tissue samples are your property even after they have been removed from your body, and researcher(s) can only do with them what they have gained your legal consent to do. That is the issue here. These researcher(s) do not have legal consent to do what they are doing. So many researchers feel like this is a hindrance. They would prefer to just be able to do whatever they want. They all think that what they are doing is for the greater good. If it is going to produce valuable results, it can and should be done legally. If you don’t think these regulations are necessary, do an internet search on the Nuremberg Code, the Tuskegee experiment, etc. Whether you care what happens to your child’s samples or not, it is in everyone’s best interest that researchers are forced to be accountable for what they do, and gain the proper consent.” (5) In BC, the politicians have taken the right to give legal consent, to decide what happens to your body parts, from you and given it to themselves.

“It’s fine and good to say these can’t be identified, but how real is that?” said Hank Greely, a Stanford University bioethicist. “Just because you don’t have a name or Social Security number doesn’t mean you can’t identify it. Once we start using DNA for more and more things like regular medical records, somebody could do a cross-check and say whose blood it is.” (12)
One: Telling people that their biospecimens are retained and used for important research, that strict privacy and confidentiality protections are in place, and that “we’re good stewards” of the biospecimens without providing accessible, clear information about those policies, fails to meet even minimum standards of transparency.
Two: Failure to acknowledge that public attitudes and values about consent, genetic research, and privacy/confidentiality may conflict with those of researchers and policymakers can lead to public distrust of biospecimen research and impede important research.
Three: Genuine public engagement in developing policies for biobanking initiatives takes time and resources. But the payoff – trust in the research enterprise and willingness to provide biospecimens – is worth the effort. (9)

IT’S YOUR DNA AND IT DOESN’T GET ANY MORE PERSONAL THAN THAT. (Michelle Salas)

1. The Globe & Mail, May 11, 2010, Jane Armstrong, Vancouver Parent Challenges Unauthorized Archiving Of Infant’s Genetic Blueprint
2. CBC News, May 12, 2010, Scott Applewhite, Storing B.C. Babies’ blood violates privacy: group
3. Infowars Ireland, February 8, 2010, Newborns’ DNA Routinely Harvested For Government Bio Banks
4. In the Media, February 26, 2009, Barbara Sowell, DNA Testing Without Parental Consent?
5. Deseret News, February 8, 2010, Lauran Neergaard, Blood tests of newborns stirring major ethics debate
6. American-Statesman, May 10,2010, Mary Ann Roser, State agency swaps babies’ blood for supplies
7. British Columbia Civil Liberties Association, May 12, 2010, New law may create largest DNA database in Canada
8. Statement of Claim filed with the Supreme Court of Canada, May 14, 2010, British Columbia Civil Liberties Association website www.bccla.org
9. The Hastings Centre Report, September 8, 2009, Karen J. Maschke, Disputes over Research with Residual Newborn Screening Blood Specimens
10. Exploring existing and deliberated community perspectives of newborn screening: informing the development of state and national policy standards in newborn screening and the use of dried blood spots; Ian Muchamore, Luke Morphett and Kristine Barlow-Stewart, December 13, 2006
11. The Scientist – Magazine of the Life Sciences, December 23, 2009, Consent issues nix blood samples, Anonymous poster – Non-Profit banking of DNA from blood for Profit
12. Washington Post, June 30, 2009, Rob Stein, Newborns’ Blood Samples Are Used for Research Without Parents’ Consent
13. Infowars Ireland, NaturalNews, February 20, 2010, Ethan A. Huff, Texas ordered to destroy five million blood samples illegally taken from babies without consent
14. Sunday Times, December 27, 2009, TJ McIntyre, “Is Temple Street Hospital Holding A De Facto National DNA Database?”

AUDITOR GENERAL – PARIS REPORT

The Auditor General and the Office of the Information and Privacy Commissioner of BC (OIPC) conducted independent audits of one database (called PARIS) of Vancouver Coastal Health Authority (VCH). I commend them, particularly the Auditor General, for finally exposing the truth (or at least a good part of it) — that our privacy within the health care system is virtually non-existent. I highly recommend that you read/skim the reports. Even if you don’t understand it all, it will give you an idea of how badly our privacy and rights have been violated.
http://www.oipc.bc.ca/orders/investigation_reports/InvestigationReportF10-02.pdf
http://www.bcauditor.com/pubs/2010/report7/paris-system-community-care-services-access-and-security

I will reiterate some of the findings from the audits, with a few comments of my own. Please note that PARIS is just one of eight core databases operated by VCH. Patients are referred to as clients.

Privacy Commissioner’s Audit:
– “One of the ethical obligations of every health professional is to protect the confidentiality of patient information. The assurance of privacy is essential for patients to be willing to engage in the frank communication with their health care providers that providers rely on to deliver quality care. Patients assume that their personal health information is kept confidential because it is such a well understood hallmark of the provider/patient relationship.” (pg. 5)
– “The protection of privacy is a fundamental value in modern democracies and is enshrined in ss. 7 and 8 of the Canadian Charter of Rights and Freedoms.” (pg. 5)
– “The following types of information are collected into PARIS: Names of clients, contact information of clients, personal health numbers of clients, allergies of clients, employment, funding or eligibility of funding, education, languages, case notes relating to treatment of clients, names of family members or friends of clients (known as “associated persons” in PARIS), contact information of associated persons, whether the associated person is receiving health care from VCH, financial information and social insurance numbers of clients.” (pg. 13)
– Information was illegally shared with other organizations. When the PCO pointed this out, the government just passed legislative amendments making it legal for VCH to share some of the information. (pg. 16) (pg. 27)
– The information provided to clients (pg. 16) by VCH was “incomplete”, in other words VCH wasn’t telling everything about what happened to personal information. You will find this to be a recurring tactic in the health care/government system. It appears that the premise is that the less we know, the less we will question, the more we will trust the system and the more they can hide. And, as you will see, there was/is a lot they didn’t/don’t want us to know.
And, not surprisingly, I didn’t find any reference to the audits on the VCH website.
– “VCH does not have a secondary use policy in place to ensure the conditions for the use of personal information for research are met.” (pg. 34) In other words, when giving research organizations personal information, VCH did not ensure that “high standards for privacy and security” were met. The Auditor General found that there was no follow-up to ensure that the information was used and disposed of appropriately.
– I found this information particularly interesting. “An important privacy principle is that individuals should have control over their own personal information to the maximum extent possible. One mechanism that provides an individual with the ability to control their personal information in an electronic system is a “masking” feature. This allows an individual to restrict access to personal information that is collected by the public body. In order for this option to be meaningful, the public body must inform individuals that the option is available; there should not be any barriers for the individual to exercise it; and the individual must be advised of the implications and have access to clinical advice. The ability of a client to mask their personal information is particularly important when its collection is mandatory.” “In PARIS, there is an Enhanced Information Security Client (“EIS”) flag feature in the system that enhances the ability of clients to control their own personal information in PARIS.” (pg. 35) However, the only people who could utilize the EIS were “staff or family member of a staff person, notable person, and clients who can demonstrate that the PARIS security model does not provide sufficient security.” It’s been my experience, through Providence Health Care, that VCH keeps its security arrangements, or lack thereof, secret, so how would anyone know if their information was secure, much less prove it? In essence, staff members and “notables” had rights; the rest of us didn’t.
– I had a doctor ask me why I was concerned about my privacy, after all I wasn’t important. I tried to explain that I thought I was a damn important person, just as important as anyone else. This was interpreted by the doctor as meaning that I thought I would be important in the future. The concept that I am important now, just as I am, with the same rights as anyone else, was beyond this doctor’s comprehension. This attitude seems to be pervasive in the medical system, and I suspect, all government.
– “Because of the large number, and serious nature, of the deficiencies in security, we have chosen not to elaborate on them in this report.” (pg. 37) The Auditor General’s report exposes these deficiencies (see below).
– “Archiving records is an effective means to minimize inappropriate access.” “We found that there was no archiving of records in PARIS.” (pg. 42)
– “In our view, the information that is provided to clients about their right to make access requests is inadequate in that it does not inform them about the process for making access requests, the possible scope of the request (e.g. audit logs), timelines, fees and where the request must be made. Improvements are needed to better inform clients about their access rights under FIPPA. With respect to an electronic health record system, clients should have access to the audit logs for their health record so that they are able to monitor disclosure of their own personal information.” (pg. 43)
– “there is so much access to client records that it is impossible to analyze the [audit] reports.” (pg. 51) Except, of course, for those privileged few using EIS.
– “It must be noted that many of the problems were not caused by PARIS, but instead were the result of human decisions in respect of how personal health information would be collected into, made available by and disclosed through the system, which is a human issue.” (pg. 53)
– “We found that VCH is routinely, and without legislative authority, disclosing identifiable data sets to other public and not-for-profit entities…” (pg. 54)
– For employees, “privacy training and education at VCH is inadequate.” (pg. 52) Actually, it appears to be almost non-existent.
Auditor General’s Report:
– “ Maintaining the confidentiality and integrity of individuals’ health care records is profoundly important. Failure by health care organizations to properly manage and safeguard this information could have serious consequences, from compromising an individual’s privacy to enabling identity theft or other fraudulent use of personal information to occur.” (pg. 1) ” If adequate controls are not in place, the results could be loss of individual privacy, corruption or manipulation of client information, medical identity theft, or system failure.” (pg. 5) Remember that this system has not been properly managed since its inception in 2001 and this probably applies to all health care information in other systems.
– “I undertook an assessment of a clinical information system used by the Vancouver Coastal Health Authority (VCHA)…In every key area we examined — from the management and assignment of user access to security controls within the health authority’s computing environment — we found serious weaknesses.” (pg. 1) (bolding is mine)
– “Because PARIS users are not granted access on a “need-to-know” basis, sensitive and confidential health care records were accessible to thousands of users who have neither the need nor the right to see the information. Security controls throughout the network and over the database were so inadequate that there was a high risk of external and internal attackers being able to access or extract information, without VCHA even being aware of it. Fundamental controls to prevent or detect unauthorized access to the system were lacking, and monitoring to determine what data exchanges occurred was also insufficient.” (pg. 1)
– “In several areas, the governance and direction that staff needed to build a secure environment were not in place. Staff were not provided guidance on security controls to mitigate risks. The organization did not have an IT security policy and basic security practices (such as building layers of defense within the system) were inadequate.” (pg. 1)
– “Due to the seriousness of the deficiencies, I delayed the publication of this audit report to allow sufficient time for VCHA to address the security vulnerabilities we identified, thereby ensuring that this report would not further expose the system to potential compromise. I have been satisfied with the responsiveness and significant effort that VCHA has put into addressing the most significant problems, in a relatively short time. Over the next months, my staff will continue monitoring the actions of the VCHA in addressing the remaining audit findings. Based on the conclusions of this audit and other work performed by my staff, some of the fundamental security weaknesses identified in this information system may be present to some degree in other government systems. The findings and recommendations reported here should therefore be of use to other organizations in the health industry, as well as in other sectors. Adequate security controls should be built into any system, and it is equally important to undertake regular reviews of critical systems to ensure that they remain sufficiently secure.” (pg. 2)
– “We have not published all the details of the findings and recommendations from the detailed management report, to avoid introducing additional security risks. We consolidated the most significant recommendations from the detailed management report into 10 key recommendations.” (pg. 6)

Recommendations (please go to the Auditor General’s Report for the complete version):
“Access is beyond “need-to-know” – Access granted to PARIS client records is excessive, with users in many cases having full, unmonitored access to all client records. (pg. 6)

System Security is Inadequate – Controls to detect and prevent external or internal attacks are not adequate. (pg. 7)

Security Policies are Lacking – The lack of a comprehensive security policy for PARIS has contributed to the absence of other fundamental security controls in the system and of the processes affecting the network, database, operating system and application security. The overall organizational security culture has not set the right tone for a secure environment. (pg. 7)

The database is not secure – Lack of proper database security controls means that errant data could be input, data could be corrupted, unauthorized viewing or data extraction could occur. There have been several irregularities, including connections made to the production database by non‑production servers; vendors having continuous database access; users gaining access to the database directly through unprotected roles; and support staff having access to powerful database privileges that should be restricted to database administrators. – (pg. 8)

Risk of data leakage – There are insufficient controls to ensure that client information stored on PARIS has been safeguarded from inappropriate disclosure for the personal or financial gain of insiders or external intruders. Logs are not monitored; traffic to the database is not restricted; information extracted from the database is not tracked; default passwords have not been changed; and the database management privileges are not properly restricted. – (pg. 8)

Monitoring is not Adequate – Inadequate visibility, logging, monitoring, analysis and management of audit trails could result in external or internal attacks going undetected. Most logs are not monitored, limited information is collected, and log management capabilities are insufficient for consolidating and analyzing the logs. (pg. 9)

Access Is Not Properly Maintained – Inadequate user ID and password management practices could put the system at risk of unauthorized and undetected access. (pg. 9)

Unsecure network access – Current system settings and practices do not restrict unsecure connections to be made into sensitive systems. Physical connections in meeting rooms allow non-VCHA computers to connect to the internal network and the Internet. Unaccounted-for laptops are able to connect to the internal network, remote access servers are allowing connections to bypass perimeter defences, and Virtual Private Network (VPN) users are granted too much access within the internal network. – (pg. 9)

Inadequate Traffic Control on the internal Network – Within the internal network, there are no access control mechanisms to restrict traffic to critical servers or to reduce the spread of viruses or malicious code throughout the network. (pg. 10)

Record management practices are lacking – No classification system or retention policies are in place to effectively guide or manage the removal or archiving of client records that are no longer relevant. These records therefore remain accessible and viewable in the system indefinitely.” – (pg. 10)
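The findings above on the database, data leakage and monitoring all come down to the same gap: the logs that would show a bulk extraction or an unexpected production database connection were either not collected or not looked at. As an added example (this is not code from the Auditor General’s report, VCHA or PARIS), here is the kind of detection a practitioner would run over an application access log and a database connection log. The log format, the users, the host addresses, the account names and the thresholds are all constructed assumptions for the example.

```python
"""
Added example, not from the Auditor General's report, VCHA or PARIS: two
detections of the kind that "logs are not monitored" and "information
extracted from the database is not tracked" call for.  Log format, users,
hosts, account names and thresholds are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse(line):
    """Parse one log line into a dict with a datetime under 'ts'; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return rec


def parse_all(lines):
    return [r for r in (parse(l) for l in lines) if r is not None]


def _constructed_app_log():
    """Constructed application access log: a nurse's normal use, one export,
    and a clerk who pages through 40 distinct client records in seven minutes."""
    lines = [
        "2010-01-12T09:01:10 user=nurse07 action=VIEW client=C1001",
        "2010-01-12T09:03:44 user=nurse07 action=VIEW client=C1002",
        "2010-01-12T09:05:01 user=nurse07 action=VIEW client=C1001",
        "2010-01-12T23:40:12 user=support03 action=EXPORT client=C3001",
    ]
    for i in range(40):
        lines.append(f"2010-01-12T09:{i // 6:02d}:{(i % 6) * 10:02d} "
                     f"user=clerk22 action=VIEW client=C{2000 + i}")
    return lines


APP_LOG_LINES = _constructed_app_log()

# Constructed connection log for the production database instance.
DB_LOG_LINES = [
    "2010-01-12T02:15:00 db=PARISPROD src=10.10.5.21 account=paris_app",
    "2010-01-12T02:16:00 db=PARISPROD src=10.10.9.77 account=vendor_support",
    "2010-01-12T02:20:00 db=PARISPROD src=10.10.7.3 account=paris_app",
    "2010-01-12T02:25:00 db=PARISPROD src=10.10.5.21 account=support_tmp",
]

# Assumed allowlists: only the application servers may open production
# connections, and only with the application or on-call DBA accounts.
PRODUCTION_APP_SERVERS = {"10.10.5.21", "10.10.5.22"}
APPROVED_DB_ACCOUNTS = {"paris_app", "dba_oncall"}


def bulk_access(events, window=timedelta(minutes=60), threshold=25):
    """Users who touched >= threshold distinct client records inside any
    sliding window of the given length; returns {user: peak distinct clients}."""
    per_user = defaultdict(list)
    for e in events:
        if e.get("action") in ("VIEW", "EXPORT"):
            per_user[e["user"]].append(e)
    alerts = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda ev: ev["ts"])
        in_window = defaultdict(int)   # client -> number of events inside the window
        left = peak = 0
        for e in evs:
            in_window[e["client"]] += 1
            while e["ts"] - evs[left]["ts"] > window:   # slide the left edge forward
                old = evs[left]["client"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[user] = peak
    return alerts


def unexpected_db_connections(events):
    """Production DB connections from hosts or accounts outside the allowlists."""
    findings = []
    for e in events:
        reasons = []
        if e["src"] not in PRODUCTION_APP_SERVERS:
            reasons.append("non-production source host")
        if e["account"] not in APPROVED_DB_ACCOUNTS:
            reasons.append("unapproved database account")
        if reasons:
            findings.append((e["ts"].isoformat(), e["src"], e["account"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    print(bulk_access(parse_all(APP_LOG_LINES)))
    for finding in unexpected_db_connections(parse_all(DB_LOG_LINES)):
        print(finding)
```

The sliding window matters: a clerk who looks up one record every few minutes all day is normal, while forty distinct records in seven minutes looks like someone paging through the database. The database check is deliberately an allowlist rather than a blocklist, because the audit found vendor and support accounts with standing access; anything not explicitly expected is reported.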

Additionally, on page 20 the report states: “We found that a comprehensive security policy for PARIS does not exist. Only a few security policies are in place, and some of those have only recently been established. In all of the IT areas we assessed, we found little guidance provided to IT support staff to tell them what security controls should be implemented.”
On page 22 the report states “Both IT and application support staff have full, unmonitored access to all information”, and “Open vendor accounts exist, allowing health care data to be copied even outside the VCH at any time.”
On page 24 the report states: “We found that some users with former employment or contractual relationships with the Vancouver Coastal Health Authority are still able to access the PARIS network and its resources.
– Processes are not always followed to remove or change a user’s access when his or her employment or contractual status changes.
– We found that hundreds of former users, both employees and contractors, still have access to resources through active application accounts, network accounts and Virtual Private Network accounts.
– Passwords for powerful, privileged IT support accounts have, in some cases, not been changed even though users who know the passwords have left the employment of the health authority.”
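The page 24 finding is a failure of the leaver half of the joiner/mover/leaver process, and it is one of the easier controls to check mechanically. As an added example (not code from the report or VCHA), here is a reconciliation that compares an HR roster against application, network and VPN account lists and against a register of shared privileged accounts, and reports what should have been disabled or rotated. The people, systems, dates and account names are constructed sample data.

```python
"""
Added example, not from the Auditor General's report or VCHA: a leaver
reconciliation of the kind the page-24 finding calls for.  It compares an HR
roster with application, network and VPN account lists and with a register
of shared privileged accounts.  All names, systems and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Person:
    person_id: str
    name: str
    relationship: str         # "employee" or "contractor"
    end_date: Optional[date]  # None means still engaged


@dataclass(frozen=True)
class Account:
    system: str               # e.g. "PARIS", "AD", "VPN" (assumed names)
    username: str
    owner_id: str             # person_id the account was issued to
    enabled: bool


@dataclass(frozen=True)
class SharedPrivilegedAccount:
    name: str
    knowers: FrozenSet[str]   # person_ids who have been given the password
    last_rotated: date


# Constructed sample data.
ROSTER = [
    Person("p1", "Alice", "employee", None),
    Person("p2", "Bob", "contractor", date(2009, 6, 30)),
    Person("p3", "Carol", "employee", date(2009, 11, 15)),
]
ACCOUNTS = [
    Account("PARIS", "alice", "p1", True),
    Account("PARIS", "bob", "p2", True),
    Account("AD", "bob", "p2", True),
    Account("VPN", "bob", "p2", False),      # already disabled: not reported
    Account("AD", "carol", "p3", True),
    Account("PARIS", "carol", "p3", False),
    Account("VPN", "vendor1", "v9", True),   # no HR record at all
]
SHARED = [
    SharedPrivilegedAccount("paris_dba", frozenset({"p1", "p3"}), date(2008, 1, 10)),
    SharedPrivilegedAccount("backup_svc", frozenset({"p1"}), date(2009, 1, 1)),
]
AS_OF = date(2010, 1, 31)


def _departed(person, as_of):
    return person.end_date is not None and person.end_date <= as_of


def orphaned_accounts(roster, accounts, as_of):
    """Enabled accounts whose owner has left, or whom HR does not know at all."""
    by_id = {p.person_id: p for p in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        owner = by_id.get(acct.owner_id)
        if owner is None:
            findings.append((acct.system, acct.username, "no HR record"))
        elif _departed(owner, as_of):
            findings.append((acct.system, acct.username,
                             f"{owner.relationship} left {owner.end_date.isoformat()}"))
    return sorted(findings)


def stale_shared_passwords(roster, shared, as_of):
    """Shared privileged accounts whose password was not rotated after the
    departure of someone who knows it (the rotation must postdate the last day)."""
    by_id = {p.person_id: p for p in roster}
    findings = []
    for acct in shared:
        departed_knowers = sorted(
            by_id[k].name for k in acct.knowers
            if k in by_id and _departed(by_id[k], as_of)
            and acct.last_rotated <= by_id[k].end_date)
        if departed_knowers:
            findings.append((acct.name, departed_knowers))
    return sorted(findings)


if __name__ == "__main__":
    for f in orphaned_accounts(ROSTER, ACCOUNTS, AS_OF):
        print("disable:", *f)
    for f in stale_shared_passwords(ROSTER, SHARED, AS_OF):
        print("rotate:", *f)
```

An account with no HR record at all (the vendor account here) is reported separately, because the report also found vendors with continuous database access; an account nobody owns cannot be reviewed when anybody leaves. Running this daily and treating every line of output as a ticket is the control the audit found missing.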

After reading this – major deficiencies in every area, 127 recommendations by the Auditor General, you really need to read VCH’s response on pg. 11. I think this is symptomatic of the system – the creation of an illusion. Some quotes from Dr. David Ostrow, President and Chief Executive Officer:
“We also know that safeguarding that information is crucial — not just to comply with legislation, but to build confidence and trust in those we serve.
VCH believes that PARIS has served our community patients and clients well without any demonstrated risk to safety.
As you are aware, VCH has always placed a strong emphasis on the protection and confidentiality of patient/client information.
VCH acknowledges it cannot become complacent in the areas of security, confidentiality and protection of privacy.”

I really think this guy wants an award. There is no apology, no recognition of the damage done. Quite the opposite, he just wants to blow it off, an “oh well, no harm done” and “aren’t we wonderful” attitude, as if his words still had value. Major deficiencies in every area, virtually open access to all our information, but he says that “VCH has always placed a strong emphasis on the protection and confidentiality of patient/client information.” A complete disconnect between words and actions, to put it politely. Really, how disgusting, how reprehensible.
As one woman, who came up to speak to me at St. Paul’s, pointed out, even if the security was made perfect today (won’t happen) all our information up to today is “out there”. We don’t know who has it, how it’s being used, or when it will be used against us. Actually, some people I have spoken to have already run into problems.
Dr. Ostrow’s kind of statements I think of as propaganda/brainwashing. If you say something often enough, no matter how far it is from the truth, people will start to believe it. It is the difference between words and actions. It is a recurring tactic in the government system.
The medical/government system has lost and does not deserve our trust. In my opinion, they have lied, manipulated and conned about the status of our personal/medical information. In fact, it appears that our personal/medical information has never been protected, at least since they started using computers, and probably before then.
When I filed my complaint with the OIPC 6 years ago, I was told that the hospitals had never taken steps to determine if they were in compliance with the Privacy Act. So, to the best of my knowledge, this is the first audit that has been done since the Privacy Act came into effect in 1993. So, it took them 15 years to do one audit.

To add insult to injury, I still have people, who say they work at St. Paul’s, tell me that the system is good. One person said that at meetings they are told to “ssh”, they aren’t supposed to say certain things that are private. Presumably I am supposed to believe that our information is safe because they have a “ssh” policy (at least at meetings). This is someone who works in the system and who, therefore, must have a good idea of the lack of privacy.
As pointed out by the Auditor General, the systems will evolve to meet changing needs, and “Any computing environment has risks that must be constantly addressed and managed.” If the medical system has such a complete lack of concern on security issues now, how can we trust that, even if forced to meet minimum standards today, they will do what is required to meet future minimum security standards? And again I reiterate, only one core database in one health authority has been audited.
“They [VCH] have told us that the most significant deficiencies identified have been fixed.” (pg. 6 – Auditor General) First of all we cannot trust the VCH to tell the truth. Have they fixed the major deficiencies? We don’t really know because it has not been checked by an independent source and VCH has repeatedly lied to us about the security of the system.
The OIPC and Auditor General offer “recommendations”. They will monitor VCH over the next year to see if VCH implements the “recommendations”. Again, I assume they will rely on VCH’s “word”. Will we be told if VCH doesn’t implement some of the recommendations? Quite honestly I doubt it.
The rest of the medical system is presumed to be as bad or worse. Who is going to ensure that they are “fixed”?
While I commend the Auditor General on the audit, I want to point out that I take exception to a statement by the Auditor General that “security is not the main focus of the health care system”, implying that it is understandable that they made these horrendous errors. People walking or driving don’t have the traffic laws as their main focus, but will be fined and even jailed if they break the laws. Most people’s main focus is earning an income, not paying taxes. Yet, they will be fined and even jailed if they break the tax laws. VCH will not be fined (of course they would pay with our money anyway), no one lost their job, was disciplined or was charged. These people who have been violating our rights for years will not be punished in any way. That’s how much our rights matter.
When there is no trust, it leads one to wonder if some of the information collected illegally was done so because people, who had illegal access to our information, wanted it that way. Are tests, not necessary to the patient’s health care, being done for other purposes? Etcetera.
Also, has anyone heard from the doctors or nurses, etc. or their associations or unions? Have you heard of any of these standing up and saying this is wrong and needs to be fixed? I haven’t, with the exception of a report, from the doctor’s association, outlining their concern regarding the central health database, and I don’t believe it addressed the essentially non-existent security in the medical system. I have had some doctors, etc. come to me and tell me that I’m wrong, that our information is safe. But I have also had doctors, etc. tell me, quietly, that I was right. One doctor told me that the loss of information from the hospitals wasn’t a leak but a flood. So true. But the reality is that one person, such as myself, shouldn’t have to spend 5 years, and counting, standing in the streets, bringing this to people’s attention, taking all the abuse, when so many people knew the truth.

Suggestions:
Please note that I hope these suggestions are just the start of an open discussion by the people of this province on how best to make the medical system, and the protection of our information, more transparent and accountable to us (ie. all the people).

1. We need to have the medical system continually monitored
2. We need someone who is independent of the government to continually monitor the health system. PCO calls itself independent but when the privacy commissioner is appointed by the politicians and your career advancement is dependent on the politicians, you are not independent. In addition, PCO has to stick to looking at what is legal, what is allowed under legislation. We need someone who can look past that, to what should be made legal, or what legal rights should be revoked, and what other methods/systems could be used to accomplish the same purpose (ex. sharing information) that would not impact our privacy.
3. I am concerned with the frequent reference in the OIPC report that if the hospitals want to share information, just have yourself designated as a health information bank under the E-Health Act, which legally allows sharing. I think this needs to be reviewed.
4. Possibly this person(s), group(s) could be elected. I would suggest we have more than one person/group reviewing different hospitals or they could alternate health authorities so a person (group) does not become embedded. Their findings could be put on a website and/or they could hold public forums to hear people’s concerns and experiences.
And for those of you who would like to accuse me of doing what I do for reasons other than “protecting my rights”, I would not be the slightest bit interested in auditing the hospitals. And my word has value.
5. We should know about any person/group who is looking into privacy issues in the health care sector, who they are, who pays them, and the scope of their mandate. They should not be allowed to hide in the shadows.

6. Information should be shown on a website and/or other means, accessible by the public, sufficient to allow the public to know who has access to their information and under what circumstances. For example, The OIPC has recommended a role-based access control system. “role-based access control (is) capable of mapping each user to one or more roles, and each role to one or more system functions.” (pg. 20). This mapping could be provided to the public.
7. The public should be told, via a website and/or other means, what information is being provided to what research organization for what research. If everything is above board, then there is no need for all the secrecy. The general topic of the research would probably be sufficient.
8. As recommended by the OIPC, people should be informed what to do to mask their personal information.
9. As recommended by the OIPC, “clients should receive a copy of audit logs automatically” (pg. 42). Plus, there shouldn’t be roadblocks to a patient accessing their medical information. One of the most frequent complaints I hear, when I am outside St. Paul’s, is how difficult it is to get access to their own information. Interesting isn’t it, when everyone else has access. I also think of this as a tactic to make it appear that the front door is locked tight so people wouldn’t notice that the back door is wide open.
10. One central committee should prepare the forms for the health authorities. This would help to ensure that all forms ask legal questions, are easy to update and audit, and would save taxpayers a lot of money by reducing redundancy.
11. Efforts should be made to determine who has illegally collected our information, and have it deleted, after informing the “client”. A law should be passed which states that anyone having and using patient information, unless directly related to patient care, will be severely punished. But I don’t know what you do about the information that has gone out of Canada.
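Suggestions 6 and 9 above are concrete enough to show in code. The OIPC’s phrase, role-based access control that maps “each user to one or more roles, and each role to one or more system functions”, is a data structure, and the published mapping the suggestion asks for is just that structure printed out. As an added example (not code from the OIPC report, VCHA or PARIS), here is a small access check in that shape, extended with a need-to-know rule so that holding a role does not by itself open every client record (the “access is beyond need-to-know” finding), with every decision logged and a per-client view of that log of the kind suggestion 9 would send to the patient. The roles, functions, users and client identifiers are constructed assumptions.

```python
"""
Added example, not from the OIPC report, VCHA or PARIS: role-based access
control in the shape the OIPC describes (users -> roles -> system functions),
plus a need-to-know rule, an audit record for every decision, and a per-client
extract of that audit trail.  Roles, functions, users and client identifiers
are constructed assumptions.
"""
from datetime import datetime

# Each role maps to the system functions it may call.
ROLE_FUNCTIONS = {
    "community_nurse": {"view_client", "update_clinical_notes"},
    "intake_clerk": {"view_demographics", "create_client"},
    "it_support": {"reset_password", "view_audit_log"},
    "dba": {"manage_schema"},
}

# Each user maps to one or more roles.  it_support has no client-record
# function at all: the audit's "IT and application support staff have full,
# unmonitored access to all information" is exactly what this mapping refuses.
USER_ROLES = {
    "nurse07": {"community_nurse"},
    "clerk22": {"intake_clerk"},
    "support03": {"it_support"},
}

# Functions that touch a specific client record additionally require a care
# relationship (need-to-know) or an explicit, logged break-glass reason.
CLIENT_SCOPED = {"view_client", "update_clinical_notes", "view_demographics"}
CASELOAD = {"nurse07": {"C1001", "C1002"}}   # assumed care relationships

AUDIT_LOG = []   # every decision, allowed or denied, is recorded here


def permitted_functions(user):
    """Union of the functions granted by all of the user's roles."""
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in USER_ROLES.get(user, set())))


def public_role_map():
    """The role -> functions mapping in a form that could be published."""
    return [(role, sorted(funcs)) for role, funcs in sorted(ROLE_FUNCTIONS.items())]


def authorize(user, function, client_id=None, break_glass_reason=None, now=None):
    """Return (decision, audit_record).  Decisions are 'allow',
    'allow:break-glass', 'deny:no-role' or 'deny:no-care-relationship'."""
    if function in permitted_functions(user):
        if function not in CLIENT_SCOPED:
            decision = "allow"
        elif client_id in CASELOAD.get(user, set()):
            decision = "allow"
        elif break_glass_reason:
            decision = "allow:break-glass"     # allowed, but conspicuously logged
        else:
            decision = "deny:no-care-relationship"
    else:
        decision = "deny:no-role"
    record = {
        "ts": (now or datetime.now()).isoformat(),
        "user": user, "function": function, "client": client_id,
        "decision": decision, "reason": break_glass_reason,
    }
    AUDIT_LOG.append(record)
    return decision, record


def client_audit_trail(client_id):
    """Successful accesses to one client's record: what that client could be sent."""
    return [r for r in AUDIT_LOG
            if r["client"] == client_id and r["decision"].startswith("allow")]


if __name__ == "__main__":
    for role, funcs in public_role_map():
        print(role, "->", ", ".join(funcs))
    print(authorize("nurse07", "view_client", "C1001")[0])
    print(authorize("support03", "view_client", "C1001")[0])
    print(authorize("nurse07", "view_client", "C9999", break_glass_reason="transfer from ER")[0])
    print(client_audit_trail("C9999"))
```

Two design points. The role check alone is not enough for health records, because a nurse legitimately holds the view function yet has no business in the records of clients she is not treating; the caseload check is what turns “has the role” into “needs to know”. And break-glass is permitted rather than forbidden, because emergency care cannot wait for an administrator, but it is the one decision that should be reviewed by a person afterwards, which is why the reason is stored on the record.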
The medical system has lost all right to be trusted. I now operate on the basis that if they can’t prove, it isn’t true.
And, in the medical system, the only safe information is that which isn’t given or is false.

 

HEALTH CARE IS NOT A GIFT

People have said to me that we should be grateful for our health care system and not complain because other people don’t have as good a health system. They speak as if this is a gift from the hospitals. It isn’t. The people of this province and this country, in their wisdom, chose this system. The citizens of Canada pay for this system because they want every person who needs health care to have access to it. This health system belongs to the people. The medical system, and the people who work in the medical system, work for the people of British Columbia and Canada. If the people who fund the system want to know where their information is going, why won’t the people we employ provide it?

Tracey Tyler wrote in the Star, Jan. 14, 2009, of a court ruling in Ontario (in this case regarding the Toronto Police Services Board) that required “municipal government institutions to produce any electronically stored information the public has a right to see, even if it requires using new technical expertise to develop new software”. So, if the police are required to provide information that the public “has a right to see”, why aren’t the hospitals?

 

PRIVACY ACT REVIEW

The government has decided to review the Privacy Act for the 3rd time. The committee reviewing the Act is composed entirely of politicians. Needless to say, I don’t have high hopes for any beneficial outcomes (for the general public).

Even if the politicians actually did make a beneficial change, what do we gain? If you don’t implement the Privacy Act, it is nothing but useless writing on paper. As we have seen, the government seems to be one of the worst organizations for ignoring the Act. When I first asked questions about privacy at the hospitals, the hospitals had not brought themselves into conformity with the Act, even though the Privacy Act had been in effect for 13 years. When I made phone calls to the hospitals inquiring about the Privacy Act, the people I spoke to had no idea what I was talking about. I was asked what I meant by the Privacy Act, what was the Privacy Act, what is a Privacy officer, etc. These were front line people dealing with the public. So, if after 13 years, hospital staff had no idea what the Privacy Act was, how could they be expected to implement it, to protect our privacy?

Have you walked into a retail store, or an insurance office, etc. and been asked questions? If you ask them why they need this information, do you get a straightforward answer, as is your right under the Privacy Act? Or, do you get answers such as “the computer needs it”, “everyone asks these questions”, “I don’t know so just answer it otherwise I won’t sell you the product”? In most cases, you have to be very persistent to get a real answer; in some cases even that doesn’t work. Most people (general public) aren’t that knowledgeable regarding the Privacy Act and/or assertive. And those who are, I suspect, often get tired of the fight or, like me, just try to minimize buying anything new. So, the end result is that people’s privacy rights are not respected or protected because the Privacy Act is, for the most part, not enforced.

I find it ironic that the politicians will be commemorating Remembrance Day, commemorating the people who fought and died for our rights (including our right to privacy), while they make a mockery of those rights.

I continue to receive threats, some subtle and some not so subtle, while handing out information in front of St. Paul’s.  For example, I was told that if I came back again I would be given something to be really concerned about (I have been back since).  I was told by another person that people who do what I do (peacefully exercise my democratic right to hand out information) “often go missing”.  I will not be out as much during the winter months but if I am not in front of St. Paul’s for any length of time — I may have gone missing. This is our democracy.

 

SECURITY GUARDS AT ST. PAUL’S HOSPITAL

Today, as I stood outside St Paul’s handing out information, I was approached by two of their security guards, two big guys, who stood in front of me and told me that I was on public property and did I have a permit. Believe me, this was not said nicely; it was said in a tone and manner that I felt to be very threatening. One guy told the other to contact ? (I didn’t catch who they were phoning), as far as I knew it was the police, although I wish they had been called. I was very confused because I knew that I didn’t need a permit. I thought they meant that I was not allowed to have my things on St. Paul’s property so I moved my papers and petition off the ledge and put them on the sidewalk and said “I am on public property, now get the hell out of my face”. They did not move, they didn’t explain what they were doing, just continued with their phone call and I felt as if I was about to be thrown in jail or charged with some crime although I had no idea what that would be.

A few minutes later they walked up the street and talked to someone. This person then walked towards me and told me that he had explained to the security guards that I was on public property and that I had a right to be there, and they didn’t know that. It would appear that he was their supervisor, although he never introduced himself. He did have the courtesy to apologize but then said “no harm done”. Well, there was harm done. When you threaten someone, when you treat them like a criminal, when you demand information you have no right to demand, especially when the person has done nothing wrong, there is harm done. And I am sure the people walking by thought I had done something wrong by the way I was being treated.

The three boys made a rapid retreat into St. Paul’s Hospital.

 

CHANGING THE WORLD

A woman came up to me and claimed that she worked in a hospital (not St. Paul’s) and said that everything was corrupt so why was I worried about the hospitals. I find it sad that someone, and I’m sure there are others, believes that everything in our society is corrupt. Have we really reached that stage? But, whether you believe that “everything” is corrupt or if you believe that just some things need to be fixed, rather than give up, is it not better to strive to change things?

She also said that I cannot change the world.  I don’t think I’m trying to change the world, only a very small part of it.  But on the other hand, yes I can change the world by doing something positive.  I can do one small thing, even if it’s just raising awareness, and someone else can do one small thing and so on and change will occur.