Megan Brister Michelle Gordon Alain Rocan Miyo Yamashita


In 2012, Ontario will usher in a new era of transparency and oversight by including all public and private hospitals under the scope of the Freedom of Information and Protection of Privacy Act (FIPPA). On December 8, 2010, the Ontario government passed legislation to broaden the scope of FIPPA and designate hospitals as “institutions” under the act. This gives hospitals approximately one year to comply with FIPPA, the changes to which will be effective on January 1, 2012.

“In my 2004 Annual Report, I urged the Ontario government to compile and review institutions that are primarily funded by government but not yet covered by the Acts. One of the foundations underlying FOI is the principle that organizations that exist by virtue of public funding should be subject to public scrutiny through FOI laws. Now, the Ontario Hospital Association has asked the province to place Ontario hospitals under the act.”

—Commissioner Ann Cavoukian, 2009 Annual Report

FIPPA will apply to all records held or under the control of the hospitals. The act will apply retroactively to January 1, 2007. Under the amended FIPPA, the general public will have a right of access to hospital administration, financial and other records, unless the records are excluded from the right of access or subject to an exemption under FIPPA, as would be the case for patients’ personal health information.

Unlike the Personal Health Information Protection Act, which allows a person to access only records about him or herself, the right of access under FIPPA applies to records about every person. The newly revised legislation will allow anyone to access any record held or controlled by an institution on any issue, subject to the exclusions and exceptions set out in the act. A record may include any information concerning procurement, employees, strategic plans and budgets.

What do hospitals need to do to comply?

Hospitals will need to complete a number of operational tasks this year to ensure they are ready for their new obligations under FIPPA in 2012.

“A record number of Freedom of Information requests were filed across Ontario in 2010. A total of 38,903 requests were filed in 2010, eclipsing the previous record of 38,584, set in 2007. The spike in 2010 represented the first increase in FOI requests in three years.”

—Commissioner Ann Cavoukian, 2010 Annual Report

Conduct an inventory of records subject to FIPPA

Deloitte recommends that a hospital begin its FIPPA implementation by conducting an inventory of records that are subject to the act. Records are defined as any information, however recorded, and include correspondence (e.g. e-mails, faxes), notes and working copies of documents. The inventory of records enables a hospital to

  • identify which records are covered by FIPPA and which fall under the mandatory and discretionary exemptions listed in sections 12 through 23 of the act;
  • develop a Directory of Records, including a description of its Personal Information Banks, which makes publicly known the types of records that the hospital holds and enables individuals to better direct their requests for records, and
  • understand where records are located so that the hospital can respond to individuals within the required time limits (i.e. generally 30 days) by making records available or, if appropriate, denying access, citing the extraordinary circumstances that are causing a delay, or forwarding or transferring the request.

Appoint a freedom of information coordinator

Although the responsibilities for requests for access fall to the head of the institution (i.e. the chair of the board of a public hospital or superintendent of a private hospital), organizations typically appoint a freedom of information (FOI) coordinator or manager to ensure compliance with FIPPA. The FOI coordinator’s responsibilities will typically include

  • developing procedures to receive and manage requests for records and requests to correct personal information;
  • working with business areas to compile records to respond to requests;
  • providing notice to individuals to whom information in the record relates and managing any representations made by the individual concerning why the information may not be disclosed;
  • calculating and collecting fees;
  • training business areas on the FOI procedures;
  • communicating the process to request access to the public through, for example, the hospital’s website;
  • making routine disclosures (i.e. those records that may be disclosed without any internal consultation);
  • responding to appeals and liaising with the Information and Privacy Commissioner of Ontario (IPC/Ontario) should an investigation occur, and
  • preparing the annual report that must be submitted to the IPC/Ontario.

The FOI coordinator will also need to evaluate requests to determine whether each request may be filled. This means determining whether the records requested fall within the exemptions. Examples of exempt records include records related to law enforcement proceedings; records that reveal a trade secret or scientific, technical, commercial, financial or labour relations information; records that would put the financial interest of the hospital or its staff at risk; records that could reasonably be expected to seriously threaten the safety or health of an individual, or records that are under solicitor-client privilege. When information falls under one of the exemptions, the FOI coordinator may also sever the record and provide the requestor with only the information that is not exempt.

Set up a FOI office to receive and respond to requests for records

Hospitals will need to set up an office to handle requests for information. In some cases, hospitals may choose to expand their health records department to address new access-to-information requirements or expand the function of the privacy office. The FOI office will

  • be the single point of contact for requests for information and investigations concerning requests for records;
  • maintain access to information policies and procedures and monitor compliance with those policies and procedures;
  • work with different areas of the hospital to locate and retrieve records;
  • determine how to respond to requests and liaise internally with business units or externally with experts to determine how to handle requests;
  • manage routine disclosures and provide information in an annual report to the IPC/Ontario, and
  • report to management on the operational effectiveness of access-to-information policies and procedures, nature and disposition of requests and any issues or investigations that may arise.

Make certain information publicly available

Under FIPPA, hospitals will be required to make certain information about the records they retain available to the public and to the ministry. Specifically, hospitals must

  • make a directory of records available to the ministry;
  • publish their personal information banks;
  • make manuals, instructions, directives, guidelines and program applications easily available to the public, and
  • make their annual report to the IPC/Ontario publicly available.

Prepare and submit an annual report

Hospitals will be required to prepare and submit an annual report each year to the IPC/Ontario. This report includes

  • a description of any inconsistent use of personal information;
  • the number of requests for personal information and general records completed and the time it took to fill the requests;
  • the number of notices of extension of time to fill a request issued;
  • the number of notices issued to individuals to whom information in the record relates;
  • the disposition of each request (e.g. filled, withheld, severed, withdrawn, abandoned);
  • the exemptions that were applied to those requests that were not filled;
  • total additional fees collected or waived and the reasons for collecting or waiving, and
  • the number of requests for correction received, processed, withdrawn and denied.

The IPC/Ontario will provide hospitals with an online statistical report tool to submit annual reports.

Evaluate the FOI program before the compliance deadline

Hospitals will need to review their FOI programs and ensure they meet all the requirements under the amended act before the January 1, 2012, compliance deadline. This means not only confirming that the hospital meets its new legal requirements but also testing processes to ensure that the hospital can respond in a timely manner to requests for information, including locating records, consulting internally and communicating with requestors.


The authors are from Deloitte. Megan Brister is senior manager of enterprise risk. Michelle Gordon is senior consultant, enterprise risk. Alain Rocan, CIPP/C, is associate partner of enterprise risk, and Miyo Yamashita is partner, enterprise risk.
