Megan Brister, Michelle Gordon, Alain Rocan, Miyo Yamashita


In 2012, Ontario will usher in a new era of transparency and oversight by including all public and private hospitals under the scope of the Freedom of Information and Protection of Privacy Act (FIPPA). On December 8, 2010, the Ontario government passed legislation to broaden the scope of FIPPA and designate hospitals as “institutions” under the act. This gives hospitals approximately one year to comply with FIPPA, the changes to which will be effective on January 1, 2012.

“In my 2004 Annual Report, I urged the Ontario government to compile and review institutions that are primarily funded by government but not yet covered by the Acts. One of the foundations underlying FOI is the principle that organizations that exist by virtue of public funding should be subject to public scrutiny through FOI laws. Now, the Ontario Hospital Association has asked the province to place Ontario hospitals under the act.”

—Commissioner Ann Cavoukian, 2009 Annual Report

FIPPA will apply to all records held or under the control of the hospitals. The act will apply retroactively to January 1, 2007. Under the amended FIPPA, the general public will have a right of access to hospital administration, financial and other records, unless the records are excluded from the right of access or subject to an exemption under FIPPA, as would be the case for patients’ personal health information.

Unlike the Personal Health Information Protection Act, which allows a person to access only records about him or herself, the right of access under FIPPA applies to records about every person. The newly revised legislation will allow anyone to access any record held or controlled by an institution on any issue, subject to the exclusions and exceptions set out in the act. A record may include any information concerning procurement, employees, strategic plans and budgets.

What do hospitals need to do to comply?

Hospitals will need to complete a number of operational tasks this year to ensure they are ready for their new obligations under FIPPA in 2012.

“A record number of Freedom of Information requests were filed across Ontario in 2010. A total of 38,903 requests were filed in 2010, eclipsing the previous record of 38,584, set in 2007. The spike in 2010 represented the first increase in FOI requests in three years.”

—Commissioner Ann Cavoukian, 2010 Annual Report

Conduct an inventory of records subject to FIPPA

Deloitte recommends that a hospital begin its FIPPA implementation by conducting an inventory of records that are subject to the act. Records are defined as any information, however recorded, and include correspondence (e.g. e-mails, faxes), notes and working copies of documents. The inventory of records enables a hospital to

  • identify which records are covered by FIPPA and which fall under the mandatory and discretionary exemptions listed in sections 12 through 23 of the act;
  • develop a Directory of Records, including a description of its Personal Information Banks, which makes publicly known the types of records that the hospital holds and enables individuals to better direct their requests for records, and
  • understand where records are located so that the hospital can respond to individuals within the required time limits (i.e. generally 30 days) to make records available or, if appropriate, deny access, cite the extraordinary circumstances that are causing the delay, or forward or transfer the request.

Appoint a freedom of information coordinator

Although the responsibilities for requests for access fall to the head of the institution (i.e. the chair of the board of a public hospital or superintendent of a private hospital), organizations typically appoint a freedom of information (FOI) coordinator or manager to ensure compliance with FIPPA. The FOI coordinator’s responsibilities will typically include

  • developing procedures to receive and manage requests for records and requests to correct personal information;
  • working with business areas to compile records to respond to requests;
  • providing notice to individuals to whom information in the record relates and managing any representations made by the individual concerning why the information may not be disclosed;
  • calculating and collecting fees;
  • training business areas on the FOI procedures;
  • communicating the process to request access to the public through, for example, the hospital’s website;
  • making routine disclosures (i.e. those records that may be disclosed without any internal consultation);
  • responding to appeals and liaising with the information and privacy commissioner of Ontario (IPC/Ontario) should an investigation occur, and
  • preparing the annual report that must be submitted to the IPC/Ontario.

The FOI coordinator will also need to evaluate requests to determine whether the request may be filled. This means determining if the records requested fall within the exemptions. Examples include records related to law enforcement proceedings; records that reveal a trade secret or scientific, technical, commercial, financial or labour relations information; records that would put the financial interest of the hospital or its staff at risk; records that could reasonably be expected to seriously threaten the safety or health of an individual, and records that are under solicitor-client privilege. When information falls under one of the exemptions, the FOI coordinator may also sever the record and provide only the information that is not exempt to the requestor.

Set up a FOI office to receive and respond to requests for records

Hospitals will need to set up an office to handle requests for information. In some cases, hospitals may choose to expand their health records department to address new access-to-information requirements or expand the function of the privacy office. The FOI office will

  • be the single point of contact for requests for information and investigations concerning requests for records;
  • maintain access to information policies and procedures and monitor compliance with those policies and procedures;
  • work with different areas of the hospital to locate and retrieve records;
  • determine how to respond to requests and liaise internally with business units or externally with experts to determine how to handle requests;
  • manage routine disclosures and provide information in an annual report to the IPC/Ontario, and
  • report to management on the operational effectiveness of access-to-information policies and procedures, nature and disposition of requests and any issues or investigations that may arise.

Make certain information publicly available

Under FIPPA, hospitals will be required to make certain information about the records they retain available to the public and to the ministry. Specifically, hospitals must

  • make a directory of records available to the ministry;
  • publish their personal information banks;
  • make manuals, instructions, directives, guidelines and program applications easily available to the public, and
  • make their annual report to the IPC/Ontario publicly available.

Prepare and submit an annual report

Hospitals will be required to prepare and submit an annual report each year to the IPC/Ontario. This report includes

  • a description of any inconsistent use of personal information;
  • number of requests for personal information and general records completed and the time it took to fill the requests;
  • number of notices of extension of time to fill a request issued;
  • number of notices issued to individuals to whom information in the record relates;
  • the disposition of each request (e.g. filled, withheld, severed, withdrawn, abandoned);
  • the exemptions that were applied to those requests that were not filled;
  • total additional fees collected or waived and the reasons for collecting or waiving, and
  • number of requests for correction received, processed, withdrawn and denied.

The IPC/Ontario will provide hospitals with an online statistical report tool to submit annual reports.

Evaluate the FOI program before the compliance deadline

Hospitals will need to review their FOI programs and ensure they meet all the requirements under the amended act before the January 1, 2012, compliance deadline. This means not only confirming that the hospital meets its new legal requirements but also testing processes to ensure that the hospital can respond in a timely manner to requests for information, including locating records, consulting internally and communicating with requestors.


The authors are from Deloitte. Megan Brister is senior manager of enterprise risk. Michelle Gordon is senior consultant, enterprise risk. Alain Rocan, CIPP/C, is associate partner of enterprise risk, and Miyo Yamashita is partner, enterprise risk.

