On December 8, 2016, the Office of the Information and Privacy Commissioner for British Columbia (the "OIPC") issued its first ever Audit and Compliance Report following an audit of a private sector business. In Audit and Compliance Report P16- 01‒ Over-collected and Overexposed: Surveillance and Privacy Compliance in a Medical Clinic (the "Report"), the Commissioner determined that a medical clinic's use of video and audio surveillance was unauthorized and excessive. Concurrent with its release of the Report, the OIPC issued guidelines for implementing overt video surveillance (the "Guidelines"). Taken together, the Report and the Guidelines indicate that the OIPC takes a restrictive approach to video surveillance.
The Report
The audit of the medical clinic (the "Clinic") was undertaken as a result of a complaint made by a former employee about the Clinic's collection of the employee's personal information through both video and audio surveillance. The Clinic has eight video surveillance cameras located throughout the more public areas of the facility, including the lobby, hallways, back exits and workout room. These cameras collect the personal images of patients, employees, contractors, and others. Additionally, the camera in the lobby records audio of those in its proximity, including anyone who enters the Clinic.
The scope of investigation conducted by the OIPC was extensive. The auditors examined the Clinic's policies, practices and training programs. They also did an on- site inspection, an examination of the video and audio surveillance systems, and interviewed key Clinic staff.
One of the Report's key findings was that the Clinic was not authorized under British Columbia's private sector privacy legislation, the Personal Information Protection Act,
S.B.C. 2003, c. 63 ("PIPA"), to record the personal information of individuals through either video or audio surveillance because there wasn't enough evidence of safety or security issues to satisfy the Commissioner that such recordings would be reasonable or appropriate. Other key findings were that the Clinic was not in compliance with PIPA by both failing to get the consent necessary to collect the personal information of individuals and failing to properly protect and safeguard this personal information once it was collected. The Report also found that the Clinic did not have an effective privacy management program.
The Report made a number of recommendations, including that the Clinic immediately cease the collection of personal information through video and audio recordings, that the Clinic's privacy policies and procedures be updated, that privacy risk assessments be regularly conducted, that staff undergo regular privacy training, and that proper information storage, disposal, and security safeguards be implemented and maintained.
The Guidelines
The Guidelines were issued concurrently with the Report, and are intended to assist organizations in adhering to privacy laws and avoiding liability. The OIPC describes video surveillance as a "highly invasive technology" that should only be used as a last resort after less privacy invasive alternatives are exhausted. If the use of video surveillance is reasonable and authorized by the applicable privacy legislation, the OIPC suggests that organizations consider the following steps before the system is installed:
- Develop a surveillance policy
- Limit the time your surveillance is active
- Avoid unintended subjects
- Use adequate signage to notify the public
- Store any recorded images in a secure location
- Destroy recorded images when they are no longer needed
- Limit access to recorded images to authorized individuals
- Open access to your surveillance policy
- Consider right of access
- Periodically re-evaluate your need for video surveillance
If your organization is considering implementing audio or video surveillance of its employees, customers or the general public compliance with the above steps will be critical. We would be pleased to work with you on the implementation of video surveillance policies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
