under what I would call, for lack of knowledge of the terminology, my “health care account” — in other words, all of the payments to doctors, specialists, hospitals, labs, etc. paid out by Health PEI attached to my Health Card account for as long as records are available. Email to Health PEI May 26, 2011 – Day 1
submit a FOIPP (Freedom of Information and Protection of Privacy) request. Attached is the Access to Information form which you can complete and submit to our co-ordinator. Reply from Health PEI May 26, 2011 – Day 1
(PEI Health Card # XXXXXX). I’m interested in all ﬁnancial transactions related to doctors visits, hospital care, emergency room visits, lab tests, etc. with as much detail as available (date, amount, description, account, etc.). I would prefer the information in an open digital format, such as CSV or XML format. FOIPP Request
personal information and is therefore not ours to disclose. General information related to payments for physicians can be found in the Master Agreement between the Medical Society of PEI and the Government of PEI.” But no financial data…
the Minister to release the information I have requested: “the Minister may disclose information obtained in the administration of this Act, to the person who received the basic health services or to the legal representative or guardian of the person” and subsection 17(3) of the same act sets out the information that is authorized to be provided (emphasis mine): (a) basic health services provided; (b) the date on which the basic health services were provided; (c) the name and address of the person who provided the basic health services; (d) amounts paid under the plan; and (e) the person to whom payments were made from the plan. Sent more information… October 17, 2011 – Day 144
the data subject has consented to processing of his or her personal data. • the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. • The data subject shall have the right to withdraw his or her consent at any time.
breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority • When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
to obtain from the controller conﬁrmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: 1. the purposes of the processing; 2. the categories of personal data concerned; 3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; 4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; 5. the existence of the right to request from the controller rectiﬁcation or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; 6. the right to lodge a complaint with a supervisory authority; 7. where the personal data are not collected from the data subject, any available information as to their source; 8. the existence of automated decision-making, including proﬁling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the signiﬁcance and the envisaged consequences of such processing for the data subject.
right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: 1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; 2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; 3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); 4. the personal data have been unlawfully processed;
to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine- readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.