On December 13, 2018, the Office of the Information and Privacy Commissioner/Ontario was contacted by a media outlet who advised that the Toronto Cosmetic Surgery Institute (the Clinic) was using surveillance cameras in its examination rooms. This led to an investigation by this office of the Clinic’s practices with respect to its cameras. This decision concludes that the Clinic’s blanket use of surveillance cameras contravened the Personal Health Information Protection Act, 2004. However, in light of the steps taken by the Clinic to amend these practices, this decision finds that a review of this matter is not warranted.
PHIPA DECISION 98
Toronto Cosmetic Surgery Institute
September 20, 2019
Summary: On December 13, 2018, the Office of the Information and Privacy Commissioner/Ontario was contacted by a media outlet who advised that the Toronto Cosmetic Surgery Institute (the Clinic) was using surveillance cameras in its examination rooms. This led to an investigation by this office of the Clinic’s practices with respect to its cameras. This decision concludes that the Clinic’s blanket use of surveillance cameras contravened the Personal Health Information Protection Act, 2004. However, in light of the steps taken by the Clinic to amend these practices, this decision finds that a review of this matter is not warranted.
Statutes considered: Personal Health Information Protection Act, 2004, sections 2(1) definition of collect, 4(1)(a) and (b), 29, 30(2).
 This investigation file was opened after the Office of the Information and Privacy Commissioner/Ontario (the IPC) became aware that the Toronto Cosmetic Surgery Institute  (the Clinic), operated by Dr. Martin Jugenburg, may be breaching the Personal Health Information Protection Act, 2004 (the Act) by using surveillance cameras in its examination rooms.
 The IPC investigated the matter and determines that, in light of the steps taken by the Clinic to address the issues, it is unnecessary to conduct a review under the Act. These steps include ceasing the practice of collecting personal health information through the camera system, having cameras operating only after hours, and no longer using surveillance cameras in the pre-operative, operating and examination rooms.
 The Toronto Cosmetic Surgery Institute is a cosmetic surgery clinic with an operating room and recovery facilities. The Clinic performs a variety of cosmetic surgery procedures and non-surgical cosmetic treatments. 
 On December 13, 2018, the IPC was contacted by a media outlet who advised that the Clinic was using surveillance cameras in its examination rooms. In response, an intake analyst at the IPC contacted the Clinic.
 On December 17, 2018, a legal representative for the Clinic wrote to the IPC and confirmed that, on December 13, 2018, the cameras had been shut down and the Clinic had not recorded any footage since that time. The legal representative also advised that the footage had been seized by the College of Physicians and Surgeons of Ontario (the CPSO). The IPC then asked a series of questions to the Clinic relating to its video surveillance practices. On January 21, 2019, the Clinic responded to the IPC’s initial questions regarding the operation of the cameras, details of which are set out below.
The Clinic’s Initial Response to the IPC
 According to the Clinic’s correspondence, the Clinic operated a network of 24 security cameras that were recording continuously (24 hours a day), and consisted of 16 cameras on one floor and 8 cameras on a second floor of the Clinic. The cameras were present in examination rooms, the operating room, pre-operative room, reception areas, hallways, administrative offices, a computer workroom and the staff kitchen. Footage from these cameras was also available to Dr. Jugenburg through an application on his phone.
 The Clinic confirmed that patients would undress in the examination rooms, operating room and pre-operative room. According to the Clinic, a patient would only undress in examination rooms as warranted for the particular consultation or procedure and for the purpose of examination and/or taking pictures, which typically happens in the presence of Dr. Jugenburg and/or his staff.
 The Clinic advised that the central purpose of the camera system was not for health care but for the security of the Clinic, staff and patients. These security concerns related to the particular location of the Clinic and accessibility by the public. The Clinic explained that it is located in a hotel, and is accessible by public elevators and from a public pedestrian network. The Clinic indicated it has expensive and sensitive medical equipment on site, among other things. The Clinic also advised that Dr. Jugenburg is at the Clinic after hours, and felt unsafe without the cameras. The Clinic referenced a recent event when an intoxicated individual broke into the Clinic.
 The footage captured by the cameras was automatically uploaded to two Network Video Recorders (NVR) located on each floor in a locked closet, accessible only by Dr. Jugenburg and his clinic manager. The Clinic explained that once capacity of the NVRs is reached, old footage is automatically overwritten with new footage (in approximately 30 days). However, the Clinic also noted that it may have been longer than 30 days for one of the NVRs.
 As previously stated, the footage was not recorded for health care purposes and, for this reason, was not kept in patients’ medical records. According to the Clinic, the video footage was not used or disclosed and would only be accessed if a specific issue or need arose.
 The Clinic advised that consent was not obtained from patients with respect to the security camera recordings. The Clinic explained that there were signs at the entrance of the Clinic indicating the area is under surveillance, and in the operating room. In addition, the Clinic stated that the cameras were all visible, such that many patients were aware of the cameras, and any questions about them were answered by staff. The Clinic provided this office with photographs of two signs and a white surveillance camera located in the top corner of what appears to be the entrance of the Clinic.
 The Clinic acknowledged that
The Clinic stated that on December 18, 2018, it had notified all patients over the last two years about the cameras and provided the IPC with some emails from patients about the cameras.
“additional clear notice should have been posted for patients, especially in examination rooms, so that they could opt out of the recordings or refuse to consent.”
Transfer to Investigation Stage at the IPC
 The initial facts gathered by the IPC about the Clinic’s video surveillance practices raised questions that required further inquiries. This matter was therefore moved to the investigation stage of the IPC’s process under the Act and I was assigned as the investigator.
 As part of my investigation, I reviewed the information provided by the Clinic (as described above) and wrote to the Clinic with additional questions about the Clinic’s practices regarding these video cameras and recordings, and related issues. The Clinic’s responses, and my own conclusions with respect to these responses, are set out below.
 There is no dispute that Dr. Jugenburg is the “health information custodian” with respect to the Clinic and that the video recordings at issue contain “personal health information” under the Act. There is also no dispute this video recording amounted to a “collection” under the Act.
 Based on the information set out above, as a preliminary matter, I find that:
 For ease of reading, I will refer to the Clinic and Dr. Jugenburg interchangeably.
Authority to collect and limit on amount of personal health information collected
 Section 29 of the Act prohibits a health information custodian, such as the Clinic, from collecting the personal health information of its patients unless it has their consent (and is necessary for a lawful purpose), or without other authority under the Act. The Act also prohibits a health information custodian from collecting more personal health information
: section 30(2).
“than is reasonably necessary to meet the purpose of the collection”
 The facts that led to this investigation raised a number of questions, including the Clinic’s authority under the Act to collect the personal health information of its patients through its video surveillance system, and whether its extensive video camera network was justified.
 During the investigation stage, the Clinic once again confirmed that the central purpose of the camera system was not for health care purposes and referenced security reasons. The first set of cameras was installed in 2012, when the Clinic was located only on one level. According to the Clinic, these cameras stopped functioning sometime later in 2012 (unbeknownst to the Clinic). They remained non-functioning until January 2017, when the Clinic expanded to a second level. As part of that renovation, cameras were installed on the new level and the entire system was reset and made operational again.
 With respect to why the security cameras needed to operate 24 hours a day, the Clinic provided three examples of thefts from “intruders”, one of which occurred during Clinic hours and valuables were stolen from both patients and Clinic staff. The Clinic indicated that there were
and also provided four examples of when video surveillance system recordings had been reviewed. The examples were: verifying particular statements made by staff during consultations with specific patients on two occasions, reviewing staff conduct, and lastly to respond to a media investigation where two undercover reporters attended the Clinic with one posing as a patient.
“incidents of patients stealing electronic equipment from consultation rooms”
 In my questions, I asked whether any of the cameras could be viewed as a live feed. In response, the Clinic confirmed that Dr. Jugenburg’s phone does have this capability and that the video feeds are viewed through a secure access application on his phone. A notification is sent if a camera detects motion, allowing Dr. Jugenburg to limit his access to potential incidents that occur after the Clinic has closed.
 Lastly, in relation to why the Clinic required cameras in the examination rooms, operating room and pre-operative rooms, the Clinic advised that
“…prior to January 2019, [the Clinic] had security cameras operating in these rooms for the same security purposes as described above. In the event of a security incident occurring in these rooms, whether committed by staff, patients, or a member of the public, this footage was available to review and respond to the incident”
 It is also important to note the Clinic’s statement that, because the video surveillance system was not operating and recording for health care purposes,
. The Clinic acknowledged that its prior video surveillance system was capturing and recording the personal health information of patients. The Clinic states that it did not obtain express or implied consent from patients for the operation of the security camera system. The Clinic has not suggested that this collection of personal health information was authorized by the Act.
“regard had not previously been given to the application and requirements of the Act”
 As previously noted, the Clinic advised the IPC that the cameras were shut down on December 13, 2018, and that the Clinic had not recorded any footage since that time. The Clinic also confirmed that it has destroyed all footage recorded prior to January 2019 (except for the footage seized by the CPSO) and advised of the Clinic’s intention to securely destroy any footage seized by the CPSO and returned to the Clinic upon the conclusion of the CPSO proceeding (subject to a review of and compliance with legal obligations).
 The Clinic advised the IPC that in January of 2019, with the approval of the CPSO, the Clinic reactivated a limited security camera system together with what the Clinic described as “better notice and signs to clients”. In response to my request for information about the current cameras and notices, the Clinic explained that:
There are now only two cameras used at the Clinic. One is located at the reception desk on Level D, covering the entrance, and one is located at the reception desk on Level B… The cameras are programmed to only be running after office hours…To the extent that there are surgical procedures completed in the Clinic after hours, which occurs only on Level B, patients are not captured as the camera faces the […] area rather than the hallway/entrance area.
 The new sign(s) indicate
. The Clinic also stated that:
“For security, these premises are under closed circuit audio/video security surveillance”
The signs are displayed in all areas where the Clinic has security cameras installed and operating, as well as a few additional areas for enhanced notice. The Notices are prominently displayed in their respective locations and printed in large font. Any individual entering the Clinic on either floor must pass by an entrance sign. Any individual who checks in at the reception desk (which is all patients), would also see the sign posted at reception. Any individual in the waiting room on Level D would, in addition, see the sign posted there. In short, it is not possible to enter or pass through the Clinic without noticing one or more of the signs.
 The Clinic submits that, under this new system, there are no recordings of attending patients, and therefore no collection of personal health information.
 The Clinic also advised this office that, in addition to reducing the number of cameras, limiting their locations and operating hours, and providing better notice to patients about the cameras, they will be amending their privacy related policies and consent forms.
The IPC’s Findings
 There does not appear to be any dispute, and I find, that the collection of personal health information through the Clinic’s prior video surveillance system was done without authority under the Act. As indicated above, the Clinic relied on neither consent nor other authority under the Act for collecting its patients’ images through this system. I also find that, even if the Clinic was authorized to use some cameras for security purposes, the extensive network of cameras, and particularly the placement of cameras in consultation and examination rooms, was not in keeping with requirements of section 30(2).
 I accept that the Clinic has valid security concerns (such as, for example, potential theft of expensive equipment). However, it would be an understatement to call the Clinic’s response to these concerns ‘excessive’. The Clinic’s solution to its security concerns was to record throughout large portions of its premises, including in those areas where patients would be disrobed and at their most vulnerable. Its security concerns do not justify such broad-scale, intrusive measures, and I find this approach in conflict with the requirements of the Act.
 It should have been obvious that less intrusive measures, such as the use of chaperones or a significantly more limited video surveillance system, could have addressed the same security concerns. As noted above, the Clinic has now addressed its security concerns in a way that does not violate the privacy rights of its patients: cameras are only on after hours, cameras are no longer in examination rooms (among other places), and the Clinic has indicated that they do not collect personal health information.
 In light of the Clinic’s current limited video surveillance system, I am satisfied that the Clinic has adequately responded to the IPC’s concerns about its authority and justification for placing cameras throughout its premises.
 After becoming aware of this investigation, a number of the Clinic’s patients contacted the IPC.
 One individual filed her own complaint with this office raising concerns about the Clinic’s use of video surveillance in the consultation room and the surgery preparation room without her knowledge or consent. This patient also raised additional privacy concerns, regarding the Clinic’s use of social media. During my investigation, I discussed these additional issues with the Clinic and the patient. The patient was satisfied with the Clinic’s responses to her concerns about its use of social media and that part of her complaint was thus fully resolved. I will deal with the Clinic’s use of social media in more detail below.
 With respect to the patient’s concerns about being recorded during her appointments at the Clinic, I also discussed the Clinic’s response with the patient, including its confirmation that
The patient was also satisfied with the response to this part of her complaint. More general issues relating to the Clinic’s use of video surveillance have been addressed as described above. As a whole, I am satisfied that the Clinic has adequately responded to this complaint.
“at no time did [Dr. Jugenburg] or his staff ever access or review any records related to [the complainant]. These recordings would have been securely retained on the NVR system before being automatically overwritten and deleted…”
The Clinic’s use of social media
 In the course of investigating the complainant’s concerns, I requested information from the Clinic about its practices and policy regarding the use of social media. In reviewing the Clinic’s Social Media Transparency Policy, I observed that it did not adequately describe all of the social media platforms used by the Clinic. I requested that the Clinic amend its Policy to specifically reference every social media platform used by the Clinic.
 Further, the Clinic’s Social Media Consent Form states that the Clinic “documents surgical procedures for education purposes.” After reviewing some of the Clinic’s social media communications, it was apparent to me that the purposes of some of these communications extend beyond “educational” purposes, and include marketing and promoting the Clinic’s services. I therefore also requested that the Clinic’s Social Media Consent Form and Social Media Transparency Policy be revised to inform patients that the purposes of the Clinic’s activities on social media are also to market and promote the Clinic’s services. I also requested that the Social Media Consent Form more clearly indicate that no images or recordings of a patient would be posted to social media without consent.
 The Clinic agreed to revise its Social Media Transparency Policy to reference the Clinic’s general use of social media, and list specific examples that met my concerns. It has also agreed to revise the Social Media Consent Form and Social Media Transparency Policy to state that photos and videos posted on social media may be used to inform others about the Clinic’s services, in addition to educational purposes. The Clinic also agreed to revise its Social Media Consent Form to explain that no images or other recordings of a patient will be posted to social media without consent.
Is a review warranted under Part VI of the Act?
 The blanket use of surveillance cameras for non-health care purposes in this context (particularly in pre-operative, operating and examination rooms where a patient is most vulnerable and has a higher expectation of privacy) is unacceptable. As a result of my investigation, I found that the Clinic’s prior video surveillance practices contravened the Act.
 While there is no evidence of it, the Clinic’s previous practices also raised potential questions about whether images and videos of disrobed patients could have been viewed or disclosed for unauthorized purposes. As noted above, the IPC understands that the CPSO has taken the footage of the patients from the Clinic as part of its proceeding. As such, this potential area of concern did not form part of this investigation.
only video recording after hours,
limiting its video surveillance cameras to the entrance and reception desk,
not recording personal health information,
confirming the destruction of all footage recorded prior to January 2019  (except for the footage seized by the CPSO),
advising of the Clinic’s intention to securely destroy any footage seized by the CPSO and returned upon the conclusion of the CPSO proceeding (subject to a review of and compliance with legal obligations), and
improving notices and committing to amend its privacy policies and consent forms.
For the foregoing reasons, no review of this matter will be conducted under Part VI of the Act.
Original signed by
September 20, 2019
Manager of Investigations
 The IPC has departed from its usual practice and identified the health information custodian by name in this decision issued at the investigative stage. Given the public interest in this matter, the Clinic and Dr. Jugenburg would be readily identifiable from the facts of this decision in any event. The Clinic was given prior notice of this intention and did not object.
 Including footage of the Complainant.