I promised a little more Canadian Privacy content this year, and I’ve been doing some more homework in the field, so here is an update on the topic of Privacy. Below are some summaries and resources that I have found useful in staying abreast of this complicated area of law and regulation. I like to gather this sort of information into one place for reference. If you have something to add, feel free to send me your useful links and descriptions.
In Canada, the federal Personal Information Protection and Electronic Documents Act sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. The law gives individuals the right to access and request correction of the personal information these organizations may have collected about them.
Provincially, Ontario and several other provinces have specific privacy legislation for organizations operating in the public sector, and Ontario has also adopted specific provincial privacy legislation for health service providers.
The Information and Privacy Commissioner of Ontario enforces PHIPA, FIPPA, and MFIPPA.
Although the federal Personal Information Protection and Electronic Documents Act was passed just a few months before PHIPA, it was noted that the provisions made in PIPEDA were problematic for the health care sector. PIPEDA was not developed with consideration for the specific needs of health care, or for other organizations that collect, use, or disclose personal health information.
The general rule is that where there is a conflict between PHIPA and any other legislation, PHIPA will prevail, unless both pieces of legislation can be upheld. However, there are certain matters that PHIPA does not interfere with:
- Legal privileges, such as lawyer-client privilege or mediation privilege.
- Law of evidence.
- Power of a court or tribunal to compel testimony or evidence.
- Law or court orders prohibiting publication of information.
- Regulatory activities of a body of a health profession or social workers.
PHIPA provides privacy protection that is consistent with, and equivalent to or better than, the federal PIPEDA protection, embodying the 10 key principles outlined in PIPEDA.
The Region of Peel is providing access to a series of IPC videos to promote an understanding of the Personal Health Information Protection Act. The videos were designed and distributed by the Information and Privacy Commissioner (IPC) of Ontario as a guide for training and education on PHIPA. The video segments depict real-life health scenarios and how PHIPA applies to them. Additional information regarding PHIPA can be obtained from the IPC website, www.ipc.on.ca.
FIPPA / MFIPPA
The Freedom of Information and Protection of Privacy Act is an act of the provincial legislature governing public sector access to information. It applies to Ontario’s provincial ministries and most provincial agencies, as well as Colleges, Universities, and Local Health Integration Networks.
The Municipal Freedom of Information and Protection of Privacy Act is FIPPA’s municipal counterpart. It applies to municipal agencies, local boards, and commissions. These include School Boards, Boards of Health, Libraries, Police Commissions, etc.
There are two main governing principles behind FIPPA/MFIPPA:
- With a few notable exclusions and specific exemptions, the records of public institutions should be available to members of the public.
- The privacy of individuals should be protected.
Taken together, these acts form a privacy protection strategy that the government must follow to protect an individual’s right to privacy and information access. This includes rules regarding the collection, retention, use, disclosure, and disposal of personal information.
Personal Information Protection and Electronic Documents Act – PIPEDA is federal law, and applies to every Canadian organization with respect to the collection, use and disclosure of personal information in the course of commercial activities. PIPEDA defines personal information as:
- Factual or subjective information, recorded or unrecorded, about an identifiable individual
- Name, race, ethnicity, religion, marital status, education level
- E-mail addresses, e-mail messages, IP addresses
- Medical records, age, height, weight, blood type, DNA code, fingerprints, voiceprint
- Financial information: income, purchases, spending habits, credit/debit card data, banking information, tax returns, credit reports
- Social Insurance Number (SIN), or other identification numbers
PIPEDA requires organizations to comply with ten key principles:
- Identifying purposes
- Limiting collection
- Limiting use, disclosure and retention
- Individual access
- Challenging compliance
Certain provincial legislation in Alberta, British Columbia, Quebec and Ontario has been ruled “substantially similar” to PIPEDA. As a result, privacy issues in the private sector of these provinces fall under the jurisdiction of provincial legislation, unless:
- the organization is a federal department, work or business or,
- the information is disclosed outside of the originating province in the course of commercial activity.
The mission of the Office of the Privacy Commissioner of Canada is to protect and promote the privacy rights of individuals. The OPC’s mandate is overseeing compliance with both the Privacy Act, covering the personal information-handling practices of federal government departments and agencies, and PIPEDA, Canada’s federal private sector privacy law. PIPEDA also applies to all personal data that flows across provincial or national borders, in the course of commercial transactions involving organizations subject to the Act or to substantially similar legislation.
Securing Personal Information: A Self-Assessment Tool for Organizations
How well is your organization protecting personal information? The personal information security requirements under BC’s Personal Information Protection Act, Alberta’s Personal Information Protection Act, and PIPEDA require organizations to take reasonable steps to safeguard the personal information in their custody or control from such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction.
Irwin Law’s Ten Things to Know to Make PHIPA Compliance Easier (PDF) outlines ten important things that health information custodians should keep in mind to help simplify their compliance with PHIPA.
The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted in 1980, continue to represent international consensus on general guidance concerning the collection and management of personal information. By setting out core principles, the guidelines play a major role in assisting governments, businesses and consumer representatives in their efforts to protect privacy and personal data, and in obviating unnecessary restrictions to transborder data flows, both on and offline.
The Access to Information Act gives every Canadian citizen, permanent resident, and individual or corporation present in Canada the right to access records, in any format, held under the control of a government institution, subject to certain specific and limited exceptions.
Frequently Asked Questions: Personal Health Information Protection Act. Last Updated February 2005.