CANADIAN PRIVACY LAW
Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA)
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information during commercial activity.
PIPEDA applies to all personal information, health-related or otherwise, regardless of the entity that holds it. This data must be:
- collected with consent and for a reasonable purpose
- used and disclosed for the limited purpose for which it was collected
- accurate
- accessible for inspection and correction
- stored securely
Under PIPEDA, the following is protected as Personally Identifiable Information (PII):
- Age, name, ID numbers, income, ethnic origin, or blood type
- Opinions, evaluations, comments, social status, or disciplinary actions
- Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)
(I) KEY POINTS FOR CANADIAN LAW COMPLIANCE
1. Applicability:
Any organization that collects, uses or discloses personal information during commercial activities, excluding government institutions to which the Privacy Act (RSC 1985, c. P-21) applies. Organizations in certain provinces may be excluded from the application of PIPEDA by decree.
2. Definition of Personal Information:
Any information about an identifiable individual, whatever its physical form or characteristics. A particular regime applies to “business contact information” (name, position, title, address, professional phone number, etc.).
Employee information is only covered for employees of, or applicants for employment with, an organization that collects, uses or discloses personal information in connection with the operation of a federal work, undertaking or business.
3. Consent under PIPEDA
Consent may be express or implied depending on the circumstances and the type of information, considering the reasonable expectations of the individual concerned. It should generally be express when processing sensitive information. It may be withdrawn at any time, subject to legal or contractual restrictions and reasonable notice.
4. Protection of Sensitive Information
There is no hard and fast rule; the only requirement is that a higher degree of care be maintained when dealing with sensitive personal information.
5. Transfer of Personal Information to a 3rd Country
Permitted by way of contract or otherwise, provided that a comparable level of protection is ensured for the personal information. Individuals must be informed that their information may be sent to a foreign country for processing purposes and that it may be accessible to the courts and the law enforcement and national security authorities of that jurisdiction (according to the Processing Personal Information Across Borders Guidelines).
6. Right to Processing Restriction
Requests for access must be made in writing. A response is due within 30 days (this period may be extended). A charge may be levied subject to certain conditions. An organization shall assist any individual who requests assistance. Individuals have the right to have information corrected or rectified if it is inaccurate or incomplete.
7. Right to be Forgotten
PIPEDA also contains a basic right to erasure. Principle 4.5 of Schedule 1 of PIPEDA states that “personal information shall be retained only as long as necessary for the fulfilment of those purposes.” The word “shall” in principle 4.5 is a mandatory obligation and is one of the provisions that can be enforced in court under an application under s. 14 of PIPEDA.
8. Data Portability
The data subject shall have the right to receive the personal information concerning him or her and have the right to transmit those data to another controller without hindrance.
9. Data Breach Notification
The Office of the Privacy Commissioner must be notified as soon as feasible of any breach that creates a “real risk of significant harm”. The affected individual must be notified as soon as feasible of any breach that creates a “real risk of significant harm” to him/her. The organization must keep a record of every data breach and, on request, provide the Office of the Privacy Commissioner with access to the record.
10. Employee Data (Very important)
For Canadian organizations, it is important to recognize that PIPEDA only regulates the collection, use and disclosure of employee personal information for federal works, undertakings and businesses. These are usually employers such as airlines, banks, shipping companies and other federally regulated employers. However, this covers a very limited subset of the Canadian economy. The vast majority of employers are regulated by provincial legislation.
11. Canadian Data Protection Officer
Obligation to designate an individual who is accountable for compliance with PIPEDA and to disclose such individual’s identity.
(II) HIPAA EQUIVALENT IN CANADA (PIPEDA)
Canada’s federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), is comparable in many ways to the Health Insurance Portability and Accountability Act (HIPAA) in the United States.
Contractual and Technical Safeguards to Protect Canadian Healthcare Data
A) Segregate Data Assets and Support
Whether your organization chooses to procure cloud application services (software as a service, SaaS), cloud platform services (PaaS), or cloud infrastructure services (IaaS), personal health data need to be segregated from other cloud customers’ data at all three levels: application, platform, and infrastructure. Healthcare organizations should also choose cloud service providers with support services located in Canada or the U.S., and support technicians’ access to health data should be segregated from ordinary support access.
B) Choose Database Level Encryption
When healthcare organizations employ cloud services, it is essential that health data be encrypted at the database level, before data leave the source computer. Database-level encryption tools may be built into the original database, or may function as a separate engine, producing an encrypted version of the database.
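The following Go program is an added illustration of points A and B above (tenant segregation and encryption before data leave the source system); it is not code from the original memo or from any cloud provider. It assumes a hypothetical master key that in practice would come from a KMS or HSM, and constructs a simple per-tenant key derivation and a `PatientRecord` row shape for the example. Each sensitive field is sealed with AES-GCM under the owning organization's key, with the tenant and patient identifiers bound in as additional authenticated data, so a ciphertext copied into another tenant's rows, or onto another patient, fails to decrypt instead of silently leaking.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// PatientRecord is a constructed, hypothetical row shape. Only Diagnosis is
// protected health information here; the identifiers stay in clear for lookup.
type PatientRecord struct {
	TenantID  string // the health care organization that owns the row
	PatientID string
	Diagnosis string // stored as base64(nonce || AES-GCM ciphertext)
}

// tenantKey derives a per-organization data key from a master key.
// Assumption for this example: a SHA-256 of master||tenantID stands in for a
// proper KMS-managed key hierarchy (this is not an HKDF and not a KMS call).
func tenantKey(master []byte, tenantID string) []byte {
	h := sha256.New()
	h.Write(master)
	h.Write([]byte(tenantID))
	return h.Sum(nil) // 32 bytes, so AES-256
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals plaintext under the tenant's key before the row is sent
// to the cloud database. The AAD binds the ciphertext to this tenant and
// patient, so moving it between rows or tenants breaks authentication.
func EncryptField(master []byte, tenantID, patientID, plaintext string) (string, error) {
	gcm, err := newGCM(tenantKey(master, tenantID))
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	aad := []byte(tenantID + "|" + patientID)
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), aad)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; any mismatch in key, tenant or patient
// surfaces as an authentication error rather than garbage plaintext.
func DecryptField(master []byte, tenantID, patientID, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(tenantKey(master, tenantID))
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	aad := []byte(tenantID + "|" + patientID)
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	master := []byte("constructed-master-key-for-example-only") // constructed sample
	rec := PatientRecord{TenantID: "clinic-a", PatientID: "p-1001"}
	enc, err := EncryptField(master, rec.TenantID, rec.PatientID, "type 2 diabetes")
	if err != nil {
		panic(err)
	}
	rec.Diagnosis = enc
	fmt.Printf("stored row: %+v\n", rec)

	// The owning tenant reads it back; a second tenant holding the same row cannot.
	pt, _ := DecryptField(master, "clinic-a", rec.PatientID, rec.Diagnosis)
	fmt.Println("clinic-a reads:", pt)
	_, err = DecryptField(master, "clinic-b", rec.PatientID, rec.Diagnosis)
	fmt.Println("clinic-b reads:", err)
}
```

The database only ever sees the base64 blob, which is what "encrypted before data leave the source computer" means in practice; queries on the encrypted column are limited to equality on the clear identifiers, which is the usual trade-off of field-level encryption.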
C) Sign Business Associate Agreements
The HIPAA Privacy Rule recognizes that most healthcare providers employ third-party service providers, including information service providers. HIPAA allows healthcare providers to disclose protected health information to these “business associates” if the providers “obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.” These assurances are to be documented in a contract or agreement, commonly known as a Business Associate Agreement (BAA). Business associates that have signed a BAA are directly liable under HIPAA rules. If a Canadian health care provider signs a BAA with a US-based telehealth service provider, then that service provider will be subject to HIPAA and will in turn provide HIPAA-level PHI protection to the patients of the Canadian health care provider.
D) Privacy Protection Provisions in the Service Agreements
To comply with PIPEDA, the privacy protection measures taken to keep personal health information safe should be set out in the patient’s and doctor’s service agreements.
If you have any questions about this Memo, please email us at privacy@inventuslaw.com.
Disclaimer: The information on this page is being provided for information purposes only and is drafted entirely on the basis of public resources. Information contained on or made available herein is not intended to and does not constitute legal advice, recommendations, mediation or counseling under any circumstance. This information and your use thereof do not create an attorney-client relationship. You should not act or rely on any information provided herein without seeking the advice of a competent attorney licensed to practice in your jurisdiction for your particular business.