Executive Summary
We came across some useful information from Privacy Horizon and supplementary sources and have combined it into the summary below on the topic of Canadian Healthcare Privacy Legislation. Please refer to the original sources below for more detailed information.
With the development and pace of new technologies able to track and store vast amounts of information, privacy in Canadian healthcare has emerged as a growing and important topic. Canadian health care privacy legislation is comprised of 14 government jurisdictions (the Federal Government, 10 Provinces, and 3 Territories) each with its own legislative framework for protecting the privacy of personal information ("PI"), or personal health information ("PHI").
There are 32 separate statutes, each with their own respective regulations, addressing privacy at the national, provincial/territorial, and in some cases, municipal levels. From there, most jurisdictions with the exception of Quebec and Nunavut, have legislation in place specifically dealing with the health sector and the protection of PHI. In some provinces, the health legislation has been deemed "substantially similar" to the Personal Information Protection and Electronic Documents Act ("PIPEDA") and takes precedence over PIPEDA for health information activity in those jurisdictions.
Supplementary Contact Organizations:
- For PIPEDA – Ontario Ministry of Agriculture, Food and Rural Affairs
- For the Privacy Act and Healthcare Privacy Legislation in Canada's provinces – Office of the Privacy Commissioner of Canada
We are interested in generating some discussion on this topic in our Healthcare Privacy Community. Please visit this space to join the conversation.
- Privacy Issues and Technology in Healthcare Organizations
- Informed Consent: Express or Implied Consent?
- Personal Health Information and Consent
The Privacy Act
The Privacy Act came into effect in 1983 and is the law governing the personal information handling practices of federal government institutions. This Act applies to all personal information the federal government collects, uses and discloses regardless of if they are regular individuals or federal employees. This legislation applies directly to any federal body. The Act also gives people the right to access and request correction of personal information held by federal institutions.
The Privacy Act is also comprised of a number of leading court cases. An overview of these cases can be found here.
The Personal Information Protection And Electronic Documents Act ("PIPEDA")
PIPEDA is federal legislation implemented in 2004. The purpose of this Act is "to establish an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes that right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances." 2
- Consent Management in Health Care Privacy
- Personal Health Information and Consent
- Consent Management Implementation Guide
Healthcare Privacy Legislation in Canada's Provinces
Each province and territory have their own public sector legislation that applies to provincial government agencies, not the Privacy Act. For the private-sector, some provinces have legislation in place that is "substantially similar" to PIPEDA and therefore takes precedent in those provinces. This legislation includes:
- Alberta's Personal Information Protection Act
- British Columbia's Personal Information Protection Act
- Quebec's An Act Respecting the Protection of Personal Information in the Private Sector
Other provinces have health care privacy legislation that is "substantially similar" to PIPEDA and therefore takes precedence. This legislation includes:
- Ontario's Personal Health Information Protection Act
- New Brunswick's Personal Health Information Privacy and Access Act
- Newfoundland and Labrador's Personal Health Information Act
A full list of Legislation including those that do not substitute for PIPEDA include:
Each province and territory in Canada also have a Commissioner or Ombudsman responsible for overseeing this legislation. A full list of these can be found here. For more detailed information about the legislature, visit Privacy Legislation and Oversight in Canada.
To read about Canadian-specific guidelines for conducting Privacy Impact Assessments, see the following resource: Country Specific Guidelines for Conducting a Privacy Impact Assessment.
