Healthcare Privacy Legislation in Canada

Executive Summary

We came across some useful information from Privacy Horizon and supplementary sources and have combined it into the summary below on the topic of Canadian Healthcare Privacy Legislation. Please refer to the original sources below for more detailed information.

With the development and pace of new technologies able to track and store vast amounts of information, privacy in Canadian healthcare has emerged as a growing and important topic. Canadian health care privacy legislation is comprised of 14 government jurisdictions (the Federal Government, 10 Provinces, and 3 Territories) each with its own legislative framework for protecting the privacy of personal information ("PI"), or personal health information ("PHI").

There are 32 separate statutes, each with its own regulations, addressing privacy at the national, provincial/territorial, and in some cases, municipal levels. From there, most jurisdictions, with the exception of Quebec and Nunavut, have legislation in place specifically dealing with the health sector and the protection of PHI. In some provinces, the health legislation has been deemed "substantially similar" to the Personal Information Protection and Electronic Documents Act ("PIPEDA") and takes precedence over PIPEDA for health information activity in those jurisdictions.

Supplementary Contact Organizations:


We are interested in generating some discussion on this topic in our Healthcare Privacy Community. Please visit this space to join the conversation.


The Privacy Act

The Privacy Act came into effect in 1983 and is the law governing the personal information handling practices of federal government institutions. This Act applies to all personal information the federal government collects, uses and discloses, regardless of whether it relates to regular individuals or federal employees. This legislation applies directly to any federal body. The Act also gives people the right to access and request correction of personal information held by federal institutions.

A number of leading court cases also bear on the Privacy Act. An overview of these cases can be found here.

The Personal Information Protection And Electronic Documents Act ("PIPEDA")

PIPEDA is federal legislation implemented in 2004. The purpose of this Act is "to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances." 2

Healthcare Privacy Legislation in Canada's Provinces

Each province and territory has its own public-sector legislation, rather than the Privacy Act, that applies to provincial government agencies. For the private sector, some provinces have legislation in place that is "substantially similar" to PIPEDA and therefore takes precedence in those provinces. This legislation includes:

Other provinces have health care privacy legislation that is "substantially similar" to PIPEDA and therefore takes precedence. This legislation includes:

A full list of legislation, including statutes that do not substitute for PIPEDA, includes:

Each province and territory in Canada also has a Commissioner or Ombudsman responsible for overseeing this legislation. A full list of these can be found here. For more detailed information about the legislation, visit Privacy Legislation and Oversight in Canada.

To read about Canadian-specific guidelines for conducting Privacy Impact Assessments, see the following resource: Country Specific Guidelines for Conducting a Privacy Impact Assessment