Canadian Privacy Laws
Federal:
1. Privacy Act
Governs how federal government institutions collect, use and disclose personal information.
2. Personal Information Protection and Electronic Documents Act
Also known as PIPEDA. Governs private-sector organizations that handle personal information in the course of commercial activity. Alberta, British Columbia and Quebec have their own private-sector privacy laws that are deemed substantially similar, so PIPEDA generally does not apply to activity that takes place wholly within those provinces.
Ontario (provincial):
1. The Freedom of Information and Protection of Privacy Act
Also known as FIPPA. Applies to Ontario provincial government institutions.
2. The Personal Health Information Protection Act
Also known as PHIPA. Applies to health information custodians in Ontario.
What is personal information?
Personal information is data about an “identifiable individual”. It is information that on its own or combined with other pieces of data, can identify you as an individual.
- race, national or ethnic origin,
- age, marital status,
- medical, education or employment history,
- financial information,
- identifying numbers such as your social insurance number, or driver’s licence,
- views or opinions about you as an employee.
What is generally not considered personal information can include:
- Information that is not about an individual, because the connection with a person is too weak or far-removed (for example, a postal code on its own which covers a wide area with many homes)
- Information about an organization such as a business.
- Information that has been rendered anonymous, as long as it is not possible to link that data back to an identifiable person
- Certain information about public servants such as their name, position and title
- A person’s business contact information that an organization collects, uses or discloses for the sole purpose of communicating with that person in relation to their employment, business or profession.
- Government information (records held by government institutions). This is different from personal information; requests for access to government records are handled under access-to-information law and go to the Information Commissioner of Canada, not the Privacy Commissioner.
OPS Privacy Breach Protocol - from ipc.on.ca (Information and Privacy Commissioner of Ontario)
Privacy breach protocol
The IPC strongly recommends that you develop a privacy breach protocol. As a custodian, you must take immediate action upon learning of a privacy breach. The following steps may need to be carried out simultaneously and in quick succession in the event of a privacy breach.
- Notify all relevant staff of the breach, including your Chief Privacy Officer or PHIPA contact person, and determine who else from within your organization should be involved in addressing the breach.
- Develop and execute a plan designed to contain the breach and notify those affected.
- It is also highly recommended that you contact the IPC and provide the office with details of what happened. Note that since October 1, 2017, PHIPA s. 12(3) and O. Reg. 329/04 require custodians to report breaches that meet the prescribed criteria to the IPC, so for many breaches this step is mandatory rather than recommended.
Identify the scope of the breach and take the necessary steps to contain it, including:
- Retrieve and secure any personal health information that has been disclosed.
- Ensure that no copies of the personal health information have been made or retained by the individual who was not authorized to receive the information. Their contact information should be obtained, in the event that follow-up is required.
- Determine whether the privacy breach would allow unauthorized access to any other personal health information (e.g. an electronic information system) and take necessary steps, such as changing passwords, identification numbers and/or temporarily shutting your system down.
You must take the necessary steps to notify those individuals whose privacy was breached, including:
- Identify all affected individuals and notify them of the breach at the first reasonable opportunity. PHIPA does not specify the manner in which notification must be carried out. For example, notification can be by telephone or in writing, or depending on the circumstances, a notation made in the individual’s file to be discussed at his/her next appointment. There are numerous factors that may need to be taken into consideration when deciding on the best form of notification, such as the sensitivity of the personal health information.
- When notifying individuals affected by a breach:
  - Provide details of the breach to affected individuals, including the extent of the breach and what personal health information was involved.
  - Advise all affected individuals of the steps that you are taking to address the breach, and that they are entitled to make a complaint to the IPC. If you have reported the breach to the IPC, advise them of this fact.
  - Provide contact information for someone within your organization who can provide additional information, assistance and answer questions.
Note: If you are a custodian who is a researcher and have received personal health information for research purposes from another custodian, you must not notify an individual about whom the personal health information relates, unless you are informed that the individual has given consent to being contacted.
You will be expected to conduct an internal investigation, including:
- Ensure that the immediate requirements of containment and notification have been met.
- Review the circumstances surrounding the breach.
- Review the adequacy of your existing policies and procedures in protecting personal health information.
- Ensure all staff are appropriately educated and trained with respect to compliance with the privacy protection provisions of PHIPA.
For more information, refer to the IPC's guidance document, Responding to a Health Privacy Breach: Guidelines for the Health Sector.
When investigating a privacy breach, the IPC may, depending on the circumstances:
- Ensure any issues surrounding containment and notification have been addressed.
- Interview individuals involved with the privacy breach or individuals who can provide relevant information.
- Receive representations from individuals whose privacy has been breached.
- Obtain and review your position on the privacy breach.
- Ask for a status report of any actions that you have taken.
- Review and provide input and advice on your current information management policies and procedures.
- Issue a PHIPA Decision that may contain recommendations and/or orders that require proof of compliance.