This document outlines Ontario's privacy laws regarding personal health information. It summarizes that several statutes regulate privacy and disclosure of medical information in Ontario, notably the Personal Health Information Protection Act. This act regulates collection, use and disclosure of personal health information by health information custodians like hospitals, doctors, and pharmacies. It aims to balance privacy rights with the needs of the healthcare system. The document then discusses enforcement of these laws through complaints, penalties, lawsuits and reputational harm for non-compliance.
Rajeev Sharma - Ontario health privacy law
1. Ontario Health Privacy Law
Rajeev Sharma
416 775 8828
rsharma@torkinmanes.com
December 4, 2014
2. Presentation Outline
I. A summary of Ontario’s privacy laws
II. Privacy law enforcement
III. How to comply
IV. What happens when things go wrong
V. Issues that may arise in the future
VI. Appendix – a detailed explanation of federal
and provincial privacy laws
3. I. A summary of Ontario’s privacy laws
Several statutes regulate the privacy and disclosure of
medical information in Ontario:
Personal Health Information Protection Act
Freedom of Information and Protection of Privacy Act
Municipal Freedom of Information and Protection of
Privacy Act
Occupational Health and Safety Act
Mental Health Act
Regulated Health Professions Act
Medicine Act Professional Misconduct Regulations
4. I. A summary of Ontario’s privacy laws
Personal Health Information Protection Act (“PHIPA”)
Regulates the collection, use, and disclosure of
personal health information by health information
custodians
Sets rules to balance the needs
of our health care system with
the individual’s right to privacy
Designed to enhance privacy
while minimizing the impact on
the patient-provider relationship
5. I. A summary of Ontario’s privacy laws
“Personal Health Information” includes oral or written
information that
relates to the individual’s physical or mental state;
relates to the provision of health care;
relates to payment or eligibility for health care;
relates to donation of body parts or bodily substances;
is a plan of service for long-term care;
is the individual’s health number; or
identifies the individual’s substitute decision-maker.
6. I. A summary of Ontario’s privacy laws
“Health Information Custodians” are anyone who is
involved in delivering health care services, such as:
health care practitioners (e.g. nurses, physicians, or
anyone who provides health care for payment);
long-term-care service providers;
community care access corporations;
hospitals and other facilities;
pharmacies and laboratories;
a medical officer of health or a board of health;
the Ministry of Health and Long-Term Care.
7. I. A summary of Ontario’s privacy laws
“Agents” of Health Information Custodians
are authorized to act on behalf of a custodian; and
perform activities for the purposes of a custodian.
An individual or organization may be considered an agent
regardless of whether it
has the authority to bind the custodian;
is employed by the custodian; and
is receiving remuneration.
8. I. A summary of Ontario’s privacy laws
Collection, Use, and Disclosure
A custodian may only collect, use, or disclose personal
health information if the individual consents or PHIPA
otherwise permits it.
A custodian must not collect,
use, or disclose personal health
information if
other information will serve the
purpose, or
the information is not necessary
to meet the purpose.
9. I. A summary of Ontario’s privacy laws
How do I know if the individual consents?
1. Express consent
If the disclosure is not to provide health care.
If the information is being provided to a non-custodian.
e.g. marketing, fundraising
2. Implied consent
If the disclosure is for the purpose of providing health care
Assumed if the individual is within the custodian’s
“circle of care.”
If the individual lacks capacity, the consent may be given by
a substitute decision-maker.
10. I. A summary of Ontario’s privacy laws
Implied Consent & the “Circle of Care”
To be within the circle of care and rely on implied consent,
the information must
be received from the individual, a substitute decision-maker,
or another custodian;
have the purpose of providing or assisting in the
individual’s health care; and
be disclosed from one custodian to another custodian.
Note that some custodians cannot rely on implied consent,
such as Canadian Blood Services and the Ministry of
Health and Long-Term Care.
11. I. A summary of Ontario’s privacy laws
Implied Consent & the “Circle of Care”
The PHIPA does not
define “circle of care” but
it is a useful way to
describe situations where
custodians can rely on
implied consent.
12. I. A summary of Ontario’s privacy laws
Collection
Custodians should collect personal health information
directly from individuals; however, it may be collected
indirectly if
the individual consents;
the information is necessary to provide health care and
direct collection is not reasonably possible;
a government institution needs the information for an
investigation or proceeding;
the information will be used for research purposes or
for managing the health system; or
indirect collection is otherwise authorized.
13. I. A summary of Ontario’s privacy laws
Use
Custodians may use personal health information without
consent for
the purpose for which it was collected or created;
planning or delivering programs and services;
risk and error management;
improving the quality of care;
obtaining payment for health care or related goods and
services; and
educating agents and research purposes.
14. I. A summary of Ontario’s privacy laws
Disclosure
Custodians may disclose personal health information without
consent that relates to
providing health care;
obtaining the identity of or making decisions for a deceased
individual;
health programs or research;
eliminating or reducing a significant risk of bodily harm;
the care or custody of persons in a custodial institution or
psychiatric facility;
15. I. A summary of Ontario’s privacy laws
Disclosure
Custodians may disclose personal health information without
consent that relates to
a legal proceeding or potential successor;
planning and management of health systems;
the government’s analysis of the health system;
monitoring health payments; and
contacting next of kin if the individual is unable to give
consent.
16. I. A summary of Ontario’s privacy laws
Protecting Information
Once personal health information is collected, custodians
must take “reasonable steps” to ensure the information
is as accurate, complete and up-to-date as necessary;
is protected from theft, loss and unauthorized use or
disclosure (if it is in your custody or control);
records are protected against unauthorized copying,
modification or disposal.
17. I. A summary of Ontario’s privacy laws
Mandatory Breach Notification
Custodians must notify the individual if his or her
personal health information is stolen, lost or accessed
by unauthorized persons (e.g. University Health Network
has logged 258 privacy incidents since 2012).
Custodians may also voluntarily report privacy breaches
to the Privacy Commissioner, who will include the
breaches in their annual report (e.g. Mount Sinai has
reported 20 privacy breaches every year since 2010).
In 2004 Ontario was the first jurisdiction in Canada to
implement this notice requirement.
18. I. A summary of Ontario’s privacy laws
Information Technology Service Providers
IT Service Providers that are not agents
must ensure their employees and other persons acting on
their behalf comply with PHIPA restrictions on the
collection, use, and disclosure of information;
can only use personal health
information as it is necessary to
provide the IT service; and
cannot disclose personal health
information under any
circumstances.
19. I. A summary of Ontario’s privacy laws
Information Technology Service Providers
All IT Service Providers that allow two or more custodians to
share personal health information electronically must:
notify the custodian of any unauthorized access;
provide public information about safeguards and policies;
keep electronic records of all accesses and transfers;
perform a risk and privacy impact assessment;
enter into an agreement with the custodian and any third
parties requiring the provider to comply with PHIPA.
20. I. A summary of Ontario’s privacy laws
Health Records
Individuals can generally access records of their own
personal health information (and not someone else’s)
Before providing access, the
custodian must take
reasonable steps to determine
the individual’s identity.
21. I. A summary of Ontario’s privacy laws
Health Cards
Non-custodians can only collect or use a health number
to provide provincially funded health resources;
for the purpose the individual provided the health number;
for purposes relating to regulating health professionals; or
for purposes relating to health administration, health planning,
research, or epidemiological studies.
Individuals can only be required
to produce health cards for
provincially funded resources.
22. I. A summary of Ontario’s privacy laws
Accountability & Transparency
Custodians must designate a contact person who
ensures the custodian and its agents comply with PHIPA;
responds to inquiries about the custodian’s practices;
responds to requests for access or correction of records; and
receives complaints about non-compliance.
Custodians must issue a public written statement describing
the custodian’s information practices;
how to reach the custodian and/or its contact person;
how to request access to a record or make a correction; and
how to make a complaint to the custodian and privacy
commissioner.
23. II. Privacy Law Enforcement
Privacy laws may be
enforced with
Complaints
Statutory penalties
Civil lawsuits
Reputational Harm
24. II. Privacy Law Enforcement
Complaints
A person who believes PHIPA has been violated may
file a complaint with Ontario’s Information and Privacy
Commissioner.
Custodians may be liable or
found guilty of an offence if
they do not act in good faith,
act unreasonably, or do not
comply with the legislation.
25. II. Privacy Law Enforcement
Complaints
In 2013 more than 400 health-related privacy violation
complaints were lodged with Ontario’s Privacy
Commissioner.
Examples of privacy breaches from 2014:
Hospitals inappropriately provided patient information to baby
photographers
Hospitals were handing out patient contact information to
private marketing companies
Individuals may also complain to the custodian or agent
themselves.
26. II. Privacy Law Enforcement
Statutory Penalties
PHIPA contains many offences, such as
wilfully collecting, using or disclosing personal health
information in contravention of PHIPA;
disposing of a record with the intent to evade an access
request; and
wilfully obstructing or making a false statement to the privacy
commissioner.
Individuals found guilty may be fined up to $50,000
Organizations found guilty may be fined up to $250,000
27. II. Privacy Law Enforcement
Civil Lawsuits
A person or entity may be sued for breach of privacy in
contract and tort law using the following causes of
action: breach of contract, trespass, negligence, breach
of fiduciary duty, or the tort of “intrusion upon
seclusion.”
“Intrusion upon seclusion” is a new tort that allows for
lawsuits based on the invasion of personal privacy
(Jones v. Tsige, 2012 ONCA 32).
28. II. Privacy Law Enforcement
Reputational Harm
In addition to the risk of complaints, statutory
penalties, and civil lawsuits, a custodian that
breaches privacy laws risks harming its own
reputation and that of its organization.
Privacy breaches often become public, resulting in
headline news and trending social media stories.
Harm to the reputations of hospitals, individuals,
and other organizations can be significant.
29. III. How to comply
Privacy Policies & Procedures
Does your organization have them?
Are they up to date?
Is the content adequate?
Can anyone in the organization access them
readily?
Are they updated and communicated regularly?
30. III. How to comply
Privacy Compliance Committee
Do you have one?
Does it meet regularly?
Does it keep minutes or records?
Do its members represent all functional areas
of the organization? (e.g. IT, HR, etc.)
What is their mandate?
Are the members senior enough in the
organization?
31. III. How to comply
Privacy Compliance Audits
Do you have regular audits?
What do you do with the results?
Are complaints responded to promptly?
Are there internal consequences for non-compliance?
32. III. How to comply
Privacy Training & Communication
Do you regularly train employees on privacy?
Is your training recorded and logged?
Are new employees
trained right away?
Are there regular
communications/updates?
33. IV. What happens when things go wrong
Case study: Rouge Valley
Patients who gave birth at Rouge Valley Centenary
Hospital between 2009 and 2013 brought a $412
million class action lawsuit against the hospital
The patients allege that Rouge Valley employees sold
their personal information to private companies that
market RESP investments to new parents.
34. IV. What happens when things go wrong
Case study: Rouge Valley
The class action exposes the hospital to liability based on
the tort of intrusion upon seclusion, negligence, vicarious
liability or breach of contract
Rouge Valley has provided
disclosure notice on its
webpage in keeping with
PHIPA regarding the possible
breach of patient information
35. IV. What happens when things go wrong
Internal Protocol
Who is in charge of privacy? Who do they
report to?
How often is legal counsel engaged? How
involved are they?
Does the organization have a critical action
committee when things go wrong? Who’s on
the committee? What is the standard operating
procedure?
36. V. Issues that may arise in the future
Genetic Information
Canada has not yet legislated how health insurers
and employers may use genetic testing information
In the US and in many European countries use of
genetic information by insurers and employers is
prohibited
Canada’s privacy commissioner has concerns, but
the last action taken was a Task Force on
Insurance and Genetics in 2004
37. V. Issues that may arise in the future
Genetic Information
Genetic testing may be governed by PIPEDA and
PHIPA and possibly provincial Human Rights Codes
The Canadian Life and Health Insurance Association has
issued a Position Statement on the use of genetic
information stating that
“if genetic testing has been done and the
information is available to the applicant for
insurance and/or the applicant’s physician, the
insurer would request access to that information
just as it would for other aspects of the applicant's
health history.”
38. VI. Appendix
i. Federal Privacy Laws
ii. Ontario Privacy Laws
iii. Other Provincial Privacy Laws
39. VI. Appendix – Federal Privacy Laws
Privacy Act, RSC, 1985, c. P-21
Imposes obligations on the collection, use and disclosure of
personal information by federal government departments
and agencies
Gives individuals the right to access and request personal
information held by federal governmental organizations
The Privacy Act is administered by the head of the
government institutions who are subject to the Act
Each institution listed in the Schedule to the Act (e.g.
Health Canada) is required to respond to requests for
information from individuals
40. VI. Appendix – Federal Privacy Laws
Privacy Act, RSC, 1985, c. P-21
“personal information” means information about an
identifiable individual that is recorded in any form including,
without restricting the generality of the foregoing,
(a) information relating to the race, national or ethnic origin, colour,
religion, age or marital status of the individual,
(b) information relating to the education or the medical, criminal
or employment history of the individual or information relating to
financial transactions in which the individual has been involved,
(c) any identifying number, symbol or other particular assigned to
the individual,
(d) the address, fingerprints or blood type of the
individual…[emphasis added] (S. 3)
41. VI. Appendix – Federal Privacy Laws
Personal Information Protection and Electronic
Documents Act [PIPEDA] SC 2000, c 5
Provides rules for how private sector organizations may
collect, use or disclose personal information in the
course of their commercial activities, as well as federal
works, undertakings and businesses that hold
employee personal information
Does not apply in provinces that have substantially
similar private sector privacy legislation
42. VI. Appendix – Federal Privacy Laws
Personal Information Protection and Electronic
Documents Act [PIPEDA] SC 2000, c 5
Gives individuals the right to access and request
correction of personal information held by these
organizations
Does not have any mandatory data breach notification
requirements yet
43. VI. Appendix – Federal Privacy Laws
The Office of the Privacy Commissioner of Canada
The Commissioner oversees compliance with the Privacy
Act and PIPEDA.
The Commissioner investigates complaints made by
individuals about Government of Canada institutions
pursuant to S. 29 of the Privacy Act
The Commissioner can investigate complaints made by
individuals about private sector organizations pursuant to
Section 11 of PIPEDA except in provinces that have
substantially similar legislation
The Commissioner has made findings under both PIPEDA
and the Privacy Act and has handed down decisions for
cases where challenges were made by individuals
44. VI. Appendix – Ontario Privacy Laws
Freedom of Information and Protection of Privacy Act
(FIPPA)
Originally applied to provincial government and public
institutions, now applies to most of the public sector
including Local Health Integration Networks (LHINs),
which include hospitals, long-term care homes and
mental health and addiction agencies
Purpose is 1) to provide a right of access to records
and information and 2) to protect the privacy of
individuals
45. VI. Appendix – Ontario Privacy Laws
Municipal Freedom of Information and Protection of
Privacy Act (MFIPPA)
Applies to all local government organizations such as
municipalities, school boards, police services boards,
boards of health etc.
Purpose is 1) to provide a right of access to records
and information and 2) to protect the privacy of
individuals
46. VI. Appendix – Ontario Privacy Laws
FIPPA and MFIPPA – Using Information
Government organizations are only permitted to use
personal information if the individual consents to the
use; for the purpose for which it was obtained or
compiled or for a consistent purpose; or for a purpose
for which the information may be disclosed to the
government organization (S. 41 FIPPA)
Government organizations must take reasonable steps
to ensure that personal information is not used unless it
is accurate and up to date (S. 40(2) FIPPA)
47. VI. Appendix – Ontario Privacy Laws
FIPPA and MFIPPA – Collecting Information
Government organizations (including hospitals and
LHINs) are required to collect personal information as
part of their role in providing services to the public and
shall not collect personal information unless expressly
authorized by statute (S. 38(2) FIPPA)
Government organizations must provide notice to
individuals whenever personal information is collected
and must specify the legal authority for the collection,
the purpose of collection and who to contact about the
collection (S. 39(2) FIPPA)
48. VI. Appendix – Ontario Privacy Laws
FIPPA and MFIPPA – Accessing Information
Provincial government organizations are required
to list their personal information banks in the
Directory of Records (Ss. 44-45 FIPPA)
The directory describes the kinds of personal
information kept by each provincial government
organization.
Municipal government organizations should have
their own directories available (S. 34 MFIPPA)
49. VI. Appendix – Ontario Privacy Laws
FIPPA and MFIPPA – Disclosing Information
Under FIPPA and MFIPPA, some of the
circumstances in which government organizations
are permitted to disclose personal information
include:
where the individual has consented to the disclosure;
for the purpose for which the personal information was
obtained or compiled or for a consistent purpose;
where the disclosure is necessary and proper in the
discharge of the organization’s functions;
for the purpose of complying with another Act;
50. VI. Appendix – Ontario Privacy Laws
FIPPA and MFIPPA – Disclosing Information
Circumstances in which government organizations are
permitted to disclose personal information:
for law enforcement purposes;
in compelling circumstances affecting the health or safety of an
individual;
in compassionate circumstances, to facilitate contact with the
next of kin or a friend of an individual who is injured, ill or
deceased;
to the Information and Privacy Commissioner; and
to the Government of Canada in order to facilitate the auditing
of shared cost programs. (S. 42 FIPPA, S. 32 MFIPPA)
51. VI. Appendix – Ontario Privacy Laws
Mental Health Act (MHA)
MHA governs psychiatric facilities and the
admission, detention, treatment, and release of
psychiatric patients.
PHIPA repealed several sections of the MHA and
amended others, most notably, those relating to
confidentiality, disclosure, access, and correction of
records.
The obligations created by PHIPA apply in addition
to those created by MHA.
If the provisions of MHA and PHIPA conflict, PHIPA
prevails unless otherwise stated in the Acts.
52. VI. Appendix – Ontario Privacy Laws
Mental Health Act (MHA)
“patient” includes a current or former patient or
out-patient, and anyone who is or has been detained in
a psychiatric facility
The officer in charge (OIC) of a psychiatric facility
may collect, use and disclose personal health
information about a patient, with or without the
patient’s consent, for the purposes of,
examining, assessing, observing or detaining the patient
in accordance with the MHA; or
complying with an order or disposition made under the
Criminal Code
53. VI. Appendix – Ontario Privacy Laws
Mental Health Act (MHA)
The MHA sets out mandatory disclosure of personal
health information for:
Capacity and Consent Board proceedings
Persons entitled to have access under s. 83 of the Substitute
Decisions Act
Compliance with summons, order, direction, notice or similar
requirement in respect of matter that may be in issue in a court
of competent jurisdiction or under any Act
except where the attending physician states in writing that he or she
is of the opinion that the disclosure is likely to result in harm to the
treatment or recovery of the patient or is likely to result in injury to the
mental condition of a third person, or bodily harm to a third person.
54. VI. Appendix – Ontario Privacy Laws
Mental Health Act (MHA)
The MHA sets out permissible disclosure of
personal health information to:
A physician who is considering issuing or renewing, or
who has issued or renewed, a community treatment order (CTO);
A physician appointed to act as a substitute for the CTO’s
issuing physician;
Where requested by the issuing physician or a person
named in the CTO, to another person named in the
person’s CTO; and
A prescribed person who is providing advocacy services
to patients in prescribed circumstances, i.e., a rights
adviser.
55. VI. Appendix – Ontario Privacy Laws
Public Hospitals Act (PHA)
PHA applies to all public hospitals in Ontario, but not to
private hospitals under the Private Hospitals Act or
independent health facilities under the Independent Health
Facilities Act (S. 2)
PHA only briefly refers to record keeping, confidentiality,
disclosure, and related issues, leaving these to be spelled
out in Regulation 965 – Hospital Management
PHIPA replaces the term “medical record” in PHA with the
term “record of personal health information”
The obligations created by PHIPA apply in addition to those
created by PHA.
If the provisions of PHA and PHIPA conflict, PHIPA prevails unless
otherwise stated.
56. VI. Appendix – Ontario Privacy Laws
Occupational Health and Safety Act (OHSA)
Except where allowed under the OHSA or as
required by another law, worker health and safety
representatives:
must not disclose any information about any workplace
tests or inquiries conducted under the Act;
must not reveal the name of any person from whom
information is received;
may disclose the results of any medical examinations or
tests of workers only in a way that does not identify
anyone. (S. 63(1))
57. VI. Appendix – Ontario Privacy Laws
Occupational Health and Safety Act (OHSA)
No employer shall seek to gain access,
except by an order of the court or other tribunal
or in order to comply with another statute, to a
health record concerning a worker without the
worker’s written consent (S. 63(2))
58. VI. Appendix – Ontario Privacy Laws
Regulated Health Professions Act
Various acts are specific to different health
professionals and provide protection based on the
duties and requirements of confidentiality by the
members of those professions, as well as
regulations that outline disciplinary action for
breaches of health care provider confidentiality
such as the Medicine Act Professional Misconduct
Regulations
59. VI. Appendix – Ontario Privacy Laws
Personal Health Information Protection Act (PHIPA)
Deemed substantially similar to Part 1 of PIPEDA
Health information custodians (“HICs”) are exempt from PIPEDA
Anyone described in Section 3(1) of PHIPA is considered a health
information custodian, e.g.
health care practitioners or a group practice of health care practitioners
persons or organizations providing a community service under the Long-
Term Care Act, 1994
a community care access corporation under the Community Care Access
Corporations Act, 2001
public or private hospitals
psychiatric facilities under the Mental Health Act
an institution under the Mental Hospitals Act
an independent health facility under the Independent Health Facilities Act,
etc.
60. VI. Appendix – Ontario Privacy Laws
PHIPA – Consent to Collection
Collection may happen only when the individual consents or
if PHIPA permits collection without consent, and consent
may be express or implied depending on the circumstances
(Ss. 18 - 29)
HICs must collect the health information directly from the
individual except in limited circumstances (S. 36), such as:
Where the individual consents to indirect collection;
The information is reasonably necessary for providing health care
and cannot reasonably be collected directly from the individual
accurately or in a timely manner
Custodians must take reasonable steps to inform the public
about their collection practices
61. VI. Appendix – Ontario Privacy Laws
PHIPA – Accessing Health Information
The right of access does not apply to records
that contain:
quality of care information;
information required for quality assurance programs;
raw data from psychological tests or assessments;
other specified types of information (i.e., information
that is used solely for research purposes and
laboratory test results) (S. 51(1)).
62. VI. Appendix – Ontario Privacy Laws
PHIPA – Mandatory Data Breach Notification
Requirements
A privacy breach occurs whenever a person has
contravened or is about to contravene a provision of the
PHIPA or its regulations, including s. 12(1)
S. 12(1) requires HICs to take steps that are reasonable in
the circumstances to ensure personal health information in
their custody or control is protected against theft, loss and
unauthorized use or disclosure and to ensure that records
containing personal health information are protected against
unauthorized copying, modification or disposal
63. VI. Appendix – Ontario Privacy Laws
PHIPA – Retaining and Disposing of Information
PHIPA requires that health information custodians
ensure records of personal health information are
retained, transferred and disposed of in a secure
manner, and that if any personal health information
is the subject of a request for access, that it be
retained for as long as necessary to allow the
individual to exhaust any recourse under the Act
that he or she may have with respect to the
request. (S. 13)
64. VI. Appendix – Ontario Privacy Laws
Electronic PHIPA – Bill 78
EPHIPA proposes to amend three statutes and
create a new Part V.1, Electronic Health
Records, under the existing PHIPA
First reading of Bill 78 was May 29, 2013
Second Reading started on October 10, 2013
and continued on November 20, 2013 and April
28, 2014
65. VI. Appendix – Ontario Privacy Laws
Electronic PHIPA – Bill 78
EPHIPA is intended to provide a framework for
electronic health records (EHRs) and enable
prescribed organizations to create and maintain
EHRs, define the EHRs and specify parameters
for the creation and maintenance of EHRs
EPHIPA would permit prescribed persons who
are not HICs to collect and use health numbers
for the purpose of creating or maintaining the
EHR
66. VI. Appendix – Ontario Privacy Laws
Electronic PHIPA – Bill 78
Prescribed organizations would be required to assume
all responsibilities relating to the creation and
maintenance of the EHR
While these organizations have not yet been identified,
the legislation sets out parameters in which they can
manage PHI as non-HICs.
Existing regulations under PHIPA clarify that eHealth Ontario
has the authority as a Health Information Network Provider
(HINP) to create and maintain EHRs.
This authority expired as of December 31, 2013, and our
understanding is that eHealth Ontario will be named as the
initial prescribed organization under this new legislative
framework.
67. VI. Appendix – Ontario Privacy Laws
Electronic PHIPA – Bill 78
The collection, use, disclosure and access of
personal health information in the EHR context
would be further clarified in EPHIPA
The definition and functioning of individual
consent and consent overrides are proposed to
be modified under EPHIPA
Electronic Health Records requirements and
standards will be presented by Fida Hindi in
more detail later today
68. VI. Appendix – Ontario Privacy Laws
Information and Privacy Commissioner (“IPC”) of Ontario
The IPC of Ontario is an officer of the legislature pursuant to
Section 4 of FIPPA
The Commissioner investigates privacy complaints and
resolves appeals between government organizations and
individuals
Decisions of the Commissioner rule on access and privacy
decisions and practices of governmental organizations
The Commissioner reviews the personal health information
policies of certain entities and investigates complaints under
PHIPA
69. VI. Appendix – Other Provincial Privacy Laws
British Columbia, Alberta and Quebec have their own
private-sector privacy rights legislation that has been
deemed “substantially similar” to PIPEDA, and are exempted
from PIPEDA application in the private business sector
There is a mandatory data breach notification requirement
under Alberta’s PIPA
Ontario, Alberta, Manitoba, Saskatchewan, New Brunswick
and Newfoundland and Labrador have sector specific health
information privacy legislation that has been deemed
“substantially similar” to PIPEDA, and are exempt from
PIPEDA’s application to personal health information
70. VI. Appendix – Other Provincial Privacy Laws
Manitoba has enacted health privacy legislation but it has
not yet been deemed to be substantially similar to PIPEDA
Prince Edward Island, Northwest Territories, Nunavut and
Yukon do not have any private sector privacy legislation and
are governed by PIPEDA