The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Saturday, February 05, 2005
Industry Canada has gazetted its proposed cabinet order exempting Ontario's "health information custodians" from the application of Part I of PIPEDA. It is no surprise that the federal goverment considers that the Personal Health Information Protection Act to be "substantially similar" to PIPEDA.
The notice in the Canada Gazette is soliciting comments within the next fifteen days.
"Vol. 139, No. 6 — February 5, 2005
Health Information Custodians in the Province of Ontario Exemption Order
Personal Information Protection and Electronic Documents Act
Department of Industry
REGULATORY IMPACT ANALYSIS STATEMENT
(This statement is not part of the Order.)
Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) establishes rules to govern the collection, use and disclosure of personal information by organizations in the course of commercial activity. Part 1 of the Act was implemented in two stages. On January 1, 2001, the Act applied to the collection, use and disclosure of personal information in connection with the operation of federal works, undertakings or businesses and to the disclosure of personal information for consideration outside a province. On January 1, 2004, the Act's reach was extended to all collections, uses and disclosures of personal information in the course of commercial activity, either within, or outside a province. Pursuant to paragraph 26(2)(b) of the Act, the Governor in Council may, by order, if satisfied that legislation of a province that is substantially similar to PIPEDA applies to an organization, a class of organizations, an activity or a class of activities, exempt the organization, activity or class from the application of PIPEDA in respect of the collection, use and disclosure of personal information within the province.
Under the trade and commerce power conferred on Parliament by subsection 91(2) of the Constitution Act, 1867, PIPEDA establishes a set of economy-wide principles and rules for the protection of personal information. The Act helps to build trust and confidence in the Canadian marketplace, while encouraging provinces and territories to develop their own privacy laws in a manner that addresses their particular needs and circumstances. To this end, the Government of Canada included provisions in PIPEDA to exempt from the federal Act organizations or activities subject to provincial or territorial laws that are deemed to be substantially similar.
On August 3, 2002, Industry Canada published the policy and criteria used to determine whether provincial or territorial legislation would be considered as substantially similar. PIPEDA provides a standard around which provinces can legislate. Under the policy, laws that are substantially similar provide privacy protection that is consistent with and equivalent to that in the federal Act; incorporate the ten principles in the CSA Model Code for the Protection of Personal Information, CAN/CSA-Q830-96, found in Schedule 1 of PIPEDA; provide for an independent and effective oversight and redress mechanism with powers to investigate; and restrict the collection, use and disclosure of personal information to purposes that are appropriate or legitimate. In recognizing such laws as substantially similar, PIPEDA provides a common standard for privacy protection across both federal and provincial domains.
The Ontario Personal Health Information Protection Act, 2004 (PHIPA) which came into force on November 1, 2004, sets rules that health information custodians must abide by when collecting, using and disclosing personal health information within the Ontario health care system. PHIPA is substantially similar to PIPEDA. The purpose of this Order is thus to exempt from PIPEDA those health information custodians, as defined in PHIPA, in respect of the collection, use and disclosure of personal health information that occurs within the province of Ontario, in the course of commercial activity. PIPEDA will continue to apply to the collection, use and disclosure of personal health information outside the province, in the course of commercial activity.
The legislative framework in Part 1 of PIPEDA requires that exemptions for organizations, classes of organizations or an activity or class of activities subject to provincial or territorial laws that are substantially similar to the federal Act be done through Order in Council. There are no alternatives to exempt from PIPEDA health information custodians subject to the Ontario PHIPA.
Benefits and costs
The alignment of federal and provincial/territorial legislative regimes for the protection of privacy makes privacy laws easier for individuals to understand and simpler for organizations to implement. Harmonization of privacy rules within the Ontario health care system creates a consistent and seamless set of rules with regard to the protection of personal health information, covering all custodians operating in the province, thereby increasing the efficiency with which they collect, use and disclose personal health information as part of their care and treatment activities.
The Order will have no adverse cost impact on the activities of health information custodians in Ontario. To the extent that they collect, use and disclose personal health information within the Ontario health care system, health information custodians are expected to comply with the privacy rules established by PHIPA. These privacy requirements are based on the national standard set in the CSA Model Code for the Protection of Personal Information, CAN/CSA-Q830-96 that is embedded in PIPEDA and in the Ontario PHIPA. Both laws establish a set of ten fair information principles, and both have set up an independent oversight and redress mechanism.
Provincial and territorial governments, along with the general public, the health care sector and the business community have already been made aware of the federal government's commitment to exempt from PIPEDA organizations subject to provincial/territorial laws that are substantially similar to PIPEDA. During parliamentary consideration of the legislation, which included extensive hearings before the Standing Committee on Industry and the Senate Standing Committee on Social Affairs, Science and Technology, taking place between October 1998 and April 2000, and through speeches, press releases and other communications to the public, the Government of Canada has clearly indicated its intention to encourage provinces and territories to develop substantially similar privacy legislation. It further confirmed that PIPEDA would not apply to organizations subject to these laws in respect of the collection, use and disclosure of personal information, including personal health information, taking place within a province or territory.
Information was also provided on the Act's substantially similar provision when Industry Canada published its policy and criteria for determining substantially similar provincial and territorial legislation in Part I of the Canada Gazette in August 2002.
The government of Ontario, as well as the Information and Privacy Commissioner of Ontario made the request to the Government of Canada that the substantially similar nature of PHIPA be recognized and that an Order in Council be passed exempting health information custodians from PIPEDA. The Privacy Commissioner of Canada, Jennifer Stoddart, also communicated with the Government of Canada on the issue, indicating that in her opinion PHIPA meets the criteria for recognizing its substantially similar nature. She also expressed her support for an exemption order exempting health information custodians in Ontario from the federal Act.
Compliance and enforcement
This Order will confirm that Ontario health information custodians will not be subject to PIPEDA in respect of the collection, use and disclosure of personal health information. Compliance with privacy rules and enforcement of the Ontario PHIPA is delivered through the Information and Privacy Commissioner of Ontario. Following the issuance of this Order, complaints and investigations about the practices of health information custodians in respect of the collection, use and disclosure of personal health information taking place within the province in the course of commercial activity will be handled exclusively by the Ontario Information and Privacy Commissioner. The Privacy Commissioner of Canada will continue to be responsible for providing oversight in relation to the collection, use and disclosure of personal health information that crosses provincial boundaries in the course of commercial activity.
Mr. Richard Simpson, Director General, Electronic Commerce Branch, Industry Canada, 300 Slater Street, Room D2090, Ottawa, Ontario K1A 0C8, (613) 990-4292 (telephone), (613) 941-0178 (facsimile), firstname.lastname@example.org (electronic mail).
PROPOSED REGULATORY TEXT
Notice is hereby given that the Governor in Council, pursuant to paragraph 26(2)(b) of the Personal Information Protection and Electronic Documents Act (see footnote a), proposes to make the annexed Health Information Custodians in the Province of Ontario Exemption Order.
Interested persons may make representations with respect to the proposed Order within 15 days after the date of publication of this notice. All such representations must cite the Canada Gazette, Part I, and the date of publication of this notice, and be addressed to Mr. Richard Simpson, Director General, Electronic Commerce Branch, Industry Canada, 300 Slater Street, Room D2090, Ottawa, Ontario K1A 0C8.
Ottawa, January 31, 2005
Assistant Clerk of the Privy Council
HEALTH INFORMATION CUSTODIANS IN THE PROVINCE OF ONTARIO EXEMPTION ORDER
1. Any health information custodian to which the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Schedule A, applies is exempt from the application of Part 1 of the Personal Information Protection and Electronic Documents Act in respect of the collection, use and disclosure of personal information that occurs within the Province of Ontario.
COMING INTO FORCE
2. This Order comes into force on the day on which it is registered.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.