Canada Privacy Laws

Breach Notification
  • Mandated Timeframe: As soon as feasible

Fines & Penalties
  • Violations: Up to $100,000

REGULATION LEVELS
  • Categories: Breach Reporting; Consumer Notifications; Vendor Management; Vendor Contract Required
  • LEVEL DESCRIPTION (scale): Minimal / Basic / Comprehensive / Extensive

LAWS RELATED TO PERSONAL INFORMATION
  • Regulated Breach Reporting
  • Breach Reporting Requirements
  • Consumer Notification Requirements
  • Vendor Notification of Breach
  • Vendor Requirements
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Privacy Program Requirements
  • Protection/Security
  • Employee Training
  • Vendor Protection/Security Program
  • Personal Information Protection
  • Data Disposal of Personal Information

Quick Facts

Canada Privacy Law Information

  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

    Privacy laws in Canada are a mixture of federal and provincial laws and are based on the 10 principles of fair information practice. Private-sector Organizations in Canada that collect, use or disclose personal information in the course of commercial activity are subject to PIPEDA. Federally regulated businesses operating in Canada and engaged in commercial activity (FWUBs) are subject to PIPEDA, including with respect to their employees’ personal information. All businesses operating in Canada that handle personal information crossing provincial or national borders are subject to PIPEDA.

  • Additional PIPEDA

    PIPEDA may extend to an Organization if personal information crosses provincial or national borders. PIPEDA does not apply to not-for-profits, charities and other organizations not engaged in commercial activity, in which case provincial or territorial privacy legislation may apply. PIPEDA is overseen by the Office of the Privacy Commissioner of Canada. Health Organizations and their Vendors must have measures in place for the protection and security of personal information.

  • Audit

    Organizations must keep internal records of their personal information management practices. The Office of the Privacy Commissioner of Canada (the “OPC”) has the right to audit an Organization’s records. Organizations have the right to inspect or audit a Vendor’s policies and procedures for the handling and protection of personal information.

  • Privacy Program

    Organizations and their Vendors processing personal information in the course of commercial, for-profit activities must designate an individual (or individuals) to be responsible for personal information under the Organization’s control. Organizations and their Vendors must have policies and procedures in place for the handling, protection and security of personal information.

  • Data Subject Access Request

    Consumers have the right to request access to their personal information, request correction of their personal information, withdraw consent or have their personal information deleted, and know it will be safeguarded. Organizations must establish a process to ensure all Vendors processing that consumer’s information update the information as necessary.

  • Consumer Rights

    PIPEDA requires organizations to obtain individuals’ consent to collect, use or disclose their personal information. Individuals have the right to know what personal information is being collected, and for what purposes it is being collected and used. Organizations transferring personal information to a Vendor located in a foreign jurisdiction are required to inform consumers that their personal information may be accessed by foreign courts, law enforcement and national security authorities in the foreign Vendor’s jurisdiction.

  • Breach Reporting

    Breach reporting and consumer notification are mandatory. If a Vendor experiences a breach of security safeguards involving an Organization’s personal information, the Vendor must notify the Organization. An Organization required to complete breach notification must also notify any entities or governmental institutions it believes can assist with reducing the risk of harm to the affected individuals (e.g., law enforcement, Vendors). Organizations must keep internal records of every breach incident involving personal information under their control (even if it was determined that there was no real risk of significant harm and the breach did not have to be reported to the OPC).

  • Consumer Notification

    Organizations transferring personal information to a Vendor located in a foreign jurisdiction are required to inform consumers that their personal information may be accessed by foreign courts, law enforcement and national security authorities in the foreign Vendor’s jurisdiction. The Organization in control of the personal information is responsible for any necessary consumer notifications and/or breach reporting to the OPC if it is determined that the breach will create a real risk of significant harm (RROSH) to an individual(s).

  • Vendor/Third Parties

    Organizations with the direct consumer relationship are responsible for personal information in their possession and custody, including information they transfer to Vendors for processing. Organizations must contract with Vendors for the processing of personal information, or must exercise strict oversight (e.g., auditing) of Vendors if no contract exists. Vendors processing personal information in an international jurisdiction are subject to the laws of that country, and a contract cannot override those laws. It is important for Organizations to pay close attention to the legal requirements within each foreign Vendor’s jurisdiction.

  • Fines & Penalties

    Failure to comply with PIPEDA’s data breach notifications and record keeping requirements can result in fines of up to $100,000. PIPEDA is overseen by the Office of the Privacy Commissioner of Canada.

Canada

Statutes and Laws

PIPEDA

CANADA’S PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT