Federal and Provincial Privacy Protection – Private Sector
There are privacy laws in Canada that apply to:
- the private sector(businesses and non-profit organizations),
- others that apply to the public sector(government and government agencies),
- and in some provinces there are also privacy laws that apply specifically to personal health information.
Private Sector
Federal Law
The federal law is called the Personal Information Protection and Electronic Documents Act (PIPEDA). It applies to organizations that collect, use and disclose personal information in the course of commercial activity, except when a provincial privacy law applies.
PIPEDA applies to personal information collected, used or disclosed by all businesses in industries that are federally regulated, including personal information about their employees. Provincial privacy law does not generally apply to these organizations. Federally regulated industries include telecommunications (including phone and internet providers), interprovincial transportation (including railways, airlines and trucking), maritime industries (shipping and fishing) banks and some Indian Bands.
Most businesses in Canada are covered by provincial regulation, but certain types of businesses are deemed to have a national scope and effect, so they are regulated by the federal government. The legal term for businesses operating in these federally regulated industries is “federal works, undertakings or businesses.” These industries include telecommunications, maritime industries, interprovincial transportation, and banking.
PIPEDAalso applies to all personal information that flows across provincial or national borders in the course of commercial transactions regardless of what type of business the sender or recipient is in. All personal information that flows across a border is covered by PIPEDA.
Provincial Laws
In British Columbia the law that protects privacy in the private sector is called the Personal Information Protection Act (PIPA). It applies to “every organization” except governments in the province, including municipal governments and the Nisga’a government and the courts.
All types of organizations are covered, including for-profit businesses and non-profit organizations, associations, teams and clubs. PIPA applies to organizations when they collect, use or disclose personal information in the course of their operations.
PIPA does not apply if:
- the collection, use or disclosure of personal information is for personal purposes, (for example, keeping a phone book of friends’ numbers, researching and recording a family history); or
- the collection, use or disclosure of personal information is for journalistic, artistic or literary purposes, or
- another privacy law applies to the information, for example, if PIPEDA applies, PIPA will not apply.
The Privacy Act (BC) – the Tort of Invasion of Privacy
BC has a little-used law – called the Privacy Act – which gives an individual a right to sue for invasion of privacy. This law makes it a civil wrong for a person to wilfully violate the privacy of another person.
This law has been used infrequently in British Columbia, but there are a few cases which give us some guidance about what ‘wilfully violate the privacy of another’ means. It means that the person intentionally did an act that he knew or ought to have known would violate the privacy of the other person. *
Health Sector – Provincial Law
In early 2008, the British Columbia government enacted the E-Health (Personal Information Access and Protection of Privacy) Act. This law allows the Minister of Health to designate certain health care databases as “health information banks”.
The Minister’s designation order must specify the purposes for which the information in the health information bank may be used and those purposes are limited by the Act. The information that gets put into the health information bank can be shared and used by various health care providers and administrators for purposes ranging from providing you with health care to managing the health care system. Your consent is not required, and there is no requirement for you to be told that your health information has been put into a health information bank.
The Act provides for the creation of a data stewardship committee to oversee the disclosure of personal health information from a health information bank for a planning or research purpose. The law gives you a limited right to restrict who can see and use your health information, by allowing you to put a “disclosure directive” on your health information which will specify to whom the information may or may not be disclosed.
You will also have a limited right of access to your health information held in a health information database.
- E-Health (Personal Information Access and Protection of Privacy) Act
- Big Opt Out: find out more about your rights and how to make a disclosure directive
* Watts v. Klaemt, 2007 BCSC 662 (BCSC)