FEDERAL REG

SOR/2016-62: Personal Health Information Custodians in Nova Scotia Exemption Order Personal Information Protection and Electronic Documents Act

REGISTRATION OF FEDERAL REGULATION - VIA PART II OF THE GAZETTE

Registered
March 30, 2016


REGULATORY IMPACT ANALYSIS STATEMENT (This statement is not part of the Order.) Issues The proposed Order will specify that the Nova Scotia Personal Health Information Act (PHIA) is substantially similar to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). Background Part 1 of PIPEDA establishes rules to govern the collection, use and disclosure of personal inform... (Click for more)


Published on March 30, 2016

Bill Summary

SOR/2016-62: Personal Health Information Custodians in Nova Scotia Exemption Order Personal Information Protection and Electronic Documents Act

REGULATORY IMPACT ANALYSIS STATEMENT (This statement is not part of the Order.) Issues The proposed Order will specify that the Nova Scotia Personal Health Information Act (PHIA) is substantially similar to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). Background Part 1 of PIPEDA establishes rules to govern the collection, use and disclosure of personal information by organizations in the course of commercial activity. On January 1, 2004, PIPEDA’s reach extended to all collections, uses and disclosures of personal information in the course of commercial activity, either within, or outside a province. Pursuant to paragraph 26(2)(b), the Governor in Council may, by order, if satisfied that the legislation of a province that is substantially similar to PIPEDA applies to an organization, a class of organizations, an activity or class of activities, exempt the organization, activity or class from the application of PIPEDA in respect of collection, use and disclosure of personal information within the province. The PHIA came into force in Nova Scotia on June 1, 2013. The Province has requested from the Minister of Industry recognition that PHIA is substantially similar to PIPEDA. Objectives The objective of this Order is to exempt from the application of Part 1 of PIPEDA all personal health information custodians to whom the PHIA is applicable, in respect of the collection, use and disclosure of personal information that occurs within the Province of Nova Scotia in the course of commercial activity. Specifically, the goals are to demonstrate the federal government’s commitment to ensure that a patchwork of legislation of differing standards does not occur; and to signal that custodians of personal health information in Nova Scotia would no longer be subject to Part 1 of PIPEDA for intra-provincial transactions. The Order will ensure that Nova Scotia health information custodians meet the same standards as other provinces and that there is a level playing field for personal information protection. Other provinces that have been recognized by order as having substantially similar legislation include British Columbia, Alberta, Ontario, Quebec, New Brunswick and Newfoundland and Labrador. Description PIPEDA establishes a set of economy-wide principles and rules for the protection of personal information collected, used or disclosed in the course of commercial activity. PIPEDA helps to build trust and confidence in the Canadian marketplace, while encouraging provinces and territories to develop their own privacy laws in a manner that addresses their particular needs and circumstances. To this end, the Government of Canada included provisions in PIPEDA to exempt organizations or activities subject to provincial or territorial laws that are deemed to be substantially similar. Until this exemption is provided, PIPEDA applies in provinces and territories. In August 2002, Industry Canada published the policy and criteria used to determine whether provincial or territorial legislation would be considered as substantially similar. PIPEDA provides a standard around which provinces can legislate. Under the policy, laws that are substantially similar provide privacy protection that is consistent with and equivalent to that in PIPEDA; incorporate the 10 principles in the National Standard of Canada entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96, found in Schedule 1 of PIPEDA; provide for an independent and effective oversight and redress mechanism with powers to investigate; and restrict the collection, use and disclosure of personal information to purposes that are appropriate or legitimate. Consultation Provincial and territorial governments, along with the general public, the health care sector and business community have long been aware of the federal government’s commitment to exempt from PIPEDA organizations subject to provincial/territorial laws that are substantially similar to PIPEDA. The legislation has been in place since 2000. Quebec (2003), Alberta and British Columbia (2004), Ontario and New Brunswick (2005 and 2011, for health information custodians only), Newfoundland and Labrador (2012, for health information custodians only) have been granted exemptions. Information was also provided to the general public when Industry Canada published its policy and criteria for determining substantially similar provincial and territorial legislation in Part I of the Canada Gazette on August 3, 2002. The standard procedure for assessing applications for recognition of provincial legislation protecting personal information is to consult with the Office of the Privacy Commissioner (OPC). The OPC has been consulted on this review and supports the recognition of the Nova Scotia PHIA as substantially similar to PIPEDA. “One-for-One” Rule The “One-for-One” Rule does not apply, as there is no change in administrative costs to business. Small business lens This Order does not require a small business lens review, as it is aimed at provincial governments. Rationale In recognizing provincial laws as substantially similar, PIPEDA provides a common standard for privacy protection across both federal and provincial domains. Where federal and provincial territorial regimes for the protection of personal information are in alignment, it ensures that organizations may be subject to a single set of rules throughout the marketplace. Such a regime also provides assurances to individuals that, regardless of where they are located, their personal information will be given the same level of protection. PIPEDA will continue to apply to the collection, use and disclosure of personal health information outside the province, in the course of commercial activity. It will also apply to personal health information collected, used or disclosed by non-custodians and federal works and undertakings and their employees. Agents of health information custodians, who are brought within the purview of the PHIA in section 52, would also be included. Implementation, enforcement and service standards As an independent officer of Parliament, working independently from the government, the Privacy Commissioner of Canada investigates complaints from individuals with respect to the information-handling practices or organizations engaged in commercial activity. The Commissioner may investigate all complaints under section 12 of PIPEDA, except those pertaining to organizations subject to privacy laws that have been deemed substantially similar to PIPEDA, namely Quebec, British Columbia, and Alberta. Ontario, New Brunswick and Newfoundland and Labrador fall into this category with respect to personal health information held by health information custodians under their health sector privacy law. PIPEDA continues to apply to the collection, use or disclosure by federal works, undertakings and businesses, including personal information about their employees. PIPEDA also continues to apply to the collection, use and disclosure of personal information across provincial or national borders, in the course of commercial activity involving organizations subject to PIPEDA or to substantially similar provincial legislation. Complaints in respect of these applications of PIPEDA are also investigated by the Privacy Commissioner of Canada. The Commissioner focuses on resolving complaints through negotiation and persuasion, using mediation and conciliation, if appropriate. In conducting investigations, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. The Commissioner or a complainant may take any matter related to a complaint to the Federal Court, which has the power to order an organization to change its practices and award damages to the aggrieved. Contact John Clare Director Privacy and Data Protection Directorate Digital Policy Branch Spectrum, Information Technologies and Telecommunications Industry Canada 235 Queen Street, 1st Floor Ottawa, Ontario K1A 0H5 Telephone: 343-291-3796 Fax: 343-291-3802 Email: [email protected] Footnote a S.C. 2000, c. 5

This Bill does not amend any statutes.

Sign up for alerts on this Bill

Receive emails tracking this Bill's progress.

See all your alerts in a dashboard.

Set an alert with one click and you're done!