Vol. 150, No. 8 — April 20, 2016
Registration
SOR/2016-62 March 29, 2016
PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT
Personal Health Information Custodians in Nova Scotia Exemption Order
P.C. 2016-161 March 24, 2016
Whereas the Governor in Council is satisfied that the Personal Health Information Act, SNS 2010, c. 41, of Nova Scotia, which is substantially similar to Part 1 of the Personal Information Protection and Electronic Documents Act (see footnote a), applies to the personal health information custodians referred to in the annexed Order;
Therefore, His Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to paragraph 26(2)(b) of the Personal Information Protection and Electronic Documents Act a, makes the annexed Personal Health Information Custodians in Nova Scotia Exemption Order.
Personal Health Information Custodians in Nova Scotia Exemption Order
Exemption
1 Any personal health information custodian to which the Personal Health Information Act, SNS 2010, c. 41, of Nova Scotia applies is exempt from the application of Part 1 of the Personal Information Protection and Electronic Documents Act in respect of the collection, use and disclosure of personal health information that occurs in Nova Scotia.
Coming into Force
2 This Order comes into force on the day on which it is registered.
REGULATORY IMPACT ANALYSIS STATEMENT
(This statement is not part of the Order.)
Issues
The proposed Order will specify that the Nova Scotia Personal Health Information Act (PHIA) is substantially similar to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
Background
Part 1 of PIPEDA establishes rules to govern the collection, use and disclosure of personal information by organizations in the course of commercial activity. On January 1, 2004, PIPEDA’s reach extended to all collections, uses and disclosures of personal information in the course of commercial activity, either within, or outside a province. Pursuant to paragraph 26(2)(b), the Governor in Council may, by order, if satisfied that the legislation of a province that is substantially similar to PIPEDA applies to an organization, a class of organizations, an activity or class of activities, exempt the organization, activity or class from the application of PIPEDA in respect of collection, use and disclosure of personal information within the province.
The PHIA came into force in Nova Scotia on June 1, 2013. The Province has requested from the Minister of Industry recognition that PHIA is substantially similar to PIPEDA.
Objectives
The objective of this Order is to exempt from the application of Part 1 of PIPEDA all personal health information custodians to whom the PHIA is applicable, in respect of the collection, use and disclosure of personal information that occurs within the Province of Nova Scotia in the course of commercial activity. Specifically, the goals are
- to demonstrate the federal government’s commitment to ensure that a patchwork of legislation of differing standards does not occur; and
- to signal that custodians of personal health information in Nova Scotia would no longer be subject to Part 1 of PIPEDA for intra-provincial transactions.
The Order will ensure that Nova Scotia health information custodians meet the same standards as other provinces and that there is a level playing field for personal information protection. Other provinces that have been recognized by order as having substantially similar legislation include British Columbia, Alberta, Ontario, Quebec, New Brunswick and Newfoundland and Labrador.
Description
PIPEDA establishes a set of economy-wide principles and rules for the protection of personal information collected, used or disclosed in the course of commercial activity. PIPEDA helps to build trust and confidence in the Canadian marketplace, while encouraging provinces and territories to develop their own privacy laws in a manner that addresses their particular needs and circumstances. To this end, the Government of Canada included provisions in PIPEDA to exempt organizations or activities subject to provincial or territorial laws that are deemed to be substantially similar. Until this exemption is provided, PIPEDA applies in provinces and territories.
In August 2002, Industry Canada published the policy and criteria used to determine whether provincial or territorial legislation would be considered as substantially similar. PIPEDA provides a standard around which provinces can legislate. Under the policy, laws that are substantially similar
- provide privacy protection that is consistent with and equivalent to that in PIPEDA;
- incorporate the 10 principles in the National Standard of Canada entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96, found in Schedule 1 of PIPEDA;
- provide for an independent and effective oversight and redress mechanism with powers to investigate; and
- restrict the collection, use and disclosure of personal information to purposes that are appropriate or legitimate.
Consultation
Provincial and territorial governments, along with the general public, the health care sector and business community have long been aware of the federal government’s commitment to exempt from PIPEDA organizations subject to provincial/territorial laws that are substantially similar to PIPEDA. The legislation has been in place since 2000. Quebec (2003), Alberta and British Columbia (2004), Ontario and New Brunswick (2005 and 2011, for health information custodians only), Newfoundland and Labrador (2012, for health information custodians only) have been granted exemptions. Information was also provided to the general public when Industry Canada published its policy and criteria for determining substantially similar provincial and territorial legislation in Part I of the Canada Gazette on August 3, 2002.
The standard procedure for assessing applications for recognition of provincial legislation protecting personal information is to consult with the Office of the Privacy Commissioner (OPC). The OPC has been consulted on this review and supports the recognition of the Nova Scotia PHIA as substantially similar to PIPEDA.
“One-for-One” Rule
The “One-for-One” Rule does not apply, as there is no change in administrative costs to business.
Small business lens
This Order does not require a small business lens review, as it is aimed at provincial governments.
Rationale
In recognizing provincial laws as substantially similar, PIPEDA provides a common standard for privacy protection across both federal and provincial domains. Where federal and provincial territorial regimes for the protection of personal information are in alignment, it ensures that organizations may be subject to a single set of rules throughout the marketplace. Such a regime also provides assurances to individuals that, regardless of where they are located, their personal information will be given the same level of protection.
PIPEDA will continue to apply to the collection, use and disclosure of personal health information outside the province, in the course of commercial activity. It will also apply to personal health information collected, used or disclosed by non-custodians and federal works and undertakings and their employees. Agents of health information custodians, who are brought within the purview of the PHIA in section 52, would also be included.
Implementation, enforcement and service standards
As an independent officer of Parliament, working independently from the government, the Privacy Commissioner of Canada investigates complaints from individuals with respect to the information-handling practices or organizations engaged in commercial activity. The Commissioner may investigate all complaints under section 12 of PIPEDA, except those pertaining to organizations subject to privacy laws that have been deemed substantially similar to PIPEDA, namely Quebec, British Columbia, and Alberta. Ontario, New Brunswick and Newfoundland and Labrador fall into this category with respect to personal health information held by health information custodians under their health sector privacy law. PIPEDA continues to apply to the collection, use or disclosure by federal works, undertakings and businesses, including personal information about their employees. PIPEDA also continues to apply to the collection, use and disclosure of personal information across provincial or national borders, in the course of commercial activity involving organizations subject to PIPEDA or to substantially similar provincial legislation. Complaints in respect of these applications of PIPEDA are also investigated by the Privacy Commissioner of Canada.
The Commissioner focuses on resolving complaints through negotiation and persuasion, using mediation and conciliation, if appropriate. In conducting investigations, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. The Commissioner or a complainant may take any matter related to a complaint to the Federal Court, which has the power to order an organization to change its practices and award damages to the aggrieved.
Contact
John Clare
Director
Privacy and Data Protection Directorate
Digital Policy Branch
Spectrum, Information Technologies and Telecommunications
Industry Canada
235 Queen Street, 1st Floor
Ottawa, Ontario
K1A 0H5
Telephone: 343-291-3796
Fax: 343-291-3802
Email: john.clare@canada.ca
- Footnote a
S.C. 2000, c. 5