The Personal Information Protection and Electronic Documents Act (PIPEDA) governs how Canadian businesses manage the collection, use, and disclosure of personal information. It is a significant concern to not only commercial organizations, but to their customers as well. This multi-part series is designed to help Canadian businesses better understand these laws and provide direction in applying them to their organizations and ensuring compliance.
British Columbia’s Personal Information Protection Act (PIPA) is similar to PIPEDA in that it protects personal data collection within the private sector. Organizations considered to be public bodies, as well as the public sector, must comply with the Freedom of Information and Protection of Privacy Act (FIPPA). FIPPA requires that public bodies store any personal information that is under its control or custody exclusively in Canada and it can only be accessed in Canada. There are exceptions but they are few.
The province of Alberta has a law similar to PIPEDA that protects personal data collection within the private sector called the Personal Information Protection Act (PIPA). The Freedom of Information and Protection of Privacy (FOIP) governs the public sector.
Ontario’s Personal Health Information Protection Act (PHIPA) works in conjunction with PIPEDA. PHIPA governs custodians of health information (hospitals, long term care service providers, pharmacies, health care practitioners, etc.) as well as their agents (insurance companies, information processors, employees, information managers, and volunteers) regarding the disclosure and use of personal health information. It ensures that when they have personal health information in their control or custody it is protected from loss, theft, and unauthorized disclosure or use.
The Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information of Québec requires that personal information cannot be released outside of Québec or entrusted to a body or person outside of Québec to hold, use, or release the information on its behalf until the information is protected at a level that is equivalent to that of provincial law. It is intended to prevent personal data from being exported to other Canadian provinces or other countries that fail to provide the protection that is equivalent to that of Québec law.