The following overview draws attention to the legislative instruments that govern the collection, use and disclosure of personal information in Canada. For clarity, we have separated out applicable legislation by province or territory according to three categories of personal information:
- health information (which concerns the collection or storage of personal information in healthcare);
- personal information held by public bodies (including specific rules applicable to the municipal bodies); and
- the use, collection and disclosure of personal information by private entities.
These categories are not necessarily exclusive. Especially in the context of health, various laws can apply. Clinicians or practitioners that collect, use and disclose healthcare data may be subject to several legislative instruments. For further information, please consult with the Office of the Privacy Commissioner's information guide on personal health information. If you have additional questions about the impact of legislation on your specific circumstances, you should seek out legal advice.
Federal Government (CAN)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | Health information is only subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) if it is used, collected or disclosed in the course of a commercial activity. | Office of the Privacy Commissioner of Canada |
| Public Bodies (Use, Collection and/Or Disclosure By) | The Privacy Act applies to the collection, use and retention or disposal of personal information by federal government institutions in the course of providing services. The Access to Information Act provides a right of access to government records, which may include reference to personal information. Municipal entities may also, however, be subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) to the extent that (a) they engage in a non-core commercial activity and (b) the activity is not covered by a similar provincial jurisdiction. See: The Application of PIPEDA to Municipalities, Universities, Schools, and Hospitals. | Office of the Privacy Commissioner of Canada / Information Commissioner of Canada |
| Private Entities (Use, Collection and/Or Disclosure By) | PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity. Where the commercial activity is subject to regulation by substantially similar provincial privacy legislation, PIPEDA may not necessarily apply. It is, however, possible for both federal and provincial legislation to apply. | Office of the Privacy Commissioner of Canada |
Quebec (QC)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health |
The Act respecting health services and social services applies to health and social services bodies that hold health information. It establishes rules for the collection, use and disclosure of health information, mandates that providers undertake actions to reduce privacy risk and mandates that patients can transfer their health information between institutions. There are various other legislative sources that may apply to personal information in the healthcare domain. The Act to Establish a Legal Framework for Information Technology governs the "creation of a database of biometric characteristics and measurements" (art 45). |
|
| Public Bodies (use, Collection and/Or Disclosure By) |
The Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information regulates the collection, use, and disclosure of personal information by public bodies. It also provides individuals with a right to access personal information held by public bodies. |
Commission d’accès à l’information |
| Private Entities (use, Collection and/Or Disclosure By) | The Act Respecting the Protection of Personal Information in the Private Sector governs the use, collection and disclosure of personal information by persons "carrying on an enterprise." It applies broadly, including to healthcare practitioners such as psychiatrists. See: Learning From a Decade of Experience: Quebec's Private Sector Privacy Act. | Commission d’accès à l’information |
Ontario (ON)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The Personal Health Information Protection Act (PHIPA) governs personal health information collected, used, or disclosed by health information custodians in the province. | Information and Privacy Commissioner of Ontario |
| Public Bodies (Use, Collection and/Or Disclosure By) | There are two pieces of legislation that govern the use, collection and disclosure of personal information by public bodies in Ontario and establish a right of access. The Municipal Freedom of Information and Protection of Privacy Act governs municipal bodies such as school boards, transit commissions or municipalities while the Freedom of Information and Protection of Privacy Act governs provincial bodies, including universities, colleges, hospitals and ministries. | Information and Privacy Commissioner of Ontario |
| Private Entities (Use, Collection and/Or Disclosure By) | PIPEDA applies to most private-sector organizations operating for a commercial purpose. Where personal information is collected by private entities for health purposes, however, pursuant to an order of the Governor in Council, only PHIPA applies. See: Declaration of PHIPA as substantially similar to PIPEDA. | Information and Privacy Commissioner of Ontario |
New Brunswick (NB)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The Personal Health Information Privacy and Access Act governs information collected, used, stored, disclosed and maintained in the health system. See: Important Facts for Custodians. | New Brunswick Ombud’s Office |
| Public Bodies (Use, Collection and/Or Disclosure By) | The Right to Information and Protection of Privacy Act governs personal information collected, used and disclosed by provincial bodies and provides a right to access records under the control of the provincial government. | New Brunswick Ombud’s Office |
| Private Entities (Use, Collection and/Or Disclosure By) | PIPEDA applies to the use, collection and disclosure of personal information in the course of commercial activity within the province in the absence of an equivalent provincial statute. | Office of the Privacy Commissioner of Canada |
Nova Scotia (NS)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The Personal Health Information Act (PHIA) governs the use, collection and disclosure of personal health information within the province of Nova Scotia. See: What You Need to Know. | The Information and Privacy Commissioner for Nova Scotia |
| Public Bodies (Use, Collection and/Or Disclosure By) | The Act Respecting Municipal Government governs the use, collection and disclosure of personal information held by municipal bodies in the province while the the Freedom of Information and Protection of Privacy Act governs the use, collection and disclosure of personal information held by provincial public bodies. | The Information and Privacy Commissioner for Nova Scotia |
| Private Entities (Use, Collection and/Or Disclosure By) | PIPEDA applies to the use, collection and disclosure of personal information in the course of commercial activity within the province in the absence of an equivalent provincial statute. | Office of the Privacy Commissioner of Canada |
British Columbia (BC)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The E-Health (Personal Health Information Access and Protection of Privacy) Act governs the use, collection and disclosure of personal health information within the province of British Columbia. | Office of the Information & Privacy Commissioner of British Columbia |
| Public Bodies (Use, Collection and/Or Disclosure By) | The Freedom of Information and Protection of Privacy Act governs the collection, use and disclosure of personal information by public bodies, such as boards of education and francophone educational authorities. | Office of the Information & Privacy Commissioner of British Columbia |
| Private Entities (Use, Collection and/Or Disclosure By) | The Personal Information Protection Act governs the collection, use and disclosure of personal information by private organizations located within the province of British Columbia. | Office of the Information & Privacy Commissioner of British Columbia |
Alberta (AB)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The Health Information Act governs the collection, use and disclosure of health information. See: Legislative Overview. | Office of the Information and Privacy Commissioner of Alberta |
| Public Bodies (Use, Collection and/Or Disclosure By) | The Freedom of Information and Protection of Privacy Act (FOIP) governs the collection, use and disclosure of personal information by public bodies and provides provides individuals with the right to request access to information in their custody or control within the province of Alberta. | Office of the Information and Privacy Commissioner of Alberta |
| Private Entities (Use, Collection and/Or Disclosure By) | The Personal Information Protection Act governs the collection, use and disclosure of personal information by private-sector organizations in the province and provides provides individuals with the right to request access to their own personal information. | Office of the Information and Privacy Commissioner of Alberta |
Saskatchewan (SK)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The Health Information Protection Act governs the collection, use and disclosure of personal health information in the province of Saskatchewan. | Saskatchewan Information and Privacy Commissioner |
| Public Bodies (Use, Collection and/Or Disclosure By) | The Freedom of Information and Protection of Privacy Act and the Local Authority Freedom of Information and Protection of Privacy Act regulate the collection, use and disclosure of personal information by provincial and municipal bodies and provide citizens with a framework for accessing information held by public bodies. | Saskatchewan Information and Privacy Commissioner |
| Private Entities (Use, Collection and/Or Disclosure By) | In Saskatchewan, PIPEDA applies to personal information held by private-sector organizations and federally-regulated organizations (banks, airlines, telecommunications, etc.). See: Saskatchewan Business and Privacy. | Office of the Privacy Commissioner of Canada |
Manitoba (MB)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The Personal Health Information Act establishes rules for trustees of personal health information within the province of Manitoba. | Manitoba Ombudsman |
| Public Bodies (Use, Collection and/Or Disclosure By) |
The Freedom of Information and Protection of Privacy Act regulates how public bodies manage personal information and provides a right of access to records held by public bodies within the province. It also sets out an independent review process for people who disagree with access and privacy decisions made by public bodies. See: FIPPA for the Public. |
Manitoba Ombudsman |
| Private Entities (Use, Collection and/Or Disclosure By) | In Manitoba, PIPEDA applies to personal information held by private-sector organizations and federally-regulated organizations (banks, airlines, telecommunications, etc.). | Office of the Privacy Commissioner of Canada |
Northwest Territories (NT)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The Health Information Act governs the collection, use and disclosure of personal health information within the Northwest Territories. | Office of the Information and Privacy Commissioner (OIPC) |
| Public Bodies (Use, Collection and/Or Disclosure By) | The Access to Information and Protection of Privacy Act governs the collection, use and disclosure of personal information held by public bodies and provides a right of access to their records within the Northwest Territories. |
Office of the Information and Privacy Commissioner (OIPC) |
| Private Entities (Use, Collection and/Or Disclosure By) | Because the Northwest Territories is not a province under the Canadian constitution, the federal government maintains a larger share of jurisdictional competence. Private organizations operating in the Northwest Territories are considered to be "federal works, undertakings or businesses" under PIPEDA and are therefore subject to the federal rules for the collection, use and disclosure of personal information. | Office of the Privacy Commissioner of Canada |
Newfoundland & Labrador (NL)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The Personal Health Information Act governs the collection, use and disclosure of confidential personal health information by custodians within the province. | Office of the Information and Privacy Commissioner Newfoundland and Labrador |
| Public Bodies (Use, Collection and/Or Disclosure By) | The Access to Information and Protection of Privacy Act governs the privacy of individuals whose personal information is collected, used and disclosed by public bodies and provides the public with a right of access to records held by public bodies. | Office of the Information and Privacy Commissioner Newfoundland and Labrador |
| Private Entities (Use, Collection and/Or Disclosure By) | In Newfoundland & Labrador, PIPEDA applies to personal information held by private-sector organizations and federally-regulated organizations (banks, airlines, telecommunications, etc.). | Office of the Privacy Commissioner of Canada |
Yukon (YT)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The Health Information Privacy and Management Act (HIPMA) establishes a framework to regulate the collection, use and disclosure of personal health information. It applies to health custodians and their agents (e.g. hospitals, healthcare facilities, relevant government departments and most healthcare providers). | Office of the Yukon Information and Privacy Commissioner |
| Public Bodies (Use, Collection and/Or Disclosure By) | The Access to Information and Protection of Privacy Act (ATIPPA) and the associated Regulations govern the collection, use and disclosure of data by public bodies in the territory of Yukon. | Office of the Yukon Information and Privacy Commissioner |
| Private Entities (Use, Collection and/Or Disclosure By) | Because the Yukon is not a province under the Canadian constitution, the federal government maintains a larger share of jurisdictional competence. Private organizations operating in the Yukon are considered to be "federal works, undertakings or businesses" under PIPEDA and are therefore subject to the federal rules for the collection, use and disclosure of personal information. | Office of the Privacy Commissioner of Canada |
Nunavut (NU)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The Access to Information and Protection of Privacy Act (ATIPPA) is the only provincial legislative instrument regulating the collection, use and disclosure of data in Nunavut. It governs access to personal information collected, used or held by public bodies, including records about health. | Office of the Information & Privacy Commissioner of Nunavut |
| Public Bodies (Use, Collection and/Or Disclosure By) | The Access to Information and Protection of Privacy Act (ATIPPA) is the only provincial legislative instrument regulating the collection, use and disclosure of data in Nunavut. It governs access to personal information collected, used or held by public bodies. | Office of the Information & Privacy Commissioner of Nunavut |
| Private Entities (Use, Collection and/Or Disclosure By) | Because Nunavut is not a province under the Canadian constitution, the federal government maintains a larger share of jurisdictional competence. Private organizations operating in Nunavut are considered to be "federal works, undertakings or businesses" under PIPEDA and are therefore subject to the federal rules for the collection, use and disclosure of personal information. | Office of the Privacy Commissioner of Canada |
The content of Datum's website is provided for informational purposes only and does not constitute legal advice or the practice of law. While every effort is made to ensure the accuracy of information on this website, Datum does not warrant that any of the materials on its website are accurate, complete or current.