Maintaining Privacy and Confidentiality

Table of Contents

Introduction

Overview

Federal Laws

Provincial Laws

Best Practices

Provincial Privacy Laws

Alberta

British Columbia

Manitoba

New Brunswick

Newfoundland and Labrador

Northwest Territories

Nova Scotia

Nunavut

Ontario

Prince Edward Island

Quebec

Saskatchewan

Yukon

Introduction

Privacy and confidentiality must be carefully considered in research, data collection and assessment processes that use personal information from individuals. This guidance document describes what you will need to consider in this area as part of developing reporting and monitoring systems within your social enterprise.

This guide includes: 1) an overview of the issues and legal requirements; 2) best practices regarding information collection and use; 3) an overview of provincial privacy laws, with links to further information.

This guide is meant as an information resource that highlights general issues and can lead you to additional resources. It is for general information only. It is not intended to be, and cannot be relied upon as, legal advice or other advice.


Overview

When you establish monitoring and reporting systems within your enterprise, you may decide that you will need to collect information from your stakeholders. These stakeholders might include your customers, clients, staff, Board or membership, to name a few. Depending on what information you require, your techniques for collection will vary. For example, you may choose to use questionnaires, one-on-one or group interviews, site visits, document analysis or case studies. Regardless of how you choose to collect information, you will need to consider how you protect the privacy and confidentiality of those you collect information from.

If you have not already done so, take steps to implement a sound privacy policy. A sound privacy policy will provide both structure to your organization’s information collection procedures, and protection from public complaints and legal sanctions. In Canada, different laws apply depending on where you are located, and the type of organization you are (private, public, non-profit). There are both federal and provincial privacy-related laws.


Federal Laws

In Canada, the Privacy Act creates obligations for the federal government to respect the privacy rights of Canadians by placing limits on the collection, use, disclosure, retention, and disposal of personal information.1 Companies, associations, labour unions, and non-profit groups must also operate within the law. The private sector law related to privacy is called the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies rules to any organization involved in commercial activity for the collection, use, and disclosure of personal information.2 The application of PIPEDA to charities, non-profit organizations, associations and other similar organizations is not clear cut. According to an Office of the Privacy Commissioner Factsheet, the presence of commercial activity is the most important consideration in determining whether or not an organization is subject to the Act.3 Non-profit status does not automatically exempt an organization.

The requirements of the Act are that organizations must obtain an individual's consent when they collect, use or disclose the individual's personal information. The individual has a right to access personal information held by an organization and to challenge its accuracy, if need be. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, consent must be obtained again. Individuals should also be assured that their information will be protected by specific safeguards, including measures such as locked cabinets, computer passwords or encryption.

More specifically, the Act requires organizations to comply with the 10 principles incorporated in Schedule 1 of the Act. Schedule 1 sets out the following 10 principles:

  • Accountability – An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
  • Identifying Purposes – The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
  • Consent – The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
  • Limiting Collection – The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
  • Limiting Use, Disclosure, and Retention – Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
  • Accuracy – Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
  • Safeguards – Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
  • Openness – An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
  • Individual Access – Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
  • Challenging Compliance – An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.


Provincial Laws

The federal PIPEDA applies to the collection, use or disclosure of personal information in the course of any commercial activity within a province, except where the federal government has exempted organizations and/or activities in provinces from PIPEDA because they have adopted substantially similar privacy legislation. This has occurred for Quebec, British Columbia and Alberta. In these provinces, PIPEDA still applies to inter-provincial and international transactions. Individual provinces have also developed privacy laws that relate to non-commercial transactions, for instance the use of health and education information.

Brief summaries of provincial privacy laws and relevant links are included in the final section of this document.


Best Practices

Beyond the consideration of basic legal requirements regarding privacy and confidentiality, consider the following ‘best practices’ principles when developing your privacy policy:

  • Respect for Human Dignity: The idea of this principle is that we conduct our work with the understanding that each person is a human being who should be treated with care and dignity, understanding their cultural, psychological, physical and other features. It expects that people be treated as individuals not objects.
  • Respect for Free and Informed Consent: This principle is based on the understanding that every human being has the capacity to make their own decisions. Therefore they should be given the opportunity to be informed and to freely consent to participation in research, data collection etc.
  • Respect for Vulnerable Persons: The expectation is that we will use high ethical standards regarding human dignity when dealing with vulnerable people including those with diminished capacity and children. The goal is to avoid abuse, exploitation or discrimination of these populations.
  • Respect for Privacy and Confidentiality: Self-explanatory as the topic in question, but it must be said.
  • Balancing Harms and Benefits: There should be no harm to individuals as a result of data collection. If some form of harm is anticipated, it should be clearly explained to the participant and should not outweigh the benefit of data collection.
  • Respect for the Broad Dissemination of Research Findings: The findings of research/data collection should be made accessible to a broad audience in anticipation that it will contribute to learning. However, this dissemination of findings must be done in a way that respects the confidentiality agreements made with the participants and stakeholders, without exception.

*Adapted from the Social Research and Demonstration Corporation Code of Practice.5


Provincial Privacy Laws


Alberta

Freedom of Information and Protection of Privacy Act
The FOIP Act provides individuals with the right to request access to information in the custody or control of public bodies while providing public bodies with a framework within which they must conduct the collection, use and disclosure of personal information. Public bodies are defined in section 1(1)(p) of the FOIP Act.

Health Information Act
The HIA provides individuals with the right to request access to health records in the custody or under the control of custodians, while providing custodians with a framework within which they must conduct the collection, use and disclosure of health information.

In addition, the HIA also covers the actions of affiliates including employees, volunteers, contractors and agencies under contract to the custodian. Some examples of affiliates can include reception and nursing staff at a doctor’s office, pharmacy technicians or information desk and food service workers in a hospital.

Ultimately, custodians are responsible for the information collected, used and disclosed by their affiliates.

Personal Information Protection Act
The purpose of PIPA is to govern the means by which private sector organizations handle personal information in a manner that recognizes both the right of an individual to have his or her personal information protected and the need of organizations to collect, use or disclose personal information for purposes that are reasonable.

PIPA will provide individuals the opportunity to request access to their own personal information, and will include provisions regarding the correction and care of personal information by organizations. PIPA will also apply to personal employee information.

Websites for more information:

British Columbia

Freedom of Information and Protection of Privacy Act
The purpose of this Act is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. PIPA also gives individuals the right to access the personal information an organization has about them and to ask for the information to be corrected if they think their personal information is incorrect or incomplete.

The Personal Information Protection Act (PIPA)
The Personal Information Protection Act (PIPA) sets out requirements for how organizations may collect, use, disclose and secure personal information.

Websites for more information:

Manitoba

Freedom of Information and Protection of Privacy Act
The Freedom of Information and Protection of Privacy Act (FIPPA) provides people in Manitoba and others with a right of access to records of public bodies, subject to certain specified exceptions, and with protection for personal information held by public bodies. The Act also provides for independent review by the Manitoba Ombudsman of the decisions and actions of public bodies relating to access to records and personal information protection. Final appeals about denial of access to information may be made under FIPPA to the Court of Queen’s Bench.

Personal Health Information Act
The Personal Health Information Act (PHIA) provides you with the right to access your personal health information, and have your personal health information kept private, when that information is held by a health care provider, health care facility or public body (referred to in the Act as "trustees").

Websites for more information:

New Brunswick

Protection of Personal Information Act
The Act is designed to regulate the collection, confidentiality, correction, disclosure, retention and use of personal information. The Act applies to those public bodies set out under the Right to Information Act and to any other public body that may be designated by regulation.

Website for more information:

Newfoundland and Labrador

Access to Information and Protection of Privacy Act
The ATIPPA governs access to records in the custody of or under the control of a public body and sets out requirements for the collection, use, storage and disclosure of personal information contained in the records they maintain. The purpose of Newfoundland and Labrador’s ATIPPA is to make public bodies more open and accountable and to protect individual privacy.

Website for more information:

Northwest Territories

Access to Information and Protection of Privacy Act
The Access to Information and Protection of Privacy Act gives individuals a legal right to request access to information held by Northwest Territories public bodies. Information may only be withheld if it falls under one of the limited and specific exceptions set out in the Act. The Act also provides for the correction and protection of personal information collected, used and disclosed by public bodies. It gives the individual to whom the information relates the right to access and correct this information. It also sets the conditions for when a public body may collect, use and disclose personal information.

Website for more information:

Nova Scotia

Freedom of Information and Protection of Privacy Act
Pursuant to the Acts, all public bodies, municipalities and local public bodies are obliged to adopt a policy of accountability, openness and transparency and to provide a right of access to information with limited exceptions. They are also obliged to ensure the protection of individuals' personal privacy.

Website for more information:

Nunavut

Access to Information and Protection of Privacy Act
The Access to Information and Protection of Privacy Act has two objectives. The first is to allow the public a means to obtain information which the government or a government body holds. The second is to ensure that private, personal information which is held by a government agency is used only for the purpose it was intended and is not improperly disclosed to anyone either inside or outside of government.

Website for more information:

Ontario

Freedom of Information and Protection of Privacy Act
The Freedom of Information and Protection of Privacy Act applies to Ontario’s provincial ministries and most provincial agencies, boards and commissions, as well as community colleges, universities and Local Health Integration Networks (LHINs). The Act requires that the government protect the privacy of an individual’s personal information existing in government records. It also gives individuals the right to request access to government information, including general records and records containing their own personal information.

Municipal Freedom of Information and Protection of Privacy Act
The Municipal Freedom of Information and Protection of Privacy Act applies to municipalities, local boards, agencies and commissions. This may include information held by a city clerk, a school board, board of health, public utility or police commission. The Act requires that local government organizations protect the privacy of an individual’s personal information existing in government records. It also gives individuals the right to request access to municipal government information, including most general records and records containing their own personal information.

Personal Health Information Protection Act, 2004
The purposes of this Act are: (a) to establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals with respect to that information, while facilitating the effective provision of health care; (b) to provide individuals with a right of access to personal health information about themselves, subject to limited and specific exceptions set out in this Act; (c) to provide individuals with a right to require the correction or amendment of personal health information about themselves, subject to limited and specific exceptions set out in this Act; (d) to provide for independent review and resolution of complaints with respect to personal health information; and (e) to provide effective remedies for contraventions of this Act. 2004, c. 3, Sched. A, s. 1.

Websites for more information:

Prince Edward Island

Freedom of Information and Protection of Privacy Act
The Freedom of Information and Protection of Privacy Act has two purposes: to make government more open and accountable to the citizens of Prince Edward Island, and to ensure that the personal information held by government is protected.

Website for more information:

Quebec

Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information
The Act is divided into two components. The first gives individuals a right of access to documents held by public bodies, while the second is designed to give maximum protection to personal information held by public bodies. The second component also recognizes a right of access for all individuals, as well as a right of correction of their personal information.

Act Respecting the Protection of Personal Information in the Private Sector
The CAI (Commission d'accès à l'information) is also responsible for the application of the Act respecting the protection of personal information in the private sector. All enterprises supplying goods and services must comply with this Act if they collect, store, use or communicate personal information. To ensure control of the information concerning them, all individuals have the right to examine their own file, in particular through their right of access and their right of correction, as well as the right to have removed from a nominative list any information held or used by an enterprise for commercial or philanthropic prospecting purposes.

Website for more information:

Saskatchewan

Freedom of Information and Protection of Privacy Act
The Act requires that the government protect the privacy of an individual’s personal information existing in government records. It also gives individuals the right to request access to government information, including general records and records containing their own personal information.

Local Freedom of Information and Protection of Privacy Act
The Act requires that local government organizations protect the privacy of an individual’s personal information existing in government records. It also gives individuals the right to request access to municipal government information, including most general records and records containing their own personal information.

Health Information Protection Act
The Act sets out rules for the collection, storage, use and disclosure of personal health information, for access to personal health information and for the privacy of individuals with respect to personal health information, and makes consequential amendments to other Acts.

Websites for more information:

Yukon

Access to Information and Protection of Privacy Act
The legislation is in place to make public bodies more accountable to the public and to protect personal privacy. In other words, the ATIPP Act attempts to strike a balance between access to government records and the protection of personal privacy. It also controls how personal information is collected, used and disclosed, and prevents other people from seeing information about you without your consent.

Websites for more information: