Overview
The following overview draws attention to the legislative instruments that govern the collection, use and disclosure of personal information in Canada. For clarity, we have separated out applicable legislation by province or territory according to three categories of personal information:
- health information (which concerns the collection or storage of personal information in healthcare);
- personal information held by public bodies (including specific rules applicable to the municipal bodies); and
- the use, collection and disclosure of personal information by private entities.
These categories are not necessarily exclusive. Especially in the context of health, various laws can apply. Clinicians or practitioners that collect, use and disclose healthcare data may be subject to several legislative instruments. For further information, please consult with the Office of the Privacy Commissioner's information guide on . If you have additional questions about the impact of legislation on your specific circumstances, you should seek out legal advice.
Federal Government (CAN)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | Health information is only subject to the (PIPEDA) if it is used, collected or disclosed in the course of a commercial activity. | |
| Public Bodies (Use, Collection and/Or Disclosure By) | The applies to the collection, use and retention or disposal of personal information by federal government institutions in the course of providing services. The provides a right of access to government records, which may include reference to personal information. Municipal entities may also, however, be subject to the (PIPEDA) to the extent that (a) they engage in a non-core commercial activity and (b) the activity is not covered by a similar provincial jurisdiction. See: . | / |
| Private Entities (Use, Collection and/Or Disclosure By) | applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity. Where the commercial activity is subject to regulation by substantially similar provincial privacy legislation, may not necessarily apply. It is, however, possible for both federal and provincial legislation to apply. |
Quebec (QC)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health |
The applies to health and social services bodies that hold health information. It establishes rules for the collection, use and disclosure of health information, mandates that providers undertake actions to reduce privacy risk and mandates that patients can transfer their health information between institutions. There are various other legislative sources that may apply to personal information in the healthcare domain. The governs the "creation of a database of biometric characteristics and measurements" (art 45). |
|
| Public Bodies (use, Collection and/Or Disclosure By) |
The regulates the collection, use, and disclosure of personal information by public bodies. It also provides individuals with a right to access personal information held by public bodies. |
|
| Private Entities (use, Collection and/Or Disclosure By) | The governs the use, collection and disclosure of personal information by persons "carrying on an enterprise." It applies broadly, including to healthcare practitioners such as psychiatrists. See: . | [PDF] |
Ontario (ON)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The (PHIPA) governs personal health information collected, used, or disclosed by health information custodians in the province. | |
| Public Bodies (Use, Collection and/Or Disclosure By) | There are two pieces of legislation that govern the use, collection and disclosure of personal information by public bodies in Ontario and establish a right of access. The governs municipal bodies such as school boards, transit commissions or municipalities while the governs provincial bodies, including universities, colleges, hospitals and ministries. | |
| Private Entities (Use, Collection and/Or Disclosure By) | PIPEDA applies to most private-sector organizations operating for a commercial purpose. Where personal information is collected by private entities for health purposes, however, pursuant to an order of the , only PHIPA applies. See: . |
New Brunswick (NB)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The governs information collected, used, stored, disclosed and maintained in the health system. See: [PDF]. | |
| Public Bodies (Use, Collection and/Or Disclosure By) | The [PDF] governs personal information collected, used and disclosed by provincial bodies and provides a right to access records under the control of the provincial government. | |
| Private Entities (Use, Collection and/Or Disclosure By) | applies to the use, collection and disclosure of personal information in the course of commercial activity within the province in the absence of an equivalent provincial statute. |
Nova Scotia (NS)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The (PHIA) governs the use, collection and disclosure of personal health information within the province of Nova Scotia. See: . | |
| Public Bodies (Use, Collection and/Or Disclosure By) | The [PDF] governs the use, collection and disclosure of personal information held by municipal bodies in the province while the the governs the use, collection and disclosure of personal information held by provincial public bodies. | |
| Private Entities (Use, Collection and/Or Disclosure By) | applies to the use, collection and disclosure of personal information in the course of commercial activity within the province in the absence of an equivalent provincial statute. |
British Columbia (BC)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The governs the use, collection and disclosure of personal health information within the province of British Columbia. | |
| Public Bodies (Use, Collection and/Or Disclosure By) | The governs the collection, use and disclosure of personal information by public bodies, such as boards of education and francophone educational authorities. | |
| Private Entities (Use, Collection and/Or Disclosure By) | The governs the collection, use and disclosure of personal information by private organizations located within the province of British Columbia. |
Alberta (AB)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The governs the collection, use and disclosure of health information. See: . | |
| Public Bodies (Use, Collection and/Or Disclosure By) | The (FOIP) governs the collection, use and disclosure of personal information by public bodies and provides provides individuals with the right to request access to information in their custody or control within the province of Alberta. | |
| Private Entities (Use, Collection and/Or Disclosure By) | The governs the collection, use and disclosure of personal information by private-sector organizations in the province and provides provides individuals with the right to request access to their own personal information. |
Saskatchewan (SK)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The governs the collection, use and disclosure of personal health information in the province of Saskatchewan. | |
| Public Bodies (Use, Collection and/Or Disclosure By) | The and the regulate the collection, use and disclosure of personal information by provincial and municipal bodies and provide citizens with a framework for accessing information held by public bodies. | |
| Private Entities (Use, Collection and/Or Disclosure By) | In Saskatchewan, PIPEDA applies to personal information held by private-sector organizations and federally-regulated organizations (banks, airlines, telecommunications, etc.). See: . |
Manitoba (MB)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The establishes rules for trustees of personal health information within the province of Manitoba. | |
| Public Bodies (Use, Collection and/Or Disclosure By) |
The [PDF] regulates how public bodies manage personal information and provides a right of access to records held by public bodies within the province. It also sets out an independent review process for people who disagree with access and privacy decisions made by public bodies. See: . |
|
| Private Entities (Use, Collection and/Or Disclosure By) | In Manitoba, PIPEDA applies to personal information held by private-sector organizations and federally-regulated organizations (banks, airlines, telecommunications, etc.). |
Northwest Territories (NT)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The [PDF]governs the collection, use and disclosure of personal health information within the Northwest Territories. | |
| Public Bodies (Use, Collection and/Or Disclosure By) | The [PDF] governs the collection, use and disclosure of personal information held by public bodies and provides a right of access to their records within the Northwest Territories. | |
| Private Entities (Use, Collection and/Or Disclosure By) | Because the Northwest Territories is not a province under the Canadian constitution, the federal government maintains a larger share of jurisdictional competence. Private organizations operating in the Northwest Territories are considered to be "federal works, undertakings or businesses" under PIPEDA and are therefore subject to the federal rules for the collection, use and disclosure of personal information. |
Newfoundland & Labrador (NL)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The governs the collection, use and disclosure of confidential personal health information by custodians within the province. | |
| Public Bodies (Use, Collection and/Or Disclosure By) | The governs the privacy of individuals whose personal information is collected, used and disclosed by public bodies and provides the public with a right of access to records held by public bodies. | |
| Private Entities (Use, Collection and/Or Disclosure By) | In Newfoundland & Labrador, PIPEDA applies to personal information held by private-sector organizations and federally-regulated organizations (banks, airlines, telecommunications, etc.). |
Yukon (YT)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The  (HIPMA) [PDF] establishes a framework to regulate the collection, use and disclosure of personal health information. It applies to health custodians and their agents (e.g. hospitals, healthcare facilities, relevant government departments and most healthcare providers). | |
| Public Bodies (Use, Collection and/Or Disclosure By) | The (ATIPPA) [PDF] and the associated [PDF] govern the collection, use and disclosure of data by public bodies in the territory of Yukon. | |
| Private Entities (Use, Collection and/Or Disclosure By) | Because the Yukon is not a province under the Canadian constitution, the federal government maintains a larger share of jurisdictional competence. Private organizations operating in the Yukon are considered to be "federal works, undertakings or businesses" under PIPEDA and are therefore subject to the federal rules for the collection, use and disclosure of personal information. |
Nunavut (NU)
|
Categories of Personal Information |
Applicable Legislation |
Regulatory Body |
|---|---|---|
| Health | The (ATIPPA) is the only provincial legislative instrument regulating the collection, use and disclosure of data in Nunavut. It governs access to personal information collected, used or held by public bodies, including records about health. | |
| Public Bodies (Use, Collection and/Or Disclosure By) | The (ATIPPA) is the only provincial legislative instrument regulating the collection, use and disclosure of data in Nunavut. It governs access to personal information collected, used or held by public bodies. | |
| Private Entities (Use, Collection and/Or Disclosure By) | Because Nunavut is not a province under the Canadian constitution, the federal government maintains a larger share of jurisdictional competence. Private organizations operating in Nunavut are considered to be "federal works, undertakings or businesses" under PIPEDA and are therefore subject to the federal rules for the collection, use and disclosure of personal information. |
The content of Datum's website is provided for informational purposes only and does not constitute legal advice or the practice of law. While every effort is made to ensure the accuracy of information on this website, Datum does not warrant that any of the materials on its website are accurate, complete or current.