The federal government has expanded the list of organizations that are exempt from the Personal Information Protection and Electronic Documents Act (PIPEDA) on the basis that similar provincial legislation sufficiently protects the relevant personal information. As of October 10, 2012, health care organizations subject to Newfoundland and Labrador’s Personal Health Information Act (PHIA) are exempt from PIPEDA because the provincial legislation is “substantially similar”.
Newfoundland and Labrador is now the sixth province to be granted an exemption from some or all of Part I of PIPEDA, and the third to enact exempted personal health information legislation.
Under s. 26(2)(b) of PIPEDA, organizations or activities subject to provincial privacy legislation that is substantially similar to Part I of PIPEDA can be exempted from PIPEDA for the collection, use or disclosure of personal information within that province. This ensures that organizations will not have to comply with two sets of rules that provide the same or greater protection for personal information.
It is important to note that exemptions from PIPEDA are granted only to relevant organizations for their activities within the relevant province. PIPEDA continues to apply to personal information collected, used or disclosed by federal works, undertakings and businesses, as well as to personal information collected, used or disclosed across provincial or Canadian borders in the course of business. The Newfoundland and Labrador exemption is therefore limited in scope, as PIPEDA continues to apply to health care organizations’ collection, use and disclosure of personal health information from or into other provinces.
Newfoundland and Labrador’s PHIA has been in force since April 1, 2011. The legislation provides rules for organizations that collect, use and disclose health information that (i) could identify an individual, and (ii) relates to delivering or administering health care. Such organizations include health care providers and operators, provincial agencies involved in health care and health information, ambulance services, pharmacies and others. PHIA provides that consent from the individual must be obtained to collect, use and disclose health information except in specific circumstances. PHIA also provides that applicable organizations must take reasonable steps to secure health information and prevent its disclosure, failing which a fine of not more than $10,000 or imprisonment for a term not exceeding 6 months is possible. However, an organization will not be liable if it demonstrates that reasonable steps were taken to prevent the contravention.
Comprehensive personal information legislation in three provinces has already been declared to be substantially similar to PIPEDA: the Personal Information Protection Act in British Columbia, the Personal Information Protection Act in Alberta, and An Act respecting the protection of personal information in the private sector in Quebec. Personal health information legislation of two other provinces, in addition to Newfoundland and Labrador, has been declared substantially similar: the Personal Health Information Privacy and Access Act in New Brunswick and the Personal Health Information Protection Act in Ontario. In light of this most recent exemption, it will be interesting to see if similar exemptions are granted in other provinces, leading to fewer organizations that are subject to PIPEDA.