Canadian HIPAA: PIPEDA and the Provinces

By | April 29, 2020

Canadian HIPAA: PIPEDA and the Provinces

The “Canadian HIPAA” is known as the Personal Information Protection and Electronic Documents Act, or PIPEDA. This “Canadian HIPAA” is notably different from HIPAA in several aspects. Most significantly, under PIPEDA, the data that is protected is not limited to individual health information. All personal data, health or otherwise, is protected by Canadian HIPAA,  or PIPEDA.

“Canadian HIPAA”: How Does PIPEDA Work?

The Personal Information Protection and Electronic Documents Act (PIPEDA), colloquially referred to as “Canadian HIPAA,” is a Canadian data privacy law that governs how private businesses collect, use, and disclose personal information in the course of commercial activity. How and when PIPEDA applies to Canadian provinces is discussed below.

What is “Personal Information” Under PIPEDA?

Under PIPEDA, “personal information” includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

  • Age, name, ID numbers, income, ethnic origin, or blood type;
  • Opinions, evaluations, comments, social status, or disciplinary actions; and
  • Employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant; and “commercial intentions” (e.g., intent to acquire goods or services, or to change jobs). 

What is “Commercial Activity” Under PIPEDA?

The law defines a commercial activity as:

  • A transaction, act, conduct, or regular course of conduct, that
  • Is of a commercial character

Commercial activities include general sales activities. Commercial activities also include the selling, bartering, or leasing of donor, membership or other fundraiser lists. 

Is Personal Information That Crosses Provincial or National Borders Subject to PIPEDA?

All businesses operating in Canada that handle personal information that crosses provincial or national borders, are subject to PIPEDA. This is so regardless of the province or territory in which the business operates or is based.

All businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).

Does PIPEDA Apply to Federally Regulated Organizations?

Canada regulates a number of organizations at the federal level. These organizations include (among others): 

  • Airports airlines;
  • Banks and authorized foreign banks;
  • Inter-provincial (between-province) or international transportation companies; 
  • Telecommunications companies;
  • Offshore drilling operations; and
  • Radio and television broadcasters

If a business is federally regulated, and that business conducts business in Canada, the business is subject to PIPEDA. PIPEDA also applies to the personal information of such business’ employees. 

When Does PIPEDA NOT Apply?

PIPEDA does not apply to:

  • Personal information handled by federal government organizations listed under the Canadian Privacy Act
  • Provincial or territorial governments and their agents
  • Business contact information (e.g., employee name, title, business address, telephone number, or email address) that:
    • Is collected, used, or disclosed, solely
    • For the purpose of communicating with a person,
    • In relation to their employment or profession 
  • An individual’s collection, use or disclosure of personal information strictly for personal (as opposed to commercial) purposes (e.g., a personal greeting card list)
  • An organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes (as opposed to commercial purposes)

PIPEDA also does not apply to not-for profits, charity groups, or political parties and associates, provided:

  • These entities are not engaging in commercial activities, that
  • Are not central to their mandate, and involve
  • Personal information