Saturday, February 05, 2005

Industry Canada proposes PIPEDA exemption for Ontario "health information custodians"

Industry Canada has gazetted its proposed cabinet order exempting Ontario's "health information custodians" from the application of Part I of PIPEDA. It is no surprise that the federal goverment considers that the Personal Health Information Protection Act to be "substantially similar" to PIPEDA.

The notice in the Canada Gazette is soliciting comments within the next fifteen days.

Canada Gazette:

"Vol. 139, No. 6 — February 5, 2005

Health Information Custodians in the Province of Ontario Exemption Order

Statutory authority

Personal Information Protection and Electronic Documents Act

Sponsoring department

Department of Industry

REGULATORY IMPACT ANALYSIS STATEMENT

(This statement is not part of the Order.)

Description

Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) establishes rules to govern the collection, use and disclosure of personal information by organizations in the course of commercial activity. Part 1 of the Act was implemented in two stages. On January 1, 2001, the Act applied to the collection, use and disclosure of personal information in connection with the operation of federal works, undertakings or businesses and to the disclosure of personal information for consideration outside a province. On January 1, 2004, the Act's reach was extended to all collections, uses and disclosures of personal information in the course of commercial activity, either within, or outside a province. Pursuant to paragraph 26(2)(b) of the Act, the Governor in Council may, by order, if satisfied that legislation of a province that is substantially similar to PIPEDA applies to an organization, a class of organizations, an activity or a class of activities, exempt the organization, activity or class from the application of PIPEDA in respect of the collection, use and disclosure of personal information within the province.

Under the trade and commerce power conferred on Parliament by subsection 91(2) of the Constitution Act, 1867, PIPEDA establishes a set of economy-wide principles and rules for the protection of personal information. The Act helps to build trust and confidence in the Canadian marketplace, while encouraging provinces and territories to develop their own privacy laws in a manner that addresses their particular needs and circumstances. To this end, the Government of Canada included provisions in PIPEDA to exempt from the federal Act organizations or activities subject to provincial or territorial laws that are deemed to be substantially similar.

On August 3, 2002, Industry Canada published the policy and criteria used to determine whether provincial or territorial legislation would be considered as substantially similar. PIPEDA provides a standard around which provinces can legislate. Under the policy, laws that are substantially similar provide privacy protection that is consistent with and equivalent to that in the federal Act; incorporate the ten principles in the CSA Model Code for the Protection of Personal Information, CAN/CSA-Q830-96, found in Schedule 1 of PIPEDA; provide for an independent and effective oversight and redress mechanism with powers to investigate; and restrict the collection, use and disclosure of personal information to purposes that are appropriate or legitimate. In recognizing such laws as substantially similar, PIPEDA provides a common standard for privacy protection across both federal and provincial domains.

The Ontario Personal Health Information Protection Act, 2004 (PHIPA) which came into force on November 1, 2004, sets rules that health information custodians must abide by when collecting, using and disclosing personal health information within the Ontario health care system. PHIPA is substantially similar to PIPEDA. The purpose of this Order is thus to exempt from PIPEDA those health information custodians, as defined in PHIPA, in respect of the collection, use and disclosure of personal health information that occurs within the province of Ontario, in the course of commercial activity. PIPEDA will continue to apply to the collection, use and disclosure of personal health information outside the province, in the course of commercial activity.

Alternatives

The legislative framework in Part 1 of PIPEDA requires that exemptions for organizations, classes of organizations or an activity or class of activities subject to provincial or territorial laws that are substantially similar to the federal Act be done through Order in Council. There are no alternatives to exempt from PIPEDA health information custodians subject to the Ontario PHIPA.

Benefits and costs

Benefits

The alignment of federal and provincial/territorial legislative regimes for the protection of privacy makes privacy laws easier for individuals to understand and simpler for organizations to implement. Harmonization of privacy rules within the Ontario health care system creates a consistent and seamless set of rules with regard to the protection of personal health information, covering all custodians operating in the province, thereby increasing the efficiency with which they collect, use and disclose personal health information as part of their care and treatment activities.

Costs

The Order will have no adverse cost impact on the activities of health information custodians in Ontario. To the extent that they collect, use and disclose personal health information within the Ontario health care system, health information custodians are expected to comply with the privacy rules established by PHIPA. These privacy requirements are based on the national standard set in the CSA Model Code for the Protection of Personal Information, CAN/CSA-Q830-96 that is embedded in PIPEDA and in the Ontario PHIPA. Both laws establish a set of ten fair information principles, and both have set up an independent oversight and redress mechanism.

Consultation

Provincial and territorial governments, along with the general public, the health care sector and the business community have already been made aware of the federal government's commitment to exempt from PIPEDA organizations subject to provincial/territorial laws that are substantially similar to PIPEDA. During parliamentary consideration of the legislation, which included extensive hearings before the Standing Committee on Industry and the Senate Standing Committee on Social Affairs, Science and Technology, taking place between October 1998 and April 2000, and through speeches, press releases and other communications to the public, the Government of Canada has clearly indicated its intention to encourage provinces and territories to develop substantially similar privacy legislation. It further confirmed that PIPEDA would not apply to organizations subject to these laws in respect of the collection, use and disclosure of personal information, including personal health information, taking place within a province or territory.

Information was also provided on the Act's substantially similar provision when Industry Canada published its policy and criteria for determining substantially similar provincial and territorial legislation in Part I of the Canada Gazette in August 2002.

The government of Ontario, as well as the Information and Privacy Commissioner of Ontario made the request to the Government of Canada that the substantially similar nature of PHIPA be recognized and that an Order in Council be passed exempting health information custodians from PIPEDA. The Privacy Commissioner of Canada, Jennifer Stoddart, also communicated with the Government of Canada on the issue, indicating that in her opinion PHIPA meets the criteria for recognizing its substantially similar nature. She also expressed her support for an exemption order exempting health information custodians in Ontario from the federal Act.

Compliance and enforcement

This Order will confirm that Ontario health information custodians will not be subject to PIPEDA in respect of the collection, use and disclosure of personal health information. Compliance with privacy rules and enforcement of the Ontario PHIPA is delivered through the Information and Privacy Commissioner of Ontario. Following the issuance of this Order, complaints and investigations about the practices of health information custodians in respect of the collection, use and disclosure of personal health information taking place within the province in the course of commercial activity will be handled exclusively by the Ontario Information and Privacy Commissioner. The Privacy Commissioner of Canada will continue to be responsible for providing oversight in relation to the collection, use and disclosure of personal health information that crosses provincial boundaries in the course of commercial activity.

Contact

Mr. Richard Simpson, Director General, Electronic Commerce Branch, Industry Canada, 300 Slater Street, Room D2090, Ottawa, Ontario K1A 0C8, (613) 990-4292 (telephone), (613) 941-0178 (facsimile), simpson.richard@ic.gc.ca (electronic mail).

PROPOSED REGULATORY TEXT

Notice is hereby given that the Governor in Council, pursuant to paragraph 26(2)(b) of the Personal Information Protection and Electronic Documents Act (see footnote a), proposes to make the annexed Health Information Custodians in the Province of Ontario Exemption Order.

Interested persons may make representations with respect to the proposed Order within 15 days after the date of publication of this notice. All such representations must cite the Canada Gazette, Part I, and the date of publication of this notice, and be addressed to Mr. Richard Simpson, Director General, Electronic Commerce Branch, Industry Canada, 300 Slater Street, Room D2090, Ottawa, Ontario K1A 0C8.

Ottawa, January 31, 2005

EILEEN BOYD
Assistant Clerk of the Privy Council

HEALTH INFORMATION CUSTODIANS IN THE PROVINCE OF ONTARIO EXEMPTION ORDER

EXEMPTION

1. Any health information custodian to which the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Schedule A, applies is exempt from the application of Part 1 of the Personal Information Protection and Electronic Documents Act in respect of the collection, use and disclosure of personal information that occurs within the Province of Ontario.

COMING INTO FORCE

2. This Order comes into force on the day on which it is registered.

No comments: