
Alberta: Health and Pharma Overview


1. Governing Texts

This is a high-level overview of privacy and data protection as it relates to the health and pharmaceutical industries in Alberta. For the purpose of this Guidance Note, we have primarily focused on the requirements under Alberta's provincial private sector privacy statute, the Personal Information Protection Act 2003 ('PIPA') and Alberta's healthcare sector specific legislation, the Health Information Act 2000 ('HIA').

This Guidance Note does not address restrictions regarding the collection, use, or disclosure of personal information by public bodies governed by the Freedom of Information and Protection of Privacy Act 2000.

1.1. Legislation

In Alberta, PIPA and its regulations govern the ability of private sector organisations to collect, use, and disclose personal information. PIPA applies to private sector organisations, such as corporations, partnerships, trade unions, and individuals acting in a commercial capacity, and has been deemed substantially similar to Canada's federal Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA'). PIPA generally applies to businesses involved in the manufacture, distribution, and provision of health and pharmaceutical products or services in Alberta.

HIA and its regulations, conversely, govern the collection of health information by specific healthcare sector practitioners and organisations. HIA applies uniquely to prescribed organisations, entities, or healthcare practitioners, including Alberta Health Services ('AHS'), pharmacies and pharmacists, physicians, optometrists, registered nurses, dentists, etc. ('custodians'), and individuals or organisations under a contract or agency relationship with custodians ('affiliates'). HIA also applies in certain situations to persons carrying out research using health information in the custody or control of custodians.

Both PIPA and HIA provide individuals with rights relating to their personal information, including individual rights of access to, and correction of, personal information. Both PIPA and HIA also include breach notification obligations to affected individuals and the Office of the Information and Privacy Commissioner of Alberta ('OIPC') in the event of unauthorised access, use, or disclosure of an individual's personal information or health information, respectively.

1.2. Supervisory authorities

PIPA and HIA grant regulatory authority to the OIPC to investigate alleged breaches of that legislation. The OIPC is separate from Alberta government ministers and departments, and functions as an Independent Officer of the Alberta Legislative Assembly.

The OIPC has order-making powers. Organisations are required to comply with an OIPC order within a specified time period. Orders may be filed with the Court of King's Bench of Alberta (formerly the Court of Queen's Bench of Alberta) and thereby become enforceable as a judgment of that court.

1.3. Guidelines

Relevant Alberta guidance documents from the OIPC relating to PIPA include:

Relevant Alberta guidance documents from the OIPC relating to HIA include:

1.4. Definitions

PIPA

Organisation: Includes:

However, this does not include an individual acting in a personal or domestic capacity.

Personal information: Information about an identifiable individual.

Record: A record of information in any form or in any medium, whether in written, printed, photographic, electronic form, or any other form, but does not include a computer program or other mechanism that can produce a record.

Service provider: Any organisation, including, without limitation, a parent corporation, subsidiary, affiliate, contractor, or subcontractor that, directly or indirectly, provides a service for or on behalf of another organisation.

HIA

Affiliate: Includes:

  • an individual employed by the custodian;
  • a person who performs a service for the custodian as an appointee, volunteer, student, or under a contractual or agency relationship with the custodian;
  • a health services provider who is exercising the right to admit and treat patients at a hospital, as defined in the Hospitals Act 2000;
  • an information manager; and
  • a person who is designated under the regulations to be an affiliate.

However, this does not include an agent, as defined in the Health Insurance Premiums Act 2000, or a health information repository other than a health information repository that is designated in the regulations as an affiliate.

Custodian: Means:

  • the board of an approved hospital, as defined in the Hospitals Act, other than an approved hospital that is owned and operated by a regional health authority established under the Regional Health Authorities Act 2000;
  • the operator of a nursing home, as defined in the Nursing Homes Act 2000, other than a nursing home that is owned and operated by a regional health authority established under the Regional Health Authorities Act;
  • an ambulance operator, as defined in the Emergency Health Services Act 2008;
  • a provincial health board established pursuant to regulations made under Section 17(1)(a) of the Regional Health Authorities Act;
  • a regional health authority established under the Regional Health Authorities Act;
  • a community health council, as defined in the Regional Health Authorities Act;
  • a subsidiary health corporation, as defined in the Regional Health Authorities Act;
  • a board, council, committee, commission, panel, or agency that is created by a custodian referred to in any of the points above, if all or a majority of its members are appointed by, or on behalf of, that custodian, but does not include a committee that has as its primary purpose the carrying out of quality assurance activities within the meaning of Section 9 of the Alberta Evidence Act 2000;
  • a health services provider who is designated in the regulations as a custodian, or who is within a class of health services providers that is designated in the regulations for the purpose of this subclause;
  • the Health Quality Council of Alberta;
  • a licensed pharmacy, as defined in the Pharmacy and Drug Act 2000;
  • the Department as defined by HIA;
  • the Minister as defined by HIA; or
  • an individual or board, council, committee, commission, panel, agency, corporation, or other entity designated in the regulations as a custodian.

Data matching: The creation of individually identifying health information by combining individually identifying or non‑identifying health information or other information from two or more electronic databases, without the consent of the individuals who are the subjects of the information.

Diagnostic, treatment, and care information: Information about any of the following:

  • the physical and mental health of an individual;
  • a health service provided to an individual, including the following information in regard to a health services provider who provides a health service to that individual:
    • name, business title, business mailing address and business electronic address, business telephone number and business facsimile number, type of health services provider, licence number or any other number assigned to the health services provider by a health professional body to identify that health services provider, profession, job classification, employer, municipality in which the health services provider's practice is located, provincial service provider identification number that is assigned to the health services provider by the Minister to identify the health services provider, or any other information specified in the regulations;
  • the donation by an individual of a body part or bodily substance, including information derived from the testing or examination of a body part or bodily substance;
  • a drug as defined in the Pharmacy and Drug Act provided to an individual;
  • a health care aid, device, product, equipment, or other item provided to an individual pursuant to a prescription or other authorisation;
  • the amount of any benefit paid or payable under the Alberta Health Care Insurance Act 2000 or any other amount paid or payable in respect of a health service provided to an individual; and
  • any other information about an individual that is collected when a health service is provided to the individual, but does not include information that is not written, photographed, recorded, or stored in some manner in a record.

Health information: Diagnostic, treatment, and care information and/or registration information.

Health information repository: An agency, corporation, or other entity designated by the Minister of Health to act as a health information repository.

Health service: A service that is provided to an individual for any of the following purposes:

  • protecting, promoting, or maintaining physical and mental health;
  • preventing illness;
  • diagnosing and treating illness;
  • rehabilitation; or
  • caring for the health needs of the ill, disabled, injured, or dying.

However, this does not include a service excluded by the regulations.

Individually identifying: When used to describe health information, this means that the identity of the individual who is the subject of the information can be readily ascertained from the information.

Information manager: A person or body that:

  • processes, stores, retrieves, or disposes of health information;
  • in accordance with the regulations, strips, encodes, or otherwise transforms individually identifying health information to create non‑identifying health information; or
  • provides information management or information technology services in a manner that requires the use of health information.

This does not include an individual employed by a custodian who performs any of these functions.

Non-identifying: When used to describe health information, this means that the identity of the individual who is the subject of the information cannot be readily ascertained from the information.

Record: A record of health information in any form and includes notes, images, audiovisual recordings, x-rays, books, documents, maps, drawings, photographs, letters, vouchers and papers, and any other information that is written, photographed, recorded, or stored in any manner, but does not include software or any mechanism that produces records.

Registration information: Information relating to an individual that falls within the following general categories and is more specifically described in the regulations:

  • demographic information, including the individual's personal health number;
  • location information;
  • telecommunications information;
  • residency information;
  • health service eligibility information; and
  • billing information.

This does not include information that is not written, photographed, recorded, or stored in some manner in a record.

Research: Academic, applied, or scientific research that necessitates the use of individually identifying health information.

Research ethics board: A body designated by the regulations as a research ethics board, and under the Designation Regulation, Alberta Regulation 69/2001 means:

2. Clinical Research and Clinical Trials

Clinical trials of drugs are regulated under the federal Food and Drug Regulations 2009. HIA includes additional requirements relating to research and data-matching involving health information by both custodians and other persons.

HIA

Custodian research involving non-identifying health information

In general, HIA permits custodians to collect, use, and disclose non-identifying health information for any purpose. However, if a custodian intends to disclose non-identifying health information to a person who is not a custodian, the custodian must inform that person of their downstream obligation to notify the OIPC before using the information for data matching purposes. The reason is that information which is non-identifying on its own can become individually identifying once it is combined with another database (see the definition of data matching above).
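The following is an added example, not part of the original Guidance Note and not drawn from any Alberta custodian's systems. It illustrates two points on this page in working code: the information manager's task of stripping direct identifiers to create non-identifying health information (see the definition of information manager above), and the data matching definition, i.e. why information that is non-identifying on its own can become individually identifying when linked with a second database. All records, field names (phn, postal, dob, sex, dx) and the second "registry" database are constructed for the example. The generalisation step at the end (coarsening postal code and date of birth so that each quasi-identifier combination is shared by at least two people) is a standard de-identification technique and is an assumption of this example, not a requirement HIA spells out.

```python
"""Added example: naive de-identification, data matching (linkage), and generalisation.

All data below is constructed for illustration only.
"""
from collections import Counter

# Constructed: a custodian's records, with direct identifiers present.
CUSTODIAN_RECORDS = [
    {"phn": "1234-5678-9", "name": "A. Patient", "postal": "T5K 2N2", "dob": "1981-03-14", "sex": "F", "dx": "diabetes"},
    {"phn": "2345-6789-0", "name": "B. Patient", "postal": "T5K 2N2", "dob": "1981-07-02", "sex": "F", "dx": "asthma"},
    {"phn": "3456-7890-1", "name": "C. Patient", "postal": "T6G 1H4", "dob": "1975-11-30", "sex": "M", "dx": "hypertension"},
    {"phn": "4567-8901-2", "name": "D. Patient", "postal": "T6G 1H4", "dob": "1975-05-21", "sex": "M", "dx": "depression"},
]

# Constructed: a second, separately held database (e.g. a public directory) that carries names.
REGISTRY = [
    {"name": "A. Patient", "postal": "T5K 2N2", "dob": "1981-03-14", "sex": "F"},
    {"name": "B. Patient", "postal": "T5K 2N2", "dob": "1981-07-02", "sex": "F"},
    {"name": "C. Patient", "postal": "T6G 1H4", "dob": "1975-11-30", "sex": "M"},
    {"name": "D. Patient", "postal": "T6G 1H4", "dob": "1975-05-21", "sex": "M"},
]

# Fields that name the individual outright vs. fields that only narrow them down.
DIRECT_IDENTIFIERS = {"phn", "name"}
QUASI_IDENTIFIERS = ("postal", "dob", "sex")


def strip_direct_identifiers(records):
    """Naive de-identification: drop the personal health number and name only."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def data_match(released, registry, keys=QUASI_IDENTIFIERS):
    """Link a released extract to a registry on the quasi-identifier tuple.

    Returns a list of (name, dx) pairs for every released record whose
    quasi-identifiers match exactly one registry entry, i.e. re-identified
    health information created by combining two databases.
    """
    index = {}
    for row in registry:
        index.setdefault(tuple(row[k] for k in keys), []).append(row["name"])
    matches = []
    for rec in released:
        candidates = index.get(tuple(rec[k] for k in keys), [])
        if len(candidates) == 1:
            matches.append((candidates[0], rec["dx"]))
    return matches


def generalise(records):
    """Coarsen quasi-identifiers: postal code -> forward sortation area, dob -> year."""
    out = []
    for r in records:
        g = dict(r)
        g["postal"] = r["postal"][:3]
        g["dob"] = r["dob"][:4]
        out.append(g)
    return out


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Size of the smallest group of records sharing the same quasi-identifier tuple."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    return min(counts.values())


if __name__ == "__main__":
    released = strip_direct_identifiers(CUSTODIAN_RECORDS)
    print("k after stripping direct identifiers:", k_anonymity(released))
    print("re-identified by linkage:", data_match(released, REGISTRY))
    coarse = generalise(released)
    print("k after generalisation:", k_anonymity(coarse))
    print("re-identified after generalisation:", data_match(coarse, generalise(REGISTRY)))
```

Run as a script, the first linkage re-identifies every record, because each (postal code, date of birth, sex) triple is unique: stripping the name and personal health number alone does not make the extract non-identifying in any practical sense. After generalisation each triple is shared by two people, so the same linkage produces no unique match. The point for a custodian deciding whether an extract is "non-identifying" is that the test is what a recipient could readily ascertain with the other databases available to them, not merely whether the obvious identifiers are absent.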

Custodian research involving individually identifying health information

HIA includes restrictions regarding the use of individually identifying health information for research and data matching undertaken by custodians.

Custodians may collect and use individually identifying health information for research purposes where the collection of that information is specifically authorised by law, or when conducting research or performing data matching or other services to facilitate another person's research. If engaged in research, data matching, or facilitating another person's research, a custodian must:

  • submit a proposed research protocol to a research ethics board, which includes:
    • objectives, background, methods, recruitment, consent/assent, harms and benefits, privacy and confidentiality, biases and limitations, knowledge translation and dissemination plan, budget, references, and any other information required by the research ethics board or HIA regulations;
  • satisfy the research ethics board that:
    • the proposed research is of sufficient importance that the public interest in the proposed research outweighs, to a substantial degree, the public interest in protecting the privacy of the individuals who are the subjects of the health information to be used in the research;
    • the researcher is qualified to carry out the research;
    • adequate safeguards will be in place at the time the research will be carried out to protect the privacy of the individuals who are the subjects of the health information to be used in the research and the confidentiality of that information, and either:
      • that the custodian will obtain consent for the disclosure of the health information to be used in the research from the individuals who are the subjects of the information; or
      • that obtaining the consent above would be unreasonable, impractical, or not feasible;
  • comply with, or undertake to comply with, the conditions, if any, suggested by the research ethics board; and
  • where the research ethics board recommends that consent should be obtained from the individuals who are the subjects of the health information to be used in the research, ensure that those consents are obtained.

In determining whether the proposed research protocol satisfies the requirement above, the research ethics board will consider the degree to which the proposed research would contribute to:

  • identification, prevention, or treatment of illness or disease;
  • scientific understanding relating to health;
  • promotion and protection of the health of individuals and communities;
  • improved delivery of health services; and
  • improvements in health system management.

The research board then prepares a response setting out its recommendations and assessments, and any conditions to be imposed on the proposed research protocol. The research ethics board provides a copy of the response to the OIPC, which may publish the response publicly.

Researcher research involving health information

HIA requires that any person, whether an individual or corporation, who intends to conduct research using health information in the custody or control of a custodian or health information repository, submit a research protocol to a research ethics board using the same process identified in the bullet list above, under the subsection on custodian research involving individually identifying health information.

If the research ethics board is not satisfied with any of the requirements of the proposed research protocol, the researcher may be prohibited from applying for access to personal health information from custodians or health information repositories to conduct research.

If the research ethics board is satisfied with all of the requirements of the proposed research protocol, the researcher may forward to one or more custodians or health information repositories:

  • the researcher's research protocol;
  • the response of the research ethics board to the researcher's research protocol; and
  • a written application for:
    • disclosure of the health information to be used in the research;
    • performance of data matching; or
    • performance of any other service to facilitate the research.

Custodians who receive such requests may, but are not required to, disclose the health information or perform the data matching or other services required to facilitate the research. If the custodian determines to disclose the health information or perform data matching or other services, the custodian:

  • must impose on the researcher any conditions suggested by the research ethics board;
  • may impose other conditions on the researcher the custodian sees fit; and
  • if the research ethics board recommends that consent be obtained, the researcher must obtain the requisite consent before the disclosure of health information or performance of data matching or other services.

Custodians who opt to disclose health information to a researcher or perform data matching or other services to facilitate research must first enter into an agreement with the researcher in which the researcher agrees:

  • to comply with:
    • HIA and its regulations;
    • any conditions imposed by the custodian relating to the use, protection, disclosure, return, or disposal of the health information; and
    • any requirement imposed by the custodian to provide safeguards against the identification, direct or indirect, of an individual who is the subject of the health information;
  • to use the health information only for the purpose of conducting the research and in accordance with the research protocol;
  • not to publish the health information in a form that could reasonably enable the identity of an individual who is the subject of the information to be readily ascertained;
  • not to make any attempt to contact an individual who is the subject of the health information to obtain additional health information unless the individual has provided the custodian with necessary consent;
  • to allow the custodian to access or inspect the researcher's premises to confirm that the researcher is complying with the enactments, conditions, and requirements; and
  • to pay the actual costs associated with:
    • preparing information for disclosure, or performing data matching or other services;
    • making copies of health information; and
    • obtaining any necessary consent from individuals whose personal information would be disclosed.

Researchers who enter into such agreements must comply with the terms of the agreements and the conditions set out in the research ethics board's response to the research protocol, and collect, use, and disclose health information only in accordance with the agreement and the approved research protocol.

If there is a failure to comply with the terms and conditions of such an agreement or the conditions of the research ethics board's response to the research protocol, the agreement may be cancelled, and the researcher required to destroy any health information or return it to the custodian.

PIPA

Research and trials involving personal information

PIPA does not specifically address the collection, use, or disclosure of personal information involved in research or trials. PIPA does not apply to health information, as defined in HIA, that is in the custody or under the control of a custodian; personal information in the custody or control of organisations, including private companies, which are neither custodians nor affiliates under HIA will generally be subject to PIPA.

Accordingly, personal information (as distinct from health information under HIA) in the custody or control of an organisation engaged in research or trials is subject to the general restrictions on collection, use, and disclosure of personal information under PIPA.

2.1. Data collection and retention

The collection and retention of health information in connection with a trial must be carried out in accordance with good clinical practices and the federal Food and Drug Regulations. In Alberta, additional restrictions regarding the collection and retention of research or trial data may apply under HIA and PIPA.

HIA

Health information collection and retention

Custodians

Custodians must only collect individually identifying health information in connection with research or data matching as described in the section on Clinical Research and Clinical Trials above, under the subsection on custodian research involving individually identifying health information.

Custodians must also only collect individually identifying health information directly from the individual who is the subject of the information, except for specific situations, such as where the custodian is conducting research or data matching in compliance with HIA (i.e., if the consent requirement has been waived by the research ethics board).  

When collecting individually identifying health information directly from the individual, the custodian must take reasonable steps to inform the individual of:

  • the purposes for which the information is being collected;
  • the specific legal authority for the collection; and
  • the title, business address, and business phone number of an affiliate of the custodian who can answer the individual's questions about the collection.

HIA does not explicitly speak to records retention periods, which are sometimes set by other legislation or professional regulatory bodies.

Researchers

Researchers must only collect, use, disclose, and retain health information as permitted under the applicable agreement with the custodian and the research protocol.  

PIPA

Personal information collection and retention

PIPA limits the collection of personal information by organisations. Organisations are only permitted to collect personal information for purposes that are objectively reasonable. Where personal information is collected, the specific personal information collected must be reasonable for the specific purpose for which it was collected (i.e., the purpose must be objectively reasonable, and the personal information must be minimised to achieve that specific reasonable purpose).

Generally, personal information must only be collected with the consent of an individual, and from the individual themselves, subject to limited exceptions which are not usually applicable to clinical research and trials. Organisations are required to only keep personal information for as long as reasonably required for business or legal purposes, but there are no express retention periods under PIPA.

2.2. Consent

Federally, participants must generally provide free and informed consent to participate in a trial, in accordance with the Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans and legal requirements.

The Alberta specific consent obligations relating to the collection, use, and disclosure of health information and personal information stipulated in HIA and PIPA are substantially similar to those in the federal legislation, PIPEDA.

Custodians and organisations are generally required to obtain meaningful consent prior to the collection, use, and disclosure of health information or personal information, subject to limited exceptions. For consent to be valid, it must be reasonable to expect that individuals would understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they are consenting.

Under HIA, regarding the disclosure of health information for research or data matching purposes:

  • a research ethics board may dispense with the requirement for consent from individuals regarding the disclosure of their health information in connection with the research or data matching; or
  • a research ethics board may require the custodian to obtain consent for the disclosure of health information to a researcher, in which case that consent must include:
    • an authorisation for the custodian to disclose the health information specified in the consent;
    • the purpose for which the health information may be disclosed;
    • the identity of the person to whom the health information may be disclosed;
    • an acknowledgment that the individual providing the consent has been made aware of the reasons why the health information is needed and the risks and benefits to the individual of consenting or refusing to consent;
    • the date the consent is effective and the date, if any, on which the consent expires; and
    • a statement that the consent may be revoked at any time by the individual providing it.

Individuals lacking capacity

Capacity to consent to medical treatment and/or research is a complex and a fact-specific determination, and depends on the nature and extent of the incapacity, the consent being sought, the treatment or research opportunity offered, and myriad other factors which generally warrant discussion with legal counsel.

Withdrawals of consent

Under HIA, individuals may revoke consent in writing or electronically, provided that the revocation is signed by the person providing it. Under PIPA, individuals may withdraw consent at any time regarding the collection, use, or disclosure of personal information by an organisation. Neither HIA nor PIPA addresses whether such a revocation operates retroactively, nor has the OIPC specifically considered that issue.

2.3. Data obtained from third parties

As noted in the section on Consent above, in Alberta, HIA allows custodians to disclose, and researchers to collect, health information without consent in connection with research or data matching initiatives, provided that a research ethics board approved protocol addresses the impracticality of obtaining consent.

In terms of collection of health information, HIA allows custodians to collect individually identifying health information from someone other than the person seeking health services in limited situations, including where:

  • the individual authorises collection from someone else;
  • the individual is unable to provide the information and the custodian collects it from an authorised representative such as a trustee or guardian of a person under the age of 18, or an agent under a personal directive, although individuals under 18 years of age that are capable of making their own medical choices must be permitted to do so; or
  • the custodian reasonably believes that direct collection would result in the collection of inaccurate information. 

Under PIPA, organisations may collect personal information from a source other than the individual in limited situations which are not usually applicable to clinical research and trials.

3. Pharmacovigilance

In addition to federal pharmacovigilance programs, AHS has published the Adverse Events Following Immunization (AEFI) Policy for Alberta Immunization Providers, last updated in July 2021. In it, AHS requires that health practitioners report to it any adverse events following immunisation within three days of determining or being informed that a patient has experienced an AEFI. The Public Health Act 2000 and the Immunization Regulation, Alberta Regulation 182/2018 require the same.

The Immunization Regulation requires that an AEFI report include the patient's first and last name, personal health number or unique lifetime identifier, date of birth, and sex at birth. The report must also include a description of the adverse event, including symptoms or diagnoses and the onset and duration of the AEFI, the vaccine code if available, the lot number of the vaccine if available, the vaccine manufacturer if available, the date of the immunisation, the delivery management site code for the immunisation if available, and the first name, last name, and phone number of the person making the report.

AHS must then submit an AEFI report to the Chief Medical Officer of Health containing the same information, with three differences: instead of a free-text description of symptoms or diagnosis, AHS must select a condition from the schedule to the Regulation; the site code is optional; and the report includes the personal information of the person who made the initial report. AHS must also include in its report any recommendations in respect of the patient's future immunisation or follow-up.

HIA allows for the collection of individually identifying health information and personal health numbers, and for a custodian to use such information to carry out any purpose authorised by provincial or federal legislation, and the disclosure of individually identifying diagnostic, treatment, and care information without the consent of the individual if the disclosure is authorised or required by an enactment of Alberta or Canada.

4. Biobanking

There are no specific requirements under Alberta's legislation regarding biobanking, although federal rules apply.

HIA includes 'the donation by an individual of a body part or bodily substance, including information derived from the testing or examination of a body part or bodily substance', within the definition of diagnostic, treatment, and care information, and therefore of health information. HIA governs the information rather than the biological material itself, so any collection, use, or disclosure by custodians or affiliates of information about such donations, including results derived from testing or examining the material, is subject to HIA. Individuals would accordingly be required to give their informed consent prior to the collection, use, and disclosure of that information as part of a biobanking program, subject to the research provisions described above.

5. Data Management

In general, the data management obligations and requirements of Alberta's private and healthcare specific legislation are substantially similar to the principles expressed on a federal level.

6. Outsourcing

Outsourcing refers to the transfer or sharing of information between a custodian or organisation and authorised persons for purposes consistent with its initial collection. Canadian privacy law generally treats a transfer of personal information or health information to a service provider as a use by the initial entity, rather than as a disclosure to a subsequent entity. Such transfers do not generally require the consent of the individuals to whom the personal information or health information relates, although the initial entity remains responsible for the information while it is in the service provider's hands.

HIA outsourcing

HIA permits affiliates to process health information on behalf of their custodian. Custodians are required to adopt policies and procedures that will facilitate the implementation of HIA and its regulations, which apply equally to their affiliates. Affiliates include individuals employed by custodians, persons who perform a service for custodians under contract, and information managers (see additional information under the section on Data Transfers below relating to information managers).

PIPA outsourcing

Organisations which transfer personal information to their service providers for processing remain liable for any potential unauthorised access or misuse of that personal information. As a best practice, companies often enter into an agreement when transferring personal information to service providers for processing. Depending on the size and the context of the data transfer arrangement in question, there are a number of measures that companies take to establish an appropriate vendor management framework, including:

  • due diligence, in particular with respect to security safeguards;
  • contractual arrangements setting out requisite controls and conditions;
  • appropriate notice to employees or consumers; and
  • appropriate monitoring of the service provider arrangement.

7. Data Transfers

HIA data transfers

Under HIA, information managers are permitted to process information on behalf of custodians by storing, retrieving, or disposing of health information; stripping, encoding, or otherwise transforming individually identifying health information to create non-identifying health information; or providing information management or information technology services in a manner that requires the use of health information. Information managers may only provide such services pursuant to a written information manager agreement, which must address the services to be provided by the information manager, compliance with HIA and its regulations, and the other requirements set out in the Health Information Regulation, Alberta Regulation 70/2001.

PIPA data transfers

See the section on Outsourcing above, under 'PIPA Outsourcing'. Under PIPA, if an organisation uses a service provider outside Canada to collect, use, disclose, or store personal information, the organisation must specify, in its privacy policies and practices, the foreign jurisdictions in which the collection, use, disclosure, or storage is taking place, and the purposes for which the foreign service provider has been authorised to collect, use, or disclose personal information on its behalf. Organisations are obligated to notify individuals that they are transferring personal information to a service provider outside of Canada.

8. Breach Notification

PIPA breach notification

Under PIPA, it is mandatory for an organisation to notify the OIPC, without unreasonable delay, of any incident involving the loss of, unauthorised access to, or disclosure of personal information under its control where a reasonable person would consider that there exists a real risk of significant harm. In practice, the 'real risk of significant harm' threshold is a low one, and even minor breaches of personal information often trigger the reporting requirement.

A breach report to the OIPC must be in writing and include:

  • circumstances of the breach;
  • date or time period when the incident occurred;
  • personal information involved;
  • risk assessment of harm to individuals as a result;
  • estimated number of individuals who are impacted;
  • steps taken to reduce risk of harm;
  • steps taken to notify impacted individuals; and
  • a contact person.

If the organisation has not already notified affected individuals before reporting to the OIPC, the OIPC may require it to do so. Individual notifications must provide the following information to the individual:

  • the circumstances of the breach;
  • date or time period when the incident occurred;
  • personal information involved;
  • steps taken to reduce the risk of harm; and
  • a contact person who can respond to individual inquiries.

HIA breach notification

Under HIA, it is mandatory for a custodian that has individually identifying health information in its custody or control to notify the OIPC of any loss of, unauthorised access to, or disclosure of individually identifying health information if there is a risk of harm to an individual as a result of the loss, unauthorised access, or disclosure. In determining whether there is a 'risk of harm', a custodian must consider the mandatory factors specified in the Health Information Regulation, which include:

  • whether there is a reasonable basis to believe that the information has been or may be accessed by or disclosed to a person;
  • whether there is a reasonable basis to believe that the information has been misused or will be misused;
  • whether there is a reasonable basis to believe that the information could be used for the purpose of identity theft or to commit fraud;
  • whether there is a reasonable basis to believe that the information is of a type that could cause embarrassment or physical, mental or financial harm to, or damage the reputation of the individual who is the subject of the information;
  • whether there is a reasonable basis to believe that the loss of or unauthorised access to or disclosure of the information has adversely affected or will adversely affect the provision of a health service to the individual who is the subject of the information;
  • in the case of electronic information, whether the custodian is able to demonstrate that the information was encrypted or otherwise secured in a manner that would:
    • prevent the information from being accessed by a person who is not authorised to access the information; or
    • render the information unintelligible by a person who is not authorised to access the information;
  • in the case of a loss of information, whether the custodian is able to demonstrate that the information was lost in circumstances in which the information was:
    • destroyed; or
    • rendered inaccessible or unintelligible;
  • in the case of a loss of information that is subsequently recovered by the custodian, whether the custodian can demonstrate that the information was not accessed before it was recovered;
  • in the case of an unauthorised access to, or disclosure of information, whether the custodian is able to demonstrate that the only person who accessed the information or to whom the information was disclosed:
    • is a custodian or an affiliate;
    • is subject to confidentiality policies and procedures that meet the requirements of Section 60 of HIA;
    • accessed the information in a manner that is in accordance with the person's duties as a custodian or affiliate and not for an improper purpose; and
    • did not use or disclose the information except in determining that the information was accessed by or disclosed to the person in error and in taking any steps reasonably necessary to address the unauthorised access or disclosure.

In addition to notifying the OIPC of the privacy breach, the custodian is also required to notify the Minister of Health and the affected individuals of the privacy breach. Applicable breach notification contents are set out under the Health Information Regulation.

An affiliate of the custodian is also required to notify the custodian as soon as practicable of any loss of individually identifying health information or any unauthorised access to or disclosure of individually identifying health information in the custody or control of the custodian.

9. Data Subject Rights

Requirements under Alberta's laws are consistent with federal requirements in Canada.

10. Penalties

Typically, well-founded privacy complaints are resolved by the organisation committing to change its practices and detailing the steps it will take. This occurs after the OIPC has completed an investigation and released its report of findings. However, both PIPA and HIA also stipulate penalties and statutory fines for offences.

Anyone who believes an organisation has violated PIPA may notify that organisation and report it to the OIPC. There are offences and penalties for a person who fails to comply with PIPA or deliberately contravenes it. For an individual, the fine is up to CAD 10,000 (approx. €7,000). For a person other than an individual, such as a corporation, the fine is up to CAD 100,000 (approx. €70,100).

An individual who contravenes HIA is guilty of an offence and liable to a fine of not more than CAD 200,000 (approx. €140,300). For a person other than an individual, such as a corporation, the fine is not more than CAD 1,000,000 (approx. €701,900).

11. Other Areas of Interest

Not applicable.

Brian Thiessen, Managing Partner
Adam LaRoche, Associate
Erika Romanow, Legal Assistant
Osler, Hoskin & Harcourt LLP, Calgary