
Canada: Health and Pharma Overview


1. Governing Texts

This is a high-level overview of privacy and data protection as it relates to the health and pharmaceutical industries in Canada. This is a complex area of law, with numerous statutes applicable to the private, public, and healthcare sectors, both federally and provincially. For the purposes of this guidance note, we have primarily focused on the requirements under Canada's federal private sector privacy statute, the Personal Information Protection and Electronic Documents Act, SC 2000 c 5 ('PIPEDA') and Ontario's Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A ('PHIPA').

On 16 June 2022, the Government of Canada introduced Bill C-27, the Digital Charter Implementation Act of 2022 ('Bill C-27') to amend PIPEDA by enacting the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, the Artificial Intelligence and Data Act, and to make consequential and related amendments to other Acts. Bill C-27 passed first reading in the House of Commons on 16 June 2022 and is currently at second reading in the House of Commons. As the House of Commons will soon be rising for a summer break, Bill C-27 will likely not see much debate until the fall.

1.1. Legislation

Privacy and data protection in Canada is subject to both federal and provincial legislation, with some overlap. In Canada, there are close to 30 privacy statutes that govern the protection of personal information in the private, public, and health care sectors at the federal and provincial level [1].

At the federal level, there are separate statutes governing the public and private sectors. The public sector is governed by the Privacy Act, RSC 1985 c P-21 ('the Privacy Act'), which applies to federal government departments or ministries and Crown corporations. PIPEDA governs the collection, use, and disclosure of personal information by private sector entities engaged in commercial activities, except where a province has enacted legislation that has been deemed 'substantially similar' to PIPEDA. PIPEDA also applies to trans-border personal information flows (i.e., between provinces/territories and outside of Canada). The private sector privacy statutes in British Columbia, Alberta, and Quebec have been deemed to be substantially similar to PIPEDA [2], as have the health privacy statutes in Ontario, Nova Scotia, New Brunswick, and Newfoundland and Labrador [3].

Private sector privacy laws will generally apply to businesses involved in the manufacture, distribution, and provision of health and pharmaceutical products or services. Clinical research and trials are subject to the federal Food and Drugs Act, RSC 1985 c F-27 ('the Food and Drugs Act') and the corresponding regulations (as discussed further in the section on Clinical Research and Clinical Trials below). Additional privacy legislation applies to both public and private organisations involved in clinical research and trials.

Every province and territory has its own public sector privacy legislation, which applies to government agencies, Crown corporations, and public-sector organisations such as hospitals. Many also have similar municipal legislation. Apart from Nunavut, every province and territory also has health-sector specific legislation that covers a range of issues. As mentioned above, four provinces have health-specific privacy statutes that are substantially similar to PIPEDA, while others have narrower statutes dealing with record keeping or the dispensing of prescription drugs. In addition, four provinces have legislation creating statutory torts for breach of privacy: British Columbia, Saskatchewan, Manitoba, and Newfoundland and Labrador (for more information on privacy torts, see the section on Penalties below).

The following is a non-exhaustive list of the provincial privacy legislation:

*substantially similar to PIPEDA

British Columbia

Alberta

Saskatchewan

Manitoba

Ontario

Quebec

New Brunswick

Nova Scotia

Prince Edward Island

Newfoundland and Labrador

Yukon

Northwest Territories

Nunavut

1.2. Supervisory authorities

Privacy Commissioners

The Office of the Privacy Commissioner of Canada ('the OPC') has enforcement jurisdiction over the federal Privacy Act and PIPEDA. For PIPEDA, that jurisdiction extends across all provinces and territories, except where the substantially similar private sector statutes of British Columbia, Alberta, and Quebec apply instead. Additionally, every province and territory has its own Privacy Commissioner (or equivalent), who has enforcement jurisdiction over the provincial/territorial public sector and health privacy statutes.

Health Canada

Health Canada, a federal government department, has enforcement jurisdiction over the Food and Drugs Act, as well as the associated regulations governing food, drugs, medical devices, and cosmetics.

1.3. Guidelines

There are a number of helpful non-binding guidance documents and webpages to help parties understand their rights, obligations, and standards related to privacy in the health and pharma industries. The guidance documents provide insight into emerging privacy issues such as genetic testing, biometrics, and the applicability of privacy laws in the context of a public health crisis. Some of the most relevant guidance documents include:

OPC Guidance Documents

Information and Privacy Commissioner of Ontario Guidance Documents

Health Canada Guidance Documents

Canada's three federal research agencies [4] ('the Tri-Council') also provide guidance for research involving human participants in the Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans ('the Tri-Council Policy Statement'). The Tri-Council Policy Statement contains rules concerning privacy and confidentiality in research that have been widely endorsed by the medical research community in Canada [5]. Any organisation that receives research funds from the Tri-Council must comply with the Tri-Council Policy Statement.

1.4. Definitions

While the applicable statutes may contain different definitions of each of the following key terms, the definitions typically share certain common elements, as set out below:

'Biometrics': refers to a range of techniques, devices, and systems that enable machines to recognise and authenticate the identity of individuals. Biometric data is collected at the point of enrolment (for example, getting a driver's licence photo taken or setting up a fingerprint ID on a mobile device). Identities are authenticated when new data is collected and compared with the stored records. Biometric data can also include analysis of voice patterns, gait, finger and palm vein patterns, and structures of the eye.

'Consent': while not typically defined in privacy statutes, based on guidelines issued by privacy commissioners, consent must be meaningful and informed, voluntary, related to the information in question, and must generally be collected directly from the individual. The concept of 'meaningful consent' is discussed further in the section on Data Management below.

'Custodian': a person or organisation listed in the applicable statute that, as a result of their power, duties, or work has custody or control of personal health information; also referred to as 'health information custodian' or 'trustee' in certain statutes. Examples of custodians include health care practitioners (including but not limited to doctors, nurses, chiropractors, dental professionals, dieticians, medical laboratory technologists, physiotherapists, etc.); hospitals, psychiatric facilities, and long-term care homes; pharmacies; laboratories; ambulance services; retirement homes and homes for special care; medical officers of health of boards of health; ministers of health; and prescribed bodies.

'Genetic test': means a test that analyses deoxyribonucleic acid ('DNA'), ribonucleic acid ('RNA'), or chromosomes for purposes such as the prediction of disease or vertical transmission risks, or monitoring, diagnosis, or prognosis.

'Healthcare': generally includes but is not limited to any observation, examination, assessment, care, service, or procedure that is done for a health-related purpose and that is carried out or provided for diagnosis, treatment, or maintenance of an individual's physical or mental condition, for prevention of disease or injury, or the promotion of health or as part of palliative care; the compounding, dispensing, or selling of a drug, device, or equipment pursuant to a prescription; a community service that may be prescribed; and taking blood or a blood product donation from an individual.

'Individual': while not typically defined in privacy statutes, means the natural person whose personal information is being collected, used, or disclosed (i.e., equivalent to the 'data subject' under other privacy regimes).

'Organisation': while not typically defined in privacy statutes, means the organisation responsible for the collection, use, and disclosure of personal information and would also include a custodian (i.e., equivalent to a 'controller' under other privacy regimes).

'Personal information': means information about an identifiable individual. Some statutes specify that such information must be in recorded form, while others do not. Personal information includes information that reasonably could be used on its own, or in combination with other information, to identify an individual.

'Personal health information' ('PHI'): is considered sensitive personal information; also referred to as 'health information' under certain statutes. It is typically broadly defined to include, among other things, the individual's physical or mental condition, including family medical history; the provision of health care to the individual; and a plan of service for the individual. It may also include the individual's eligibility for health care coverage and the individual's health number issued by the provincial government, as well as the identity of a health care provider or a substitute decision-maker for the individual. The definition of personal health information may also include identifying information that is not personal health information but that is contained in a record that contains personal health information.

'Service provider': while not typically defined in privacy statutes, means an organisation, such as a contractor or subcontractor, that provides services for or on behalf of another organisation to assist it in fulfilling its purpose; also referred to as a 'provider' or 'information manager' under certain health privacy statutes (i.e., equivalent to a 'processor' under other privacy regimes).

2. Clinical Research and Clinical Trials

Clinical trials of drugs are regulated under Part C, Division 5 of the Food and Drug Regulations, CRC c 870 ('the Food and Drug Regulations'), enacted under the federal Food and Drugs Act. These regulations apply to the sale or importation of drugs for use in clinical trials involving human subjects. In order to sell or import a drug for the purposes of a clinical trial, the person must be authorised under Division 5 and comply with the obligations in Part C of the Food and Drug Regulations. Further, if the drug is to be imported, the person must have a representative in Canada who is responsible for the sale of the drug.

Registration of the Trial

To receive authorisation to sell or import a drug for a clinical trial, the individual or entity conducting a clinical trial ('the Sponsor') must apply to the Minister of Health. The application must include:

  • the protocol for the trial;
  • the statement of risks that will be presented to trial participants;
  • a clinical trial attestation, signed by the designated medical or scientific officer, containing detailed information about the classification of the drug along with a statement affirming that the trial will be conducted in accordance with the Food and Drug Regulations and good clinical practices;
  • an investigator's brochure (i.e., a document containing the preclinical and clinical data on the drug) that contains detailed information about the drug and its properties; and
  • whether a research ethics board has previously refused the proposed protocol.

The complete list of application requirements can be found under s. C.05.005 of the Food and Drug Regulations.

Notification Requirements

The sponsor must notify Health Canada of any proposed changes to the trial protocol, or the chemistry or manufacturing information about the drug. Some changes require an amendment of the authorisation, especially changes that:

  • affect the selection, monitoring, or dismissal of a clinical trial subject;
  • affect the evaluation of the safety or clinical efficacy of the drug;
  • alter the risk to the health of a clinical trial subject; and
  • extend the duration of the clinical trial.

Periodic Reporting Requirements

Sponsors must report any 'serious unexpected adverse drug reaction' to Health Canada within seven days if the reaction is fatal or life-threatening, and within 15 days otherwise. For fatal or life-threatening reactions, the sponsor must also submit a follow-up report on the reaction that includes an assessment of the findings.

Upcoming Regulatory Changes

Health Canada is in the process of modernising the regulation of clinical trials in order to 'align Health Canada's clinical trials framework across its business lines (human drug clinical trials, medical device investigational testing, non-prescription drugs and natural health product clinical trials and food clinical trials)', and to 'better align Canada with global best practices regarding oversight and public access to information on clinical trials' [6]. The public comment period is expected to take place in the spring of 2022.

2.1. Data collection and retention

Sponsors must keep detailed records to establish that the trial is conducted in accordance with good clinical practices and the Food and Drug Regulations. The Minister of Health may require the sponsor to submit any information or records needed to assess the safety of the drug and the health of the participants. All records referred to in the Food and Drug Regulations must be kept for 25 years.

The Food and Drug Regulations set out the good clinical practices at s. C.05.010, which include the following requirements:

  • the clinical trial is scientifically sound and clearly described in a protocol;
  • the clinical trial is conducted and the drug is used, in accordance with the protocol and the Food and Drug Regulations;
  • systems and procedures that assure the quality of every aspect of the clinical trial are implemented;
  • for each clinical trial site, the approval of a research ethics board is obtained before the clinical trial begins at the site;
  • at each clinical trial site, there is no more than one qualified investigator;
  • at each clinical trial site, medical care and medical decisions, in respect of the clinical trial, are under the supervision of the qualified investigator;
  • each individual involved in the conduct of the clinical trial is qualified by education, training, and experience to perform their respective tasks;
  • written informed consent, given in accordance with the applicable laws governing consent, is obtained from every person before that person participates in the clinical trial, but only after that person has been informed of:
    • the risks and anticipated benefits to their health arising from participation in the clinical trial; and
    • all other aspects of the clinical trial that are necessary for that person to make the decision to participate in the clinical trial;
  • the requirements respecting information and records are met; and
  • the drug is manufactured, handled, and stored in accordance with the applicable good manufacturing practices (referred to in the Food and Drug Regulations).

2.2. Consent

Clinical trials in Canada generally require researchers to disclose all material risks in order for participants to provide informed consent. With respect to personal health information, the test for informed consent considers both what the specific individual would have decided had all relevant risks been known and what a reasonable person in the individual's circumstances would have decided with the same information.

The Tri-Council Policy Statement requires participants to provide free, informed consent unless it would be impractical to test the research question if prior consent were required (for example, where a study concerns human behaviour that may be altered if the participants knew what the researchers were studying). Such a situation is uncommon in most areas of health and pharma. Under the Tri-Council Policy Statement, trials must be approved by a Research Ethics Board ('REB'). The REB also requires researchers to detail their proposed confidentiality measures and reasonably foreseeable disclosure requirements to both the REB and prospective participants.

Under PIPEDA, personal information may be used or disclosed without the knowledge or consent of the individual for statistical or scholarly study or research purposes, where the purposes cannot be achieved without using or disclosing the information, the information is used in a manner that will ensure its confidentiality, it is impracticable to obtain consent, and the organisation informs the OPC of the intended use or disclosure beforehand.

Ontario's PHIPA permits the collection, use, or disclosure of personal health information for research purposes without an individual's consent only if strict conditions are met. According to the Information and Privacy Commissioner of Ontario ('the IPC'), an REB will consider the following when deciding whether to approve a research plan involving the use or disclosure of personal health information without the participant's consent:

  • the public interest in conducting the research and in protecting privacy;
  • whether the research can be reasonably accomplished without using the personal health information;
  • whether obtaining consent is impractical; and
  • whether adequate safeguards will be in place to protect the privacy of individuals and the confidentiality of their personal health information [7].

The research plan must include a description of why the researcher is not seeking an individual's consent to the disclosure of personal health information, a description of how it will be used, a list of people who will have access to the information, and a description of the measures that will be implemented to protect the confidentiality and security of the information.

If an REB decides to approve a research plan involving the use or disclosure of personal health information without the individual's consent, in addition to adhering to any conditions imposed by the REB or the custodian providing the information, the researcher must not:

  • use personal health information for a purpose that was not disclosed in the research plan;
  • publish information in a form that could reasonably cause a participant to be identified;
  • disclose information unless required by law or unless the disclosure is to prescribed persons; and
  • contact the individual to whom the personal health information relates unless the custodian has obtained the individual's consent to being contacted.

Generally, consent must be documented. Written, informed consent is expressly required under the Food and Drug Regulations. Both Health Canada and the REBs must approve a disclosure statement of risks and benefits of the trial that is given to each participant in an informed consent form. Participants must sign the informed consent form before they participate in the trial and the procedures used to obtain consent must be documented.

Under PIPEDA, for consent to be valid it must be reasonable to expect participants to understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they are consenting. As PHI is almost always sensitive, express consent is generally required when collecting and using PHI for research purposes. (See the section on Data Management for more information about consent under PIPEDA).

Capacity to Consent

Every province has legislation that addresses capacity to consent to healthcare decisions, based on the individual's ability to understand the information that is relevant to the decision in question and to appreciate the reasonably foreseeable consequences of that decision. An individual's capacity to consent may vary depending on what is being asked and may change over time; for example, an individual may have capacity to consent to some disclosures of their health information and not others. Ontario is the only province whose health-specific privacy legislation explicitly addresses incapacity and substitute decision-making. The principles articulated in Ontario's PHIPA mirror guidance statements from the OPC and the Tri-Council Policy Statement, and would likely be instructive in other provinces as well.

With respect to minors, the OPC takes the position that where children are unable to provide meaningful consent to the collection, use, and disclosure of personal information (which in all but exceptional circumstances means anyone under the age of 13), consent must be obtained from their parents or guardians. For minors who are able to provide meaningful consent, 'consent can only be considered meaningful if organisations have reasonably taken into account their level of maturity in developing their consent processes and adapted them accordingly' [8].

With respect to participation in clinical trials, the Tri-Council Policy Statement states that where prospective participants do not possess the capacity to consent, researchers should obtain consent from an authorised third party in accordance with the best interests of the participants. Further, researchers should try to determine the wishes of the participants if they have the ability to express those wishes. If a participant expresses or indicates that they do not want to participate, researchers must respect that decision.

Withdrawal of Consent

As noted in the section on Data Subject Rights below, privacy laws generally permit individuals to withdraw consent to the collection, use, or disclosure of their personal information and personal health information.

Virtually every provincial/territorial health privacy statute addresses when individuals may withdraw or revoke consent. Ontario's PHIPA states that an individual may withdraw consent, whether express or implied, by providing notice to the health information custodian; however, the withdrawal does not have retroactive effect. There are comparable provisions in Saskatchewan, Manitoba, Nova Scotia, Newfoundland and Labrador, Yukon, and the Northwest Territories.

The Tri-Council Policy Statement frames the ability to withdraw consent as a requirement for maintaining the voluntariness of consent. It provides that consent can be withdrawn at any time and, if a participant withdraws consent, the participant can also request the withdrawal of their data or biological samples [9].

2.3. Data obtained from third parties

As noted in the section on Consent above, in Ontario PHIPA allows health information custodians to disclose an individual's personal health information to researchers in some circumstances, provided an REB has approved a research plan that explains why the individual's consent is not being obtained.

The Tri-Council Policy Statement again provides useful guidelines to follow with respect to disclosing data to third parties without having obtained a participant's consent. Specifically, per Article 5.5A of the Tri-Council Policy Statement, researchers should only provide the personal information to third parties if they have satisfied the REB that:

  • the identifiable information is essential to the research;
  • the use of identifiable information without the participants' consent is unlikely to adversely affect the welfare of individuals to whom the information relates;
  • the researchers will take appropriate measures to protect the privacy of individuals and to safeguard the identifiable information;
  • the researchers will comply with any known preferences previously expressed by individuals about any use of their information;
  • it is impossible or impracticable to seek consent from individuals to whom the information relates; and
  • the researchers have obtained any other necessary permission for secondary use of information for research purposes.

If the above conditions are met, the REB may approve the sharing of personal information without the concerned individuals' consent.

3. Pharmacovigilance

Health Canada's Marketed Health Products Directorate ('MHPD') oversees the 'Canada Vigilance Program', the federal pharmacovigilance program that collects reports on adverse reactions ('ARs') to marketed health products in order to monitor the safety of such products on an ongoing basis. These reports are stored in a combined database. AR reports can be sent by consumers and health professionals on a voluntary basis or by Market Authorisation Holders ('MAHs') [10] on a mandatory basis. As of 16 December 2019, hospitals are also required to report serious adverse drug reactions to the MHPD.

Health Canada issued a guidance document on Reporting Adverse Reactions to Marketed Health Products in 2018 ('the Guidance') [11]. The Guidance states that all parties submitting an AR report (i.e., the patient and the reporter) should be identifiable to allow the MHPD to contact the party or parties. Health Canada requests as much patient information as possible, with the exception of the patient's full name. Instead, each case is given a unique identifier to locate the case for follow-up purposes and to avoid duplicate reports. Specifically, the following information is requested: gender; age category/age; height/weight; medical history; pre-existing conditions; and relevant family history. For drugs, the MAH must retain records for 25 years. The same retention period is recommended for natural health products.

In April 2021, Health Canada concluded a consultation for the draft of the revised Guidance document. While this could change, the current draft does not differ from the Guidance on the subject of identifiable information.

The Guidance on reporting ARs states that all personal information must be collected, used, retained, and disclosed in accordance with PIPEDA or the provincial equivalent (see the legislative information in the section above for further information). The database of adverse reaction reports is governed by the Privacy Act.

4. Biobanking

A biobank is a 'collection of biological material and the associated data and information stored in an organised system' for a population or a subset of a population [12]. There is no statutory definition of biobanking or any legislation specific to biobanking in Canada, but it is generally understood that biobanks store biological materials for the purpose of advancing medical research [13]. At present, there are 14 biobanks across Canada [14].

Biobanks may be disease-specific or pertain to a broader population. They may store different types of biological materials including blood, urine, cheek or organ tissue, or tumour samples. Biobanks may be linked to databases of identifiable or non-identifiable information and the purposes of the stored samples could be for a specific project or held for numerous projects over an indefinite period. Biobanks may obtain samples directly from the individuals from whom the samples were derived or from a custodian, such as a hospital or a laboratory.

In Ontario, PHIPA includes any information that relates to an individual's biological samples in the definition of personal health information. The regulations corresponding to PHIPA provide a list of 'prescribed persons' authorised to maintain registries of personal health information, including those relating to the storage or donation of 'bodily parts or substances', such as the Ontario Tumour Bank. Custodians may provide personal health information to prescribed persons without obtaining the consent of the individual. Prescribed persons may use or disclose personal health information for the storage or donation of bodily parts or substances [15].

The Tri-Council Policy Statement also provides guidance on the treatment of biological materials, including secondary use of biological materials for research purposes, which could include biobanks. Privacy concerns arise only where the samples provided could be traced back to the individual; however, researchers who are subject to the Tri-Council Policy Statement must always obtain REB approval for the secondary use of biological materials. The REB will impose additional requirements on researchers seeking secondary use of identifiable biological material without the individual's consent.

The Tri-Council Policy Statement requires that the institutions and researchers who maintain biobanks establish appropriate physical, administrative, and technical safeguards to protect biological materials and any personal information about participants from unauthorised access and use [16].

As noted in the section on Definitions above, the persons or organisations in control of an individual's personal health information are referred to as custodians or trustees, which implies that they do not have ownership rights over the information. The data and information derived from samples would be considered PHI and subject to the applicable statutory regime for the particular jurisdiction and organisation type. The ownership of the biological samples themselves, however, is more complicated. In 2014, an Ontario court determined that a tissue sample taken from a since-deceased patient belonged to the hospital that preserved the sample rather than to the patient's estate [17]. In that case, the question of ownership arose on a civil procedure issue and concerned a sample taken for diagnostic rather than research purposes. The decision would not necessarily be instructive in other cases involving the legal ownership of biological samples, and an Ontario decision is not binding on other Canadian jurisdictions.

5. Data Management

PHI is considered one of the most sensitive types of personal information because it includes the physical, mental, and emotional status of individuals. Canadian health privacy laws generally attempt to balance the privacy rights of individuals with the legitimate need of the responsible organisations or custodians to collect, use, and disclose PHI in order to deliver effective and timely health care.

Canada has generally adopted a principles-based approach to its privacy statutes, using the national standard of Canada entitled the Model Code for the Protection of Personal Information [18] ('the Model Code'). The Model Code requires organisations, including custodians in the case of personal health information, to adhere to the following ten principles [19]:

  1. Accountability: an organisation is responsible for personal information under its control and must designate an individual or individuals who are accountable for the organisation's compliance with the following principles (See the section on Outsourcing and Data Transfers below).
  2. Identifying purposes: the purposes for which personal information is collected must be identified by the organisation at or before the time the information is collected. Prior consent must be obtained for any additional purpose for which the organisation wishes to use or disclose personal information.
  3. Consent: the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except when inappropriate (See the discussion below).
  4. Limiting collection: the collection of personal information must be limited to that which is necessary for the purposes identified by the organisation. Information must be collected by fair and lawful means.
  5. Limiting use, disclosure, and retention: personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information must be retained only as long as necessary for the fulfilment of those purposes (See the discussion below).
  6. Accuracy: personal information must be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used (See the section on Data Subject Rights below).
  7. Safeguards: personal information must be protected by security safeguards appropriate to the sensitivity of the information (See the discussion below).
  8. Openness: an organisation must make readily available to individuals specific information about its policies and practices relating to the management of personal information.
  9. Individual access: upon request, an individual must be informed of the existence, use, and disclosure of their personal information and must be given access to that information. An individual must be able to challenge the accuracy and completeness of the information and have it amended as appropriate (See the section on Data Subject Rights below).
  10. Challenging compliance: an individual must be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organisation's compliance (See the section on Data Subject Rights).

Meaningful Consent

The Guidelines for obtaining meaningful consent20 ('the Consent Guidelines'), jointly issued in May 2018 by the OPC and privacy commissioners of Alberta and British Columbia, stipulate that 'meaningful consent is an essential element of Canadian private sector privacy legislation', and 'organisations are generally required to obtain meaningful consent for the collection, use, and disclosure of personal information'. The Consent Guidelines establish seven guiding principles for meaningful consent:

  1. to receive meaningful consent, organisations must generally put additional emphasis on the following key elements: (i) what personal information is being collected; (ii) with which parties personal information is being shared; (iii) for what purposes personal information is collected, used, or disclosed; and (iv) risk of harm and other consequences;
  2. allow individuals to control the level of detail they get and when;
  3. provide individuals with clear options to say 'yes' or 'no';
  4. be innovative and creative by using: (i) 'just-in-time' notices; (ii) interactive tools; and (iii) customised mobile interfaces;
  5. consider the consumer's perspective;
  6. make consent a dynamic and ongoing process; and
  7. be accountable: stand ready to demonstrate compliance.

As set out in the Consent Guidelines, while consent should generally be express (i.e., explicitly provided), it can be implied (i.e., based on an individual's action or inaction) in strictly defined circumstances. The Supreme Court of Canada has confirmed that in making this determination, organisations need to take into account the sensitivity of the information and the reasonable expectations of the individual, both of which will depend on context21.

Consent is implied if an individual voluntarily provides personal information for an obvious purpose, and was provided with a reasonable opportunity to decline. For implied consent to be meaningful, the individual has to know that they have the right to expressly withhold or withdraw consent at any time without fear of retribution. Regardless of how it is obtained, the consent must be meaningful and informed, voluntary, related to the information in question, and must generally be collected directly from the individual.

When dealing with personal health information, subject to very limited exceptions, express consent (i.e., opt-in) is generally required:

  • where PHI is disclosed to a person or an organisation that is not a custodian (e.g., an employer or insurance company);
  • where information is disclosed by one custodian to another for a purpose other than providing or assisting in providing healthcare;
  • where the PHI is intended to be collected, used, or disclosed for secondary purposes, such as education or marketing; and
  • where a custodian collects, uses, or discloses personal information for research purposes, unless certain conditions and restrictions are met22 (as described in the section on Clinical Research and Clinical Trials above).

Custodians may rely on the implied consent (i.e., opt-out) of an individual to collect and use PHI for direct healthcare purposes and with respect to individuals who are within the 'circle of care' as described under Principle 5 below.

Data Minimisation - Limiting Use, Disclosure, and Retention

As a general rule, consent is required for any use or disclosure of an individual's PHI unless the applicable statute allows the use or disclosure without consent. Custodians must not use PHI if other information will serve the purpose of the use and may only use as much information as is necessary to meet the purpose of the use of personal health information.

Custodians may generally rely on an individual's implied consent when collecting, using, or disclosing PHI for the purpose of providing or assisting in providing healthcare to the individual (i.e., to other medical professionals within the individual's 'circle of care,' such as the attending doctor, nurses, pharmacists, physiotherapists, etc.). The 'circle of care' does not extend to custodians who are not part of the direct care or follow-up treatment of the individual. The disclosure must be reasonably necessary for the provision of health care and the individual must not have expressly withheld or withdrawn consent with respect to the personal health information in question23.

Subject to limited exceptions, a custodian cannot disclose PHI to a non-custodian (even where the custodian is employed by a non-custodian, such as a school nurse employed by a school board), unless the individual whose PHI is at issue has given express consent or the disclosure is permitted or required by law.

Privacy statutes generally permit an organisation, including a custodian, to disclose personal information or PHI without consent, if it believes on reasonable grounds that the disclosure is necessary for eliminating or reducing a significant risk of serious bodily harm to a person, or under some statutes, a group of persons. A custodian may also disclose PHI without consent in order to contact a relative, friend, or potential substitute decision-maker, if an individual is injured, incapacitated, or ill and unable to consent.

Canadian privacy laws do not stipulate specific retention periods for personal information. Rather, personal information, including PHI, may only be kept for as long as needed to fulfil the purpose(s) for which it was collected, or to allow an individual to exhaust any legal recourse regarding an access request. Organisations must develop guidelines and implement procedures with respect to the retention of personal information, including minimum and maximum retention periods and for the safe disposal of such material at the end of the retention period. The governing legislation of certain custodians (e.g., hospitals) may specify how long such custodians must keep records of personal health information and the custodian's record keeping practices would have to comply with such requirements.

Security Safeguards

Organisations must protect personal information within their care and custody with physical, organisational, and technical safeguards that are appropriate to the sensitivity of the information. Specific data security requirements are not prescribed under Canadian privacy laws. Instead, the organisation has the discretion to determine what security safeguards are appropriate, based on prevailing industry standards.

Organisations must take reasonable steps to ensure that all personal information in their custody or under their control is protected against theft, loss, and unauthorised use and disclosure, and to ensure that such information is protected against unauthorised copying, modification, or disposal. They must also ensure that personal information is retained, transferred, and disposed of in a secure manner. PHI is considered to be sensitive personal information; as such, custodians and other organisations are required to treat it as confidential, with a heightened level of security.

Anonymisation/De-identification

Certain privacy statutes, including PIPEDA, permit the anonymisation of personal information rather than its deletion or erasure. Others, such as PHIPA and the private sector privacy statutes in Alberta and British Columbia, permit organisations to render such information 'non-identifying' or to 'remove the means of association'. True anonymity or de-identification is only achieved where information can never be linked to an individual, either directly or indirectly. The OPC has issued guidelines stating that 'personal information that has been de-identified does not qualify as anonymous information if there is a serious possibility of linking the de-identified data back to an identifiable individual'24.

Pursuant to Bill 64, which recently introduced significant amendments to Quebec's privacy statutes that will be phased in over the next three years, information will be considered to be de-identified 'if it no longer allows the person concerned to be directly identified'. De-identified information may only be used for study or research purposes, or for the production of statistics, and any person that uses de-identified information must take reasonable steps to reduce the risk of anyone identifying an individual using de-identified information. Bill 64 also indicates that 'information concerning a natural person is anonymised if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly'. Anonymised information may only be used for 'serious and legitimate purposes'. Further, information must be anonymised according to 'generally accepted best practices and in accordance with criteria and procedures' that will be prescribed by regulation to be released at a later unspecified date.

Ontario's PHIPA defines 'de-identify' in relation to the PHI of an individual as meaning 'to remove any information that identifies the individual or for which it is reasonably foreseeable in the circumstances that it could be utilised, either alone or with other information, to identify the individual'. PHIPA also provides that (except for limited exceptions such as for custodians or prescribed persons who compile or maintain a registry of personal health information), de-identified information cannot be used (alone or with other information) to identify an individual. On 25 March 2020, significant amendments were made to PHIPA, some of which will come into effect upon the issuance of future regulations at an unspecified date. Such future regulations will include specific de-identification standards for custodians and their service providers that are subject to PHIPA. It is expected that such standards will be consistent with or build on the IPC's existing de-identification guidelines25.

The amendments to PHIPA will also require custodians who use electronic means to handle PHI to maintain an electronic audit log (or to require their electronic service provider to do so) once future regulations are released. It is expected that the electronic audit logs will be required to track all activity relating to a record or part of a record of PHI that is accessible by electronic means, including every instance in which a record or part of a record is viewed, handled, modified, or otherwise dealt with. Custodians will also be required to audit and monitor the audit log and to provide a copy to the IPC upon request. Additional requirements about the log and the frequency of audits or monitoring may also be set out in future regulations.

Privacy/Data Protection Officer

Each organisation must designate a contact person who is authorised on behalf of the organisation to facilitate compliance with privacy laws. The organisation must provide the public with a written statement that is readily available that describes the organisation's information practices and how to reach the contact person for questions, concerns, or complaints or to exercise an individual's privacy rights.

6. Outsourcing

Generally under Canadian privacy laws, the transfer or sharing of information between a custodian and its service provider is considered to be a 'use' and not a 'disclosure' of personal information. The organisation that collected and is entitled to use the personal information remains responsible for personal information in its possession or custody, including personal information that has been transferred to a service provider. As such, the responsible organisation generally obtains meaningful contractual commitments from its service providers, including but not limited to, the following:

  • the service provider may only use the personal information for the purpose(s) specified in the agreement and in accordance with instructions provided by the organisation;
  • the service provider must provide a comparable level of data security, including administrative, technological, and physical security safeguards, as would be required of the organisation;
  • the service provider must inform the organisation of any requests for access to, or production of, the personal information;
  • the service provider must notify the organisation of any data breaches and cooperate with the organisation with respect to mitigation strategies and breach notification and reporting requirements; and
  • the organisation must have audit or other assessment rights that would permit ongoing diligence of security protections, as well as the use being made of the personal information.

With respect to PHI in particular, health privacy statutes generally regulate not only custodians but also individuals and organisations that receive PHI from custodians, including certain types of service providers. For instance, Ontario's PHIPA imposes prescribed requirements on electronic service providers who are described as 'a person who supplies services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain, or dispose of personal health information, and who is not an agent of the custodian'. Such electronic service providers may not:

  • use any PHI to which it has access in the course of providing the services for the custodian, except as necessary in the course of providing the services;
  • disclose any such PHI; and
  • permit its employees or any person acting on its behalf to be able to have access to the PHI, unless the employee or person acting on its behalf agrees to comply with these restrictions.

PHIPA also imposes more onerous requirements on an electronic service provider who is a 'health information network provider' ('HINP'), meaning 'a person who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians'.

HINPs must comply with the following requirements in the course of providing services to enable a custodian to use electronic means to collect, use, disclose, retain, or dispose of personal health information:

  • notify every applicable custodian of any breaches;
  • provide to every applicable custodian a plain language description of its services that is appropriate for sharing with individuals to whom the PHI relates, including a general description of security safeguards in place;
  • make the above description available to the public, along with any applicable directives, guidelines, and policies;
  • upon request, provide an electronic record to each applicable custodian of all accesses and transfers of the PHI related to the particular custodian;
  • perform threat risk assessments and Privacy Impact Assessments ('PIAs') and provide a written copy of the results to each applicable custodian;
  • ensure that retained third parties comply with necessary restrictions and conditions; and
  • enter into a written agreement with each custodian concerning the HINP services and the HINP's compliance with the foregoing requirements.

Currently, developers of mobile device applications or online portals that process PHI on behalf of individuals are subject to few or no requirements under privacy laws. However, once pending amendments to Ontario's PHIPA come into force at a future unspecified date, companies that provide consumer-facing services involving electronic records of PHI will be directly subject to PHIPA and regulated as 'consumer electronic service providers' ('CESPs'). A CESP is defined as 'a person who provides electronic services to individuals at their request, primarily for, the purpose of allowing those individuals to access, use, disclose, modify, maintain or otherwise manage their records of personal health information'. A custodian that provides personal health information to a CESP will also have to comply with prescribed requirements and procedures that will be set out in future regulations.

7. Data Transfers

Private sector privacy legislation does not prohibit an organisation from transferring personal information to service providers in another domestic or foreign jurisdiction for processing and storing, provided that:

  • the transferring organisation remains accountable for the protection of the personal information that has been transferred;
  • the transfer does not entitle the organisation receiving the personal information to use that information for purposes other than those for which individuals expressly or impliedly consented, without the consent of the individual to whom the personal information belongs; and
  • the transferring organisation uses contractual or other means to: (i) require the service provider to provide a comparable level of data security to that required under Canadian laws, in order to protect the personal information from unauthorised uses and disclosures; and (ii) obtain the right to audit and inspect how the service provider handles and stores the personal information, and exercises that right to audit and inspect when warranted.

The OPC has also issued guidelines which provide that the responsible organisation must notify individuals that their personal information will be transferred to a jurisdiction other than the one in which it was originally collected and, as a result, may be subject to the laws of such foreign jurisdiction and may be accessible, without notice to the individual, by the courts, law enforcement, and national security authorities of such foreign jurisdiction26. In addition, the Alberta private sector privacy statute explicitly requires responsible organisations to provide notice of the use of service providers located outside of Canada prior to any transfer of data and to disclose the countries in which processing will occur. Further, pursuant to Quebec's Bill 64, effective 22 September 2023, in order to transfer the personal information of Quebec residents outside of that province, organisations will need to conduct a PIA, taking into account, among other factors, the sensitivity of the information and the legal framework applicable in the other jurisdiction, including the personal information protection principles applicable in the foreign jurisdiction.

Health privacy statutes also do not prohibit the transfer of personal health information to an agent or service provider in another domestic or foreign jurisdiction for processing or storage. However, some statutes explicitly require that the custodian enter into a written agreement with the service provider that contains prescribed information, similar to those listed above.

The public sector privacy statutes in British Columbia and Nova Scotia impose specific restrictions on the cross-border transfer of personal information by a 'public body' in those provinces, including government departments and agencies, as well as hospitals and universities. A public body may only allow personal information to be stored and/or accessed outside of Canada, if the individual has identified the personal information and consented to it being stored or accessed in another jurisdiction.

As previously noted, the transfer of personal information to an agent or service provider is considered a use and not a disclosure of personal information. Health privacy statutes also generally permit custodians to disclose PHI to a person outside of the province in which such information was collected under prescribed circumstances, including but not limited to where the individual consents to the disclosure, or where the disclosure is reasonably necessary for the provision of health care to the individual and the individual has not expressly instructed the custodian not to make the disclosure.

8. Breach Notification

Mandatory breach notification regimes are in place under PIPEDA and the Alberta private sector privacy statute. In the public sector, mandatory breach reporting obligations apply to custodians of personal health information in Alberta, Ontario, New Brunswick, and Newfoundland and Labrador. Quebec's Bill 64 implements a mandatory breach notification regime for both the private and public sectors effective 22 September 2022.

Under PIPEDA, an organisation must report a privacy breach to the OPC and also notify affected individuals, unless prohibited by law, where:

  • there has been a loss of, unauthorised access to, or unauthorised disclosure of personal information resulting from:
    • a breach of an organisation's security safeguards; or
    • a failure to establish those safeguards;
  • the personal information is under the organisation's control; and
  • it is reasonable in the circumstances to believe the breach creates a 'real risk of significant harm' to an individual.

For the purposes of the 'real risk of significant harm' test, significant harm includes 'bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property'. Factors relevant to the analysis include the sensitivity of the personal information involved in the breach of security safeguards (viewed in the totality of its circumstances) and the probability of personal information misuse.

Privacy breach reports and notifications under PIPEDA must 'be given as soon as feasible after the organisation determines that the breach has occurred'. An organisation is also required to keep and maintain a record of every loss of, unauthorised access to, or unauthorised disclosure of personal information resulting from a breach of its security safeguards or from a failure to establish those safeguards and the personal information that is under the organisation's control, regardless of whether they give rise to a real risk of significant harm to an individual. An organisation must keep and maintain such breach records for a minimum of 24 months and provide the OPC with access to, or a copy of, such records upon request.

The Alberta breach reporting regime is also triggered by the same 'real risk of significant harm' test. However, organisations are only required to report the privacy breach to the Alberta privacy commissioner, unless that commissioner determines that notification of individuals is required.

With respect to PHI, breach notification requirements are generally imposed on both custodians and agents of custodians under health privacy statutes. Under PHIPA, a custodian must notify the IPC 'as soon as reasonably practical' of a privacy breach resulting from:

  • use or disclosure without authority;
  • stolen information;
  • further use or disclosure without authority after a breach;
  • pattern of similar breaches;
  • disciplinary action taken against an employee or other agent that triggers a duty to report to a health regulatory college;
  • disciplinary action against other employees or agents that would have triggered the report in the above point had the employee or agent been a member of a health regulatory college; and
  • significant breach, taking into consideration whether:
    • the information is sensitive;
    • the breach involves a large volume of information;
    • the breach involves many individuals' information; and
    • more than one custodian or agent was responsible for the breach27.

An agent must notify the custodian if PHI handled by an agent on behalf of a custodian is stolen, lost, or accessed by unauthorised persons, at the first reasonable opportunity. Custodians must also notify affected individuals at the first reasonable opportunity if PHI is stolen, lost, or accessed by an unauthorised person. In addition, a custodian must count every breach, including those that did not meet the threshold for reporting, in its annual statistics report to the IPC.

9. Data Subject Rights

Privacy laws generally provide individuals with the right to:

  • consent or be informed of the purposes for the collection, use, and disclosure of their PHI;
  • access and request correction of their personal information and PHI;
  • withhold or withdraw consent to the collection, use or disclosure of their personal information and PHI;
  • expressly instruct custodians not to use or disclose their PHI for healthcare purposes; and
  • complain to their applicable privacy commissioner about the practices of organisations or custodians and when their privacy rights have been violated.

PIPEDA does not currently contain a right of erasure (although the OPC has previously interpreted the right to withdraw consent as requiring deletion of personal information in certain circumstances), nor a right to data portability.

Organisations and custodians may refuse access to personal information or PHI in limited situations as prescribed by the applicable statute, including if:

  • the information in question is subject to a legal privilege;
  • in the case of PHI, access could reasonably be expected to result in a risk of serious harm to the treatment or recovery of the individual, or serious bodily harm to the individual or another person;
  • the information was collected in the course of an ongoing inspection, investigation, or similar procedure; or
  • another law prohibits the disclosure of that information.

An individual may still have a right of access to the part of a record of PHI that can reasonably be severed from the parts to which access is refused. A custodian may refuse to correct a record of PHI that was not originally created by the custodian, or if the record consists of a medical diagnosis or other professional opinion or observation made in good faith28.

10. Penalties

Generally, Canadian privacy commissioners have not historically had the jurisdiction to issue penalties or award damages. Instead, most privacy complaints are resolved by the organisation or offending party making commitments to change its practices, after an investigation and report of findings are released by the privacy commissioner.

After the privacy commissioner has either conducted or discontinued an investigation into an organisation's privacy practices, an individual or the commissioner may bring a court application for a hearing on how the organisation handles personal information and for damages for actual harm suffered. Among other things, the court may order the organisation to:

  • correct its practices to comply with the applicable privacy statute;
  • publish a notice of any of the actions taken or proposed to be taken to correct its practices to comply; and
  • pay damages, including damages for humiliation or mental anguish suffered by the complainant.

Privacy statutes also include offences and statutory fines for actions found by a court to be in breach of such laws, for example, wilfully collecting, using, or disclosing PHI in contravention of the statute, or obstructing the privacy commissioner in the performance of its oversight functions. Fines under Ontario's PHIPA were doubled with recent amendments that came into effect in 2020, with fines now up to CAD 200,000 (approx. €146,500) for an individual found guilty of committing an offence and up to CAD 1,000,000 (approx. €732,400) for an organisation or institution. PHIPA now also provides for the possibility of up to one year of imprisonment. Additionally, any officer, member, employee, or agent of a corporation found to have authorised or acquiesced to a breach of PHIPA can be held personally liable.

Canadian privacy laws are currently in a state of flux with several provinces either implementing or proposing significant changes to their privacy laws. In addition to doubling its statutory fines, on 25 March 2020, PHIPA became the first Canadian privacy statute to implement an administrative monetary penalty ('AMP') regime. This regime will permit the IPC to make an order imposing AMPs directly against any person whose activities the commissioner has reviewed, if the commissioner is of the opinion that the person has contravened PHIPA or its regulations. The penalty amounts and their administration will be determined by future regulation.

Quebec's Bill 64 also introduces a significant AMP regime effective 22 September 2023, with AMPs of up to CAD 10 million (approx. €7,322,300) or 2% of worldwide turnover. It also creates penal offences with fines of up to CAD 25 million (approx. €18,310,100) or 4% of worldwide turnover, as imposed by the Court of Quebec.

Moreover, on 19 May 2020, the Competition Bureau Canada announced that it had entered into a settlement agreement with Facebook, Inc. whereby the company agreed to pay a CAD 9 million (approx. €6,591,400) penalty and an additional CAD 500,000 (approx. €36,600) in costs. The settlement was reached after the Competition Bureau concluded that the company made false or misleading claims about the privacy of Canadians' personal information on Facebook and Messenger in relation to the Cambridge Analytica data scandal. This is the first time the Competition Bureau has exercised its powers under the deceptive marketing practices provisions of the Competition Act, RSC 1985 c 34 to investigate a privacy matter. However, the Commissioner of Competition was quoted stating that "Canadians expect and deserve truth from businesses in the digital economy and claims about privacy are no exception. The Competition Bureau will not hesitate to crack down on any business that makes false or misleading claims to Canadians about how they use personal data, whether they are multinational corporations like Facebook or smaller companies29".

In addition to the above remedies, persons who are convicted of an offence under privacy statutes may be subject to a civil suit for damages for breach of privacy. Private rights of action based on various statutory torts for breach of privacy30 or common law torts stemming from the concept of 'invasion of privacy' have been recognised by Canadian courts in recent years. To date, four different common law privacy torts have been recognised by Ontario courts:

  • intrusion upon seclusion31;
  • misappropriation of personality32;
  • public disclosure of private facts33; and
  • publicity placing a person in false light34.

Privacy class action lawsuits may also result in awards of damages arising from breach of privacy rights. However, while many class actions have been certified, it is unusual for any to make it to trial.35 As an Ontario judge previously noted, class members have been "confronted with ultra-enormous difficulty in establishing specific causation" and have instead been forced to settle for "very modest per capita recoveries for class members36".

11. Other Areas of Interest

Virtual Healthcare

Virtual healthcare, including telemedicine, has become increasingly prevalent in recent years and essential during the COVID-19 pandemic. However, the exchange of PHI via messaging, telephone, and videoconferencing consultations gives rise to unique privacy concerns and cybersecurity risks.

In February 2021, the IPC released the Virtual Healthcare Guidance. The Virtual Healthcare Guidance reminds custodians that PHIPA 'applies to virtual care as it does to in-person care' and that custodians must comply with PHIPA, in addition to all other applicable laws and regulations, as well as guidance issued by relevant professional regulators. The Virtual Healthcare Guidance provides that, to enhance privacy and security in virtual healthcare, custodians should:

  • determine which statutory rules and professional or other regulatory guidelines apply to them and ensure they understand these obligations;
  • conduct PIAs to identify and manage the specific privacy and information security risks associated with providing virtual healthcare37;
  • develop and implement a virtual healthcare policy;
  • provide comprehensive privacy and security training for employees and other agents;
  • have a robust information security management framework to regularly monitor, assess, and mitigate any security risks that may arise in the course of using the virtual platform; and
  • have a privacy breach management protocol in place.

The Virtual Healthcare Guidance also indicates that, to assist custodians in choosing virtual visit solutions, Ontario Health has developed a Virtual Visits Solution Standard. This provincial standard was developed to help custodians and vendors deliver secure virtual healthcare by using 'safe, secure, and interoperable platforms'.

In addition to the usual responsibilities of custodians, the Virtual Healthcare Guidance details additional responsibilities that are unique to the provision of virtual healthcare, including but not limited to, the following:

  • using plain language, custodians should inform their patients of the limitations and risks of virtual care visits, including potential privacy breaches resulting from physical or electronic eavesdropping, hacking and software exploits, technical failures, and configuration errors;
  • custodians must have the patient's consent to collect, use, and disclose PHI through virtual care technologies and services. Custodians should document the discussion of the limitations and risks of virtual care visits, including the potential for privacy breaches, and the consent obtained. The patient should be informed that they can withdraw this consent at any time;
  • custodians should avoid using personal email, unencrypted text messaging, or free cloud-based videoconferencing platforms to communicate with patients, as these platforms raise serious privacy risks. Instead, custodians should use only organisation-approved email, messaging, or videoconferencing accounts, software, and related equipment;
  • custodians must implement additional safeguards when communicating PHI via email or secure messaging, to ensure the exchange is with the correct person and to authenticate identity. Encryption should be the default for emails38 and custodians must be vigilant of phishing attempts designed to trick the recipient into revealing confidential information or downloading malware39; and
  • the guidelines also set out additional safeguards for videoconferencing and patient portals.

Virtual healthcare will likely become more entrenched in the Canadian healthcare system. The IPC's guidelines provide useful information for custodians, service providers, and all other participants in virtual health care.


Endnotes

1. This does not include privacy requirements under other legislation.

2. Manitoba introduced the Personal Information Protection and Identity Theft Prevention Act, CCSM c P33.7 ('PIPITPA') in 2013, but it has not yet come into force. It was modelled after Alberta's privacy legislation, though there are some differences. PIPEDA will continue to apply until the Governor in Council recognises PIPITPA as substantially similar to Part 1 of PIPEDA.

3. Office of the Privacy Commissioner of Canada, Provincial laws that may apply instead of PIPEDA, May 2020.

4. The three federal research agencies are the Canadian Institute of Health Research, the Natural Sciences and Engineering Research Council of Canada, and the Social Sciences and Humanities Research Council of Canada.

5. Barbara McIsaac et al., The Law of Privacy in Canada, 6.2.2 — The Canadian Health Privacy Map (Thomson Reuters, 2020).

6. Forward Regulatory Plan 2020-2022: Modernization of the Regulation of Clinical Trials, https://www.canada.ca/en/health-canada/corporate/about-health-canada/legislation-guidelines/acts-regulations/forward-regulatory-plan/plan/modernization-regulation-clinical-trials.html

7. IPC FAQs.

8. OPC, Guidelines for obtaining meaningful consent, May 2018.

9. Tri-Council Policy Statement, Chapter 3 – The Consent Process, Article 3.1.

10. 'Market Authorization Holder' (also referred to as a sponsor or manufacturer) means the legal entity that holds the Notice of Compliance, the Drug Identification Number (DIN), the medical device licence number, the product licence number, or that has received approval to initiate clinical trials in Canada.

11. Health Canada, Reporting Adverse Reactions to Marketed Health Products, 2018.

12. OECD, Creation and Governance of Human Genetic Research Databases, 2006.

13. Eleana Rodriguez, “Who Monitors Biobanks? The Need for an Oversight Authority,” Master of Laws Thesis, University of Toronto, 2014.

14. Global Directory of Biobanks, Tissue Banks and Biorepositories. Note that this section on biobanks does not apply to facilities that store reproductive materials, such as sperm banks, which are regulated by Health Canada.

15. IPC FAQs.

16. Tri-Council Policy Statement, Chapter 12 — Human Biological Materials Including Materials Related to Human Reproduction.

17. Piljak Estate v. Abraham (2014 ONSC 2893); this decision has not been considered or cited in subsequent cases.

18. CAN/CSA-Q830-96; published March 1996; reaffirmed 2001.

19. See for instance: OPC, PIPEDA Fair Information Principles, Revised: May 2019.

20. OPC, Guidelines for obtaining meaningful consent, May 2018.

21. Royal Bank of Canada v. Trang, 2016 SCC 50 § 23.

22. IPC FAQs.

23. IPC FAQs.

24. OPC, Personal Information, October 2013.

25. See for instance, IPC, De-identification Guidelines for Structured Data, June 8, 2016, which applies to Ontario's provincial and municipal public bodies.

26. OPC, Guidelines for processing personal data across borders, January 2009.

27. IPC, Reporting a Privacy Breach to the IPC – Guidelines for the Health Sector, September 2019.

28. IPC FAQs.

29. Competition Bureau Canada, News Release: Facebook to pay $9 million penalty to settle Competition Bureau concerns about misleading privacy claims, May 19, 2020.

30. As set out in section 1.1 - Legislation, the Privacy Act of each of British Columbia, Saskatchewan, Manitoba, and Newfoundland and Labrador includes a statutory tort for breach of privacy.

31. Jones v. Tsige, 2012 ONCA 32.

32. Krouse v. Chrysler Can. Ltd. [1972] 2 OR 133 and Athans v. Canadian Adventure Camps Ltd. [1977] 2 A.C.W.S. 1065 (Ont HCJ).

33. Jane Doe 464533 v. ND, 2016 ONSC 4920 and Jane Doe 72511 v. Morgan, 2018 ONSC 660.

34. Yenovkian v Gulian, 2019 ONSC 7279.

35. See Douez v Facebook, Inc., 2022 BCSC 914 (CanLII) where a trial decision was rendered on summary judgement.

36. Karasik v. Yahoo! Inc., 2021 ONSC 1063 at para. 139.

37. See IPC, Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act, October 2005.

38. See IPC, Communicating Personal Health Information by Email, September 2016.

39. See IPC, Protect against Phishing, July 2019.


Peter Ruby Partner
Monique McAlister Partner
Meghan King Associate
Goodmans LLP, Toronto