Canadian privacy laws can be quite confusing. We want to try to provide a bit of clarity on these laws, and explain how Cliniko can help you stay compliant with both the national and provincial laws.
To get started, it is best to understand the difference between the two types of laws: national and provincial. The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's national law on privacy. This act applies to any private-sector organization or nationally funded entity. It is also the act that provinces defer to when they do not have their own act in place.
Alberta, British Columbia, New Brunswick, Newfoundland and Labrador, Nova Scotia, Ontario, and Quebec all have their own privacy acts. Thankfully, these acts have all been deemed substantially similar to PIPEDA. If an organization is compliant with their provincial act, they are exempt from PIPEDA.
As of March 2020, any new Cliniko account created in Canada will have the option to have its clinic data stored in Canada. This is not a requirement of PIPEDA, but it will assist in ensuring that data collected in Canada is only subject to Canadian laws. In the future, accounts created before March 2020 will have the ability to move their data to Canada.
Below, you'll be able to view the specifics surrounding each of Canada's national and provincial laws. Use the table of contents to skip to the one that applies to you:
National: PIPEDA (Personal Information Protection and Electronic Documents Act)
British Columbia: PIPA (Personal Information Protection Act)
Ontario: PHIPA (Personal Health Information Protection Act)
Alberta: HIA (Health Information Act)
Nova Scotia/Newfoundland and Labrador: PHIA (Personal Health Information Act)
New Brunswick: PHIPAA (Personal Health Information Privacy and Access Act)
PIPEDA (Personal Information Protection and Electronic Documents Act)
Following the Office of the Privacy Commissioner of Canada's documents, we have pulled together the requirements for PIPEDA as well as how each provincial law differs from PIPEDA. Below you will find each principle in PIPEDA and a few points on how Cliniko can help you stay compliant.
An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.
At Cliniko, we have appointed our data privacy officer (DPO) to be accountable for our compliance. They will ensure that we are maintaining compliance with anything that may be added into Cliniko, and they will be responsible for keeping up-to-date on any changes to these.
We ensure that all personal information is encrypted and stored with industry-leading measures. Clinics will need to ensure that they are also protecting the information they collect.
We have set up policies to ensure that all Cliniko staff remain compliant with PIPEDA.
If you are having trouble creating a privacy plan, you can check out https://services.priv.gc.ca/outil-tool/en. The government has created an assessment to help you create your policies.
The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.
We outline everything that we collect in our terms of service and privacy policies. Aside from online bookings, all patient data is collected by the practitioner. Online bookings are not required to be used, and are set up by the clinic. Online bookings do not store cookies, and the information is saved within the clinic's Cliniko account. All of this information is also submitted by the patient.
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
If a patient consented in-person, you can update their patient details, and even attach the consent form as a patient file. This can make it easy if you ever need to find that consent form!
Consent can be withdrawn, and clinics have the ability to delete and anonymize data of a patient should a patient withdraw their consent.
If a clinic would like to have their data deleted, they can contact the Cliniko support team, and we will help them.
The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.
In Cliniko, we ensure that we are only collecting personal information that is necessary and appropriate. The information we need is used to create the account and the users' accounts in Cliniko.
A clinic will need to be sure they are only collecting information that is needed for their clinic. The information that is collected differs between clinics depending on their healthcare needs.
Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.
Cliniko will never use or disclose personal information outside of what it was originally collected for. Should this change, we would contact all clinics and have them agree to the new terms.
Each clinic will need to have their own guidelines for following this principle. Be sure to consult with your legal experts for advice on the use, disclosure, and retention of personal information. The government has some guidelines here.
All clinics have the ability to delete and anonymize the data should they be required to. It is the responsibility of the clinic to delete any data that they no longer require.
Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.
We have the ability to edit or update any information within your Cliniko account. This is only done when requested by an account owner.
Admins and account owners have the ability to edit or update nearly anything within their Cliniko account. If you require help with this, please contact our support team, and they'd be happy to assist!
Personal information must be protected by appropriate security relative to the sensitivity of the information.
In Cliniko, privacy and security are always our top priority. It’s the cornerstone of everything we build in Cliniko. We have outlined our security details here.
PIPEDA does not specify particular security safeguards that must be used. Your clinic must ensure that you are adequately protecting the personal information in your care as technology evolves and as new risks emerge.
The Privacy Commissioner has a few tips that may help you when protecting personal information.
An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
Our privacy policies are clearly outlined, here: https://www.cliniko.com/policies/privacy/
Each clinic is responsible for their own privacy policies.
Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
If requested by a patient, a clinic has the ability to export all data that they have stored in Cliniko on a particular patient. Details on how to do this can be found here.
Information stored outside of Cliniko will need to be managed by the clinic.
Data exports are also available for a practitioner should they require all their data.
An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer.
All challenges can be made to firstname.lastname@example.org. That mailbox is monitored by our DPO (who is also acting as our Chief Privacy Officer) and you will receive a response shortly after a challenge is made.
A clinic will also need to be sure they have means of allowing someone to challenge their compliance. The act does not specify how the challenge needs to be made, but you'll need to be clear on how one would be able to challenge compliance.
PIPA (Personal Information Protection Act)
This is British Columbia's provincial act. The act has been declared to be substantially similar to PIPEDA. PIPA will apply to any provincially regulated private sector organizations.
If you want more details on this specific act, you can visit the British Columbia government page.
PHIPA (Personal Health Information Protection Act)
This is Ontario's provincial act. The act has been declared to be substantially similar to PIPEDA. PHIPA applies to health information custodians that collect, use and disclose personal health information, whether or not in the course of commercial activities.
More details on how these regulations were deemed substantially similar can be found on Ontario's Ministry of Health.
Please note: As of March 25, 2020, Bill 188 received Royal Assent in Ontario. This bill introduces section 10.1 into the Act, and outlines the need to maintain an electronic audit log. We have confirmed with the Information and Privacy Commissioner of Ontario that this requirement is not currently in effect, and more details are to come. We plan to have this feature in Cliniko once these details are available.
HIA (Health Information Act)
This is Alberta's provincial act. The act has been declared substantially similar to PIPEDA. This act was designed to provide residents of Alberta with the right to access their own health information and to request corrections.
For more details on how this act would apply to you, and to get resources that will help you achieve compliance, please visit Alberta's public service page.
PHIA (Personal Health Information Act)
This act is used by two provinces: Nova Scotia and Newfoundland and Labrador. In both provinces, PHIA has been deemed similar to PIPEDA.
The act recognizes both the right of individuals to protect their personal health information and the need of clinics to collect, use and disclose personal health information to provide, support and manage health care.
Details on Nova Scotia's act can be found here, and details for Newfoundland and Labrador can be found here.
PHIPAA (Personal Health Information Privacy and Access Act)
This act is used by New Brunswick. It was determined that this act is similar to PIPEDA, so the above breakdown will also apply to this act.
This act provides a set of rules that protects patients' privacy and the confidentiality of their personal health information.
Details about this act can be found on the New Brunswick Department of Health website.
As always, if you have questions about any of this, reach out to our support team via the chat bubble in the lower-right corner of your screen! We'll be more than happy to discuss things with you! 😊