What is the Personal Information Protection Act?
The Personal Information Protection Act (PIPA) outlines the responsibilities a business has regarding personal information, including that of staff and clients (patients). As community-based clinics are small businesses, they are required to ensure privacy and security measures are in place to protect against unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction of individual’s information.
What is personal information?
Any data that could be used to identify an individual is considered personal information. This includes name, address, contact information, date of birth, etc.
PIPA in your clinic
As a business, you are collecting, using, and disclosing personal information from employees (staff, contractors, students, volunteers) and patients. You are responsible for adhering to PIPA and have an obligation to protect your staff and patients. Part of your professional duty is to ensure your business is safeguarding the personal data you are collecting, including human resources information.
Storing personal information
Under PIPA, personal information is to be maintained and stored in Canada. If you are using international services, you must notify all individuals that are affected that their information is being housed outside of Canada. You must also provide them with the opportunity to opt-out if they choose.
Ten PIPA Principles
These ten key PIPA principles can help your clinic maintain compliance and build strong day-to-day privacy practices.
- Accountability and Management
- You are accountable for the personal information individuals give you.
- Notice
- You will explain why you collect personal information before you collect it.
- Collection
- You limit the amount and type of personal information you collect.
- Use and Disclosure
- You will use and disclose personal information only for the reasons for which it was provided to you, unless otherwise permitted by law.
- Consent
- You must obtain consent to collect, use or disclose any personal information.
- Access
- Individuals have a right to access their personal information that is in your organization.
- Safeguards
- You will protect individuals’ personal information from unauthorized access, use, disclosure or destruction.
- Quality and Accuracy
- You take efforts to ensure that the personal information in your organization is accurate and complete.
- Storage
- Personal information should be stored in Canada. Otherwise, all individuals must be notified if you have a services provider outside of Canada.
- Challenge to Compliance
- Individuals have the right to challenge an organization’s collection, use and disclosure of personal information.
It is a clinic’s responsibility to regularly assess personal information safeguards and ensure that all physicians and staff are properly trained in privacy best practices. All privacy complaints and suspected breaches must be investigated, reviewed and handled as outlined by the Office of the Information and Privacy Commissioner of Alberta (OIPC).