In Canada, a number of laws govern privacy rights and personal information. The provincial laws include:
- Alberta’s Personal Information Protection Act
- British Columbia’s Personal Information Protection Act
- Québec’s An Act Respecting the Protection of Personal Information in the Private Sector
- Ontario's Personal Health Information Protection Act
- New Brunswick's Personal Health Information Privacy and Access Act
- Newfoundland and Labrador's Personal Health Information Act
There is one federal privacy law for the private sector: the Personal Information Protection and Electronic Documents Act (PIPEDA).
Please note: PIPEDA does not apply to an organization's collection, use or disclosure of personal information within a province whose legislation has been declared substantially similar to PIPEDA, unless the personal information crosses provincial or national borders. (Federally regulated organizations such as banks, airlines and telecommunications companies remain subject to PIPEDA regardless of where they operate.) Alberta, British Columbia and Québec all have private-sector legislation that has been declared substantially similar to PIPEDA. Ontario's, New Brunswick's and Newfoundland and Labrador's health information legislation has also been declared substantially similar to PIPEDA with respect to health information custodians. The legislation of the other provinces and territories has not been declared substantially similar, so PIPEDA continues to apply to private-sector organizations in those jurisdictions.
Personal Information Protection and Electronic Documents Act (PIPEDA)
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal legislation that governs how private sector organizations, such as private healthcare practices, may collect, use or disclose "personal information" in the course of commercial activities. "Personal information" is defined in PIPEDA as "information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization."
PIPEDA gives individuals the right to:
- Understand why organizations collect, use or disclose their personal information.
- Expect organizations to collect, use or disclose their personal information in a reasonable and appropriate way.
- Know who in the organization is responsible for protecting their personal information.
- Expect organizations to protect their personal information with reasonable security safeguards.
- Expect the personal information held by organizations to be accurate, complete and up to date.
- Access their personal information, request corrections, and make a complaint to the organization or to the Privacy Commissioner of Canada about how it has been handled.
PIPEDA requires organizations to:
- Obtain consent before collecting, using or disclosing personal information.
- Collect personal information in a reasonable, appropriate and lawful way.
- Establish clear and reasonable personal information policies and practices that protect individuals' personal information.
Kalix and Canadian Data & Privacy Law
Here at Kalix we take data security and privacy very seriously. We have stringent procedures and up-to-date technology in place to make sure Kalix meets government privacy and security requirements. We also ask all paying Kalix users based in Canada to enter into a Data and Privacy Agreement with us. The purpose of this agreement is to make sure that you as a Kalix user and we as your software vendor both meet Canadian data and privacy laws.
A summary of Kalix's privacy and security practices follows:
Data is encrypted in transit
- All data is encrypted in transit (to and from the cloud) using TLS (Transport Layer Security).
- Data is encrypted in transit between Kalix and our third party messaging providers.
Data is encrypted at rest
- All data is encrypted at rest including all backup copies.
- We use certificate-based key management: the keys needed to decrypt your records are held in a protected key store on the server operating system, separate from the encrypted data, so that an outside attacker who obtains the stored data alone cannot read it.
- We also use stronger encryption than current standards recommend to make sure your records stay secure.
- All data is stored with triple redundancy in each of two data centers roughly 500 miles apart, six copies in total.
- We take a snapshot of every change you make to every record in Kalix.
- We run a service that backs up files to a third data center operated by Amazon, independent of our hosting provider Microsoft.
- In the case of a catastrophic failure at Microsoft, your data therefore remains available at a third party.
- If you accidentally delete saved information, we are able to recover it from a previous snapshot of your data.
Monitoring for suspicious activity
- As part of our daily operational procedures, logs are collected and monitored 24/7 for suspicious activity.
- In Kalix accounts with multiple users, each user has their own login, and Kalix tracks each user's activity separately. Shared logins defeat this audit trail, so every staff member should use their own.
- Incident response procedures are in place for containing an incident and notifying affected customers.
- Plans are in place to address the recovery or continuation of technology infrastructure critical to you after a natural or human-induced disaster.
- Access controls are in place at Kalix, including electronic identification and the restriction of physical on-site access to data to a limited list of people.
- Kalix users must log in, and so verify their identity, before they can access their accounts.
Return or destruction
- Upon receiving a written request from you at any time and for any reason whatsoever, we will promptly return to you all Personal Health Information in our possession or control. Alternatively, if specifically instructed by you in writing, we will securely dispose of any Personal Health Information in our possession or control.
Disclosure to third parties
- If we become legally compelled to disclose any of the Personal Health Information, we will, to the extent permitted by law, provide you with prompt written notice prior to disclosure.
Assistance with complaints/investigations
- We will co-operate with, and assist in, any investigation of a complaint that any Personal Health Information has been collected, used or disclosed contrary to Privacy Laws or other applicable laws, whether such investigation is conducted by you or a body having the legal authority to conduct the investigation.
Kalix and Cloud Hosting
We host, possess and maintain Kalix and the Personal Health Information provided through Kalix on Windows Azure servers located in the United States of America. PIPEDA does not prohibit private organizations such as health practices from transferring Canadian personal health information out of Canada, and it is fairly common practice; the transferring organization remains accountable for the information and must use contractual or other means to ensure it stays protected while in the hands of the foreign provider. Some provincial laws impose additional conditions on transfers outside the province or outside Canada, so check the rules that apply to your practice. In any case, it is your responsibility as a private organization to expressly inform your clients/patients, and to obtain their consent, before collecting, using or disclosing their data, including the fact that it will be stored outside Canada and may be subject to the laws of that country. You should provide each individual with a Personal Health Information Patient Consent to Disclosure that explains the potential consequences of providing consent. An example consent form is available in Kalix's template library under the heading Agreements & Notices.
Your Obligations and Responsibilities
As stated above, as a private sector organization you also have responsibilities under the Privacy Laws. Details are set out below.
You are responsible for obtaining all consents and approvals required under Privacy Laws from any third party (including clients/patients) to enable you to use and access Kalix, or in any way connected with your use and access of Kalix.
Protection of Personal Health Information
You must safeguard the Personal Health Information in your custody and control as outlined in the Privacy Laws and only use and disclose Personal Health Information on a need-to-know basis.
You agree not to use or further disclose Personal Health Information other than as specifically permitted or required by Privacy Laws or other applicable law.
You agree to use appropriate and reasonable safeguards to prevent unauthorized use or disclosure of Personal Health Information.
You are responsible for providing training to all of your employees, contractors, subcontractors, agents and corporate officers regarding the appropriate collection and disclosure of Personal Health Information. This includes keeping passwords private (never sharing a login between staff), not leaving active workstations or devices unattended for prolonged periods of time, and positioning workstations and devices so that Personal Health Information cannot be seen by anyone other than those with a need to know who have been authorized by you.
The content here is intended only to provide a summary and general overview on matters of interest as at 30/01/2015.
It is neither intended to be comprehensive, nor to constitute legal advice.
You should always obtain legal or other professional advice, appropriate to your own circumstances, before acting or relying on any content here.
We may expand or amend this content from time to time by updating this section or by posting on our website or knowledge base.