Data Privacy, Security & Residency
Legislation
Alberta has 3 access and privacy laws:
Health Information Act
Freedom of Information and Protection of Privacy Act
Personal Information Protection Act
Alberta’s Information and Privacy Commissioner is an Officer of the Legislature who works to protect the information access and privacy rights of Albertans. The Office of the Information and Privacy Commissioner (OIPC) is the regulator responsible for ensuring compliance with Alberta's access and privacy laws.
Health Information Act
The Health Information Act (Alberta) (HIA) governs and regulates access to and the collection, use and disclosure of health information. "Health information" means one or both of the following:
diagnostic, treatment and care information; and
registration information (e.g., demographics, residency, health services eligibility, or billing).
Alberta Health Services is a "custodian" under the Act and must therefore comply with the Act.
The HIA also enables 3 regulations:
Alberta Electronic Health Record Regulation
Governs and manages the use of Alberta Netcare.
Designation Regulation
Identifies which health professions can qualify for access to Alberta Netcare as a custodian.
Health Information Regulation
Outlines relationships between custodians, affiliates, information managers, and patients' rights to request their information.
Related Resource(s):
A Practical Guide to the Health Information Act (OIPC Alberta)
Health Information Act - Guidelines and Practices Manual (Government of Alberta)
Freedom of Information and Protection of Privacy Act
The Freedom of Information and Protection of Privacy Act (Alberta) (FOIP) governs and regulates access to and the collection, use and disclosure of personal information by public bodies. FOIP applies to AHS as a public body.
As per FOIP section (1)(n):
Personal Information Protection Act
The Personal Information Protection Act (Alberta) (PIPA) governs and regulates the collection, use and disclosure of personal information by provincially-regulated private sector organizations, including:
Corporations
Unincorporated associations
Professional regulatory associations
Trade unions
Partnerships
Private schools or colleges
Any individual acting in a commercial capacity
Related Resource(s):
A Guide for Businesses and Organizations on the Personal Information Protection Act (OIPC Alberta)
Personal Information Protection and Electronic Documents Act
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Federal law that governs how private-sector organizations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada.
Unless the personal information crosses provincial or national borders, PIPEDA does not apply to organizations that operate entirely within Alberta, British Columbia or Quebec. Please refer to the Office of the Privacy Commissioner of Canada Q&A document regarding PIPEDA and Provincial Privacy Laws for additional information.
AHS Policies
AHS has policies in place to ensure compliance with HIA as well as other legislation such as the Freedom of Information and Protection of Privacy Act (Alberta) (FOIP). The following policies may pertain to your innovation:
Collection, Access, Use, and Disclosure of Information Policy #1112
Privacy Impact Assessment Policy #1145
Privacy Impact Assessments
AHS departments are expected to ensure that any innovation or initiative is reviewed for risks and impacts to data privacy and security through a consultative process with the AHS Privacy Office. The Privacy Office helps determine whether a privacy impact assessment (PIA) should be conducted. A PIA is a documented process to assist AHS in reviewing the impact new projects might have on individual privacy.
When is a PIA Required?
When identifiable health information is involved, a PIA is mandatory.
Under the Health Information Act 64(1): "Each custodian must prepare a PIA that describes how proposed administrative practices and information systems relating to the collection, use and disclosure of individually identifying health information may affect the privacy of the individuals who are the subject of the information."
As per the AHS Privacy Impact Assessment Policy #1145:
Do I need a PIA if my innovation only uses personal information?
AHS is also governed by FOIP and whether you need a PIA will be determined by the AHS Privacy Office.
What kind of information do I need to provide for a PIA?
Please refer to the OIPC PIA Requirements Guide.
How long does the PIA process take?
Depending on volumes, and the completeness of the PIA submission, the PIA acceptance process could take up to 12 months.
Data Security
Personal Information
The Personal Information Protection Act (Alberta) (PIPA) governs and regulates the collection, use and disclosure of personal information by provincially-regulated private sector organizations. As an innovator, you are required to take reasonable security measures to protect personal information at all times.
Please refer to Organization Responsibilities for Protecting Personal Information for more information.
Health Information
As a custodian under the HIA, AHS has a duty to protect health information using administrative, technical and physical safeguards. Custodians are responsible for the actions of their affiliates, including information managers.
What is an information manager?
As per HIA section (66)(1):
If your innovation is an information manager, then an agreement between the custodian and the information manager must be in place. For more information about the Information Manager Agreement, please refer to section (7.2) of the Health Information Regulation.
Data Residency
It is generally recommended that innovators consider keeping their data operations within Canada.
Personal Information
Although it is not prohibited to collect, process, transfer and store your data outside of Canada, there are guidelines and rules.
Under PIPEDA, organizations are responsible for the data that they collect, process, transfer and store. This means that you are held accountable for the protection of personal information transfers under each individual outsourcing arrangement.
Related Resource(s):
Guidelines for processing personal data across borders (Office of the Privacy Commissioner of Canada)
Under PIPA, organizations that will be transferring personal information to a service provider outside of Canada must provide prior notice to the individuals before or at the time of collecting or transferring the information. The notice must be in writing or orally delivered and must include:
the way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada
the name or position name or title of a person who is able to answer on behalf of the organization the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization.