Patient Privacy Regulations in Canada: Safeguarding the Public’s Information

By Evra Taylor

legalangleAmid growing concern about access to patient information, questions have been raised about how to protect patients’ privacy in terms of information gathering, record keeping and safeguarding confidentiality.

David Fraser, a Halifax-based privacy lawyer with the firm of McInnis Cooper is familiar with the ins and outs of Canada’s privacy laws and their application for optometrists and opticians. He points out that one cannot refer to “a privacy act” in Canada because the laws that govern privacy in this country are a patchwork of provincial and federal acts and updates that compose a tapestry of legislation.

Interestingly,Quebec was the first province to enact privacy legislation. However, the legislative principles are the same across the country and Canada’s privacy regulations are quite comprehensive, according to Fraser. The laws encompass patient information from the moment it’s collected, through its lifecycle in a professional’s practice.

“Some pharmacies, for example, have consulting rooms so that if the client has questions about their prescription, they can address them privately. If such a room isn’t available, that may be an infraction,” he explained. In addition, the practitioner must obtain the individual’s consent for disclosure of personal information. The optician or optometrist must collect and disclose only the minimum amount of information about patients and their practice must have safeguards in place against the loss or misuse of patient records.

One of the most important privacy requirements is that an optician with a retail practice is obliged to designate an individual who is responsible for privacy regulation compliance. This can be the optometrist-owner, an administrator or an office manager. Fraser points out that in the case of a multi-location optical chain, it makes sense to have someone responsible for compliance onsite at each location; this is essential in creating accountability.

Staff training – and refresher sessions – in issues relating to safeguarding patient information are crucial, he adds. In fact, this training is recommended by Jennifer Stoddart, the Privacy Commissioner of Canada. “In my experience, people become de-sensitized and deal with private data quite casually. Sometimes you lose sight of how sensitive this information is,” explains Fraser.

Naturally, any healthcare professional needs to be aware of their reputation. If an optician becomes known for not caring about consumer privacy, their practice will no doubt suffer. And for regulated professionals, engaging in unprofessional conduct can expose them to discipline by a regulator.

A highly publicized breach of privacy occurred in 2010 when a Canadian optical firm disclosed a client’s personal information without his consent and subsequently failed to provide him with access to that information. The firm didn’t suffer any real consequences; as Fraser points out, the Privacy Commissioner doesn’t have any powers to levy fines or to issue orders. “The worst consequence in a case like this is to name and shame the company.”

Is Canada’s privacy legislation adequate? “Yes,” Fraser contends. “If the legislation is followed, it’s adequate”. That’s a big ‘if’, however. “Breaches occur every day. Awareness of privacy issue laws isn’t high, particularly in smaller practices, which probably are not even aware of them and most likely inadvertently breach these laws all the time.”

Fraser advises optical practitioners to take time to educate themselves about their obligations.Canada’s Privacy Commissioner has helpful resources, “and people should also be looking to their provincial regulators and associations. Some of them have made the effort to put together materials for opticians,” notes Fraser, adding, “Complying with Canada’s privacy legislation is not that difficult.”

For more information on Canada’s privacy legislation, visit the Office of the Privacy Commissioner of Canada’s web site at