Talk by Rajeev Sharma of Torkin Manes.
Presentation Outline
I. A summary of Ontario’s privacy laws
II. Privacy law enforcement
III. How to comply
IV. What happens when things go wrong
V. Issues that may arise in the future
VI. Appendix – a detailed explanation of federal
and provincial privacy laws
I. A summary of Ontario’s privacy laws
Several statutes regulate the privacy and disclosure of medical information in Ontario:
Personal Health Information Protection Act
Freedom of Information and Protection of Privacy Act
Municipal Freedom of Information and Protection of Privacy Act
The Occupational Health and Safety Act
Mental Health Act
Regulated Health Professions Act
Medicine Act Professional Misconduct Regulations
I. A summary of Ontario’s privacy laws
Personal Health Information Protection Act (“PHIPA”)
Regulates the collection, use, and disclosure of
personal health information by health information
custodians
Sets rules to balance the needs
of our health care system with
the individual’s right to privacy
Designed to enhance privacy
while minimizing the impact on
the patient-provider relationship
I. A summary of Ontario’s privacy laws
“Personal Health Information” includes oral or written
information that
relates to the individual’s physical or mental state;
relates to the provision of health care;
relates to payment or eligibility for health care;
relates to donation of body parts or bodily substances;
is a plan of service for long-term care;
is the individual’s health number; or
identifies the individual’s substitute decision-maker.
I. A summary of Ontario’s privacy laws
“Health Information Custodians” are anyone who is
involved in delivering health care services, such as:
health care practitioners (e.g. nurses, physicians, or
anyone who provides health care for payment);
long-term-care service providers;
community care access corporations;
hospitals and other facilities;
pharmacies and laboratories;
a medical officer of health or a board of health;
The Ministry of Health and Long-Term Care.
I. A summary of Ontario’s privacy laws
“Agents” of Health Information Custodians
are authorized to act on behalf of a custodian; and
perform activities for the purposes of a custodian.
An individual or organization may be considered an agent
regardless of whether it
has the authority to bind the custodian;
is employed by the custodian; and
is receiving remuneration.
I. A summary of Ontario’s privacy laws
Collection, Use, and Disclosure
A custodian may only collect, use, or disclose personal health information if the individual consents or PHIPA otherwise permits it.
A custodian must not collect,
use, or disclose personal health
information if
other information will serve the
purpose, or
the information is not necessary
to meet the purpose.
I. A summary of Ontario’s privacy laws
How do I know if the individual consents?
1. Express consent
If the disclosure is not to provide health care.
If the information is being provided to a non-custodian.
e.g. marketing, fundraising
2. Implied consent
If the disclosure is for the purpose of providing health care
Assumed if the individual is within the custodian’s
“circle of care.”
If the individual lacks capacity, the consent may be given by
a substitute decision-maker.
I. A summary of Ontario’s privacy laws
Implied Consent & the “Circle of Care”
To be within the circle of care and rely on implied consent, the information must
be received from the individual, a substitute decision-maker, or another custodian;
have the purpose of providing or assisting in the individual’s health care; and
be disclosed from one custodian to another custodian.
Note that some custodians cannot rely on implied consent, such as Canadian Blood Services and the Ministry of Health and Long-Term Care.
I. A summary of Ontario’s privacy laws
Implied Consent & the “Circle of Care”
The PHIPA does not
define “circle of care” but
it is a useful way to
describe situations where
custodians can rely on
implied consent.
I. A summary of Ontario’s privacy laws
Collection
Custodians should collect personal health information directly from individuals; however, it may be collected indirectly if
the individual consents;
the information is necessary to provide health care and direct collection is not reasonably possible;
a government institution needs the information for an investigation or proceeding;
the information will be used for research purposes or for managing the health system; or
indirect collection is otherwise authorized.
I. A summary of Ontario’s privacy laws
Use
Custodians may use personal health information without
consent for
the purpose for which it was collected or created;
planning or delivering programs and services;
risk and error management;
improving the quality of care;
obtaining payment for health care or related goods and
services; and
educating agents and research purposes.
I. A summary of Ontario’s privacy laws
Disclosure
Custodians may disclose personal health information without
consent that relates to
providing health care;
obtaining the identity of, or making decisions for, a deceased
individual;
health programs or research;
eliminating or reducing a significant risk of bodily harm;
the care or custody of persons in a custodial institution or
psychiatric facility;
I. A summary of Ontario’s privacy laws
Disclosure
Custodians may disclose personal health information without
consent that relates to
a legal proceeding or potential successor;
planning and management of health systems;
the government’s analysis of the health system;
monitoring health payments; and
contacting next of kin if the individual is unable to give
consent.
I. A summary of Ontario’s privacy laws
Protecting Information
Once personal health information is collected, custodians
must take “reasonable steps” to ensure the information
is as accurate, complete and up-to-date as necessary;
is protected from theft, loss and unauthorized use or
disclosure (if it is in your custody or control);
records are protected against unauthorized copying,
modification or disposal.
I. A summary of Ontario’s privacy laws
Mandatory Breach Notification
Custodians must notify the individual if his or her personal health information is stolen, lost or accessed by unauthorized persons (e.g. University Health Network has logged 258 privacy incidents since 2012).
Custodians may also voluntarily report privacy breaches to the Privacy Commissioner, who will include the breaches in their annual report (e.g. Mount Sinai has reported 20 privacy breaches every year since 2010).
In 2004 Ontario was the first jurisdiction in Canada to implement this notice requirement.
I. A summary of Ontario’s privacy laws
Information Technology Service Providers
IT Service Providers that are not agents
must ensure their employees and other persons acting on
their behalf comply with PHIPA restrictions on the
collection, use, and disclosure of information;
can only use personal health information as it is necessary to provide the IT service; and
cannot disclose personal health information under any circumstances.
I. A summary of Ontario’s privacy laws
Information Technology Service Providers
All IT Service Providers that allow two or more custodians to
share personal health information electronically must:
notify the custodian of any unauthorized access;
provide public information about safeguards and policies;
keep electronic records of all accesses and transfers;
perform a risk and privacy impact assessment;
enter into an agreement with the custodian and any third
parties requiring the provider to comply with PHIPA.
I. A summary of Ontario’s privacy laws
Health Records
Individuals can generally access records of their own
personal health information (and not someone else’s)
Before providing access, the
custodian must take
reasonable steps to determine
the individual’s identity.
I. A summary of Ontario’s privacy laws
Health Cards
Non-custodians can only collect or use a health number
to provide provincially funded health resources;
for the purpose the individual provided the health number;
for purposes relating to regulating health professionals; or
for purposes relating to health administration, health planning,
research, or epidemiological studies.
Individuals can only be required
to produce health cards for
provincially funded resources.
I. A summary of Ontario’s privacy laws
Accountability & Transparency
Custodians must designate a contact person who
ensures the custodian and its agents comply with PHIPA;
responds to inquiries about the custodian’s practices;
responds to requests for access or correction of records; and
receives complaints about non-compliance.
Custodians must issue a public written statement describing
the custodian’s information practices;
how to reach the custodian and/or its contact person;
how to obtain access to a record or request a correction; and
how to make a complaint to the custodian and privacy
commissioner.
II. Privacy Law Enforcement
Privacy laws may be
enforced with
Complaints
Statutory penalties
Civil lawsuits
Reputational Harm
II. Privacy Law Enforcement
Complaints
A person who believes PHIPA has been violated may
file a complaint with Ontario’s Information and Privacy
Commissioner.
Custodians may be liable or
found guilty of an offence if
they do not act in good faith,
act unreasonably, or do not
comply with the legislation.
II. Privacy Law Enforcement
Complaints
In 2013 more than 400 health-related privacy violation complaints were lodged with Ontario’s Privacy Commissioner.
Examples of privacy breaches from 2014:
Hospitals inappropriately provided patient information to baby photographers
Hospitals were handing out patient contact information to private marketing companies
Individuals may also complain to the custodian or agent themselves.
II. Privacy Law Enforcement
Statutory Penalties
PHIPA contains many offences, such as
wilfully collecting, using or disclosing personal health
information in contravention of PHIPA;
disposing of a record with the intent to evade an access
request; and
wilfully obstructing or making a false statement to the privacy
commissioner.
Individuals found guilty may be fined up to $50,000
Organizations found guilty may be fined up to $250,000
II. Privacy Law Enforcement
Civil Lawsuits
A person or entity may be sued for breach of privacy in
contract and tort law using the following causes of
action: breach of contract, trespass, negligence, breach
of fiduciary duty, or the tort of “intrusion upon
seclusion.”
“Intrusion upon seclusion” is a new tort that allows for
lawsuits based on the invasion of personal privacy
(Jones v. Tsige, 2012 ONCA 32).
II. Privacy Law Enforcement
Reputational Harm
In addition to the risk of complaints, statutory
penalties, and civil lawsuits, a custodian that
breaches privacy laws risks harming their
reputation and that of their organization.
Privacy breaches often become public, resulting in
headline news and trending social media stories.
Harm to the reputations of hospitals, individuals,
and other organizations can be significant.
III. How to comply
Privacy Policies & Procedures
Does your organization have them?
Are they up to date?
Is the content adequate?
Can anyone in the organization access them
readily?
Are they updated and communicated regularly?
III. How to comply
Privacy Compliance Committee
Do you have one?
Does it meet regularly?
Does it keep minutes or records?
Do its members represent all functional areas of the organization? (e.g. IT, HR, etc.)
What is their mandate?
Are the members senior enough in the organization?
III. How to comply
Privacy Compliance Audits
Do you have regular audits?
What do you do with the results?
Are complaints responded to promptly?
Are there internal consequences for non-compliance?
III. How to comply
Privacy Training & Communication
Do you regularly train employees on privacy?
Is your training recorded and logged?
Are new employees
trained right away?
Are there regular
communications/updates?
IV. What happens when things go wrong
Case study: Rouge Valley
Patients who gave birth at Rouge Valley Centenary
Hospital between 2009 and 2013 brought a $412
million class action lawsuit against the hospital
The patients allege that Rouge Valley employees sold
their personal information to private companies that
market RESP investments to new parents.
IV. What happens when things go wrong
Case study: Rouge Valley
The class action exposes the hospital to liability based on
the tort of intrusion upon seclusion, negligence, vicarious
liability or breach of contract
Rouge Valley has provided
disclosure notice on its
webpage in keeping with
PHIPA regarding the possible
breach of patient information
IV. What happens when things go wrong
Internal Protocol
Who is in charge of privacy? Who do they report to?
How often is legal counsel engaged? How involved are they?
Does the organization have a critical action committee when things go wrong? Who’s on the committee? What is the standard operating procedure?
V. Issues that may arise in the future
Genetic Information
Canada has not yet legislated how health insurers
and employers may use genetic testing information
In the US and in many European countries use of
genetic information by insurers and employers is
prohibited
Canada’s privacy commissioner has concerns, but
the last action taken was a Task Force on
Insurance and Genetics in 2004
V. Issues that may arise in the future
Genetic Information
Genetic testing may be governed by PIPEDA and PHIPA and possibly provincial Human Rights Codes
The Canadian Life Health Insurance Association has issued a Position Statement on the use of genetic information stating that
“if genetic testing has been done and the information is available to the applicant for insurance and/or the applicant’s physician, the insurer would request access to that information just as it would for other aspects of the applicant's health history.”
VI. Appendix
i. Federal Privacy Laws
ii. Ontario Privacy Laws
iii. Other Provincial Privacy Laws
VI. Appendix – Federal Privacy Laws
Privacy Act, RSC, 1985, c. P-21
Imposes obligations on the collection, use and disclosure of personal information by federal government departments and agencies
Gives individuals the right to access and request personal information held by federal governmental organizations
The Privacy Act is administered by the heads of the government institutions that are subject to the Act
Each institution listed in the Schedule to the Act (e.g. Health Canada) is required to respond to requests for information from individuals
VI. Appendix – Federal Privacy Laws
Privacy Act, RSC, 1985, c. P-21
“personal information” means information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing,
(a) information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual,
(b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
(c) any identifying number, symbol or other particular assigned to the individual,
(d) the address, fingerprints or blood type of the individual…[emphasis added] (S. 3)
VI. Appendix – Federal Privacy Laws
Personal Information Protection and Electronic
Documents Act [PIPEDA] SC 2000, c 5
Provides rules for how private sector organizations may
collect, use or disclose personal information in the
course of their commercial activities as well as federal
works, undertakings and businesses who hold
employee personal information
Does not apply in provinces that have substantially
similar private sector privacy legislation
VI. Appendix – Federal Privacy Laws
Personal Information Protection and Electronic
Documents Act [PIPEDA] SC 2000, c 5
Gives individuals the right to access and request
correction of personal information held by these
organizations
Does not have any mandatory data breach notification
requirements yet
VI. Appendix – Federal Privacy Laws
The Office of the Privacy Commissioner of Canada
The Commissioner oversees compliance with the Privacy Act and PIPEDA.
The Commissioner investigates complaints made by individuals about Government of Canada institutions pursuant to S. 29 of the Privacy Act
The Commissioner can investigate complaints made by individuals about private sector organizations pursuant to Section 11 of PIPEDA except in provinces that have substantially similar legislation
The Commissioner has made findings under both PIPEDA and the Privacy Act and has handed down decisions for cases where challenges were made by individuals
VI. Appendix – Ontario Privacy Laws
Freedom of Information and Protection of Privacy Act
(FIPPA)
Originally applied to provincial government and public
institutions, now applies to most of the public sector
including Local Health Integration Networks (LHINs)
which include hospitals, long-term care homes and
mental health and addiction agencies
Purpose is 1) to provide a right of access to records
and information and 2) to protect the privacy of
individuals
VI. Appendix – Ontario Privacy Laws
Municipal Freedom of Information and Protection of
Privacy Act (MFIPPA)
Applies to all local government organizations such as
municipalities, school boards, police services boards,
boards of health etc.
Purpose is 1) to provide a right of access to records
and information and 2) to protect the privacy of
individuals
VI. Appendix – Ontario Privacy Laws
FIPPA and MFIPPA – Using Information
Government organizations are only permitted to use personal information if the individual consents to the use; for the purpose for which it was obtained or compiled or for a consistent purpose; or for a purpose for which the information may be disclosed to the government organization (S. 41 FIPPA)
Government organizations must take reasonable steps to ensure that personal information is not used unless it is accurate and up to date (S. 40(2) FIPPA)
VI. Appendix – Ontario Privacy Laws
FIPPA and MFIPPA – Collecting Information
Government organizations (including hospitals and LHINs) are required to collect personal information as part of their role in providing services to the public and shall not collect personal information unless expressly authorized by statute (S. 38(2) FIPPA)
Government organizations must provide notice to individuals whenever personal information is collected and must specify the legal authority for the collection, the purpose of collection and who to contact about the collection (S. 39(2) FIPPA)
VI. Appendix – Ontario Privacy Laws
FIPPA and MFIPPA – Accessing Information
Provincial government organizations are required to list their personal information banks in the Directory of Records (Ss. 44-45 FIPPA)
The directory describes the kinds of personal information kept by each provincial government organization.
Municipal government organizations should have their own directories available (S. 34 MFIPPA)
VI. Appendix – Ontario Privacy Laws
FIPPA and MFIPPA – Disclosing Information
Under FIPPA and MFIPPA, some of the circumstances in which government organizations are permitted to disclose personal information include:
where the individual has consented to the disclosure;
for the purpose for which the personal information was obtained or compiled or for a consistent purpose;
where the disclosure is necessary and proper in the discharge of the organization’s functions;
for the purpose of complying with another Act;
VI. Appendix – Ontario Privacy Laws
FIPPA and MFIPPA – Disclosing Information
Circumstances in which government organizations are permitted to disclose personal information:
for law enforcement purposes;
in compelling circumstances affecting the health or safety of an individual;
in compassionate circumstances, to facilitate contact with the next of kin or a friend of an individual who is injured, ill or deceased;
to the Information and Privacy Commissioner; and
to the Government of Canada in order to facilitate the auditing of shared cost programs. (S. 42 FIPPA, S. 32 MFIPPA)
VI. Appendix – Ontario Privacy Laws
Mental Health Act (MHA)
MHA governs psychiatric facilities and the admission, detention, treatment, and release of psychiatric patients.
PHIPA repealed several sections of the MHA and amended others, most notably, those relating to confidentiality, disclosure, access, and correction of records.
The obligations created by PHIPA apply in addition to those created by MHA. If the provisions of MHA and PHIPA conflict, PHIPA
prevails unless otherwise stated in the Acts.
VI. Appendix – Ontario Privacy Laws
Mental Health Act (MHA)
“patient” includes a current or former patient or out-patient, and anyone who is or has been detained in a psychiatric facility
The officer in charge (OIC) of a psychiatric facility may collect, use and disclose personal health information about a patient, with or without the patient’s consent, for the purposes of
examining, assessing, observing or detaining the patient in accordance with the MHA; or
complying with an order or disposition made under the Criminal Code
VI. Appendix – Ontario Privacy Laws
Mental Health Act (MHA)
The MHA sets out mandatory disclosure of personal health information for:
Capacity and Consent Board proceedings
Persons entitled to have access under s. 83 of the Substitute Decisions Act
Compliance with summons, order, direction, notice or similar requirement in respect of matter that may be in issue in a court of competent jurisdiction or under any Act
except where the attending physician states in writing that he or she is of the opinion that the disclosure is likely to result in harm to the treatment or recovery of the patient or is likely to result in injury to the mental condition of a third person, or bodily harm to a third person.
VI. Appendix – Ontario Privacy Laws
Mental Health Act (MHA)
The MHA sets out permissible disclosure of personal health information to:
A physician who is considering issuing or renewing, or who has issued or renewed, a CTO;
A physician appointed to act as a substitute of the CTO’s issuing physician;
Where requested by the issuing physician or a person named in the CTP, to another person named in a person’s CTP; and
A prescribed person who is providing advocacy services to patients in prescribed circumstances, i.e., a rights adviser.
VI. Appendix – Ontario Privacy Laws
Public Hospitals Act (PHA)
PHA applies to all public hospitals in Ontario, but not to private hospitals under the Private Hospitals Act or independent health facilities under the Independent Health Facilities Act (S. 2)
PHA only briefly refers to record keeping, confidentiality, disclosure, and related issues, leaving these to be spelled out in Regulation 965 – Hospital Management
PHIPA replaces the term “medical record” in PHA with the term “record of personal health information”
The obligations created by PHIPA apply in addition to those created by PHA. If the provisions of PHA and PHIPA conflict, PHIPA prevails unless otherwise stated.
VI. Appendix – Ontario Privacy Laws
Occupational Health and Safety Act (OHSA)
Except where allowed under the OHSA or as
required by another law, worker health and safety
representatives:
must not disclose any information about any workplace
tests or inquiries conducted under the Act;
must not reveal the name of any person from whom
information is received;
may disclose the results of any medical examinations or
tests of workers only in a way that does not identify
anyone. (S. 63(1))
VI. Appendix – Ontario Privacy Laws
Occupational Health and Safety Act (OHSA)
No employer shall seek to gain access,
except by an order of the court or other tribunal
or in order to comply with another statute, to a
health record concerning a worker without the
worker’s written consent (S. 63(2))
VI. Appendix – Ontario Privacy Laws
Regulated Health Professions Act
Various acts are specific to different health
professionals and provide protection based on the
duties and requirements of confidentiality by the
members of those professions, as well as
regulations that outline disciplinary action for
breaches of health care provider confidentiality
such as the Medicine Act Professional Misconduct
Regulations
VI. Appendix – Ontario Privacy Laws
Personal Health Information Protection Act (PHIPA)
Deemed substantially similar to Part 1 of PIPEDA
Health information custodians (“HICs”) are exempt from PIPEDA
Anyone described in Section 3. (1) of PHIPA is considered a health information custodian, e.g.
health care practitioners or a group practice of health care practitioners
persons or organizations providing a community service under the Long-Term Care Act, 1994
a community care access corporation under the Community Care Access Corporations Act, 2001
public or private hospitals
psychiatric facilities under the Mental Health Act
an institution under the Mental Hospitals Act
an independent health facility under the Independent Health Facilities Act, etc.
VI. Appendix – Ontario Privacy Laws
PHIPA – Consent to Collection
Collection may happen only when the individual consents or if PHIPA permits collection without consent, and consent may be express or implied depending on the circumstances (Ss. 18 - 29)
HICs must collect the health information directly from the individual except in limited circumstances (S. 36), such as:
Where the individual consents to indirect collection;
The information is reasonably necessary for providing health care and cannot reasonably be collected directly from the individual accurately or in a timely manner
Custodians must take reasonable steps to inform the public about their collection practices
VI. Appendix – Ontario Privacy Laws
PHIPA – Accessing Health Information
The right of access does not apply to records
that contain:
quality of care information;
information required for quality assurance programs;
raw data from psychological tests or assessments;
other specified types of information (i.e., information
that is used solely for research purposes and
laboratory test results) (S. 51(1)).
VI. Appendix – Ontario Privacy Laws
PHIPA – Mandatory Data Breach Notification
Requirements
A privacy breach occurs whenever a person has
contravened or is about to contravene a provision of the
PHIPA or its regulations, including s. 12(1)
S. 12(1) requires HICs to take steps that are reasonable in
the circumstances to ensure personal health information in
their custody or control is protected against theft, loss and
unauthorized use or disclosure and to ensure that records
containing personal health information are protected against
unauthorized copying, modification or disposal
VI. Appendix – Ontario Privacy Laws
PHIPA – Retaining and Disposing of Information
PHIPA requires that health information custodians
ensure records of personal health information are
retained, transferred and disposed of in a secure
manner, and that if any personal health information
is the subject of a request for access, that it be
retained for as long as necessary to allow the
individual to exhaust any recourse under the Act
that he or she may have with respect to the
request. (S. 13)
VI. Appendix – Ontario Privacy Laws
Electronic PHIPA – Bill 78
EPHIPA proposes to amend three statutes, and
create a new Part V.1, Electronic Health
Records, under the existing PHIPA
First reading of Bill 78 was May 29, 2013
Second Reading started on October 10, 2013
and continued on November 20, 2013 and April
28, 2014
VI. Appendix – Ontario Privacy Laws
Electronic PHIPA – Bill 78
EPHIPA is intended to provide a framework for electronic health records (EHRs) and enable prescribed organizations to create and maintain EHRs, define the EHRs and specify parameters for the creation and maintenance of EHRs
EPHIPA would permit prescribed persons who are not HICs to collect and use health numbers for the purpose of creating or maintaining the EHR
VI. Appendix – Ontario Privacy Laws
Electronic PHIPA – Bill 78
Prescribed organizations would be required to assume all responsibilities relating to the creation and maintenance of the EHR
While these organizations have not yet been identified, the legislation sets out parameters in which they can manage PHI as non-HICs. Existing regulations under PHIPA clarify that eHealth Ontario has the authority as a Health Information Network Provider (HINP) to create and maintain EHRs.
This authority expired as of December 31, 2013, and our understanding is that eHealth Ontario will be named as the initial prescribed organization under this new legislative framework.
VI. Appendix – Ontario Privacy Laws
Electronic PHIPA – Bill 78
The collection, use, disclosure and access of personal health information in the EHR context would be further clarified in EPHIPA
The definition and functioning of individual consent and consent overrides are proposed to be modified under EPHIPA
Electronic Health Records requirements and standards will be presented by Fida Hindi in more detail later today
VI. Appendix – Ontario Privacy Laws
Information and Privacy Commissioner (“IPC”) of Ontario
The IPC of Ontario is an officer of the legislature pursuant to
Section 4 of FIPPA
The Commissioner investigates privacy complaints and
resolves appeals between government organizations and
individuals
Decisions of the Commissioner rule on access and privacy
decisions and practices of governmental organizations
The Commissioner reviews the personal health information
policies of certain entities and investigates complaints under
PHIPA
VI. Appendix – Other Provincial Privacy Laws
British Columbia, Alberta and Quebec have their own
private-sector privacy rights legislation that has been
deemed “substantially similar” to PIPEDA, and are exempted
from PIPEDA application in the private business sector
There is a mandatory data breach notification requirement
under Alberta’s PIPA
Ontario, Alberta, Manitoba, Saskatchewan, New Brunswick
and Newfoundland and Labrador have sector specific health
information privacy legislation that has been deemed
“substantially similar” to PIPEDA, and are exempt from
PIPEDA’s application to personal health information
VI. Appendix – Other Provincial Privacy Laws
Manitoba has enacted health privacy legislation but it has
not yet been deemed to be substantially similar to PIPEDA
Prince Edward Island, Northwest Territories, Nunavut and
Yukon do not have any private sector privacy legislation and
are governed by PIPEDA
Torkin Manes LLP
151 Yonge Street, Suite 1500
Toronto, ON M5C 2W7
www.torkinmanes.com
Rajeev Sharma
416 775 8828
Questions?
Thank you!