Some of the provincial privacy protection laws in Canada cause confusion for therapists.
Q: Does BC’s Freedom of Information and Protection of Privacy Act (FOIPPA) apply to me?
Freedom of Information and Protection of Privacy Act (FOIPPA): BC's provincial law that applies to public bodies is FOIPPA. Public bodies are defined as any organization that carries out the functions of government, like a public-school board, a public hospital or health authority.
FOIPPA states that personal information collected by a public body must be stored on a server in Canada. Nova Scotia, Quebec and Alberta have similar provincial laws, also stating that public data must stay in Canada.
SLPs employed in public jobs are being told that most online telepractice platforms are not secure enough and therefore not permitted. Likewise, they face prohibitions against using email with clients or saving any data to a cloud-based application.
Personal Information Protection Act (PIPA): Private sector organizations in BC are required to comply with PIPA BC. Note that private practices in audiology and speech language pathology, healthcare companies and private treatment centers are all private sector organizations. Private hospitals, unlike public hospitals, are not government operated. Even BC’s doctor’s offices are private businesses and are therefore not required to comply with FOIPPA but are required to comply with PIPA.
A key difference is that there is no requirement to store data on servers located in Canada. There are no prohibitions against using online telepractice platforms, email and cloud-based data storage.
PIPA BC outlines how all of BC’s private sector organizations must handle the personal information of its employees and the public (i.e. customers) and creates common-sense rules about collecting, using and disclosing that personal information. Many other provinces have laws for the private sector that cover the same principles as Canada’s federal law known as PIPEDA.
Q: I’m a private practice SLP working as a service provider for WorkSafe BC. Why does WorkSafe BC expect me to comply with FOIPPA?
WorkSafe BC is a provincial agency which gets involved when workers are injured on the job. WorkSafe BC has case coordinators and managers who arrange rehab contracts with service providers. As part of the referral process, these WorkSafe BC employees send case files to service providers.
Rehab professionals go through an application process to become WorkSafe BC service providers. Because the provincial government owns and controls the case files about clients, the government is responsible for what happens to that data. WorkSafe BC imposes a legal requirement upon private sector contractors, ensuring that these private entities offer the same level of privacy protection as the public sector.
This is not optional. FOIPPA states that a public body has a continuing obligation to ensure that, when dealing with a business that it has retained under contract to perform services, the business signs a contract promising to comply with FOIPPA’s privacy requirements. The only circumstance in which a privacy protection schedule may not be required is if a contract clearly states that the government will not own or control any personal information involved.
Q: I do contracts for the Community Brain Injury Program for Children and Youth, which is run by the BC Center for Ability, a public body. Is that why I must agree to a long list of privacy requirements every year?
Yes, government ministries and other public sector organizations are instructed to attach a privacy protection schedule to any contracts that involve personal information. The privacy protection schedule ensures that the high privacy standards set by the FOIPPA are maintained for personal information held by service providers. Specifically, BC’s Privacy Protection Schedule lays out the security, storage, use, retention, disclosure requirements and limitations required by law, as well as a clause for termination for non-compliance.
Alternatively, a public body may be able to use a modified version of the privacy protection schedule in situations where the original wording of the privacy protection schedule template does not capture the circumstances or context of the contract. The public body seeking approval for a modified privacy protection schedule must first obtain consent from the Privacy, Compliance and Training Branch and provide the following information:
- the modified version of the privacy protection schedule, and
- provide a detailed explanation of why an alternative is required.
It is important to note that BC’s Privacy, Compliance and Training Branch will only consider changes that are equivalent to or better than the requirements of the standard privacy protection schedule.
Q: I am a Registered Autism Service Provider (i.e. RASP) for BC’s Autism Funding Program. I do a lot of video conferencing with clients. It is featured in their online search function, so it must be permitted, right?
Yes, it is legal for private practice speech language pathologists on the RASP list to do video conferencing with clients funded by the Autism Funding Program. Furthermore, these professionals can store data about clients on global servers and use email to interact with clients.
In this situation, PIPA applies and there is no government mandate to ensure that service providers comply with FOIPPA. This is because the Autism Funding Program does not give personal information about clients to service providers. You will recall that the government does not own or control contact information (e.g. name, phone, address, email). It is parents who hire the service providers and sign the contract to authorize payment to the service providers. The provincial government simply provides a billing authorization number for the contract with the service provider.
Similarly, a private doctor’s office obtains the medical information directly from the patient. Doctors can bill the Medical Services Plan using a billing code. Private doctors are not contractors or service providers for the provincial government.
Q: Does that mean that the determining factor is the source of the data, not the source of the funding?
Yes, exactly. As a speech language pathologist in private practice, you might have multiple referral sources and various third-party payers. When the data is coming from a public body, FOIPPA will apply if you have been asked to sign a contract to that effect. When the data is coming from private body or directly from clients, PIPA will apply.
