A similar situation to that in Alberta currently exists for Manitoba’s Personal Health Information Act[PHIA], Saskatchewan’s Health Information Protection Act [HIPA], and British Columbia’s E-Health Act (Personal Health Information Access and Protection of Privacy): all have passed and are in effect but are not deemed equivalent to PIPEDA. Thus private sector health organizations in Manitoba, Saskatchewan, and British Columbia need to comply both with the provincial health information legislation and PIPEDA while public sector organizations are governed only by the provincial health information legislation.
• Newfoundland and Labrador has passed a statute, the Personal Health Information Act, that has not yet come into force (and has not been deemed equivalent to PIPEDA by the federal government) but, when it does come into force in Newfoundland and Labrador, both it and PIPEDA will have an effect on genealogists seeking certain materials from that province.
All this legislation is relevant to those genealogists who might be searching for hospital records. I have been asked questions by people, for example, seeking to know whether their relatives have spent time in the tuberculosis sanitariums in Ontario. In general, because of this legislation and older law relating to medical records, such information is only available to patients (and, in some cases, their legal representatives).
Access, Privacy, and Genealogical Research
If you are trying to find out about someone and you know that a number of public and private sector organizations in Canada may hold information about this person, you can apply to any organization that you believe might have records, any selection of them, or all of them. It is a common practice to apply to more than one organization. Since personal data protection and access legislation differs from province to province and between territories and federal legislation, what is not released to you from one organization may be made available to you from another. You may not get the original letter from the organization that holds it, but you may get a copy of it from another.
In most jurisdictions, if you are acting as agent for the legally appointed personal representative or executor of a person who has died and you are within the number of years that jurisdiction protects personal data held by organizations, you can insist that the personal information about that person be released to you. You can also help a person to whom information relates to apply to an organization governed by personal data protection legislation for information about her- or himself. You cannot, however, represent yourself as agent for people with whom you have no direct connection. For example, you cannot represent yourself as acting as agent for a granddaughter in applying for information about her just because you are working on a genealogy of your family that includes her.
Curiously there is no provision for a deceased’s legal representative to act after death regarding personal information under PIPEDA. So, it would appear that during the 20 years following an individual’s death that PIPEDA applies to that person, organizations covered by PIPEDA will be unable to release information about that individual to anyone at all (if the record in question is under 100 years old). Under the federal public sector Privacy Act, there is a specific provision providing for access by the deceased’s legally appointed personal representative or executor — but only for purposes of administration of the estate, not for genealogy.
Personal data protection in the public sector in Canada is largely complaint-driven. That is, under the statutes, the person whose information has been wrongly handled by the organization involved can complain. At the federal level and in Ontario, British Columbia, Alberta, Newfoundland and Labrador, and Prince Edward Island there are Commissioners to whom the complaint is made (although in Newfoundland and Labrador, the person concerned can choose to go to court instead of to the Commissioner).
In Quebec, there is a Commission. In Manitoba and New Brunswick complaints are handled through the provinces’ Ombudspersons — but New Brunswick also offers the alternative of going to court. In Nova Scotia, a complaint may be taken either to the Review Officer appointed under its Freedom of Information and Protection of Privacy Act or to court.
At the federal level (and in Manitoba, Saskatchewan, Newfoundland and Labrador, New Brunswick, and Nova Scotia), the Commissioner (or other complaints investigator created under that province’s statute) must investigate the complaint against a public sector organization covered by the legislation but then can only make a recommendation. With respect to the federal Privacy Act, if the public sector organization involved does not comply with the Commissioner’s recommendation, the Commissioner may take the matter to the courts. At the federal level, the Privacy Commissioner is a separate office from the Information Commissioner whereas, in the provinces, the roles are combined. In some cases the federal Privacy Commissioner and the federal Information Commissioner (who is focused on public access to government information) have taken different positions before the Federal Court.
In Alberta, British Columbia, Ontario, Prince Edward Island, and Quebec, the decisions of the Commissioners or other reviewing appointees are final and determinative of the complaint. In these provinces, the courts will only become involved if one of the parties to the complaint formally appeals the decision by the Commissioner or other complaints decision-maker under the statutes (or, of course, in New Brunswick, Newfoundland and Labrador, and Nova Scotia if the complainant decides to go directly to the courts for relief, as mentioned above).
With respect to Ontario’s public sector legislation, the Ontario Commissioner him- or herself has legally binding decision-making power — but the individual involved in making the complaint will not receive direct compensation (that is, money) for breaches of the statute. As is evident from the description here about who decides when a complaint is launched in a given jurisdiction, each province and territory has set up its own mechanism to handle violations of its personal data protection regime or regimes.
The Ontario Commissioner’s Office recently released a decision involving genealogical research.12 The adjudicator found that the names, grades, and dates of students’ attendance at a school are the personal information of the students. As well, the teachers’ names are also personal as part of their employment history. Nevertheless, the information requested that involved students and teachers who died before 1979 was found to not be covered by the Ontario personal data protection legislation and thus would be accessible to a genealogist requesting it from the public sector school board that held it. The adjudicator also dealt with the problem the school board then faced about how to know who had died by 1979 in a large group of photos. The adjudicator looked at life expectancy data produced by Statistics Canada for the relevant period and decided the Board must release, under its legislated access mandate, information on those born before 1919. Endeavouring to gain access to information about those in the pictures born after 1919 as well, the genealogist making the request argued that he was engaged in “research.” The Commissioner’s Office agreed that genealogy is research but held that it did not comply with the statutory conditions of the research exception to personal data protection — that the research meet security and confidentiality conditions — and thus, although engaged in research, the genealogist was not given access to information about students or teachers whose information was still governed by the legislation (those born after 1919).
The federal private sector personal data protection regime, however, legislates different consequences for breach than exist in the federal public sector Privacy Act context we have just mentioned. Under PIPEDA, as under the federal Privacy Act, the federal Privacy Commissioner must investigate the complaint made and must then make a recommendation. However, under PIPEDA, once the report of the Privacy Commissioner has been issued, either the Commissioner or the complainant can take the organization being complained about to the Federal Court. At this point, it is open to the Court, if the complaint is judged to be well-founded, to order, among other things, that the organization involved pay damages (that is, money) to the complainant. This provision makes the risk of non-compliance to a private sector organization governed by PIPEDA
