Section 9 of PIPEDA: When Data Can’t Be Shared

Understanding PIPEDA and Why It Matters for Healthcare Clinics in Canada 

What is PIPEDA?

PIPEDA, or the Personal Information Protection and Electronic Documents Act, is a law in Canada that governs how organizations handle personal information in the course of their business. For healthcare clinics, adhering to PIPEDA is crucial because patient data is extremely sensitive, and protecting this information builds trust and ensures that clinics meet legal and ethical obligations.

Healthcare providers collect a lot of personal information, such as medical records, contact details, and more. PIPEDA helps ensure that this data is handled securely, used appropriately, and shared only with proper consent. Failing to comply with PIPEDA can lead to significant consequences, including legal penalties and damage to the clinic’s reputation.

A quick primer on PIPEDA, Canada’s data privacy regulation, can be read here

Section 9 of PIPEDA: When Data Can’t Be Shared

PIPEDA promotes transparency by allowing individuals to request access to their personal information. However, there are some exceptions to this. Section 9 outlines specific situations where organizations might have to refuse sharing data to protect privacy or security. Let’s break it down: 

1. Protecting Other People’s Privacy (9.1)

Sometimes, sharing your personal information might also reveal details about someone else. For example, if someone else’s medical data is linked with yours, the clinic can’t share the information unless it can remove (or “sever”) the other person’s details. If the third person agrees, or if it’s a situation involving someone’s life, health, or safety, the organization can share the information. 

2. Government Requests (9.2 & 9.3)

If your personal information has been disclosed to a government agency (for example, in a legal case or investigation), you can ask the clinic for details about that disclosure. However, the clinic must first notify the agency, which has 30 days to object if providing the information could harm national security, the detection or prevention of crimes such as money laundering, or law enforcement. If the agency objects, the clinic cannot provide you with the requested data, and it cannot even tell you that it contacted the agency.

3. Sensitive Legal Information (9.3)

There are specific situations where sharing personal information is prohibited:

  • If the information is protected by solicitor-client privilege (for example, if a lawyer discussed something confidential with you).
  • If it involves confidential business information that could harm the clinic’s business if shared.
  • If revealing the information could threaten someone’s safety.
  • If the information was collected during a formal dispute process or relates to an investigation.

If any of this information can be removed (severed) without affecting the rest of your data, the clinic is required to provide you access to your personal information. 

4. Life and Safety Exceptions (9.4)

If someone’s life, health, or safety is at risk, the restrictions don’t apply, and the clinic must provide access to the necessary information.

5. Notifying the Commissioner (9.5)

When an organization refuses access to certain types of information, especially in cases involving legal investigations or safety concerns, they must notify the Privacy Commissioner of Canada. This ensures that there’s oversight and that organizations aren’t misusing these exceptions to hide important information.

C) Why These Exceptions Exist

The exceptions in Section 9 of PIPEDA are designed to balance privacy rights with the need to protect individuals and society. While people have the right to access their personal data, the law recognizes that sharing some information could harm others or interfere with important activities like law enforcement or national security. 
By following these rules, healthcare clinics can ensure they’re protecting both their patients and the broader public while staying compliant with Canadian privacy laws. 

If you need more information on how PIPEDA and cybersecurity impact your organization, in plain, simple-to-understand language, please do reach out to me at harini.pallavi@friggp2c.com. I would be happy to explain.

D) Original text of Section 9

When access is prohibited
(1) Despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.

Marginal note: Limit
(2) Subsection (1) does not apply if the third party consents to the access or the individual needs the information because an individual’s life, health or security is threatened.

Marginal note: Information related to paragraphs 7(3)(c), (c.1) or (d)
(2.1) An organization shall comply with subsection (2.2) if an individual requests that the organization
(a) inform the individual about
(i) any disclosure of information to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d), or
(ii) the existence of any information that the organization has relating to a disclosure referred to in subparagraph (i), to a subpoena, warrant or order referred to in paragraph 7(3)(c) or to a request made by a government institution or a part of a government institution under subparagraph 7(3)(c.1)(i) or (ii); or
(b) give the individual access to the information referred to in subparagraph (a)(ii).

Marginal note: Notification and response
(2.2) An organization to which subsection (2.1) applies

(a) shall, in writing and without delay, notify the institution or part concerned of the request made by the individual; and
(b) shall not respond to the request before the earlier of
(i) the day on which it is notified under subsection (2.3), and
(ii) thirty days after the day on which the institution or part was notified.

Marginal note: Objection
(2.3) Within thirty days after the day on which it is notified under subsection (2.2), the institution or part shall notify the organization whether or not the institution or part objects to the organization complying with the request. The institution or part may object only if the institution or part is of the opinion that compliance with the request could reasonably be expected to be injurious to

(a) national security, the defence of Canada or the conduct of international affairs;
(a.1) the detection, prevention or deterrence of money laundering or the financing of terrorist activities; or
(b) the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.

Marginal note: Prohibition
(2.4) Despite clause 4.9 of Schedule 1, if an organization is notified under subsection (2.3) that the institution or part objects to the organization complying with the request, the organization

(a) shall refuse the request to the extent that it relates to paragraph (2.1)(a) or to information referred to in subparagraph (2.1)(a)(ii);
(b) shall notify the Commissioner, in writing and without delay, of the refusal; and
(c) shall not disclose to the individual
(i) any information that the organization has relating to a disclosure to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d) or to a request made by a government institution under either of those subparagraphs,
(ii) that the organization notified an institution or part under paragraph (2.2)(a) or the Commissioner under paragraph (b), or
(iii) that the institution or part objects.

Marginal note: When access may be refused
(3) Despite the note that accompanies clause 4.9 of Schedule 1, an organization is not required to give access to personal information only if

(a) the information is protected by solicitor-client privilege or the professional secrecy of advocates and notaries or by litigation privilege;
(b) to do so would reveal confidential commercial information;
(c) to do so could reasonably be expected to threaten the life or security of another individual;
(c.1) the information was collected under paragraph 7(1)(b);
(d) the information was generated in the course of a formal dispute resolution process; or
(e) the information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act.
However, in the circumstances described in paragraph (b) or (c), if giving access to the information would reveal confidential commercial information or could reasonably be expected to threaten the life or security of another individual, as the case may be, and that information is severable from the record containing any other information for which access is requested, the organization shall give the individual access after severing.

Marginal note: Limit
(4) Subsection (3) does not apply if the individual needs the information because an individual’s life, health or security is threatened. 

Marginal note: Notice
(5) If an organization decides not to give access to personal information in the circumstances set out in paragraph (3)(c.1), the organization shall, in writing, so notify the Commissioner, and shall include in the notification any information that the Commissioner may specify.

2000, c. 5, s. 9, c. 17, s. 97
2001, c. 41, s. 82
2005, c. 46, s. 57
2006, c. 9, s. 223
2015, c. 32, s. 9
2019, c. 18, s. 61
Still in doubt, or need guidance or immediate assistance?

Why don’t you contact us at (+91 733-113-2288), or write to us at (service@friggp2c.com | friggp2c@gmail.com)
Also, check out our services like Vulnerability Assessment, Penetration Testing, Code Review, Testing as a Service, and Risk Management on our website www.friggp2c.com.
We are determined to work with and for you and make your organization one of the safest business organizations for you, your customers, and all prospective clients.

About the Author

Harini is one of the principal auditors for Frigg Business Solutions. She is an accomplished information security expert who led critical security initiatives that shielded multinational corporations from cyber-attacks, thwarted data breaches, and secured critical infrastructure.
Harini has successfully implemented the Health Information Trust Alliance – (HITRUST) common security framework and ensured 100% compliance in all these organizations. She is a Certified Risk Professional (CRiSP), Information Security Lead Auditor, HITRUST Implementor, HIPAA Compliance Expert, and Certified in Six Sigma (Black belt & Green belt).