Privacy in Your Practice
The protection of personal information is essential to the operations of any private sector organization. As providers of a service that collects, uses and discloses personal information in the course of commercial and professional activity, veterinarians are legally responsible, under the Personal Information Protection and Electronic Documents Act (PIPEDA), for protecting the privacy of the personal information they receive.
What is personal information?
Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- Age, name, ID numbers, income, ethnic origin;
- Opinions, evaluations, and comments; and
- Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, and intentions (for example, to acquire goods or services).
How do veterinarians collect personal information?
There are a variety of ways in which veterinarians collect personal information during regular business practice, the most common being the creation and updating of animal medical records. Other examples include electronic communications, client surveys, and payment collection services.
What conversations should veterinarians be having with clients regarding personal information?
Veterinarians must obtain client consent when they collect, use or disclose any personal information. Personal information can only be used for the purposes for which it was collected. If a veterinarian intends to use the information collected for any other purpose, they must once again obtain client consent.
What conversations should veterinarians be having with third-party service providers?
The College is aware that many veterinarians choose to partner with third-party service providers for electronic medical records and other practice management related purposes. When contracting these services, the veterinarian is responsible for ensuring that the third-party service provider upholds the same level of privacy protection expected of veterinarians.
What is considered a breach of privacy of personal information?
A breach of security safeguards is defined in PIPEDA as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.
What are veterinarians expected to do if there is a breach of privacy of information?
Private sector organizations subject to PIPEDA, including accredited veterinary facilities, are required to report to the Privacy Commissioner of Canada any breaches of security systems involving personal information (e.g. hacking, stolen hard drives, malware) that pose a real risk of significant harm to individuals. They are also required to notify the affected individuals about those breaches and to keep records of all breaches for a period of two years.
Is all information contained in an animal’s medical record considered personal information?
While not all information contained in an animal’s medical record is considered personal information by PIPEDA standards, Section 17 (1) 6. in Regulation 1093 of the Veterinarians Act states that it is professional misconduct for a veterinarian to reveal:
i. with the consent of the client,
ii. if required or authorized to do so by law,
iii. to prevent, or contribute information for the treatment of, a disease or physical injury of a person, or
iv. Revoked: O. Reg. 233/15, s. 11 (1).
v. for the purpose of identifying, locating or notifying the apparent owner of the animal, protecting the rights of the apparent owner or enforcing applicable laws in respect of the animal, where it appears that the animal is not owned by the person presenting it for treatment.
Given this, all information contained in an animal’s medical record is subject to confidentiality and requires informed client consent before it can be disclosed. For more information on these requirements, please consult the College’s Professional Practice Standard: Medical Records.