Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as: 

• Age, name, ID numbers, income, ethnic origin; 

• Opinions, evaluations, and comments; and 

• Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, and intentions (for example, to acquire goods or services). 

There are a variety of ways in which veterinarians collect personal information during regular business practice, the most common being the creation and updating of animal medical records. Other examples include electronic communications, client surveys, and payment collection services. 

Veterinarians must obtain client consent when they collect, use, or disclose any personal information. Personal information can only be used for the purposes for which it was collected. If a veterinarian intends to use the information collected for any other purpose, they must once again obtain client consent. 

The College is aware that many veterinarians choose to partner with third-party service providers for electronic medical records and other practice management related purposes. When contracting these services, the veterinarian is responsible for ensuring that the third-party service provider upholds the same level of privacy protection expected of veterinarians. 

A breach of security safeguards is defined in PIPEDA as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards. 

Private sector organizations subject to PIPEDA, including accredited veterinary facilities, are required to report to the Privacy Commissioner of Canada any breaches of security systems involving personal information (e.g. hacking, stolen hard drives, malware software, etc.)  that pose a real risk of significant harm to individuals. They are also required to notify the affected individuals about those breaches and to keep records of all breaches for a period of two years. 

What you need to know about mandatory reporting of breaches of security safeguards

While not all information contained in an animal’s medical record is considered personal information by PIPEDA standards, Section 17 (1) 6. in Regulation 1093 of the Veterinarians Act states that it is professional misconduct for a veterinarian to reveal: 

information concerning a client, an animal or any professional service performed for an animal, to any person other than the client or another member treating the animal except, 

i. with the consent of the client, 

ii. if required or authorized to do so by law, 

iii. to prevent, or contribute information for the treatment of, a disease or physical injury of a person, or 

iv. Revoked: O. Reg. 233/15, s. 11 (1). 

v. for the purpose of identifying, locating or notifying the apparent owner of the animal, protecting the rights of the apparent owner or enforcing applicable laws in respect of the animal, where it appears that the animal is not owned by the person presenting it for treatment. 

Given this, all information contained in an animal’s medical record is subject to confidentiality and requires informed client consent before it can be disclosed. For more information, please consult the College’s Professional Practice Standard: Medical Records.