📣 Heads up: This guide is a general summary and is not intended as legal advice. For guidance specific to your practice, consult a legal professional or your regulatory body.
PIPEDA is Canada’s primary federal privacy law, and it applies to how your clinic collects, uses, and protects patient personal information. This guide walks through each of PIPEDA’s 10 fair information principles and explains how Jane’s features can help support your clinic’s compliance.
Privacy law in Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the primary federal privacy law for private-sector organizations in Canada. It governs how personal information is collected, used, and disclosed in the course of commercial activity.
Depending on where your clinic operates, provincial legislation may also apply. Ontario, Alberta, and British Columbia each have their own health privacy legislation, and Quebec clinics should be aware of Law 25. The Office of the Privacy Commissioner (OPC) has guidance on how federal and provincial laws interact. If you’re unsure which laws apply to your practice, your provincial regulatory body or a privacy professional can help.
Jane’s role vs. your clinic’s role
As outlined in Jane’s Privacy Notice, Jane does not control access to or use of the data entered into Jane. Each clinic manages this individually through contracts, internal agreements, Staff Access Levels, and settings within Jane. While Jane’s features support compliant treatment of data, your clinic is ultimately responsible for handling patient information appropriately.
What counts as personal information?
Under PIPEDA, personal information is any factual or subjective information, recorded or not, about an identifiable individual. In practice, this is any detail that can be used, alone or combined with other details, to identify a specific person.
This includes information in any form, such as:
- Age, name, ID numbers, income, ethnic origin, or blood type
- Opinions, evaluations, comments, social status, or disciplinary actions
- Employee files, credit records, loan records, medical records, and stated intentions (for example, to acquire goods or services, or change jobs)
PIPEDA’s 10 fair information principles
PIPEDA’s 10 fair information principles govern how personal information is collected, used, and disclosed, and define individuals’ rights to access that information. Here’s how Jane can help your clinic work toward compliance with each one.
Jump to any of the 10 principles:
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
1. Accountability
PIPEDA Fair Information Principle 1 – Accountability
“An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.”
The person responsible for your clinic’s privacy compliance should also be the Account Owner in Jane. To learn more, check out our guide on How to Check Who’s Listed as Account Owner.
Each staff member should have their own profile in Jane to minimize shared access and reduce data entry errors. The Account Owner can manage what each staff member can access using Staff Access Levels.
2. Identifying Purposes
PIPEDA Fair Information Principle 2 – Identifying Purposes
“The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.”
How Jane can help: Jane’s Intake Forms feature lets you state the purpose of data collection to patients at the point of collection, before or at their first appointment.
3. Consent
PIPEDA Fair Information Principle 3 – Consent
“The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.”
How Jane can help: You can create and customize your own consent forms using Jane’s Intake Forms feature to support your PIPEDA consent obligations.
4. Limiting Collection
PIPEDA Fair Information Principle 4 – Limiting Collection
“The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.”
This principle means collecting only the information required for the stated purpose. For example, if a patient is visiting your clinic for treatment, PIPEDA requires that you collect only what is reasonably necessary for that treatment.
How Jane can help: Jane’s Intake Forms feature lets you control exactly which profile fields you collect from patients. You can customize the Profile Fields tab to collect only the information relevant to your practice.
5. Limiting Use, Disclosure, and Retention
PIPEDA Fair Information Principle 5 – Limiting Use, Disclosure, and Retention
“Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.”
This principle relates to how your clinic uses, discloses, and retains patient information on a day-to-day basis.
How Jane can help: Jane offers several features to support this principle, including Staff Access Levels, chart privacy settings, the Patient Data Retention Report, and patient data deletion.
6. Accuracy
PIPEDA Fair Information Principle 6 – Accuracy
“Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.”
In a clinical context, this means the information collected and stored about patients should accurately and completely reflect what’s needed to provide sound care.
How Jane can help: Clinics can use periodic Intake Forms to prompt patients to review and update their information. Patients can also log into their My Account portal to update their details directly. Jane also applies formatting validation behind the scenes to help ensure information is entered correctly (for example, requiring a valid date in the date of birth field).
7. Safeguards
PIPEDA Fair Information Principle 7 – Safeguards
“Personal information must be protected by appropriate security relative to the sensitivity of the information.”
Health data is among the most sensitive categories of personal information and should receive the strongest protections.
How Jane can help: Jane has implemented a number of security and privacy measures to keep your data secure. Check out our guide on Security Features in Jane for a full overview of the options available, which can complement the data safety practices you implement at the clinic level.
8. Openness
PIPEDA Fair Information Principle 8 – Openness
“An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.”
Patients have a right to understand how their personal information is being protected, and transparency is a key part of both safety and legal compliance.
How Jane can help: You can use Jane’s Intake Forms feature to add a privacy policy template to your consent forms. You may also wish to post your privacy policy on your Online Booking site.
9. Individual Access
PIPEDA Fair Information Principle 9 – Individual Access
“Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.”
Patients have the right to know what information your clinic holds about them, how it’s being used, and to request corrections where needed. Note that there is some nuance around providing access to health data specifically. Check with your regulatory body if you have questions.
🩵 Jane Tip: When a patient requests their personal information, you can export chart data at any time from within Jane, or use the shared chart feature to give patients direct access to their chart entries.
10. Challenging Compliance
PIPEDA Fair Information Principle 10 – Challenging Compliance
“An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer.”
Each clinic needs to appoint an internal privacy contact to monitor PIPEDA compliance and respond to complaints and inquiries.
How Jane can help: While your clinic is responsible for responding to patient inquiries about the personal information it holds, you can reach Jane’s Privacy Team at [email protected] for questions about Jane’s own privacy compliance.