ATIPPA is the law that public bodies must follow relating to the privacy of the personal information they hold. The Act also provides an opportunity for individuals to make a complaint about any privacy violation by a public body. If there is reason to believe that a public body has violated the Act, a complaint can be made to the Office of the Information and Privacy Commissioner (IPC).
The Health Information Privacy and Management Act supports custodians in protecting personal health information (PHI), and allows for an individual to make a complaint if they feel their PHI has been improperly collected, used, or disclosed to others.
Personal health information includes, among other things:
- information about one's health including information in medical records or files,
- information about health care that has been received,
- records of payments for health care,
- information about testing or examinations,
- information about the donation of a body part, tissue, or bodily substance, and
- a Yukon public health insurance plan number.
If someone believes a health custodian has violated their privacy, a complaint can be made to the Information and Privacy Commissioner (IPC).
Public bodies and health custodians are obliged to comply with the Acts they fall under.
A public body, under the ATIPPA:
- can only collect personal information if a law authorizes the collection, including for such things as operating a program or activity or for law enforcement purposes;
- must explain the purpose for collecting personal information, its authority for collection, and provide the individual with the business title, address and telephone number of one of its officers or employees who can answer questions about the collection;
- can only use or disclose personal information for the purpose it was collected, for a consistent purpose, with consent for another purpose, or for the other specified purposes;
- may, at one's request, correct inaccurate personal information it holds and, if it refuses, it must make a note showing the request for correction;
- must make reasonable security arrangements to protect personal information from such risks as accidental loss or alteration, and unauthorized access, use, disclosure, or disposal.
A public body's obligations are covered under Compliance, with guidance documents available under Resources.
A health custodian, under the HIPMA, must:
- limit the collection, use, and disclosure of personal health information, and implement information management practices, including policies, that ensure the confidentiality, security and integrity of any personal health information they hold;
- establish retention policies and ensure personal health information is securely disposed of or destroyed when the retention period expires;
- make a public statement about their information practices and identify a contact individual who is responsible to receive and respond to complaints and requests for access.
A custodian's obligations are covered under Compliance, with guidance documents available under Resources.
The Federal Personal Information Protection and Electronic Documents Act applies to private businesses conducting commercial activity and some private organizations. The Privacy Act applies to Federal government Departments and Agencies. For more on Federal legislation, go to the Office of the Privacy Commissioner of Canada.