Overview and Current Developments of Privacy Laws in Canada

The Office of the Privacy Commissioner of Canada oversees compliance with two important pieces of legislation:

  • The Privacy Act: This Act relates to the handling practices of federal government departments and agencies with regard to personal information. Individuals can access and correct personal information that the government of Canada holds about them under this legislation. This Act also relates to how the government uses, collects, or discloses personal information when providing services (such as employment insurance or old age pensions). It only applies to federal government institutions that are listed in the Privacy Act Schedule of Institutions.
  • The Personal Information Protection and Electronic Documents Act (PIPEDA): This is the federal private-sector privacy legislation.

Provincial privacy laws and PIPEDA

Privacy legislation in a province that has been deemed “substantially similar” to PIPEDA will apply in that province instead. Alberta, Quebec and British Columbia have substantially similar privacy legislation to PIPEDA generally, and Ontario, New Brunswick, and Newfoundland and Labrador have substantially similar health-specific privacy legislation. The replacement of PIPEDA by provincial legislation only applies when an organization wholly operates in the province, and is not operating nationally or across borders. Several other sector-specific privacy laws exist that deal with the protection of personal information, such as the Bank Act.

PIPEDA relates to how organizations collect, use, or disclose personal information during commercial activities in Canada (not any other activity). This means that the Act usually does not apply to charities, not-for-profits, and political parties (unless they are engaged in commercial activities).

Digital Privacy Act

Bill S-4, The Digital Privacy Act, introduced amendments to PIPEDA in June 2015, but didn’t come into force in full. It is anticipated that some of the clauses in The Digital Privacy Act will do so in July 2017. Some important highlights include:

  • Reporting to the Privacy Commissioner: An organization must report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual (Section 10.1(1)).
  • Notification to an individual: An organization must notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual (Section 10.1(3)).
  • Time to give notification: The notification shall be given as soon as feasible after the organization determines that the breach has occurred (Section 10.1(6)).
  • “Significant harm”: The definition of “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property (Section 10.1(7)).
  • The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include:
    • (a) the sensitivity of the personal information involved in the breach;
    • (b) the probability that the personal information has been, is being or will be misused; and
    • (c) any other prescribed factor (section 10.1(8)).
  • Notification to organizations: An organization that notifies an individual of a breach must also notify any third party (any other organization, a government institution or a part of a government institution) that the organization experiencing the breach believes is in a position to reduce the risk or mitigate the risk of harm (Section 10.2(1)).
  • Records must be kept regarding every breach of security safeguards that involves personal information under an organization’s control (Section 10.3(1)) and, upon request, the Commissioner must be provided access to, or a copy of, a record (Section 10.3(2)).

“Best efforts” in a contract means what?

Have you ever signed a contract that imposed an obligation on you to make “best efforts” to achieve something (like obtain a landlord’s consent, or a regulatory approval)? This might seem to be an innocuous turn of phrase with a simple, common sense meaning, but as with so many things in contracts, the words “best efforts” have a particular legal meaning, and it’s surprising how many lawyers, not to mention their clients, have only a vague idea what that meaning is.

That’s not to say that the phrase fails to set off alarm bells with lawyers, amongst whom there is much gnashing of teeth as to the different standards that might be set by a requirement for “best efforts”, compared to merely “commercially reasonable” efforts (or confusing hybrids like “commercially reasonable best efforts”, and similar formulations such as “bona fide efforts”). Part of this stems from confusion, and part from some scary-sounding words in pronouncements of the courts over the years. According to the Common Law, this is what “best efforts” means:

  1. “Best efforts” imposes a higher obligation than a “reasonable effort”.

  2. “Best efforts” means taking, in good faith, all reasonable steps to achieve the objective, carrying the process to its logical conclusion and leaving no stone unturned.

  3. “Best efforts” includes doing everything known to be usual, necessary and proper for ensuring the success of the endeavour.

  4. The meaning of “best efforts” is, however, not boundless. It must be approached in the light of the particular contract, the parties to it and the contract’s overall purpose as reflected in its language.

  5. While “best efforts” of the defendant must be subject to such overriding obligations as honesty and fair dealing, it is not necessary for the plaintiff to prove that the defendant acted in bad faith.

  6. Evidence of “inevitable failure” is relevant to whether a failure to make best efforts actually caused any damage. The onus to show that failure was inevitable regardless of whether the defendant made “best efforts” rests on the defendant.

  7. Evidence that the defendant, had it acted diligently, could have satisfied the “best efforts” test is relevant evidence that the defendant did not use its best efforts.


It’s a sometimes dim memory of the phrase “leaving no stone unturned” that causes anxiety and drives lawyers to recommend to their clients that they assume only a duty to make “commercially reasonable” (or “reasonable commercial”) efforts. The fear is that turning over every stone amounts to a legal obligation to bankrupt yourself, if that’s what it takes, but does “best efforts” really mean a party has to go to commercially unreasonable lengths to get the thing done? Note paragraph 2 in the list above – “‘Best efforts’ means taking, in good faith, all reasonable steps…”.

This seems to mean that best efforts and reasonable efforts are one and the same, but it’s hard to take comfort in the “reasonable” language in paragraph 2, since, as set out in paragraph 1, the courts state flatly that “best efforts” imposes a higher obligation than “reasonable efforts”; and while that might seem to be contradicted by the notion of “reasonable” steps, note how, in paragraph 3, the law then equates “reasonable” with “no stone unturned” (no reasonable stone, perhaps?).

It’s to avoid the possibly onerous obligation to “leave no stone unturned” that lawyers recommend their clients assume only an obligation to make “reasonable efforts” instead, and even here, there is doubt, since it isn’t clear that “reasonable” means the same thing as “commercially reasonable” – there’s no guidance from the courts to make that clear. In fact, despite lawyers playing around with all sorts of formulations, such as “reasonable best efforts”, we really only have any degree of certainty about two phrases: “best efforts” and “reasonable commercial efforts”.

Here’s what the Ontario courts have said about “reasonable commercial efforts”:


Reasonable implies sound judgment, a sensible view, a view that is not absurd. Commercial means having profit or financial gain as opposed to loss as a primary aim or object. These words impose a standard of reasonable commercial efforts, not one of best efforts or bona fide efforts.

So there you have it. “Reasonable commercial efforts” means efforts that are reasonable in view of the overall objective of coming out ahead in the deal, and that’s different from “best”, from “bona fide”, and maybe from just plain “reasonable”, too, if we are to infer that the word “commercially” also influences the analysis (perhaps “reasonable” equates with “possible”, while “commercially reasonable” means “possible plus not too unprofitable”?). It can all seem like arcane hair-splitting, but as long as the courts are going to insist there’s a distinction, however illogical it might seem upon close reading of their reasons, it does seem prudent to prefer “reasonable commercial efforts” for your own obligations, and “best efforts” for the other side, if they can be persuaded. All other variations should be avoided, however similar they may seem from a practical perspective. We just can’t be sure what a court would do with them.

Sexual abuse of patients by health care providers

Physicians and other regulated health professionals have a duty to act in the best interests of their patients, an obligation that has always been viewed as being generally incompatible with any sort of sexual relationship between health care providers and patients. Under the Regulated Health Professions Act, Ontario takes a zero tolerance approach to sexual activity between patients and health care providers, and it’s no defence to argue that a sexual relationship between a patient and a provider is consensual. All sexual acts, including “behaviour and remarks of a sexual nature” come within the definition of “sexual abuse”, though the concept “of a sexual nature” excludes touching, behaviour, or remarks of a clinical nature appropriate to the service provided.

The Health Professions Procedural Code provides for mandatory revocation of a regulated health professional’s certificate of registration for certain instances of sexual abuse – if the abuse comes within a defined list of sexual acts, revocation must result. For sexual abuse that does not involve these acts, the penalty is at the discretion of the Discipline Committee. If a provider’s certificate of registration has been revoked, the provider can’t apply for re-instatement for 5 years.

The mandatory revocation provisions have been challenged in the Court of Appeal several times since they took effect in December of 1993. This month the Divisional Court affirmed the legislative scheme, and specifically the mandatory revocation sections, as being constitutional[1]. The Court affirmed that there is no constitutional right to practise a profession; that a revocation of a professional license is not a deprivation of an individual’s liberty (and therefore not contrary to section 7 of the Charter) and that the ordeal of undergoing disciplinary proceedings (and the related media storm) is not a violation of a provider’s security interests (also protected under section 7 of the Charter).

Over the years, some providers have argued in court that the zero tolerance provisions are too broad because they include spouses, and sexual relationships that pre-date the professional relationship, and certain exemptions with respect to spousal relationships have been added to the Act. A spousal exemption enacted in 2013, to permit treatment of spouses where the profession makes a regulation to that effect, gave rise to a novel defence in a recent abuse case.

In Sliwin v CPSO, the provider argued that his multi-year extra-marital relationship, conducted clandestinely in his office, in exchange for free (and major) cosmetic surgery, was tantamount to a spousal relationship, even though they did not cohabit. The court rejected this argument, holding that the exemption is specific, unambiguous and narrowly drafted to include only spouses, as defined in the Family Law Act (which includes married and common law spouses), and only sexual relationships that occur when the provider is not engaged in the practice of the profession.

Zero tolerance for sexual abuse is now an entrenched principle, and in some ways is becoming even more strict. The Ontario government has recently proposed changes to expand the list of defined sexual acts which, once proven, will require mandatory revocation; the proposed changes will also require suspension of a professional’s privilege to practise where outright revocation is not mandatory. Debates about these changes, embodied in Bill 87, the Protecting Patients Act, began on March 27, 2017. As of April 13, 2017, the Bill is at second reading and has been referred to the Standing Committee of the Legislative Assembly of Ontario.

While the Bill expands the grounds for mandatory revocation, and increases fines for failures to report instances of sexual abuse of patients, the proposed amendments would introduce temporal parameters around the meaning of “patient”. In Bill 87, a patient remains a patient for one year after the end of the patient-provider relationship. Additional criteria for defining “patient” may be set out in a government regulation. This introduces some flexibility into the zero tolerance approach and reflects some of the arguments previously advanced by unsuccessful litigant health care professionals.

To see Bill 87, go to http://www.ontla.on.ca/web/bills/bills_detail.do?locale=en&BillID=4477&detailPage=bills_detail_the_bill

To see the decision of the Divisional Court in Sliwin v. CPSO (2017), go to http://www.canlii.org/en/on/onscdc/doc/2017/2017onsc1947/2017onsc1947.html?searchUrlHash=AAAAAQAGc2xpd2luAAAAAAE&resultIndex=7

To see a list of the 26 professions regulated under the RHPA, go to https://www.ontario.ca/laws/statute/91r18#BK52 and then click on Schedule 1.

Simmie Palter is senior health law counsel at Dykeman & O’Brien LLP. Professional regulation is one of Simmie’s main areas of interest, but she provides advice in many other aspects of health law. The views expressed herein do not constitute legal advice. For more information email spalter@ddohealthlaw.com.

[1] Sliwin v. College of Physicians and Surgeons of Ontario 2017 ONSC 1947 (CanLII, Div Ct).

CFTA will replace AIT this summer

The Agreement on Internal Trade (AIT) will be replaced by the Canadian Free Trade Agreement (CFTA) on July 1, 2017. The AIT has been in force since 1995 and its purpose was to improve interprovincial trade by removing trade barriers and harmonizing standards across provinces.

Ontario health care organizations that are subject to the BPS Procurement Directive rely on AIT exemptions to allow them to sole-source or single-source in specified circumstances.

DDO Health Law is undertaking an analysis to identify what has stayed the same in the CFTA – and what has changed with respect to procurement rules, thresholds and exemptions. How will this impact your health care organization? Stay tuned! We will post more!

See the CFTA and more background info at:


If you have any questions about how the CFTA may impact your health care organization and its procurement activities, please contact me at kobrien@ddohealthlaw.com.

And follow me on Twitter @KathyOB_DDO and follow DDO @DDOHealthLaw.