Key Takeaways
- Quebec's Loi 25 (Law 25) introduced the most stringent privacy requirements in Canada, with a phased implementation from 2022 through 2024 that imposed new obligations for consent management, breach notification, privacy impact assessments, and the appointment of a privacy officer — all of which apply to residential care operators handling personal health information in Quebec.
- Canadian residential care operators navigate a layered privacy framework: federal PIPEDA establishes the baseline for private-sector organizations, while provincial health information acts (Ontario's PHIPA, Alberta's HIA, BC's PIPA) impose sector-specific requirements for personal health information that may exceed PIPEDA in scope and prescription.
- Personal health information in long-term care settings includes not only clinical records but also medication administration data, behavioural observations, family communications, care plan discussions, and staff notes — all of which are subject to privacy legislation and must be protected, accessed, and disclosed in accordance with applicable law.
- Privacy impact assessments (PIAs) are mandatory under Loi 25 for any project involving the collection, use, or disclosure of personal information, and are required or strongly recommended under most provincial health information statutes when new technology systems are implemented in care settings.
- Technology platforms used in residential care must provide granular access controls, immutable audit trails, consent management capabilities, and data breach detection and notification workflows to meet the privacy compliance requirements of Loi 25, PIPEDA, and provincial health information statutes.
Introduction
A residential care facility in Montreal receives a request from a resident's adult child. The child wants a complete copy of their parent's care records — medication history, progress notes, behavioural observations, incident reports, and care conference summaries. The request seems straightforward. But under Quebec's privacy framework, the answer involves multiple layers of legal analysis. Does the child have legal authority to make this request on behalf of the resident? Has the resident provided consent for disclosure to this family member? Does the resident have the capacity to consent, and if not, who is the mandataire (legal representative)? Which specific records can be disclosed, and which elements — such as notes referencing other residents or staff observations not yet reviewed by the resident — must be redacted? What is the timeline for responding, and what must the facility document about the request and the response?
Now multiply this scenario across every family interaction, every transfer to hospital, every consultation with an external physician, every insurance inquiry, every regulatory submission, and every technology vendor that accesses resident data. Privacy compliance in Canadian residential care is not a single obligation — it is a continuous operational discipline that touches every aspect of care delivery, documentation, and information management.
Canadian privacy law is layered. At the federal level, the Personal Information Protection and Electronic Documents Act (PIPEDA) establishes the baseline for how private-sector organizations collect, use, and disclose personal information. At the provincial level, health-specific statutes — Ontario's Personal Health Information Protection Act (PHIPA), Alberta's Health Information Act (HIA), British Columbia's Personal Information Protection Act (PIPA), and Quebec's Act respecting the protection of personal information in the private sector (as amended by Loi 25) — impose additional requirements tailored to the health care sector. These provincial statutes do not merely supplement PIPEDA — in provinces where they have been deemed substantially similar to PIPEDA, they replace it for intraprovincial health information transactions.
Quebec's Loi 25 (Law 25), formally the Act to modernize legislative provisions as regards the protection of personal information, transformed Quebec's privacy landscape beginning in 2022. Its phased implementation through 2024 introduced requirements that significantly exceed the previous framework and, in several areas, exceed the requirements of any other Canadian jurisdiction. For residential care operators in Quebec — and for multi-provincial operators with Quebec facilities — Loi 25 compliance requires deliberate investment in governance, technology, and operational processes.
This article provides a practical guide to privacy compliance for Canadian residential care operators, with particular focus on Loi 25 and its interaction with the broader Canadian privacy framework. It covers the specific obligations that apply to long-term care settings, the practical challenges of managing personal health information in care environments, and the technology requirements for maintaining privacy compliance at operational scale.
Quebec's Loi 25: What Changed and Why It Matters
Loi 25 modernized Quebec's privacy framework in response to the increasing digitization of personal information and a series of high-profile data breaches that exposed the inadequacy of the previous regime. The law was passed in September 2021 and implemented in three phases, with the final provisions taking effect on September 22, 2024.
Phase 1 (September 2022): Governance and Breach Response
The first phase imposed two immediate obligations. First, every organization handling personal information must designate a person responsible for the protection of personal information — effectively a privacy officer. By default, this is the highest-ranking officer of the organization, but the responsibility can be delegated to another person whose title and contact information must be published on the organization's website. In a residential care organization, this role is typically assigned to the compliance officer or a dedicated privacy officer, but the delegation must be formal and documented.
Second, Phase 1 established mandatory breach notification requirements. Organizations that experience a confidentiality incident involving personal information must assess the risk of serious injury to affected individuals. If the risk is serious, the organization must notify the Commission d'accès à l'information (CAI) — Quebec's privacy regulator — and the affected individuals. The notification must describe the personal information involved, the circumstances of the breach, the measures taken to reduce the risk, and the steps individuals can take to protect themselves.
For residential care operators, the breach notification requirement has particular significance. Care facilities process highly sensitive personal health information across multiple systems, devices, and staff members. A lost tablet containing resident records, an unauthorized access to the electronic health record by a terminated employee, or a misdirected fax containing clinical information all constitute potential confidentiality incidents that require assessment and, potentially, notification.
Phase 2 (September 2023): Policies, PIAs, and Consent
The second phase introduced the most operationally significant requirements. Organizations must establish and publish governance policies regarding the protection of personal information. These policies must describe the categories of personal information collected, the purposes of collection, the retention and destruction practices, the roles and responsibilities for privacy protection, and the process for handling access and correction requests.
Phase 2 also mandated privacy impact assessments (PIAs) for any project involving the collection, use, or disclosure of personal information — including the acquisition or development of information systems. For residential care operators, this means that implementing a new electronic health record, deploying a medication management system, installing surveillance cameras, or engaging a cloud-based care platform requires a documented PIA before the project proceeds.
Consent requirements were strengthened in Phase 2. Consent for the collection, use, and disclosure of personal information must be manifest, free, informed, given for specific purposes, and requested in clear and simple language. For sensitive information — which includes health information — consent must be given expressly. This affects how residential care facilities obtain consent from residents and their legal representatives for information handling practices.
Phase 3 (September 2024): Data Portability and Expanded Rights
The final phase introduced data portability rights, allowing individuals to request a copy of their personal information in a structured, commonly used technological format. It also introduced the right to de-indexation (the right to have personal information cease being disseminated) and expanded the rights of individuals to access and correct their personal information.
For residential care operators, the data portability requirement means that when a resident transfers to another facility or when a legal representative requests records, the organization must be able to produce the requested information in a structured, portable format — not merely as printed documents or PDF scans of handwritten notes.
Loi 25 penalties are substantial
The CAI can impose administrative monetary penalties of up to $10 million or 2% of worldwide turnover for organizations that fail to comply with Loi 25 requirements. For more serious violations, penal provisions allow fines of up to $25 million or 4% of worldwide turnover. These penalty levels are comparable to the European GDPR and represent a significant increase over the previous Quebec privacy regime. Residential care operators cannot treat Loi 25 compliance as optional or low-priority.
The Broader Canadian Privacy Framework for Health Information
While Loi 25 commands attention for its scope and penalties, it operates within a broader Canadian privacy framework that residential care operators must navigate across all provinces of operation.
PIPEDA: The Federal Baseline
PIPEDA applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activities. For residential care operators, PIPEDA applies to interprovincial and international information transfers and serves as the default privacy framework in provinces without substantially similar legislation.
PIPEDA is built on 10 fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use, disclosure, and retention, accuracy, safeguards, openness, individual access, and challenging compliance. These principles establish the framework for how personal information — including personal health information — must be handled.
For residential care operators, PIPEDA's requirements include: collecting personal information only for identified, reasonable purposes; obtaining meaningful consent for collection, use, and disclosure; protecting personal information with security safeguards appropriate to the sensitivity of the information; providing individuals with access to their personal information on request; and maintaining accuracy of personal information used to make decisions about individuals.
Ontario: PHIPA
Ontario's Personal Health Information Protection Act (PHIPA) is the primary privacy legislation for health information in Ontario. PHIPA applies to health information custodians — a category that includes long-term care homes and their operators — and establishes specific rules for the collection, use, disclosure, and retention of personal health information.
Key PHIPA requirements for residential care operators include: the designation of a contact person for privacy matters, the establishment of practices and procedures to protect personal health information, the limitation of collection to information reasonably necessary for a lawful purpose, restrictions on use and disclosure (including a "circle of care" concept that permits sharing among health care providers involved in the individual's care without express consent), and mandatory breach notification to the Information and Privacy Commissioner of Ontario for incidents involving personal health information.
PHIPA's "circle of care" concept is particularly relevant to residential care. It allows personal health information to be shared among health care providers involved in the resident's care — the facility's nurses, physicians, pharmacists, therapists — without requiring express consent for each disclosure, provided the disclosure is for the purpose of providing health care. However, the circle of care does not extend to all disclosures. Sharing information with a resident's employer, insurance company, or family members outside the care relationship requires specific consent unless another exception applies.
Alberta: Health Information Act
Alberta's Health Information Act (HIA) governs the collection, use, and disclosure of health information by custodians, which include operators of continuing care facilities. The HIA establishes requirements similar to PHIPA but with Alberta-specific provisions for health information disclosure, consent, and access.
Key HIA provisions include: mandatory designation of an affiliate (an employee or contractor) for each information management purpose, restrictions on collection to information reasonably required for the custodian's purpose, the ability to disclose health information within the custodian's organization for care purposes without consent, mandatory breach notification to the Information and Privacy Commissioner of Alberta, and specific provisions for research use of health information with ethics board approval.
British Columbia: PIPA
British Columbia's Personal Information Protection Act (PIPA) applies to private-sector organizations, including privately operated residential care facilities. PIPA's requirements are broadly consistent with PIPEDA but include BC-specific provisions for consent exceptions, mandatory breach reporting to the Office of the Information and Privacy Commissioner, and requirements for privacy management programs.
For residential care operators in BC, PIPA requires: documented privacy management programs, breach notification and reporting, consent management that distinguishes between implied consent (for purposes a reasonable person would consider appropriate) and express consent (for sensitive information including health information), and response to access requests within 30 business days.
Personal Health Information in Care Settings
The concept of "personal health information" in residential care extends far beyond what operators might initially assume. Understanding the full scope of information that falls under privacy protection is essential for building compliant information management practices.
What Constitutes Personal Health Information
In a residential care setting, personal health information includes all of the following: clinical assessment data (vital signs, cognitive assessments, functional assessments, nutritional assessments); care plans and care plan revisions; progress notes documenting clinical observations and interventions; medication administration records including PRN indications and responses; incident and injury reports; behavioural observation documentation; family and substitute decision-maker communications about care; physician orders and consultation notes; therapy notes (physiotherapy, occupational therapy, speech-language pathology); laboratory and diagnostic imaging results; discharge and transfer summaries; and photographs or video recordings of residents taken for clinical purposes.
Beyond clinical records, personal health information in residential care also encompasses administrative records that contain health-related data: admission assessments, funding and acuity classification data (such as RAI-MDS assessments), insurance claims, and billing records that reference diagnoses or services.
Common Privacy Risks in Residential Care
Residential care settings present unique privacy risks that differ from acute care or physician office environments.
Shared living environments. Residents live in close proximity, and staff conversations about care occur in environments where other residents or visitors may overhear. Clinical discussions at nursing stations, in hallways, or in shared dining areas create disclosure risks that are difficult to eliminate entirely but must be managed through awareness and environmental controls.
Family access expectations. Family members often expect unrestricted access to their loved one's care information, but privacy legislation requires that access be authorized — either through the resident's own consent (if the resident has capacity) or through a legally recognized substitute decision-maker (if the resident lacks capacity). Staff must be trained to verify authorization before disclosing personal health information to family members, even when the request seems routine.
Staff turnover and access management. High turnover in residential care means that access credentials must be provisioned and deprovisioned frequently. A terminated staff member whose electronic system access is not revoked promptly creates an unauthorized access risk. A float staff member who is given broad system access for operational convenience may be able to view records of residents who are not in their care — a violation of the minimum necessary access principle.
Mobile devices and point-of-care documentation. Tablets and smartphones used for point-of-care documentation create data loss risks if devices are lost, stolen, or improperly secured. The convenience of mobile documentation must be balanced with technical controls (encryption, remote wipe capability, automatic session timeout) that protect the information on the device.
Consent Management in Residential Care
Consent management in long-term care is complicated by the prevalence of cognitive impairment among residents. Privacy legislation in all Canadian jurisdictions provides for substitute decision-makers to exercise privacy rights on behalf of individuals who lack capacity, but the operational implementation of consent management requires careful attention.
Capacity Assessment
Before seeking consent for the collection, use, or disclosure of personal health information, the facility must determine whether the resident has the capacity to provide informed consent. Capacity is not a binary or permanent state — a resident may have capacity for some decisions but not others, and capacity may fluctuate over time. The assessment of capacity for privacy consent should be documented and reviewed periodically.
Substitute Decision-Makers
When a resident lacks capacity to consent, the facility must identify the appropriate substitute decision-maker. Provincial legislation defines the hierarchy of substitute decision-makers differently. In Ontario, PHIPA defers to the Health Care Consent Act hierarchy (guardian of the person, attorney for personal care, specified family members in priority order). In Quebec, the mandataire designated by the resident or appointed by the court has authority. In Alberta and BC, the hierarchy is defined by the respective health information and personal information statutes.
The facility must document who the authorized substitute decision-maker is, verify their authority, and ensure that privacy consents obtained from substitute decision-makers are valid and current. When a new substitute decision-maker is appointed — due to death, incapacity, or legal change — the facility must update its consent records.
Consent Withdrawal
Both residents (with capacity) and substitute decision-makers can withdraw consent for specific uses or disclosures of personal health information. The facility must have a process for receiving, documenting, and operationalizing consent withdrawals. If a resident withdraws consent for information sharing with a specific family member, the electronic system must be able to restrict that family member's access without affecting the care team's access.
Consent is not a one-time event
Privacy consent in residential care must be treated as a dynamic, ongoing process — not a form signed at admission and filed. Residents' circumstances, capacity, legal representatives, and information-sharing preferences change over time. Best practice is to review and document consent status at every care plan review, at every change in legal representative, and whenever the resident or substitute decision-maker raises a concern about information handling. A consent form dated three years ago that has never been revisited does not demonstrate meaningful consent management in an inspection or privacy investigation.
Privacy Impact Assessments for Care Technology
Loi 25 mandates privacy impact assessments for any project involving the collection, use, or disclosure of personal information, and the other provincial frameworks either require or strongly recommend PIAs for new health information systems. For residential care operators evaluating or implementing technology platforms, PIAs are a compliance prerequisite.
When a PIA Is Required
A PIA should be conducted before: implementing a new electronic health record or care documentation system; deploying mobile devices for point-of-care documentation; implementing a resident monitoring system (fall detection, wandering alerts, video surveillance); engaging a cloud-based care platform or migrating from on-premises to cloud infrastructure; implementing a new medication management system; deploying a visitor management system that collects personal information; and implementing any analytics or reporting system that processes personal health information.
PIA Content Requirements
Under Loi 25, the PIA must describe the personal information involved, the purposes of collection and use, the necessity and proportionality of the information collection, the privacy risks identified, and the measures taken to mitigate those risks. The PIA must be provided to the CAI upon request.
A practical PIA for a residential care technology implementation should address: what personal health information the system will collect, store, process, and transmit; the legal basis for each collection purpose; who will have access to the information and on what basis; where the information will be stored (including cloud provider locations and whether data leaves Canada); what technical safeguards protect the information (encryption, access controls, audit trails); what happens to the information when the system is decommissioned; and what the breach response plan is for the system.
Data Residency Considerations
Canadian privacy legislation does not uniformly prohibit the storage of personal health information outside Canada, but several provincial statutes impose restrictions or conditions. BC's Freedom of Information and Protection of Privacy Act (FIPPA) restricts public bodies from storing personal information outside Canada. Ontario's PHIPA does not prohibit cross-border storage but requires the custodian to ensure equivalent protection. Quebec's Loi 25 requires a PIA before transferring personal information outside Quebec and requires the organization to verify that the receiving jurisdiction provides adequate privacy protection.
For residential care operators selecting technology platforms, the safest approach is to require that all personal health information be stored in Canada, on infrastructure operated by a Canadian entity or a provider with Canadian data centres. This approach avoids the complex legal analysis required to justify cross-border data transfers and provides a clear, defensible position in privacy investigations.
Data Breach Management in Residential Care
Privacy breach management in Canadian residential care requires preparedness for the types of incidents that are most likely to occur in care settings, which differ from the breach scenarios common in other industries.
Common Breach Scenarios in Residential Care
| Breach Type | Example | Risk Level |
|---|---|---|
| Unauthorized access by terminated staff | Former employee accesses EHR after termination due to delayed account deprovisioning | High — intentional access, potentially malicious |
| Lost or stolen mobile device | Tablet used for point-of-care documentation is left in a common area or lost off-premises | High if unencrypted; moderate if encrypted with remote wipe |
| Misdirected communication | Fax containing resident clinical information sent to wrong number; email sent to wrong family member | Moderate — limited scope but involves sensitive information |
| Unauthorized family disclosure | Staff member shares clinical information with family member not authorized to receive it | Moderate — limited scope, potential complaint |
| System vulnerability exploitation | Ransomware attack encrypts resident records, potentially exfiltrating data before encryption | Critical — widespread, potential for significant harm |
| Improper disposal | Paper records containing personal health information placed in regular waste rather than secure destruction | Variable — depends on whether information was actually accessed |
Breach Response Protocol
A compliant breach response protocol for Canadian residential care operators must include the following steps.
Containment. Immediately contain the breach to prevent further unauthorized access or disclosure. Revoke compromised access credentials. Recover or remotely wipe lost devices. Isolate affected systems.
Assessment. Assess the breach to determine: what personal information was involved, how many individuals are affected, whether the information has been further disclosed or misused, and what the risk of serious harm is to affected individuals. The risk assessment must consider the sensitivity of the information (health information is inherently sensitive), the probability that the information has been or will be misused, and the potential consequences for affected individuals.
Notification. If the risk assessment determines that there is a risk of serious harm, notify the applicable privacy commissioner (CAI in Quebec, IPC in Ontario, OIPC in Alberta and BC) and the affected individuals. Notification timelines vary by jurisdiction — Loi 25 requires notification "with diligence" (promptly), while other provinces have specific timelines ranging from 72 hours to "at the earliest reasonable opportunity."
Documentation. Document every aspect of the breach: when it was discovered, what happened, who was notified, what containment and remediation measures were taken, and what steps were implemented to prevent recurrence. Maintain a breach register that records all confidentiality incidents, whether or not they triggered notification obligations. Loi 25 requires organizations to maintain a register of confidentiality incidents that must be provided to the CAI upon request.
Remediation. Implement measures to prevent recurrence. This may include policy changes, additional staff training, technology upgrades, or process modifications. Document the remediation measures and verify their effectiveness.
Technology Requirements for Privacy Compliance
Privacy compliance in Canadian residential care cannot be maintained without technology that enforces privacy controls at the system level. The following capabilities are essential.
Role-Based Access Control
The technology platform must support granular role-based access control that limits each user's access to the personal health information they need for their role. A personal support worker caring for residents on Unit A should not be able to access records for residents on Unit B. An administrative staff member processing billing should see only the billing-relevant data, not the full clinical record. Access controls must be configurable per facility, per unit, per role, and per individual.
Immutable Audit Trails
Every access to personal health information must be logged in an immutable audit trail that records who accessed what information, when, and from what device or location. The audit trail must be tamper-proof — entries cannot be modified or deleted, even by system administrators. This audit trail is the primary evidence in any privacy investigation or complaint, and its integrity is essential for demonstrating compliance.
Consent Management
The platform must support documented consent management that records: what consent was given, by whom (resident or substitute decision-maker), for what purposes, and when. It must support consent withdrawal and enforce access restrictions based on current consent status. When a resident withdraws consent for a specific disclosure, the system must be able to enforce that restriction automatically.
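The two requirements above, unit- and role-scoped access and consent-driven restrictions on family access, are easiest to reason about as a single deny-by-default access decision. The following is an added example written for this article, not Harmony's code: the role names, the field sets each role may see, and the per-family-member consent model are constructed assumptions. It shows that a PSW on Unit A cannot read a Unit B record, that a billing user sees only billing fields, and that withdrawing one family member's consent removes that person's access without touching the care team's.

```python
"""Deny-by-default access decision combining unit-scoped roles, field-level
data minimization and per-person consent restrictions.

Added example for illustration (not Harmony's code). Role names, field sets
and the consent model below are constructed assumptions."""
from dataclasses import dataclass, field

# Fields each staff role may see (constructed assumption). Care roles are
# additionally scoped to the units they are assigned to.
ROLE_FIELDS = {
    "psw": {"care_plan", "progress_notes", "medication_administration"},
    "nurse": {"care_plan", "progress_notes", "medication_administration",
              "physician_orders", "incidents"},
    "billing": {"billing", "funding_classification"},
}
CARE_ROLES = {"psw", "nurse"}


@dataclass
class User:
    user_id: str
    role: str                       # "psw", "nurse", "billing" or "family"
    units: frozenset = frozenset()  # units a care role may work on
    active: bool = True             # False once the account is deprovisioned


@dataclass
class Resident:
    resident_id: str
    unit: str
    # family_id -> fields the resident (or SDM) consented to share with that
    # person. A missing entry or an empty set means nothing is shared.
    family_consent: dict = field(default_factory=dict)


def decide(user: User, resident: Resident, requested: set) -> tuple:
    """Return (fields the user may see, reason). Anything not granted is denied."""
    if not user.active:
        return set(), "account deactivated"
    if user.role == "family":
        allowed = resident.family_consent.get(user.user_id, set())
        granted = requested & allowed
        return granted, "consent" if granted else "no current consent for this person"
    if user.role not in ROLE_FIELDS:
        return set(), f"unknown role {user.role!r}"
    if user.role in CARE_ROLES and resident.unit not in user.units:
        return set(), f"resident on unit {resident.unit} is outside the user's units"
    granted = requested & ROLE_FIELDS[user.role]
    return granted, "role scope" if granted else "no requested field permitted for role"


def withdraw_consent(resident: Resident, family_id: str, fields=None) -> None:
    """Withdraw a family member's consent (all fields, or only the given ones).
    Staff access is governed by role and unit, so it is unaffected."""
    if fields is None:
        resident.family_consent.pop(family_id, None)
    elif family_id in resident.family_consent:
        resident.family_consent[family_id] -= set(fields)


if __name__ == "__main__":
    # Constructed sample: one resident on Unit A, one consented family member.
    r = Resident("R-001", "A", {"F-1": {"care_plan", "progress_notes"}})
    print(decide(User("U-psw", "psw", frozenset({"A"})), r, {"care_plan", "billing"}))
    print(decide(User("U-psw2", "psw", frozenset({"B"})), r, {"care_plan"}))
    print(decide(User("F-1", "family"), r, {"care_plan", "incidents"}))
    withdraw_consent(r, "F-1")
    print(decide(User("F-1", "family"), r, {"care_plan"}))
```

The decision returns the granted subset rather than a boolean so that a request for a mixed set of fields can be answered with only the permitted ones, which is the behaviour the "billing sees only billing data" requirement calls for.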
Encryption and Data Protection
Personal health information must be encrypted at rest and in transit. Mobile devices used for point-of-care documentation must support device-level encryption, automatic session timeout, and remote wipe capability. Data backups must be encrypted and stored in compliance with data residency requirements.
Breach Detection and Response
The platform should include capabilities for detecting potential privacy breaches — unusual access patterns, access outside normal working hours, bulk data exports, and access by terminated accounts. Automated alerts for potential breach scenarios enable rapid containment and reduce the window of unauthorized access.
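The audit-trail integrity requirement above and the four breach indicators just listed (unusual access patterns, off-hours access, bulk exports, access by terminated accounts) can be demonstrated together on one set of log entries. The following is an added example written for this article, not Harmony's code: the audit entries, the account list, the unit assignments, the working-hours window and the bulk-export threshold are all constructed. Each entry is chained to the previous one with a SHA-256 hash so that editing or deleting an entry is detectable, and the detection rules are then run over the same entries.

```python
"""Hash-chained audit trail plus breach-indicator detection rules.

Added example for illustration (not Harmony's code). The audit entries,
accounts, unit assignments and thresholds are constructed assumptions."""
import hashlib
import json
from collections import Counter
from datetime import datetime

# Constructed audit entries: who read or exported whose record, and when.
AUDIT_ENTRIES = [
    {"ts": "2024-03-04T09:12:00", "user": "nurse.a", "resident": "R-017", "unit": "A", "action": "read"},
    {"ts": "2024-03-04T09:14:00", "user": "nurse.a", "resident": "R-018", "unit": "A", "action": "read"},
    {"ts": "2024-03-04T23:40:00", "user": "psw.b", "resident": "R-101", "unit": "B", "action": "read"},
    {"ts": "2024-03-05T10:02:00", "user": "former.c", "resident": "R-019", "unit": "A", "action": "read"},
    {"ts": "2024-03-05T10:03:00", "user": "nurse.a", "resident": "R-102", "unit": "B", "action": "read"},
]
# 25 record exports by one account within half an hour (constructed).
AUDIT_ENTRIES += [
    {"ts": f"2024-03-05T11:{m:02d}:00", "user": "admin.d", "resident": f"R-{200 + m}",
     "unit": "A", "action": "export"}
    for m in range(25)
]

DEACTIVATED = {"former.c"}                       # accounts that should no longer log in
USER_UNITS = {"nurse.a": {"A"}, "psw.b": {"B"},  # units each account is assigned to
              "former.c": {"A"}, "admin.d": {"A", "B"}}
WORK_HOURS = range(6, 22)                        # 06:00-21:59, constructed window
BULK_THRESHOLD = 20                              # exports per user that count as bulk


def _digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def chain(entries, genesis="genesis"):
    """Link each entry to the previous one's hash. Entries are never rewritten
    in place; any later edit or deletion breaks verify()."""
    prev, out = _digest(genesis), []
    for e in entries:
        rec = dict(e, prev=prev)
        rec["hash"] = _digest(rec)
        out.append(rec)
        prev = rec["hash"]
    return out


def verify(chained, genesis="genesis"):
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev = _digest(genesis)
    for i, rec in enumerate(chained):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body.get("prev") != prev or _digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None


def detect(entries):
    """Return (rule, user) findings for the breach indicators named in the text."""
    findings, exports = [], Counter()
    for e in entries:
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["user"] in DEACTIVATED:
            findings.append(("deactivated_account_access", e["user"]))
        if hour not in WORK_HOURS:
            findings.append(("off_hours_access", e["user"]))
        if e["unit"] not in USER_UNITS.get(e["user"], set()):
            findings.append(("cross_unit_access", e["user"]))
        if e["action"] == "export":
            exports[e["user"]] += 1
    findings += [("bulk_export", u) for u, n in exports.items() if n >= BULK_THRESHOLD]
    return findings


if __name__ == "__main__":
    log = chain(AUDIT_ENTRIES)
    print("chain intact:", verify(log) is None)
    for rule, user in detect(log):
        print(f"{rule:28s} {user}")
```

Each rule maps to one row of the breach-scenario table: the deactivated-account rule is the delayed-deprovisioning case, the cross-unit rule is the float-staff over-access case, and the bulk-export rule is the precursor to a large-scale exfiltration. Verifying the chain before relying on the log is what makes the trail usable as evidence in a privacy investigation.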
Case Scenario: Maison Soleil Care Group
Maison Soleil Care Group operates four CHSLDs in the greater Montreal area, serving approximately 480 residents. In early 2024, as Loi 25's Phase 2 requirements came into effect, the organization discovered that its privacy practices — which had been adequate under the previous Quebec framework — fell significantly short of the new requirements.
The organization had no designated privacy officer (the default responsibility rested with the CEO, who was unaware of this obligation). No privacy impact assessments had been conducted for the electronic health record system implemented two years earlier. The consent management process consisted of a single form signed at admission that had not been reviewed or updated since. The breach response process was informal — incidents were reported to the director of nursing, who decided case-by-case whether to notify anyone.
A complaint from a family member — who discovered that a former employee had accessed their mother's records after termination — triggered a CAI investigation. The investigation revealed not only the unauthorized access incident but also the systemic gaps in the organization's privacy governance. The CAI issued an order requiring Maison Soleil to implement a comprehensive privacy compliance program within six months, failing which administrative penalties would be imposed.
Maison Soleil appointed a dedicated privacy officer (the compliance director, with additional training in Quebec privacy law), conducted retrospective PIAs for all technology systems, overhauled the consent management process to include regular review and documented capacity assessment, implemented role-based access controls with automated deprovisioning for terminated staff, established a documented breach response protocol with a breach register, and deployed staff privacy training covering the specific scenarios relevant to residential care. The entire remediation cost approximately $120,000 — a fraction of the potential penalties under Loi 25, which could have reached $10 million for the systemic non-compliance the CAI identified.
The lesson for other operators is clear: Loi 25 compliance cannot be deferred or treated as a future project. The requirements are in effect, the CAI is actively investigating, and the penalties are substantial. The cost of proactive compliance is a small fraction of the cost of reactive remediation under regulatory pressure.
Harmony's Privacy Architecture
Harmony's platform is built with Canadian privacy compliance requirements integrated into its architecture. Role-based access control enforces the minimum necessary access principle, with configurable access profiles per facility, per unit, and per role. The immutable audit trail logs every access to personal health information with user identity, timestamp, device, and action performed. Consent management is integrated into the resident record, with documented consent status that is reviewed at each care plan update and that governs system-level access restrictions.
Data is encrypted at rest and in transit, stored in Canadian data centres, and backed up to Canadian infrastructure. Mobile device management includes encryption enforcement, session timeout, and remote wipe capability. Breach detection capabilities include automated alerts for unusual access patterns, and the platform supports the breach documentation and notification workflows required by Loi 25, PHIPA, HIA, and PIPA.
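The two failure patterns this page describes, a terminated employee reading records after departure (the Maison Soleil complaint) and staff reaching beyond the unit their role covers, can both be checked against exactly the audit-trail fields listed above (user, timestamp, device, action, plus the resident touched). The checker below is an added illustration written for this page, not Harmony's code; the user directory, resident-to-unit map and log lines are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed user directory: role, assigned unit, and the date/time the
# account was deprovisioned (None means the account is still active).
USERS = {
    "nurse_a": {"role": "nurse", "unit": "Unit 2", "deprovisioned": None},
    "pca_b":   {"role": "pca",   "unit": "Unit 1", "deprovisioned": None},
    "nurse_c": {"role": "nurse", "unit": "Unit 2",
                "deprovisioned": datetime(2024, 3, 1, 17, 0)},
}

# Constructed resident-to-unit map (resident identifiers are invented).
RESIDENTS = {"R-1001": "Unit 1", "R-1002": "Unit 2", "R-1003": "Unit 2"}

# Constructed audit-trail lines: user|timestamp|device|action|resident
AUDIT_LOG = """\
nurse_a|2024-03-04T08:12:00|tablet-07|view_medication|R-1002
pca_b|2024-03-04T08:20:00|kiosk-01|view_care_plan|R-1001
pca_b|2024-03-04T08:25:00|kiosk-01|view_progress_notes|R-1003
nurse_c|2024-03-05T22:41:00|tablet-03|view_progress_notes|R-1002
"""


@dataclass
class Finding:
    user: str
    resident: str
    reason: str


def parse_line(line):
    user, ts, device, action, resident = line.split("|")
    return user, datetime.fromisoformat(ts), device, action, resident


def review_audit_log(log_text, users=USERS, residents=RESIDENTS):
    """Flag access after deprovisioning, access outside the user's
    assigned unit, and access by accounts absent from the directory."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, ts, device, action, resident = parse_line(line)
        profile = users.get(user)
        if profile is None:
            findings.append(Finding(user, resident, "unknown user"))
            continue
        gone = profile["deprovisioned"]
        if gone is not None and ts > gone:
            findings.append(Finding(user, resident,
                f"access after deprovisioning ({gone.date()}) from {device}"))
        if residents.get(resident) != profile["unit"]:
            findings.append(Finding(user, resident,
                f"outside assigned unit {profile['unit']} via {action}"))
    return findings
```

Each finding is a candidate entry for the breach register, to be triaged by the privacy officer rather than treated as a confirmed breach on its own.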
The Privacy Officer Role in Residential Care Organizations
Loi 25 requires that every organization designate a person responsible for the protection of personal information. While this is a Quebec-specific legal requirement, all Canadian provinces expect health information custodians to have an identifiable point of accountability for privacy. For residential care organizations, the privacy officer role carries responsibilities that are distinct from — though often combined with — the compliance officer role.
Responsibilities
The privacy officer in a residential care organization is responsible for: developing and maintaining the organization's privacy policies and procedures; conducting or overseeing privacy impact assessments for new projects and technology implementations; managing data breach response, including assessment, notification, and documentation; responding to access, correction, and portability requests from residents and their legal representatives; overseeing staff privacy training; managing the organization's relationship with the applicable privacy commissioner; maintaining the breach register required by Loi 25; and advising operational leaders on privacy implications of new programs, partnerships, or technology decisions.
Organizational Positioning
The privacy officer should have sufficient organizational authority to influence decisions that affect personal health information. In practice, this means the role should report to senior leadership — ideally the CEO, COO, or VP of Compliance — rather than to IT or operations management. The privacy officer's authority to escalate concerns, halt projects that pose unacceptable privacy risks, and mandate corrective actions must be clear and supported by organizational policy.
In smaller organizations, the privacy officer role is often combined with the compliance officer role, which is practical given the overlap between privacy compliance and general regulatory compliance. In larger organizations — particularly those operating in Quebec where Loi 25 demands dedicated attention — a separate privacy officer may be warranted.
Staff Training on Privacy
Privacy training in residential care must go beyond policy acknowledgment. Staff interact with personal health information in every shift, and the privacy risks they face are practical, not theoretical. Training should include scenario-based examples drawn from residential care settings: how to respond when a family member requests information by phone and you cannot verify their identity; what to do when you realize you accessed the wrong resident's record; how to handle a conversation about a resident's care in a shared space; and what constitutes a privacy breach that must be reported internally.
Training should be delivered at onboarding, refreshed annually, and supplemented with brief scenario discussions at team meetings. Track training completion as a compliance metric and include privacy knowledge in competency assessments for roles with elevated information access.
Building a Privacy Compliance Roadmap
For residential care organizations that have not yet achieved full privacy compliance — or that are entering Quebec and must now meet Loi 25 requirements — a phased implementation roadmap provides a structured path forward.
Phase 1: Foundation (Months 1 through 3)
Designate the privacy officer. Conduct a privacy risk assessment that identifies all personal health information holdings, information flows, access points, and current safeguards. Establish the breach response protocol and the breach register. Publish the required governance policies on the organization's website. Implement basic access controls in the electronic health record to enforce role-based access.
Phase 2: Operationalization (Months 4 through 6)
Conduct privacy impact assessments for all existing technology systems that process personal health information. Review and formalize consent management processes, including documentation of consent authority for residents who lack capacity. Implement the staff privacy training program. Establish the access and correction request handling process. Review vendor contracts for privacy provisions and data processing agreements.
Phase 3: Maturity (Months 7 through 12)
Implement advanced access controls including unit-level restriction and anomaly detection. Deploy automated breach detection capabilities. Conduct a simulated breach response exercise to test the breach protocol. Perform a privacy audit using the applicable privacy commissioner's published assessment criteria. Address audit findings and establish the ongoing privacy monitoring cadence.
Use the CAI's Published Guides
The Commission d'accès à l'information publishes practical guides for organizations implementing Loi 25 compliance. These guides include templates for privacy impact assessments, breach notification forms, and governance policy frameworks. They are available in French on the CAI website and provide authoritative guidance on what the regulator expects. Use them as your starting point rather than building from scratch.
Conclusion
Privacy compliance in Canadian residential care is a layered obligation that requires attention to federal legislation, provincial health information statutes, and — for operators in Quebec — the comprehensive requirements of Loi 25. The information handled in residential care settings is among the most sensitive categories of personal information: health status, medication records, behavioural observations, cognitive assessments, and end-of-life preferences. The responsibility for protecting this information is not merely legal — it is an expression of the trust that residents and families place in care organizations.
The operational disciplines required for privacy compliance — consent management, access control, breach preparedness, privacy impact assessments, and staff training — are not separate from care delivery. They are embedded in it. Every clinical interaction, every documentation entry, every family communication, and every technology decision involves personal health information and is subject to privacy obligations.
For residential care operators, the practical starting point is an honest assessment of current privacy practices against the applicable legislative requirements. Review your consent management processes: are they documented, current, and enforced? Examine your access controls: do they reflect the minimum necessary principle, or do staff have broader access than their roles require? Evaluate your breach response capability: do you have a documented plan, a trained response team, and a breach register? Assess your technology platform: does it enforce privacy controls at the system level, or does privacy depend entirely on staff behaviour?
Privacy compliance is not a destination — it is a continuous practice that must evolve with legislative changes, technological developments, and the operational realities of caring for vulnerable populations. The organizations that build privacy into their operational DNA — rather than treating it as a separate compliance exercise — provide the strongest protection for the individuals entrusted to their care.
Frequently Asked Questions
Does Loi 25 apply to all residential care operators in Quebec, including non-profit organizations?
Loi 25 applies to any enterprise that collects, holds, uses, or communicates personal information in Quebec, regardless of whether the enterprise is for-profit or non-profit. The definition of "enterprise" under Quebec's Act respecting the protection of personal information in the private sector is broad. Public-sector organizations (including publicly operated CHSLDs) are subject to separate privacy legislation — the Act respecting Access to documents held by public bodies — which was also amended by Loi 25 with similar strengthened requirements. In practice, all residential care operators in Quebec, whether public, private, or non-profit, face enhanced privacy obligations under the Loi 25 amendments.
Can we store resident health information in a cloud system hosted outside Canada?
Storage outside Canada is not categorically prohibited under all Canadian privacy legislation, but it introduces significant compliance complexity. Loi 25 requires a privacy impact assessment before transferring personal information outside Quebec and requires the organization to verify that the receiving jurisdiction provides adequate protection. PHIPA requires custodians to take reasonable steps to ensure that health information transferred outside Ontario receives a comparable level of protection. BC's FIPPA prohibits certain public bodies from storing personal information outside Canada. The safest and simplest approach for residential care operators is to require that all personal health information be stored in Canada. This avoids the legal analysis, documentation, and ongoing monitoring required to justify cross-border storage, and it provides a clear, defensible position in any privacy investigation.
What is the difference between PIPEDA and the provincial health information acts?
PIPEDA is the federal privacy legislation for the private sector. Provincial health information acts (PHIPA in Ontario, HIA in Alberta, PIPA in BC, and Quebec's private-sector privacy act as amended by Loi 25) are provincial legislation that governs health information specifically or personal information more broadly within the province. In provinces where the provincial legislation has been deemed substantially similar to PIPEDA, the provincial act replaces PIPEDA for intraprovincial transactions. PIPEDA continues to apply to interprovincial and international transfers of personal information. For residential care operators, the provincial act is the primary compliance framework for day-to-day operations, while PIPEDA applies to information that crosses provincial or national borders.
How often should we conduct privacy training for care staff?
Privacy training should be provided to all staff at onboarding and refreshed annually at minimum. However, annual training alone is insufficient for residential care settings where privacy risks are embedded in daily care interactions. Supplement annual training with brief, scenario-based reminders at staff meetings (quarterly), targeted training when privacy incidents occur (using the incident as a teaching opportunity without identifying individuals), and role-specific training when staff transition to roles with different access levels. Track training completion as a compliance metric and treat privacy training non-compliance with the same urgency as clinical training non-compliance — both create organizational risk.