Provincial Disclosures (Canada)
This document explains how Phiusion Labs complies with the privacy laws of each Canadian province and territory. It supplements — and does not replace — the Privacy Notice for Practitioners and the Privacy Notice for Patients. Where a province imposes obligations beyond the federal floor, those obligations are described here in plain language and keyed to the relevant statutes.
Phiusion is B2B software sold for cosmetic and general wellness purposes. Nothing in this document should be read to suggest that the application performs a regulated clinical function; professional judgment remains entirely with the licensed health professional using the application.
1. Provincial framework overview
Canadian privacy law operates on two layers.
Federal floor. The Personal Information Protection and Electronic Documents Act ("PIPEDA") sets the baseline for private-sector handling of personal information across Canada. PIPEDA applies in every province and territory where a provincial private-sector statute has not been declared "substantially similar" by the Governor-in-Council. PIPEDA also applies to all interprovincial and international flows of personal information for commercial purposes, regardless of provincial overlays. The federal Consumer Privacy Protection Act ("CPPA"), which forms the privacy core of Bill C-27, will replace PIPEDA upon proclamation; references to PIPEDA in this document should be read to include CPPA equivalents once that statute comes into force.
Provincial overlays. Three provinces — Quebec, Alberta, and British Columbia — have private-sector privacy statutes that have been declared substantially similar to PIPEDA and that therefore displace PIPEDA for activities wholly within those provinces. Several provinces additionally have health-information statutes (Ontario's PHIPA; Alberta's HIA; Manitoba's PHIA; New Brunswick's PHIPAA; Newfoundland and Labrador's PHIA; Nova Scotia's PHIA; Prince Edward Island's HIA; Saskatchewan's HIPA) that govern personal health information held by defined custodians or trustees. The territorial private-sector layer is PIPEDA itself; the Office of the Privacy Commissioner of Canada is the supervisory authority.
Phiusion's posture is to comply with the strictest applicable regime in each jurisdiction and to publish, in this document, the province-specific disclosures that go beyond what the practitioner and patient privacy notices already say. Where a province requires a published artefact (Ontario's PHIPA s.6(3) HINP disclosures; Quebec's Law 25 Privacy Officer designation; cross-border PIA), the artefact is named in the relevant section below and linked.
The federal Canadian Anti-Spam Legislation ("CASL") governs commercial electronic messages to Canadian recipients across all provinces and territories; Phiusion's CASL compliance is described in the Privacy Notice for Practitioners §3 and is not repeated here.
2. Ontario — PHIPA full treatment
Ontario's Personal Health Information Protection Act, 2004 ("PHIPA") and Ontario Regulation 329/04 ("O. Reg. 329/04") govern personal health information ("PHI") held by health-information custodians in the province. Phiusion's Ontario obligations are extensive because Ontario is Phiusion's home jurisdiction and because Phiusion operates as a Health Information Network Provider ("HINP") to Ontario custodians.
2.1 Custodian, HINP, and agent relationships
PHIPA distinguishes three categories of person who handle PHI.
A health-information custodian is defined in PHIPA s.3(1) as a person who, as a result of his or her power or duties or the work he or she performs, has custody or control of PHI. Custodians include health-care practitioners (defined by reference to regulated health professions), operators of health-care facilities, and a list of named bodies. The Ontario-based health professional using the Phiusion application is the custodian for the PHI he or she records in the application.
A health-information network provider is defined in O. Reg. 329/04 s.6(2) as a person who provides services to two or more health-information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose PHI to one another. Phiusion Labs acts in this HINP capacity. The HINP role is the source of Phiusion's published transparency obligations under O. Reg. 329/04 s.6(3).
An agent under PHIPA s.2 is a person authorized by a custodian to perform services for the custodian in respect of PHI, acting on the custodian's behalf and not its own behalf. Phiusion is not the custodian's agent; the HINP role is distinct from the agent role. Phiusion's own employees and contractors — including the personnel of Universkin SAS, the French company that builds and operates the platform on Phiusion's behalf — are Phiusion's agents for the purposes of PHIPA s.6(3)(b), and Phiusion's directives to those agents appear in §2.2 below.
The boundary between these roles matters because each role has its own duties. The custodian decides why and how PHI is collected, used, and disclosed; the HINP supplies the electronic infrastructure and is bound by O. Reg. 329/04 s.6(3); the agent acts under the custodian's authority and is subject to the custodian's directives and the HINP's internal restrictions.
2.2 PHIPA s.6(3) — the four published artefacts
O. Reg. 329/04 s.6(3) requires a HINP to make available to the public a plain-language description of (a) the services the HINP provides to custodians, (b) the safeguards the HINP has in place to protect the privacy and security of PHI, and (c) the directives, guidelines, and policies that apply to the services. The Information and Privacy Commissioner of Ontario ("IPC Ontario") additionally expects a HINP to publish an annual audit summary. Phiusion publishes four artefacts to satisfy these requirements.
Artefact #1 — Services description. Phiusion's published services description appears in this section and in §2 of the PHIPA HINP Services Agreement. The services Phiusion supplies to Ontario custodians are: application hosting (web-application access from the Phiusion domain, including authentication, session management, and user-interface delivery); patient-record storage (storage of patient profiles, medical-history fields, photo sessions, clinical-evaluation sessions, treatment selections, and order history); photo storage and processing (secure object storage for patient photos, including a background-removal preprocessing step performed before storage); SkinXS API access (routing of patient photos to the SkinXS analysis service for skin-feature scoring, with results returned to the custodian's workspace for professional review and curation); telemetry and reliability monitoring (error reporting, performance counters, and feature-usage signals); breach detection (monitoring for unauthorized access, abnormal query patterns, and credential compromise); and encrypted backups with restoration available on written request. Phiusion does not make autonomous clinical determinations, does not generate prescriptions, and does not produce patient-facing output without a practitioner curation step. SkinXS suggests; the practitioner decides.
Artefact #2 — Safeguards summary. The safeguards summary is published in the PHIPA Audit Summary, which carries the canonical statement of Phiusion's technical, organizational, and administrative safeguards. In summary: TLS 1.2 or higher in transit; AES-256 at rest; row-level security ("RLS") in the database so that each custodian sees only its own records; mandatory multi-factor authentication on every practitioner account; signed-URL access controls on photo storage; access logging on every read and write of PHI; a documented information-security programme; annual penetration testing; mandatory privacy and security training for all personnel with production access; background checks and confidentiality undertakings for engineering staff; role-based access control with least-privilege defaults; written sub-processor agreements; and written vendor agreements with Universkin SAS (BAA and DPA). The full statement is in the PHIPA Audit Summary §3 (technical), §4 (organizational), and §5 (administrative).
Artefact #3 — Directives to agents. PHIPA s.6(3)(b) requires the HINP to put restrictions in place that prevent its agents from accessing PHI except where strictly necessary to deliver the services. Phiusion's standing directives to its personnel — including personnel of Universkin SAS under the BAA and DPA — are:
- Need-to-know. No member of Phiusion or Universkin staff may access PHI except where the access is required to deliver one of the services described in artefact #1, or to respond to a written request from the custodian. "Required" is interpreted narrowly: curiosity, convenience, and unscoped exploration are not bases for access.
- Role-based access. Production access is granted by role, with the smallest possible privilege envelope for each role. The default for a new role is no production access; access is added only where the role's documented duties require it. Privileges are reviewed quarterly and revoked on role change, transfer, or departure.
- Training. Every individual with any path to PHI completes privacy and security training at onboarding and annually thereafter. The curriculum covers PHIPA obligations for HINPs, the directives in this section, breach-handling procedures, and the specific data flows of the Phiusion application. Records of completion are kept for the period set in the internal Retention Schedule (available to regulators and to data subjects on request) and are available to custodians on written request.
- Confidentiality undertakings. Every individual signs a written confidentiality undertaking that survives termination of employment or engagement. Breach of the undertaking is grounds for dismissal and, where applicable, civil action.
- Logging and review. Access to PHI is logged with actor identity, timestamp, action, and target record identifier. Logs are reviewed on a defined cadence and on demand following any incident or custodian inquiry.
- No secondary use. Personnel may not use PHI for any purpose outside the services described in artefact #1, and may not export PHI from the production environment except where doing so is required to deliver a service the custodian has requested. AI-model improvement on patient data is governed by separate patient consent under the AI Improvement Consent and the Privacy Notice for Patients; the directive in this paragraph reinforces that no model improvement happens absent that separate patient consent.
- Cross-border discipline. Universkin SAS personnel in France operate under the same directives as Phiusion personnel in Canada. The BAA and DPA make the directives contractually binding on Universkin and on each Universkin sub-processor.
These directives are reissued to each individual at annual training and are referenced in employment, contractor, and vendor agreements with Universkin SAS.
Artefact #4 — Audit summary. The annual audit summary is published as the PHIPA Audit Summary. The first audit summary covers the pre-launch baseline for calendar year 2026; subsequent annual summaries are republished on or before 1 June of each year and cover the preceding calendar year.
2.3 IPC Ontario contact and complaint process
If an Ontario custodian or patient is not satisfied with how Phiusion has handled a privacy concern, the matter can be escalated to the Information and Privacy Commissioner of Ontario. The IPC accepts written complaints and conducts investigations and reviews under PHIPA Part VI.
- Information and Privacy Commissioner of Ontario (IPC). 2 Bloor Street East, Suite 1400, Toronto, Ontario M4W 1A8. Telephone: 1-800-387-0073. Web: https://www.ipc.on.ca/.
Phiusion will acknowledge IPC correspondence within two business days and will cooperate fully with any IPC review, investigation, or order. See the PHIPA Audit Summary §9 for the standing commitment.
2.4 Breach chain under PHIPA s.10.1 and s.12
PHIPA s.10.1 imposes a duty on a HINP to notify the custodian at the first reasonable opportunity if PHI handled by the HINP on behalf of the custodian has been stolen, lost, or accessed by an unauthorized person. PHIPA s.12(2) and s.12(3) reserve to the custodian the decision whether to notify affected individuals and the IPC, respectively. Phiusion's role in the chain is HINP-to-custodian only:
- Phiusion will notify the affected custodian as soon as the incident's scope is sufficiently confirmed to inform the custodian usefully, and in any event without undue delay.
- The notification will identify, to the extent then known, the affected data, the approximate number of records, the nature and timing of the incident, the response steps already taken, and a Phiusion contact for follow-up.
- Phiusion will assist the custodian in preparing the custodian's IPC and individual notifications on request.
- Phiusion's end-to-end breach workflow is documented in the internal Breach Notification Playbook (available to regulators and to data subjects on request).
3. Quebec — Law 25 full treatment
Quebec's Act respecting the protection of personal information in the private sector, as amended by An Act to modernize legislative provisions as regards the protection of personal information (commonly "Law 25"), imposes the strictest private-sector privacy regime in Canada. Quebec is a substantially-similar province, so Law 25 displaces PIPEDA for activities wholly within Quebec; PIPEDA continues to apply to interprovincial and international flows.
3.1 Privacy Officer designation (Law 25 art. 3.1)
Law 25 art. 3.1 requires every enterprise that handles personal information to designate a Privacy Officer ("person in charge of the protection of personal information") and to publish the title and contact details of that person on the enterprise's website. The function may be delegated in writing.
- Phiusion Labs Privacy Officer. Jonathan Garbutt, privacy@phiusionlabs.app. The Privacy Officer's contact information will be published in the public footer of the Phiusion application before any Quebec practitioner or patient is onboarded.
- Universkin SAS Data Protection Officer. Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com. The Universkin DPO is independently designated under GDPR Art. 37 and supports the Privacy Officer for the sub-processor leg of Quebec processing that takes place in France.
3.2 Cross-border Privacy Impact Assessment (Law 25 art. 17)
Law 25 art. 17 requires that, before personal information is communicated outside Quebec, the enterprise conduct an assessment of the privacy-related factors ("évaluation des facteurs relatifs à la vie privée" — "EFVP", commonly translated as Privacy Impact Assessment or "PIA") taking into account, among other factors, the sensitivity of the information, the purposes of the communication, the protective measures applicable to the information in the receiving jurisdiction, and the legal regime applicable in that jurisdiction (including the rules governing access by foreign public authorities). The communication may take place only if the assessment shows that the information will receive adequate protection in light of generally recognised principles.
Because the Phiusion application operates from France through Universkin SAS, all Quebec personal information that flows through the application is, by definition, communicated outside Quebec. Phiusion will file a written cross-border PIA covering this processing before the first Quebec practitioner onboards and before any Quebec patient is enrolled. The PIA is filed and kept on record; it is available to the Commission d'accès à l'information du Québec ("CAI") on request and is described in summary in the Privacy Notice for Practitioners §5 and the Privacy Notice for Patients.
3.3 Biometric express consent (Law 25 art. 12) and CAI pre-notification
Law 25 art. 12 — read in combination with the Act to establish a legal framework for information technology ("LCCJTI") arts. 44–45 — requires express consent before personal information is collected for the purpose of verifying or confirming a person's identity using biometric characteristics or measurements. The same framework requires the enterprise to declare to the CAI, at least sixty (60) days before the creation or use of a biometric database, that the database exists or is to be created.
The face-geometry processing performed by SkinXS on patient photos meets the broad statutory definition of biometric processing in Quebec. Accordingly:
- Quebec patients are presented with an express opt-in for biometric processing before any photo is taken. The wording, design, and per-purpose granularity of the opt-in are described in the Patient Photo Consent and the Privacy Notice for Patients.
- Phiusion files the LCCJTI art. 45 declaration with the CAI not less than sixty (60) days before the first Quebec patient is enrolled.
- Withdrawal of biometric consent is supported through the workflow described in the Consent Withdrawal policy.
3.4 Per-purpose opt-in checkboxes for Quebec patients
Law 25 art. 14 requires that, where consent is the lawful basis for processing personal information, the consent must be manifest, free, and informed, and must be given for specific purposes. Bundled consent for a stack of unrelated purposes is not valid. For Quebec patients, the Phiusion application surfaces separate opt-in checkboxes for, at minimum:
- Photo capture and storage for the patient's record (see Patient Photo Consent).
- SkinXS biometric processing of those photos for skin-feature scoring (see §3.3 above).
- Optional contribution of de-identified photos to AI-model improvement (see AI Improvement Consent).
- Cross-border processing by Universkin SAS in France and by US sub-processors (see §3.2 above and §13 below).
Each checkbox can be granted or withheld independently, and any one of them can be withdrawn at any time through the Consent Withdrawal flow. Withdrawal does not affect processing that occurred before withdrawal.
3.5 French-language requirements
The Charter of the French Language arts. 51 and 52, as amended by An Act respecting French, the official and common language of Québec ("Bill 96"), requires that consumer-facing contracts and documents be drawn up in French; where another language is also used, the French version must be made available on no less favourable terms. Law 25 art. 8 requires that the information provided to the data subject under arts. 7 and 8.3 be presented in clear and simple terms.
Before the Quebec launch:
- A French version of the Privacy Notice for Patients is published and surfaced as the default for Quebec patients.
- A French version of the Privacy Notice for Practitioners is published and surfaced as the default for Quebec practitioners.
- A French version of the Terms of Service is published.
- The consent surfaces — including the Patient Photo Consent, the AI Improvement Consent, and the per-purpose checkboxes in §3.4 — are presented in French as the default for Quebec.
- This Provincial Disclosures document is republished in French.
Patient-facing notices in Quebec will be available in French at launch. Practitioner-facing onboarding may proceed in English with the practitioner's express consent under Charter of the French Language art. 55 (as amended by Bill 96).
3.6 Quebec data-subject rights
Quebec patients and practitioners have the following rights under Law 25:
- Access (arts. 27–29). Right to obtain confirmation of processing and a copy of the personal information held about them, in a structured and commonly used format.
- Rectification (art. 28). Right to require correction of inaccurate, incomplete, or equivocal personal information.
- Portability (art. 28.1, in force since 22 September 2024). Right to receive computerised personal information in a structured, commonly used technological format, and to have it transmitted directly to another person or body where this is technically possible.
- De-indexing and right to be forgotten (art. 28.1). Right to require the cessation of dissemination, or the de-indexing of a hyperlink, where the dissemination contravenes the law or a court order.
- Withdrawal of consent (art. 14). Right to withdraw consent at any time, with future effect.
- Information about automated decision-making (art. 12.1). Where a decision based exclusively on automated processing produces legal or similarly significant effects, the data subject has the right to be informed of the principal factors and parameters that led to the decision and to submit observations to a person able to review the decision. As described in the Privacy Notice for Practitioners §10, SkinXS is not such a decision system because the practitioner curation step is mandatory; the patient-facing output is the practitioner's judgment, not the software's score.
Requests are submitted to privacy@phiusionlabs.app. Phiusion responds within thirty (30) days of receipt; a complex request may be extended in line with art. 32, with notice to the requester.
3.7 CAI contact and complaint process
If a Quebec data subject is not satisfied with Phiusion's response to a request or a privacy concern, the matter may be escalated to the CAI.
- Commission d'accès à l'information du Québec (CAI). Bureau de Québec: 525, boul. René-Lévesque Est, bureau 2.36, Québec (Québec) G1R 5S9. Telephone: 1-888-528-7741. Web: https://www.cai.gouv.qc.ca/.
3.8 Confidentiality incident register (Law 25 art. 3.8) and individual notification (art. 3.5)
Law 25 art. 3.8 requires every enterprise to keep a register of confidentiality incidents. The register records the nature, circumstances, and consequences of each incident and the corrective actions taken; the CAI may request the register at any time. Law 25 art. 3.5 requires the enterprise to notify the CAI and the affected individuals where a confidentiality incident presents a "serious risk of injury" ("risque sérieux de préjudice"), taking into account the sensitivity of the information, the anticipated consequences of its use, and the likelihood that it will be used for harmful purposes.
Phiusion maintains the confidentiality incident register and the associated workflow as described in the internal Breach Notification Playbook (available to regulators and to data subjects on request). Quebec-affected records in the register are retained on the Quebec-indefinite schedule documented in the internal Retention Schedule (available on the same basis).
4. Alberta — AB PIPA and AB HIA
Alberta's Personal Information Protection Act ("AB PIPA") is the substantially-similar private-sector statute that displaces PIPEDA for activities wholly within Alberta. Alberta's Health Information Act ("AB HIA") governs personal health information held by defined custodians.
AB PIPA. AB PIPA ss.7–8 require knowledge and consent before personal information is collected, used, or disclosed, with exceptions for specified purposes. AB PIPA s.24 gives an individual a right to access personal information about him- or herself held by an organisation; s.25 governs the response timeline (45 days, extendable). AB PIPA s.34.1 imposes a duty to notify the Office of the Information and Privacy Commissioner of Alberta ("OIPC AB") of a privacy breach involving a real risk of significant harm. Phiusion's processing of Alberta-practitioner account information and of personal information from Alberta patients tracks these obligations; the operational detail (consent surfaces, access response, breach notification) is identical to the federal PIPEDA flow described in the Privacy Notice for Practitioners and the Privacy Notice for Patients.
AB HIA. AB HIA imposes additional duties on "custodians" — a defined list that includes regulated health professionals and other named bodies — when they handle health information. Phiusion is not an Alberta HIA custodian. Practitioners who self-identify at signup as an Alberta HIA custodian sign the Alberta HIA Services Agreement (D24) at signup, under which Phiusion acts as their information manager under HIA s.66. The standard self-serve onboarding flow does not, on its own, establish a practitioner's custodian status; that status arises from the practitioner's regulated-health-profession licensure and practice.
OIPC AB contact. Office of the Information and Privacy Commissioner of Alberta. Edmonton office: Suite 410, 9925 109 Street NW, Edmonton, Alberta T5K 2J8. Telephone: 1-888-878-4044. Web: https://www.oipc.ab.ca/.
5. British Columbia — BC PIPA and BC BPCPA
British Columbia's Personal Information Protection Act ("BC PIPA") is the substantially-similar private-sector statute that displaces PIPEDA for activities wholly within BC.
BC PIPA. BC PIPA ss.6–8 require knowledge and consent before personal information is collected, used, or disclosed, with statutory exceptions. BC PIPA s.23 gives an individual a right of access to his or her own personal information; s.29 governs the response timeline. BC PIPA does not, on its face, include a mandatory breach-notification provision, but the Office of the Information and Privacy Commissioner of BC ("OIPC BC") encourages notification on the same real-risk-of-significant-harm threshold used federally. Phiusion notifies on that threshold.
BC BPCPA. The Business Practices and Consumer Protection Act applies to consumer-facing aspects of any sale of services to a British Columbia consumer. Phiusion's B2B sales to BC practitioners are not consumer transactions, but where a patient interacts with the application directly (for example, when receiving a copy of a consent under the Patient Photo Consent), Phiusion observes the deceptive-practices and unfair-practices baselines set by the BPCPA.
OIPC BC contact. Office of the Information and Privacy Commissioner for British Columbia. 4th Floor, 947 Fort Street, PO Box 9038, Stn. Prov. Govt., Victoria, BC V8W 9A4. Telephone: 1-250-387-5629. Web: https://www.oipc.bc.ca/.
6. Manitoba — MB PIPA and MB PHIA
Manitoba's Personal Information Protection and Identity Theft Prevention Act ("MB PIPA", in force) applies to private-sector handling of personal information in Manitoba. Although it shares acronyms with the federal regime, MB PIPA has not been declared substantially similar; PIPEDA continues to apply to commercial activities of federal works and interprovincial flows. Phiusion's Manitoba processing complies with both MB PIPA and PIPEDA on a strictest-applicable basis.
Manitoba's Personal Health Information Act ("MB PHIA") governs personal health information held by defined "trustees". Phiusion is not a Manitoba PHIA trustee. Practitioners who self-identify at signup as a Manitoba PHIA trustee sign the Manitoba PHIA Services Agreement (D25) at signup, under which Phiusion acts as their information manager under PHIA s.25.
Manitoba Ombudsman contact. The Manitoba Ombudsman oversees both MB PIPA and MB PHIA. 750 - 500 Portage Avenue, Winnipeg, Manitoba R3C 3X1. Telephone: 1-800-665-0531. Web: https://www.ombudsman.mb.ca/.
7. New Brunswick — PIPEDA baseline and NB PHIPAA
New Brunswick has not enacted a substantially-similar private-sector privacy statute; PIPEDA is the operative private-sector law. New Brunswick's Personal Health Information Privacy and Access Act ("NB PHIPAA") governs personal health information held by defined custodians; Phiusion is not an NB PHIPAA custodian. NB practitioners who self-identify as a custodian sign the Atlantic PHIA-equivalent Services Agreement (D26) at signup, with the NB statute selected at sign time; Phiusion acts as their information manager under PHIPAA s.62.
OAIPC NB contact. Office of the Access to Information and Privacy Commissioner for New Brunswick. 65 Regent Street, Suite 230, Fredericton, NB E3B 7H8. Telephone: 1-877-755-2811. Web: https://www.beta.gnb.ca/content/gnb/en/ip-en.html (see also the consolidated portal https://www.beta.gnb.ca/).
8. Newfoundland and Labrador — NL ATIPPA and NL PHIA
Newfoundland and Labrador has not enacted a substantially-similar private-sector privacy statute; PIPEDA is the operative private-sector law. NL's Access to Information and Protection of Privacy Act, 2015 ("NL ATIPPA") applies to public bodies and is not directly applicable to Phiusion as a private-sector enterprise; it is noted here for completeness because patients sometimes interact with provincial-public-sector bodies whose handling of the same information is governed by ATIPPA. NL's Personal Health Information Act ("NL PHIA") governs personal health information held by defined custodians; Phiusion is not an NL PHIA custodian. NL practitioners who self-identify as a custodian sign the Atlantic PHIA-equivalent Services Agreement (D26) at signup, with the NL statute selected at sign time; Phiusion acts as their information manager under PHIA s.21.
OIPC NL contact. Office of the Information and Privacy Commissioner of Newfoundland and Labrador. 2 Canada Drive, P.O. Box 13004, Station A, St. John's, NL A1B 3V8. Telephone: 1-877-729-6309. Web: https://www.oipc.nl.ca/.
9. Nova Scotia — NS PIIDPA and NS PHIA
Nova Scotia has not enacted a substantially-similar private-sector privacy statute; PIPEDA is the operative private-sector law. NS's Personal Information International Disclosure Protection Act ("NS PIIDPA") restricts disclosures of personal information by public bodies and their service providers to jurisdictions outside Canada; PIIDPA is principally a public-sector statute, but Phiusion observes its substance for any Nova Scotia public-sector body that may use the application (for example, a clinic operated by a regional health authority). NS's Personal Health Information Act ("NS PHIA") governs personal health information held by defined custodians; Phiusion is not an NS PHIA custodian. NS practitioners who self-identify as a custodian sign the Atlantic PHIA-equivalent Services Agreement (D26) at signup, with the NS statute selected at sign time; Phiusion acts as their information manager under PHIA s.66.
OIPC NS contact. Office of the Information and Privacy Commissioner for Nova Scotia. PO Box 181, Halifax, Nova Scotia B3J 2M4. Telephone: 1-866-243-1564. Web: https://oipc.novascotia.ca/.
10. Prince Edward Island — PIPEDA baseline and PEI HIA
Prince Edward Island has not enacted a substantially-similar private-sector privacy statute; PIPEDA is the operative private-sector law. PEI's Health Information Act ("PEI HIA") governs personal health information held by defined custodians; Phiusion is not a PEI HIA custodian. PEI practitioners who self-identify as a custodian sign the Atlantic PHIA-equivalent Services Agreement (D26) at signup, with the PEI statute selected at sign time; Phiusion acts as their information manager under HIA s.13.
OIPC PE contact. Office of the Information and Privacy Commissioner of Prince Edward Island. PO Box 2000, Charlottetown, PE C1A 7N8. Telephone: 1-902-368-4099. Web: https://www.assembly.pe.ca/officers-assembly/information-privacy-commissioner.
11. Saskatchewan — PIPEDA baseline and SK HIPA
Saskatchewan has not enacted a substantially-similar private-sector privacy statute; PIPEDA is the operative private-sector law for private-sector handling of personal information. Saskatchewan's Health Information Protection Act ("SK HIPA") governs personal health information held by defined trustees; Phiusion is not an SK HIPA trustee. SK practitioners who self-identify as a trustee sign the Saskatchewan HIPA IMSP Services Agreement (D27) at signup, under which Phiusion acts as their Information Management Service Provider under HIPA s.18. The Freedom of Information and Protection of Privacy Act ("SK FOIP") is the public-sector counterpart and is noted here for completeness.
OIPC SK contact. Office of the Saskatchewan Information and Privacy Commissioner. 503 - 1801 Hamilton Street, Regina, Saskatchewan S4P 4B4. Telephone: 1-877-748-2298. Web: https://oipc.sk.ca/.
12. Territories — Yukon, Northwest Territories, Nunavut
In the three Canadian territories, federal PIPEDA applies to private-sector handling of personal information; the Office of the Privacy Commissioner of Canada is the supervisory authority. Each territory also has a public-sector access-and-privacy statute that applies to its territorial public bodies (Yukon's Access to Information and Protection of Privacy Act; the Northwest Territories' Access to Information and Protection of Privacy Act; Nunavut's Access to Information and Protection of Privacy Act); those statutes do not apply to Phiusion as a private-sector enterprise, but they are noted here for completeness because territorial public-sector clinics may interact with the application.
- Yukon — Information and Privacy Commissioner. 211 Hawkins Street, 3rd Floor, Whitehorse, Yukon Y1A 1X3. Telephone: 1-867-667-8468. Web: https://www.yukonombudsman.ca/.
- Northwest Territories — Information and Privacy Commissioner. 5018 - 47th Street, Suite 4-3, Yellowknife, NT X1A 2N7. Telephone: 1-867-669-0976. Web: https://atipp-nt.ca/.
- Nunavut — Information and Privacy Commissioner. P.O. Box 130, Rankin Inlet, NU X0C 0G0. Telephone: 1-867-645-2895. Web: https://www.info-privacy.nu.ca/.
For PIPEDA-stream matters, the supervisory authority for all three territories is the Office of the Privacy Commissioner of Canada, https://www.priv.gc.ca/.
13. Cross-border processing of Canadian personal information
Phiusion is headquartered in Ontario, Canada, but the application is built and operated by Universkin SAS in France, and several sub-processors are located in the United States. Personal information of Canadian patients and practitioners therefore crosses Canadian borders in the ordinary course of providing the service. The mechanisms below are applied in combination.
Canada → France (Universkin SAS). The European Commission has adopted an adequacy decision in respect of PIPEDA-governed Canadian personal information. No further mechanism is required for the Canada-to-EU leg. Universkin SAS, on receipt of the information in France, is a sub-processor to Phiusion under the BAA and DPA and is subject to the directives in §2.2 above.
France (Universkin SAS) → United States sub-processors. Universkin SAS uses US sub-processors (listed on the Sub-Processors page) for parts of the service delivery chain. The transfer mechanism is the European Commission's Standard Contractual Clauses ("SCCs"), supplemented by EU-US Data Privacy Framework ("DPF") self-certification where the sub-processor participates, and by per-vendor transfer-impact assessments documenting the legal regime applicable in the United States and the supplementary measures applied (encryption in transit and at rest, pseudonymisation where the data path supports it, contractual challenge-and-notify obligations, and the access-restriction directives in §2.2). The full statement of supplementary measures is in the Privacy Notice for Practitioners §5.
Canada (Phiusion Labs) → United States sub-processors. Where Phiusion itself transfers personal information directly to a US sub-processor (rather than routing through Universkin), the applicable mechanism is the contractual flowdown required by PIPEDA Schedule 1 Principle 4.1.3, which obliges the transferring organisation to use contractual or other means to provide a comparable level of protection while the information is being processed by the third party. This is not the same mechanism as the EU SCCs and is not interchangeable with it.
Province-specific overlays. Three province-specific overlays apply on top of the federal mechanisms:
- Quebec — Law 25 art. 17 PIA. Phiusion files a written cross-border PIA covering the Quebec leg before any Quebec onboarding. See §3.2 above.
- Alberta and British Columbia — AB PIPA / BC PIPA flowdowns. AB PIPA s.13.1 and BC PIPA s.21 impose contractual flowdowns analogous to PIPEDA Principle 4.1.3 when personal information is transferred to a service provider outside the province (and, in BC's case, outside Canada in respect of public-sector data). Phiusion's sub-processor agreements include the required flowdowns.
- Ontario — PHIPA s.10(4) and HINP duties. When PHI under the custody of an Ontario custodian is handled by Phiusion as HINP and routed to a sub-processor, the custodian retains its PHIPA s.10(4) "reasonable steps" duty over the chain. Phiusion's BAA and DPA with Universkin SAS, and Phiusion's sub-processor agreements, are designed to discharge the custodian's duty on the chain; the PHIPA HINP Services Agreement §6 documents the pass-through obligations.
14. Custodian/trustee self-identification and onboarding (Decision #18)
Phiusion's self-serve onboarding flow is designed for the federal-private-sector and substantially-similar-province baseline (PIPEDA, Quebec Law 25, Alberta PIPA, BC PIPA, and the federal-baseline provinces). Several provincial health-information statutes — Ontario PHIPA, Alberta HIA, Manitoba PHIA, New Brunswick PHIPAA, Newfoundland and Labrador PHIA, Nova Scotia PHIA, Prince Edward Island HIA, and Saskatchewan HIPA — impose additional duties on persons defined as "custodians" or "trustees" of personal health information. Those duties are bilateral in character and cannot be discharged through a shrinkwrap acceptance of standard terms; each requires a written agreement between the practitioner and Phiusion.
Decision #18 addresses this by asking practitioners, at signup, whether they self-identify as a custodian or trustee under any of the provincial health-information statutes listed above. Practitioners who answer yes are routed through an inline bilateral-agreement signing flow at /signup/sign, where they sign the agreement that corresponds to their statutory regime as part of account creation. "Information manager," "Health Information Network Provider," and "Information Management Service Provider" are different statute-specific role-names for the same functional position; each bullet below names the role under the relevant statute. The inline-sign agreement paths are:
- Ontario PHIPA — PHIPA HINP Services Agreement (D21). Phiusion acts as Health Information Network Provider under O. Reg. 329/04 s.6(2).
- Alberta HIA — Alberta HIA Services Agreement (D24). Phiusion acts as information manager under HIA s.66.
- Manitoba PHIA — Manitoba PHIA Services Agreement (D25). Phiusion acts as information manager under PHIA s.25.
- New Brunswick PHIPAA / Newfoundland and Labrador PHIA / Nova Scotia PHIA / Prince Edward Island HIA — Atlantic PHIA-equivalent Services Agreement (D26). Phiusion acts as information manager under the relevant Atlantic statute selected at sign time.
- Saskatchewan HIPA — Saskatchewan HIPA IMSP Services Agreement (D27). Phiusion acts as Information Management Service Provider under HIPA s.18.
Separately (and outside the Canadian-provincial scope of this document), US practitioners who self-identify as a HIPAA covered entity sign the Business Associate Agreement (D13) on the same inline-sign path.
The standard self-serve flow does not, on its own, establish a practitioner's status as a custodian, trustee, or HIPAA covered entity. That status arises from the practitioner's regulated-health-profession licensure and practice; Phiusion records the practitioner's self-declaration in the practitioner's account record and uses it to determine which bilateral agreement applies.
Two exceptions apply.
- Practitioners with a regulated status not yet covered by a drafted bilateral agreement. If a province enacts a new health-information statute, or if a practitioner's status falls outside the eight covered statutes above, Phiusion routes the practitioner to manual sales onboarding for a bilateral agreement (the legacy Decision #18 path). This branch is reserved for future jurisdictions; in the current rollout, every covered status has an inline-sign path.
- Practitioners who explicitly waive custodian/trustee status. A practitioner who is licensed in a province with a health-information statute but who, on the facts of his or her practice, is not a custodian or trustee (for example, because the practitioner practises exclusively in cosmetic wellness for which the statute's scope is not engaged) may proceed through the standard self-serve flow. The practitioner's self-declaration is recorded in the practitioner's account record.
Decision #18 is reviewed annually as part of the legal review cycle (see frontmatter review.next_review_due).
15. Contact
For anything covered by this document, write to:
- Privacy Officer (Phiusion Labs): Jonathan Garbutt, privacy@phiusionlabs.app.
- Data Protection Officer (Universkin SAS, France): Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com.
If we do not resolve a concern to your satisfaction, you can also reach the supervisory authority for your jurisdiction.
Federal
- Office of the Privacy Commissioner of Canada (OPC). 30 Victoria Street, Gatineau, Quebec K1A 1H3. Telephone: 1-800-282-1376. Web: https://www.priv.gc.ca/.
Provincial
- Ontario — Information and Privacy Commissioner of Ontario (IPC). https://www.ipc.on.ca/.
- Quebec — Commission d'accès à l'information du Québec (CAI). https://www.cai.gouv.qc.ca/.
- Alberta — Office of the Information and Privacy Commissioner of Alberta (OIPC AB). https://www.oipc.ab.ca/.
- British Columbia — Office of the Information and Privacy Commissioner for British Columbia (OIPC BC). https://www.oipc.bc.ca/.
- Manitoba — Manitoba Ombudsman. https://www.ombudsman.mb.ca/.
- New Brunswick — Office of the Access to Information and Privacy Commissioner (OAIPC NB). https://www.beta.gnb.ca/.
- Newfoundland and Labrador — Office of the Information and Privacy Commissioner of Newfoundland and Labrador (OIPC NL). https://www.oipc.nl.ca/.
- Nova Scotia — Office of the Information and Privacy Commissioner for Nova Scotia (OIPC NS). https://oipc.novascotia.ca/.
- Prince Edward Island — Office of the Information and Privacy Commissioner of Prince Edward Island (OIPC PE). https://www.assembly.pe.ca/officers-assembly/information-privacy-commissioner.
- Saskatchewan — Office of the Saskatchewan Information and Privacy Commissioner (OIPC SK). https://oipc.sk.ca/.
Territorial
- Yukon — Information and Privacy Commissioner. https://www.yukonombudsman.ca/.
- Northwest Territories — Information and Privacy Commissioner. https://atipp-nt.ca/.
- Nunavut — Information and Privacy Commissioner. https://www.info-privacy.nu.ca/.
- For PIPEDA-stream matters in all three territories, the Office of the Privacy Commissioner of Canada acts as the supervisory authority.
For related documents, see the Privacy Notice for Practitioners, the Privacy Notice for Patients, the PHIPA HINP Services Agreement, the PHIPA Audit Summary, the Sub-Processors page, the Cookie & Tracking Notice, the Terms of Service, the Patient Photo Consent, the AI Improvement Consent, and the Consent Withdrawal policy.