PIPEDA Compliance
AutoRx processes personal information in line with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial health-privacy law. PIPEDA is built on ten fair information principles; the summary below maps how AutoRx meets each one in a pharmacy automation context. Your Privacy Policy and DPA set the binding commitments for your commercial relationship.
How AutoRx meets the PIPEDA principles
- Accountability. AutoRx is accountable for the personal information under its control, including information transferred to subprocessors, all of which are disclosed in the Trust Center.
- Identifying purposes and limiting collection. AutoRx collects only the prescription and patient data needed to read, validate, and write a prescription into Kroll. It does not collect personal information for unrelated purposes.
- Consent. AutoRx acts on your instructions as the pharmacy. The patient relationship and consent for care stay with your pharmacy; AutoRx processes data only within the scope you authorize.
- Limiting use, disclosure, and retention. Personal information is used only to deliver the service, never sold or used for advertising, and retained only as long as your DPA and recordkeeping obligations require.
- Accuracy. AutoRx reads patient profile, drug history, and your formulary before each write, which is built to keep entered data accurate and route uncertain cases to a pharmacist.
- Safeguards. Data is encrypted in transit and at rest, stored in Canadian data centres, and access is restricted on a need-to-know basis and logged.
- Openness and individual access. AutoRx's processing, subprocessors, and security posture are documented and available to your pharmacy, which supports your ability to respond to patient access requests.
- Challenging compliance. Your pharmacy can raise privacy questions or concerns at any time, and AutoRx's audit logs support investigation of any specific prescription's handling.
Data residency and agreements
PIPEDA permits transfers of personal information to a third party for processing, but AutoRx keeps all data in Canadian data centres and discloses every subprocessor that may handle it. Before any prescription data moves, you receive a Data Processing Agreement (DPA) covering permitted uses, retention, security, and breach handling. For Ontario pharmacies, see also our PHIPA compliance summary, and the PIPEDA glossary entry for a plain-language definition.
Frequently asked questions
Is AutoRx PIPEDA compliant?
Yes. AutoRx processes personal information in line with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial health-privacy law. It limits collection and use to delivering the service, stores data in Canada, operates under a Data Processing Agreement, and discloses its subprocessors.
Does AutoRx keep patient data in Canada under PIPEDA?
Yes. All personal information AutoRx processes is stored and processed in Canadian data centres, encrypted in transit and at rest. PIPEDA permits transfers for processing, but AutoRx keeps data in Canada and discloses every subprocessor that may handle it in the Trust Center.
How long does AutoRx retain prescription data?
AutoRx retains personal information only as long as needed to provide the service and to meet your retention requirements, as set out in your Data Processing Agreement. Retention periods are configurable to match your pharmacy and provincial recordkeeping obligations.
How does PIPEDA relate to PHIPA for my pharmacy?
PIPEDA is the federal private-sector privacy law; PHIPA is Ontario's health-specific privacy law. Ontario pharmacies are generally governed by PHIPA for health information, with PIPEDA applying to commercial activity and in provinces without substantially similar health-privacy legislation. AutoRx is built to satisfy both.
