Canadian dental clinics must obtain patient consent before collecting, using, or disclosing personal health information under the Personal Information Protection and Electronic Documents Act (PIPEDA). Because dental records are classified as sensitive health information, express consent is the default requirement for collecting treatment histories, sharing records with insurers, and sending automated recall messages. This guide covers exactly what your dental patient consent form must include, how express and implied consent differ in a dental context, how provincial health privacy laws interact with PIPEDA, and a practical compliance checklist your front desk can use today.

10
Privacy rules
7
OPC guidelines
Express
Health consent
30 days
Access request

Does PIPEDA Apply to Your Dental Practice?

Yes. Dental practices operating as private businesses are subject to PIPEDA, which governs the collection, use, and disclosure of personal information in the course of commercial activities across Canada. The Office of the Privacy Commissioner of Canada (OPC) has confirmed this in formal investigations, including PIPEDA Case #2006-325, which applied PIPEDA's consent and safeguards principles directly to a dental office's handling of patient files. The OPC ruled that dental practices must comply with Principle 3 (Consent) and Principle 7 (Safeguards) when managing patient records, even in the context of a practice sale.

Under PIPEDA, the 10 fair information principles form the baseline compliance framework. Principle 3 is the one most directly relevant to patient intake forms and recall systems. The other nine principles carry equally binding obligations: Accountability (designate a privacy officer), Identifying Purposes (state why you collect data before or at the time of collection), Limiting Collection (collect only what you need), Limiting Use and Retention (use data only for stated purposes and delete it when the relationship ends), Accuracy (keep contact details current), Safeguards (encrypt and protect patient information), Openness (maintain a publicly available privacy policy), Individual Access (respond to access requests within 30 days), and Challenging Compliance (provide a formal complaint mechanism).

Failing to comply with PIPEDA is not merely a theoretical risk. The OPC can investigate complaints from patients, issue findings, and refer matters to the Federal Court, which can order organisations to correct their practices and award damages.

PIPEDA does not mandate a specific form or template. The OPC confirmed this explicitly: "There is no prescribed form in which these elements must be highlighted." However, the OPC's 2018 Meaningful Consent Guidelines (enforceable from 1 January 2019) establish four mandatory content elements that must be prominently included in any consent notice. These cannot be buried in a lengthy privacy policy or small-print terms.

Four Mandatory Disclosures — OPC Meaningful Consent Guidelines (2018)
1. What information is collected: Name each specific data type: patient name, date of birth, contact details, dental health history, treatment records, X-rays, periodontal charts, and insurance information. Vague language such as 'other relevant information' does not meet the standard.
2. Which third parties receive it: List all recipients by category: dental laboratories, specialist referral offices, insurance providers, billing services, and any patient communication platform that processes contact data on your behalf. General language such as 'selected partners' is not acceptable under the 2018 OPC guidelines.
3. The purposes for collection and use: State each purpose as narrowly as possible: appointment scheduling, recall reminders, insurance billing, specialist referrals, and public health reporting. Each new purpose requires fresh consent.
4. Any meaningful risks of harm: If patient data is processed by a vendor outside Canada (for example, a US-based SMS or email provider), the consent form or privacy notice must disclose this. Patients are entitled to know their information may be subject to foreign jurisdiction.

In addition to these four content requirements, the consent notice must be in plain language that a patient without a legal or medical background can understand. A consent form that meets the legal letter of the OPC's guidelines but is written in dense regulatory prose fails the spirit of PIPEDA. The standard is patient comprehension, not legal defensibility.

A wet signature is not required. Oral consent (recorded by telephone or at reception), clearly ticked checkboxes, and tablet-based digital signatures are all valid, provided the four mandatory elements were communicated before or at the time of consent.

Dental records, including examination findings, treatment histories, X-rays, and periodontal charting, are classified as sensitive health information under PIPEDA. The OPC's Interpretation Bulletin on Sensitive Information states: "Medical information is almost always considered to be sensitive, calling for a rather more explicit form of consent." Express consent is therefore the default requirement for collecting, using, or disclosing dental health information.

Implied consent is acceptable for:
  • Sharing records within the immediate circle of care, for example between an associate dentist and a hygienist treating the same patient in your practice
  • Routine administrative details such as recording a patient's billing address for appointment correspondence
Express consent is required for:
  • Collecting dental health records, examination findings, and treatment histories
  • Sharing records with insurance providers, specialist offices, or dental laboratories
  • Sending automated recall SMS or email messages via a third-party platform
  • Any marketing, promotional, or non-treatment communications

The OPC recognises a limited opt-out (negative option) consent mechanism for non-sensitive data, but only where the information is demonstrably non-sensitive, the purposes are limited and clearly disclosed at the time of collection, and a convenient opt-out with immediate effect is available. For dental health information, this threshold is rarely met. Opt-out consent should not be used as a default mechanism for patient recall systems.

Children under 13 in most circumstances require parental or guardian consent. For patients aged 13 to 17, the question of capacity to consent is assessed case by case; the treating dentist's clinical judgement of the patient's maturity is relevant. For adult patients who lack the capacity to consent, consent must be obtained from a substitute decision-maker.

The OPC's Seven Requirements for Meaningful Consent

Beyond the four mandatory disclosure elements, the OPC's 2018 guidelines establish seven guiding principles for how consent must be obtained and maintained. These apply equally to paper intake forms and any digital consent process your practice uses.

1
Emphasise key elements prominently
The four mandatory disclosures must appear prominently. They cannot be buried in a long privacy policy or small-print terms. The OPC expects these elements to be the first thing a patient sees, not page three of an intake packet.
2
Let patients control how much detail they receive
A layered approach is encouraged: a brief summary with a 'Learn more' link or a separate privacy notice for patients who want full detail. Both the summary and the full notice must be readily available on request.
3
Provide clear yes/no choices
For any data collection that is not strictly necessary to provide care, patients must have an easily accessible option to decline. Pre-ticked boxes and consent bundled invisibly with treatment consent do not satisfy PIPEDA's standard.
4
Use innovative delivery methods
The OPC explicitly encourages alternatives to the wall-of-text intake form. Tablet-based consent at check-in, just-in-time notices, and plain-language summaries are all valid approaches provided the four mandatory elements are included.
5
Design for the patient's perspective
The OPC evaluates consent processes from the patient's viewpoint, not the practice's. Ask a non-clinical staff member to read your form cold. If they cannot clearly state what they agreed to after one reading, the form needs revision.
6
Treat consent as an ongoing process
Consent is not a one-time checkbox at intake. You must obtain fresh consent when you change vendors, add new communication channels, or change how you use patient data. A patient who consented to recall SMS in 2022 has not necessarily consented to a new use of their data in 2026.
7
Be accountable and document your process
The OPC requires organisations to demonstrate that their consent process is understandable and functional. Designate a privacy officer, train staff on the consent process, and keep written records of how and when consent was obtained.

Provincial Health Privacy Laws and How They Interact With PIPEDA

In most provinces, provincial health privacy legislation applies to dental health information alongside or instead of PIPEDA. The OPC has recognised several provincial laws as "substantially similar," which means PIPEDA is partially displaced for health records in those jurisdictions. Dental clinics in Ontario, for example, are primarily governed by the Personal Health Information Protection Act (PHIPA) for dental records, with the College of Dental Surgeons providing regulatory oversight. However, PIPEDA's commercial activity provisions still apply to marketing emails, recall SMS campaigns, and other non-clinical data uses, even in provinces with substantially similar legislation.

ProvinceGoverning LawCoverage
OntarioPHIPAPersonal health information held by health information custodians, including dentists
AlbertaHIA + PIPAHealth records (HIA) plus other commercial personal information (PIPA)
British ColumbiaPIPAAll personal information collected in the course of commercial activity
QuebecLaw 25 / ARPPIPSAll personal information; requires a Privacy Impact Assessment before new technology adoption
ManitobaPHIAPersonal health information
Other provincesPIPEDAFederal baseline applies where no substantially similar provincial law exists

Compliance with PHIPA in Ontario does not automatically mean PIPEDA compliance, and vice versa. Confirm with a privacy lawyer which laws apply to your specific activities if you are unsure. Quebec's Law 25 imposes additional obligations including a mandatory Privacy Impact Assessment (PIA) before adopting new technology that collects personal information. If your clinic is in Quebec and you are considering new recall software or a patient communication platform, a PIA must be completed before deployment.

Dental Practice Consent Form Audit Checklist

Use this checklist to assess whether your current patient consent form and privacy process meet PIPEDA's requirements. Each item reflects a verified obligation from the OPC's published guidance and the 2018 Meaningful Consent Guidelines.

Your patient intake form names every category of information collected, every third party who may receive it, every purpose for collection, and any cross-border data processing risks.
A privacy officer (or privacy compliance manager) is designated in writing and known to all staff as the person who handles data access requests and escalates potential breaches.
Your consent process was designed to be understandable to patients, not just compliant for regulators. A non-clinical staff member has reviewed it and can describe what patients agreed to.
A clear withdrawal mechanism exists (for example, a STOP keyword for SMS and an in-office process for record sharing), and it is communicated to every patient.
You know which provincial privacy law governs your practice and have verified your consent form meets that standard in addition to PIPEDA.
You obtain fresh patient consent whenever you add a new vendor, change recall software, or change how you use patient data for any existing purpose.
All third-party vendors who handle patient data have provided a written privacy commitment, a Data Processing Agreement, or a PIPEDA-compatible privacy policy.

Key Takeaways

  • Dental practices in Canada are subject to PIPEDA. The OPC has directly investigated dental offices and applied PIPEDA's consent and safeguard principles to patient records.
  • Dental health records are classified as sensitive information under PIPEDA. Express consent is the default requirement for collecting, using, and disclosing them.
  • A PIPEDA-compliant dental patient consent form must prominently disclose four things: what is collected, who receives it, why, and any meaningful risks from cross-border data processing. These disclosures cannot be buried in a lengthy policy.
  • Implied consent is acceptable only within a strictly defined circle of care (the treating clinical team directly involved in a patient's care) and for routine administrative details.
  • There is no prescribed consent form template under PIPEDA. The OPC's 2018 Meaningful Consent Guidelines set seven enforceable process requirements that your form and consent mechanism must satisfy.
  • Most provinces have health-specific privacy laws (PHIPA in Ontario, PIPA in Alberta and BC, Law 25 in Quebec) that apply alongside or instead of PIPEDA for dental health records. Identify which law governs your practice and verify your consent form meets that standard.
  • Consent is not a one-time event. Obtain fresh consent when you change vendors, add new communication channels, or change how you use patient data.
Does Your Recall System Help You Stay PIPEDA Compliant?
DentRecall is built for Canadian dental clinics. Every automated recall SMS includes a STOP opt-out, patient consent is collected at import, and all patient data is stored and processed in Canada. A PIPEDA-compliant recall system should not require your front desk to do extra work to stay on the right side of the OPC.
See How DentRecall Handles Consent