PIPEDA and voice AI: the privacy checklist for a Canadian dental practice
Consent, retention, Canadian hosting, incident register: a PIPEDA-first checklist for a voice agent that talks to your patients — with Quebec Law 25 add-ons where they apply.
Why it matters to you
Every Canadian dental practice that collects personal information — name, insurance details, reason for visit — falls under PIPEDA, Canada's federal privacy law (or its substantially-similar provincial equivalents in Alberta, BC, and Quebec). A voice AI agent is a processor, but you, the practice, remain accountable to your patients and to your provincial regulator (RCDSO in ON, CDSBC in BC, ADA+C in AB, ODNB in NB, ODQ in QC, and so on). If you also serve Quebec patients, Quebec Law 25 adds stricter rules on consent, retention, and breach reporting on top of the PIPEDA baseline.
The 5 must-check obligations
1. Explicit consent: the agent opens with "This call may be recorded to confirm your appointment. Do you wish to continue?". 2. Data minimization: only what is needed to book — name, phone, reason. No SIN, no credit card. 3. Hosting: recordings and transcripts are stored in Canada, in a Montreal data centre (AWS ca-central-1). 4. Retention: 90 days by default, configurable. Automatic deletion after. 5. Incident register: any privacy incident is logged and notified to your privacy officer, with breach reporting to the OPC under PIPEDA (and to the CAI under Quebec Law 25 when applicable).
A clause to add to your privacy notice
"Inbound phone calls may be handled by an automated voice assistant provided by Agent IA Vocal inc. Transcripts are stored in Canada for up to 90 days. You may request deletion at any time at dentists@agentiavocal.ca."
What about your provincial dental regulator?
No Canadian dental regulatory body forbids voice AI for appointment booking — provided any clinical information is transferred to a team member and no diagnosis is given by the AI. That is exactly how Sophie is configured out of the box.