Want to learn about privacy rights in Canada, but don’t know where to begin? Here’s a summary of related legislation and regulations in Canada.
Because the Learn section of TalkRights features content produced by CCLA volunteers and interviews with experts in their own words, opinions expressed here do not necessarily represent the CCLA’s own policies or positions. For official publications, key reports, position papers, legal documentation, and up-to-date news about the CCLA’s work, check out the In Focus section of our website.
Personal Information Protection and Electronic Documents Act (PIPEDA): Use of Personal Information by Private Sector Organizations
What Does This Act Do?
- PIPEDA gives individuals the right to access and request correction of the personal information given to private sector organizations
- PIPEDA also regulates how private sector organizations may collect, use or disclose personal information in the course of commercial activities – (s. 4(1) of PIPEDA)
- It also applies to employee personal information held by federal works, undertakings and businesses.
PIPEDA does not apply:
- At all in Alberta, British Columbia and Quebec – they have their own provincial legislation that is “substantially similar” to PIPEDA
- To personal health information only in Ontario, New Brunswick and Newfoundland
- To certain sectors regulated by other laws; for example:
  - Use and disclosure of personal financial information by federally regulated financial institutions
  - Consumer credit reporting
  - Confidentiality of credit union transactions
  - Confidentiality of personal information collected by professionals
What is Personal Information under PIPEDA?
- Personal information is defined as “information about an identifiable individual” (s. 2(1) of PIPEDA)
- This has been interpreted very broadly by the courts – essentially, where there is a serious possibility that the individual could be identified with that information alone, or in combination with other information, it will be protected
- Information is still “personal information” even if it is publicly available
- May include subjective evaluations of a person which may not necessarily be accurate
- In the technological context, the following may be personal information:
  - Photographs of yourself or your house kept on your cell phone or other devices
  - Tracking information recorded by your GPS
  - The IP address associated with your computer or your smart phone
- However, personal information does not include the name, title or business address or telephone number of an employee of an organization
What Does PIPEDA Require Private Businesses to Do in Collection, Use and Disclosure of Your Personal Information?
- You have the right to know and to consent to every collection, use and disclosure of your information, unless an exception applies
- Organizations must tell you the purpose for which they are collecting your information at the time they collect it or before
- In certain circumstances, consent with respect to use or disclosure may be sought after the information is gathered but before it is used or disclosed
- Consent must be meaningful; therefore, organizations have to make reasonable efforts to ensure that you understand
- You have the right to withdraw your consent at any time with reasonable notice
  - Subject to certain restrictions imposed by law and by contracts you have agreed to
How Do You Access Your Own Personal Information?
You should send a written request to the relevant organization, providing details to allow your information to be found and identified (Schedule 1, s. 4.9; Act, s. 8).
Dates, account numbers, and the names or positions of individuals that you contacted would be helpful. Organizations are required to assist you with your request if you ask them. Organizations must provide the information within a reasonable time and at minimal or no cost.
What Do You Do if You Are Concerned about Disclosure of Your Personal Information?
If you have a complaint about how your personal information has been collected, used, disclosed, retained and/or disposed of by a private-sector institution covered by PIPEDA, you can file a complaint with the Privacy Commissioner of Canada.
Examples of issues brought before this body include:
- Unique device identifiers provided by Apple
- Personal information used by online dating services
- Online impersonation on Facebook
- Information handling practices of WhatsApp Inc.
Privacy Act: Use of Personal Information by Federal Government Institutions
What Does This Act Do?
The Privacy Act protects personal information about individuals within the control of federal government institutions, including information collected from your activities online. You have the right to access and request correction to this information (s. 12).
This Act only applies to federal government institutions that are listed in the Privacy Act Schedule of Institutions.
For example, this could include information submitted online to Service Canada for the purposes of employment insurance, old age security and the Canada Pension Plan.
Personal information can only be used to advance the purpose for which the information was collected or for a use consistent with that purpose (s. 7).
What Is “Personal Information” under the Privacy Act? (s. 3 – definition of “personal information”)
Some examples of personal information include:
- Names, age, marital status and blood type
- Home address
- Race, national or ethnic origin
- Religious beliefs
- Educational history, medical history and employment history
- Criminal records and fingerprints
- Financial transactions
- Any identifying number, symbol or other particular assigned to the individual – for example, your SIN number
- Personal opinions or views, except where they are about another person or about specified government grants, awards or prizes
- Views or opinions of others about an individual
- Correspondence sent to a government institution of a private or confidential nature
Some examples of information that is NOT personal information include:
- Information about an individual who is or was an officer or employee of a government institution relating to his or her position or functions
- Information about an individual who is or was doing contract work for a government institution relevant to that work
- Information about financial benefits granted by the government, including licences or permits
- Information about an individual who has been dead for more than twenty years
How Do You Request Your Own Personal Information? (s. 12-13)
In order to request your own personal information:
- You must be a Canadian citizen or permanent resident
- You must be asking for “personal information” (described above)
- You must provide sufficiently specific information on the location of the information so that it is reasonable to expect a government institution to find it. The more specific your request, the more quickly someone can answer it
InfoSource, the public directory of federal government agencies, may help identify which federal government institution has your information.
The request must be in writing to the government institution that has control of the information.
You will want to submit a Personal Information Request Form (see the InfoSource website above). There is no charge to apply for information under this Act.
Access to information requests can be refused, either because the information does not exist or because disclosure is inappropriate based on an exception in the Act, for example if the information was obtained in confidence from the government of a province or foreign state, or if disclosure would be harmful to federal-provincial relations or international affairs. Where access to information is refused, you can make a complaint to the Privacy Commissioner.
When Can Someone Else Request Your Personal Information? (s. 8)
Your information that is protected by the Act can only be disclosed:
- With your consent; or
- In accordance with the exception terms of the Act.
The exception terms of the Act are listed. They allow your personal information to be disclosed:
- Consistent with the reason the information was gathered in the first place;
- Consistent with laws or regulations that allow disclosure or to enforce the law;
- To follow an order of a court, person or body which has a power to require disclosure – for example, to comply with a warrant or subpoena;
- To the Attorney General of Canada, for use in legal proceedings involving the Crown or the Canadian government;
- To help an aboriginal government or organization investigate claims, disputes or grievances of aboriginal peoples;
- To a member of Parliament to help an individual solve a problem;
- For internal audits, archiving or research and statistical purposes under certain circumstances;
- To locate an individual to collect a debt owed to the Crown; or
- Other purposes where the public interest would outweigh any invasion of privacy or where disclosure would clearly benefit the person to whom the personal information belongs.
What Do You Do if You Are Concerned about Disclosure of Your Personal Information by a Federal Government Institution?
If you have a complaint about how your personal information has been collected, used, disclosed, retained and/or disposed of by a federal government institution, you can file a complaint with the Privacy Commissioner of Canada.
Findings under the Privacy Act may be found here.
Federal Access to Information Act (ATIA)
What Does This Act Do?
Freedom of information legislation is based on the idea that members of the public should have the right to have access to as much government information as possible in accordance with the public interest.
This promotes government accountability, allowing individuals to inform themselves as voters and taxpayers.
Why Is This Legislation Relevant to Online Privacy?
The definition of a “record” under the ATIA is very broad; it includes e-mail messages, web pages, web browser history and virtually anything stored in an electronic device, including cell phones, Blackberries and iPods.
If a federal government institution has logged information based on your usage of its website or your usage of its services, that information could potentially be disclosed to another person.
What Information May be Obtained Through an Access to Information Request?
Under the ATIA, Canadian citizens, permanent residents and businesses and corporations within Canada can gain access to copies of information and documents held by a federal government institution.
The ATIA promotes a balance between ensuring access to information and protecting other interests that could be damaged by such access. There are some exceptions to access to information by the public (“exemptions”), which are meant to protect your personal information from disclosure where this would cause identifiable harm.
Your “personal information” can only be obtained by someone else under the ATIA if:
- You consent;
- Through one of the exceptions in the Privacy Act (described above); or
- The information is publicly available (s. 19)
Other examples of exemptions that could protect information transmitted online include (s. 13-23):
- Where disclosure could reasonably be expected to threaten the safety of individuals
- Where disclosure could harm the economic interests of a third party – for example:
  - Financial information
  - Trade secrets
  - Information that could interfere with contractual negotiations
- Information relating to environmental or product testing carried out by or on behalf of a government institution
Personal Health Information Protection Act (PHIPA) (Ontario)
What Does This Act Do?
PHIPA protects the privacy of personal health information held by health information custodians in Ontario.
Health information custodians include:
- Health care providers – including your doctors, nurses, dentists, psychologists and others
- Medical laboratories
- Ambulance services
- The Minister of Health and Long Term Care
What is Personal Health Information under PHIPA?
Personal health information includes identifying information about you in an oral or recorded form, if the information relates to your physical or mental health.
- Family health history
- Details of visits to your family doctor or to your specialist:
- Your lifestyle habits
- The medications you are prescribed
- Your Ontario health card number
- Test results
- Your genetic information
What Does PHIPA Require Health Information Custodians to Do in Collection, Use and Disclosure of Your Personal Health Information?
PHIPA generally requires your consent to be obtained before your health information can be collected, used or disclosed.
However, disclosure of certain information is permitted in emergency or other urgent circumstances without your consent:
- Where it is in the public interest and the information reveals a serious risk to the public in respect of an environmental, health or safety hazard
- Where there are compelling circumstances affecting the health and safety of an individual or group
- Where there is a legal duty to disclose to a public authority
- Compassionate circumstances – i.e., when a spouse, close relative or friend is informed about an individual who is injured, ill or deceased
- Disclosure is reasonably necessary to provide health care to you
PHIPA also requires custodians to keep personal health information securely stored, including electronic health records.
PHIPA also requires custodians to notify you if your personal health information is stolen, lost or accessed by an unauthorized person.
How Do You Access Your Own Personal Health Information?
You have the right to access your personal health information and to require its correction when it is inaccurate or incomplete. You can make an access request in writing to the relevant health information custodian. Generally, subject to the custodian requesting an exemption, you will get a reply in 30 days. However, if you urgently need the information, you can request faster access. Custodians may charge a reasonable fee to cover costs.
If you are denied access, the custodian must explain why – there are certain exceptions to your right of access. Custodians are required to correct an incomplete or inaccurate record but they do not have to change professional opinions or records created by others. Correction requests must also be in writing, and if denied, the custodian must explain why.
What Do You Do if You Are Concerned about Disclosure of Your Personal Health Information?
If you are worried that a health information custodian has not complied with PHIPA, or if you are denied access to your personal health information or a correction you want to make and you are unsatisfied with the reasons why, you can file a complaint with the Office of the Information and Privacy Commissioner.