Reports and Publications
OPC Guidance Documents
A Guide for Individuals
Your Guide to PIPEDA
The Personal Information Protection and Electronic Documents Act
When you do business with a company, you do more than simply exchange money for a product or service: Unless you pay in cash, you also leave behind a trail of personal information about yourself. Your name, address, credit card number and spending habits are all information of great value to somebody, whether that’s a legitimate marketer or an identity thief.
Without question, many organizations need to collect personal information about you for their legitimate business purposes.
Your personal information includes your...
- name, race, ethnic origin, religion, marital status, educational level
- e-mail address and messages, IP (Internet protocol) address
- age, height, weight, medical records, blood type, DNA code, fingerprints, voiceprint
- income, purchases, spending habits, banking information, credit/debit card data, loan or credit reports, tax returns
- Social Insurance Number (SIN) or other identification numbers.
However, there are rules to ensure that they advise you about their intent to collect and use your personal information, and obtain your consent. They must also manage your information in a way that safeguards your privacy and lessens the chances that your personal information will fall into the wrong hands.
Those rules are set out in the Personal Information Protection and Electronic Documents Act, usually referred to as PIPEDA.
In this technological era, it is hard for ordinary people to know when they are being monitored and their personal information recorded, shared or sold.
PIPEDA is designed to help you find out, and thus to maintain a measure of control over your personal information.
After all, control over your personal information is key to preserving your privacy, an important right that is tied to personal autonomy, freedom of thought and speech, and liberty of movement and assembly.
The Office of the Privacy Commissioner of Canada has prepared this overview of PIPEDA, and how it can help protect your privacy.
Your Rights under PIPEDA
PIPEDA requires private-sector organizations to collect, use or disclose your personal information by fair and lawful means, with your consent, and only for purposes that are stated and reasonable.
They’re also obliged to protect your personal information through appropriate security measures, and to destroy it when it’s no longer needed for the original purposes.
You have the right to expect the personal information the organization holds about you to be accurate, complete and up-to-date. That means you have a right to see it, and to ask for corrections if they got it wrong.
If you think an organization covered by PIPEDA is not living up to its obligations, you should try to address your concerns directly with the organization. If that doesn’t work, you have the option of lodging a complaint with the Privacy Commissioner.
Where PIPEDA applies
Some fine print
Police who show they need personal information for an investigation or during an emergency may not be required under PIPEDA to obtain consent to collect it.
PIPEDA also exempts organizations that collect, use or disclose personal information solely for journalistic, artistic or literary purposes. There are also exceptions for the private use of personal information, such as for genealogical research.
PIPEDA applies to the personal information collected, used or disclosed by organizations engaged in commercial activities, from banks and retail outlets to airlines, communications companies and law firms. It applies equally to small and big businesses, whether they operate out of an actual building or only online.
The law, which has been fully in force since 2004, applies to private enterprises across Canada.
There are exceptions: Many private enterprises operating within British Columbia, Alberta and Quebec are covered not by PIPEDA but by similar provincial statutes.
But, even in those provinces, PIPEDA applies to organizations under federal jurisdiction, such as companies involved in banking, transportation, broadcasting or telecommunications. For those businesses, PIPEDA also applies to the personal information of employees.
Another law, called the Privacy Act, protects the privacy of your dealings with federal government departments, agencies and Crown corporations.
Exercising your Rights under PIPEDA
Good to know...
An enterprise may only collect personal information that is essential to the business transaction. If further information is requested, you are entitled to ask why, and to decline to provide it if you are dissatisfied with the answer. You should still be able to complete the transaction, even if you refuse to give out more personal information than is warranted.
1. Seeing your personal information
If you want to see the information that an organization holds about you, write to it directly with your request. Provide dates, account numbers and any other details that would help the organization track down the information you want.
Ordinarily, the organization must give you the information within a reasonable time and at minimal or no cost. There are, however, exceptions, such as if disclosure would threaten somebody else’s life or security.
2. Correcting the record
If you find errors or omissions in the records that an organization keeps about you, write to it and explain the corrections you are seeking. Supply copies of any documents that support your request.
If the organization refuses to correct its records, you may require it to attach a statement of your disagreement to the file. This statement must be passed on to any other organization that has access to the information.
3. Considering a complaint
You are entitled to file a complaint if you believe a business is violating any provision of PIPEDA.
For example, you might complain if you run into trouble obtaining your personal information, if an organization refuses to correct information you consider inaccurate or incomplete, or if you suspect your personal information has been improperly collected, used or disclosed.
It’s important to try to settle the dispute yourself first. Under PIPEDA, organizations must have on staff a person who is responsible for privacy issues, and this is where you could begin.
You may also want to contact the organization's industry association, ombudsman or complaints office, if there is one. For example, the Canadian Marketing Association and the Ombudsman for Banking Services and Investments handle customer complaints about their member companies.
If you aren’t satisfied with the outcome, you have the option of filing a complaint with the Office of the Privacy Commissioner of Canada.
4. Filing a complaint
The Privacy Commissioner is an independent ombudsman who tries to resolve disputes through negotiation, mediation and conciliation.
To file a complaint to the Privacy Commissioner, please download, fill out and mail the complaint form available on our website, www.priv.gc.ca. Complaints sent by e-mail are not accepted as security cannot be ensured.
On the website, you will also find some guidelines to help you with your complaint. You don’t need to hire special advisers and there is no fee to make a complaint.
The Commissioner has the power to investigate and try to resolve your complaint. The Commissioner may also ask the organization to release your personal information to you or to correct inaccuracies. A business may also be urged to change its personal information-handling practices.
At the end of the investigation, the Commissioner will report findings to you and the organization with which you had the dispute.
Without disclosing your identity, the Commissioner may also publish a summary of your case, in order to share its lessons with others.
5. Going to court
If the Privacy Commissioner's report still has not addressed your concerns, you may, under certain circumstances, take your complaint to the Federal Court of Canada.
In cases where the Privacy Commissioner supports your position but has been unable to resolve the dispute, the Commissioner may also choose to take your complaint to court on your behalf.
The court can order an organization to correct practices that do not comply with the law, and to publish notices of the changes it expects to make. It can also award you compensation for damages you suffered, such as humiliation.
For more information, please contact:
The Office of the Privacy Commissioner of Canada
30 Victoria Street
Phone: (819) 994-5444
Fax: (819) 994-5424
TTY: (819) 994-6591
Follow us on Twitter: @privacyPrivee
Cat. No. IP54-23/2009
Updated: April 2009