Reports and Publications
OPC Guidance Documents
A Guide for Individuals
Protecting Your Privacy
An Overview of the Office of the Privacy Commissioner of Canada and Federal Privacy Legislation
With technology now affecting every aspect of modern life, there has never been a more important time to think about your privacy, and to safeguard it against a broadening range of threats.
For more than three decades, the Office of the Privacy Commissioner of Canada has been doing just that. Our job is to see that the Government of Canada and many of the private-sector organizations that collect your personal information do so with care and respect for your privacy.
Governments and companies compile a huge array of personal information about you. For example, some is gathered when you fill out your tax return or apply for a government benefit. Some is collected when you use your credit card or visit websites. And some is picked up by surveillance cameras, radio-frequency identification chips embedded in products and ID cards, and cell phone tracking devices.
But, in general, your personal information should only be collected, used and disclosed with your knowledge, and often your consent, for legitimate purposes. It must also be stored, shared and disposed of in a way that keeps it secure and confidential.
As far back as 1984, the first annual report of the Office of the Privacy Commissioner of Canada underscored the importance of safeguarding personal information.
“Privacy,” the report observed, “is not simply a precious and often irreplaceable human resource; respect for privacy is the acknowledgement of respect for human dignity and of the individuality of man.”
This guide offers individuals an overview of the role of our Office and Canada’s two federal privacy laws: the Privacy Act, which applies to the federal public sector, and the Personal Information Protection and Electronic Documents Act (PIPEDA).
About the Office of the Privacy Commissioner of Canada
The Office of the Privacy Commissioner of Canada was established in 1983 following the passage of the Privacy Act, which governs the personal information-handling practices of federal departments and agencies.
Beginning in 2001, the duties of our Office were extended to the private sector under the Personal Information Protection and Electronic Documents Act (PIPEDA). The legislation came into force in stages between 2001 and 2004.
The Privacy Commissioner of Canada, who is independent of government, reports directly to Parliament.
As a public advocate for the privacy rights of Canadians, the Commissioner carries out the following activities:
- Investigating complaints and issuing reports with recommendations to federal government institutions and private sector organizations to remedy situations, as appropriate;
- Pursuing legal action before Federal Courts where matters remain unresolved;
- Assessing compliance with obligations contained in the Privacy Act and PIPEDA through the conduct of independent audit and review activities, and publicly report on findings;
- Advising on, and review, privacy impact assessments of new and existing government initiatives;
- Providing legal and policy analyses and expertise to help guide Parliament’s review of evolving legislation to ensure respect for individuals’ right to privacy;
- Responding to inquiries of Parliamentarians, individual Canadians and organizations seeking information and guidance and taking proactive steps to inform them of emerging privacy issues;
- Promoting public awareness and compliance, and fostering understanding of privacy rights and obligations through: proactive engagement with federal government institutions, industry associations, legal community, academia, professional associations, and other stakeholders; preparation and dissemination of public education materials, positions on evolving legislation, regulations and policies, guidance documents and research findings for use by the general public, federal government institutions and private sector organizations;
- Providing legal opinions and litigate court cases to advance the interpretation and application of federal privacy laws;
- Monitoring trends in privacy practices, identify systemic privacy issues that need to be addressed by federal government institutions and private sector organizations and promoting integration of best practices; and
- Working with privacy stakeholders from other jurisdictions in Canada and on the international scene to address global privacy issues that result from ever-increasing trans-border data flows.
We’re here to help
Our Office encourages people with a privacy concern to offer the organization the opportunity to address the issue before filing a complaint with us.
The Privacy Commissioner is an ombudsman who tries to resolve disputes through negotiation, mediation and conciliation.
The Commissioner may launch an investigation into the personal information-handling practices of organizations in the public and private sectors. The investigation could lead the Commissioner to recommend changes in an organization’s practices.
In a typical year, our Office responds to approximately 10,000 requests from Canadians for information about privacy and investigates more than 1,400 complaints under the Privacy Act and the Personal Information Protection and Electronic Documents Act.
Overview of privacy protections in the federal government
Governments need information about their citizens in order to deliver programs and set public policies in vital areas such as health, transportation, public safety and national security.
At the same time, Canadians need to know that their personal information is being collected, used and disclosed only according to strict rules that preserve their right to privacy.
Without privacy, other fundamental rights — to speak, to assemble and to be free from unreasonable search and seizure — lack true meaning.
The Privacy Act, which came into force in 1983, requires appropriate safeguards for the personal information that is gathered by the federal government.
In the intervening decades, several trends have emerged to make the need for such a law ever more acute.
In particular, the Internet, global positioning systems (GPS), wireless communications technologies, radio frequency identification (RFID) tags and miniaturized surveillance equipment have revolutionized the ways we create, store and share data on individuals.
And there are ever-growing amounts of personal information are being compiled, as governments address such modern-day concerns as threats to public safety and national security.
Where the Privacy Act Applies
The Privacy Act applies to the federal public sector, which includes about 250 departments, agencies and Crown corporations, ranging from Agriculture and Agri–Food Canada to the Yukon Surface Rights Board.
All provinces and territories have similar laws governing their own public sectors.
In passing the Privacy Act and appointing a Privacy Commissioner, Parliament asserted Canadians’ right to privacy. It concluded that, while government needs to collect and use the personal information of Canadians, it must do so in a way that does not unduly interfere with people’s privacy.
The Privacy Act thus sets out the privacy rights of Canadians in their interactions with the federal government.
It obliges government institutions to respect the privacy of individuals by controlling the collection, use, disclosure, retention and disposal of recorded personal information.
Your Right to Privacy
The Canadian Charter of Rights and Freedoms does not specifically mention privacy or the protection of personal information. However, it does afford protection under Section 7 (the right to life, liberty and the security of the person), and Section 8 (the right to be secure against unreasonable search or seizure).
The Supreme Court of Canada has stated that the Privacy Act has “quasi-constitutional status”, and that the values and rights set out in the Act are closely linked to those set out in the Constitution as being necessary to a free and democratic society.
In particular it states that:
- The government can only collect personal information that relates directly to one of its operating programs or activities;
- Wherever possible, the information should be collected directly from the person it is about and the individual should be informed about the purpose of the collection;
- The government should take all reasonable steps to ensure that the information it collects is accurate, up-to-date and complete;
- The government may only use the personal information for the purposes that it collected it, or for a use consistent with that purpose (unless the individual consents to other uses), and
- Personal information may be disclosed by a government institution without an individual’s consent where permitted under the Act. For example, it can be disclosed for the purpose of complying with warrants or court orders; where the disclosure is authorized in federal legislation; where disclosure would clearly benefit the individual, or where the public interest in disclosure outweighs the invasion of privacy.
The Privacy Act offers protections for personal information, which it defines as any recorded information “about an identifiable individual.”
It can include your race or colour; national or ethnic origin; religion; age; marital status; blood type; fingerprints; medical, criminal or employment history; information on financial transactions; home address; and your Social Insurance Number (SIN), driver’s licence or any other identifying number assigned to you.
Access to Your Personal Information
Under the Privacy Act, you also have the right to see the information that the government holds about you, and to request corrections to that information.
To do that, you should contact the Privacy Coordinator in the relevant government department or agency. To find out who that person is, refer to Info Source, which is a public directory of every department and agency of the federal government. It is available on the Info Source website.
Once you have located the correct contact, complete a Personal Information Request Form, which is available online. Being as precise as possible in your request will help speed up the process.
The Personal Information Request Form should be sent directly to the Privacy Coordinator in the relevant department or agency.
There is no charge to request access to your personal records. Ordinarily, the government has 30 days to respond to your request, although this deadline may be extended under certain circumstances, such as when large quantities of documents are involved or if your documents require translation or conversion into a different format.
Once you have received and reviewed the information, you can reassure yourself that it is accurate and complete. If it is not, you may ask the department or agency to make the necessary corrections, additions or deletions.
Note: Requests for access to information held by the federal government that is not personal information should be made under the Access to Information Act, which is enforced by the Office of the Information Commissioner of Canada.
Information on federal departments and agencies can be found in Info Source.
Complaints to the Privacy Commissioner
We encourage you to try first to work out any disputes about your personal records directly with the department or agency where they are held. You should try to resolve the matter with the help of the Privacy Coordinator in the relevant government department or agency.
A list of Access to Information and Privacy (ATIP) Coordinators can be found on the Web.
You may also call our Office, toll-free at 1-800-282-1376, and one of our Information Officers can answer questions about our complaints process.
You can file a complaint if, for example:
- You feel your personal information has been wrongfully collected, used or disclosed;
- You were refused access to your personal information, or
- You feel there was an unreasonable delay in getting access to your information.
Please visit our web site for forms and other information that can help you through the complaints process.
There are a few options available for filing a complaint with us. You can fill out our online complaint form and file it electronically, or you can download and fill out a complaint form and then mail it to us. Complaints must be made in writing.
As part of an investigation, the Commissioner may recommend that the department or agency take specified steps to resolve an issue. The Commissioner reports back to you on the results of the investigation.
Privacy Impact Assessments
Another important way that the personal information in the hands of the federal government is protected is through Privacy Impact Assessments, or PIAs.
PIAs, which are required under federal policy, are a type of risk-assessment exercise that helps reassure Canadians that privacy issues are thoroughly taken into account during the design or redesign of federal programs or services.
They also help to avoid or mitigate the risk that the privacy of Canadians could be compromised when a program is developed or substantially changed.
Institutions must submit their PIAs to the Privacy Commissioner of Canada, who may advise institutions on ways to address potential privacy risks.
Institutions have to publish summaries of their PIA results so that Canadians can see how privacy issues have been addressed in the design of a program or service.
Overview of Canada’s federal private sector privacy law
When you do business with a company, you do more than simply exchange money for a product or service: Unless you pay in cash, you also leave behind a trail of personal information about yourself. Your name, address, credit card number and spending habits are all information of great value to somebody, whether that’s a legitimate marketer or an identity thief.
Many organizations need to collect personal information about you for legitimate business purposes.
But personal information has become an increasingly hot commodity for many private sector organizations that use it in order to try to sell us more of their services and products.
The Personal Information Protection and Electronic Documents Act (PIPEDA), sets the ground rules for handling of personal information in course of commercial activities. It applies equally to small and big businesses, whether they operate out of an actual building or only online.
Where PIPEDA Applies
PIPEDA applies to private enterprises across Canada, except in provinces that have adopted substantially similar privacy legislation, namely Québec, British Columbia, and Alberta.
Ontario, New Brunswick and Newfoundland and Labrador fall into this category with respect to personal health information held by health information custodians under health sector privacy laws in those provinces.
However, even in those provinces with substantially similar legislation, and elsewhere in Canada, PIPEDA continues to apply to personal information collected, used or disclosed by all federally regulated organizations such as radio and television stations, airports and airlines, railways and telecommunication companies.
PIPEDA also applies to all personal data that flows across provincial or national borders, in the course of commercial transactions involving organizations subject to the Act or to substantially similar legislation.
PIPEDA has limited application in the employment context. In terms of employee information, PIPEDA only applies to federally regulated organizations.
Your rights under PIPEDA
PIPEDA requires private-sector organizations to collect, use or disclose your personal information by fair and lawful means, with your consent, and only for purposes that are stated and reasonable.
An enterprise may only collect personal information that is essential to the business transaction. If further information is requested, you are entitled to ask why, and to decline to provide it if you are dissatisfied with the answer. You should still be able to complete the transaction, even if you refuse to give out more personal information than is warranted.
Organizations are also obliged to protect your personal information through appropriate security measures, and to destroy it when it’s no longer needed for the original purposes.
You have the right to expect the personal information the organization holds about you to be accurate, complete and up-to-date. That means you have a right to see it, and to ask for corrections if they got it wrong.
Some fine print
Police who show they need personal information for an investigation or during an emergency may not be required under PIPEDA to obtain consent to collect it.
PIPEDA does not apply to an employee’s name, title, business address or telephone number.
PIPEDA also exempts organizations that collect, use or disclose personal information solely for journalistic, artistic or literary purposes
It is also important to note that PIPEDA applies to commercial activities, therefore, an individual’s collection, use or disclosure of personal information strictly for personal purposes are not covered by the law.
Tips for exercising your rights under PIPEDA
Seeing your personal information
If you want to see the information that an organization holds about you, write to it directly with your request. Provide dates, account numbers and any other details that would help the organization track down the information you want. Ordinarily, the organization must give you the information within a reasonable time and at minimal or no cost. There are, however, exceptions, such as if disclosure would threaten somebody else’s life or security.
Correcting the record
If you find errors or omissions in the records that an organization keeps about you, write to it and explain the corrections you are seeking. Supply copies of any documents that support your request. If the organization refuses to correct its records, you may require it to attach a statement of your disagreement to the file. This statement must be passed on to any other organization that has access to the information.
Fair Information Principles
PIPEDA sets out 10 principles of fair information practices, which set up the basic privacy obligations under the law. They are:
- Accountability - Organizations should appoint someone to be responsible for privacy issues. They should make information about their privacy policies and procedures to available to customers.
- Identifying purposes - Organization must identify the reasons for collecting your personal information before or at the time of collection.
- Consent - Organizations should clearly inform you of the purposes for the collection, use or disclosure of personal information.
- Limiting collection - Organizations should limit the amount and type of the information gathered to what is necessary.
- Limiting use, disclosure and retention - In general, organizations should use or disclose your personal information only for the purpose for which it was collected, unless you consent. They should keep your personal information only as long as necessary.
- Accuracy - Organizations should keep your personal information as accurate, complete and up to date as necessary.
- Safeguards - Organizations need to protect your personal information against loss or theft by using appropriate security safeguards.
- Openness - An organization’s privacy policies and practices must be understandable and easily available.
- Individual access - Generally speaking, you have a right to access the personal information that an organization holds about you.
- Recourse (Challenging compliance) - Organizations must develop simple and easily accessible complaint procedures. When you contact an organization about a privacy concern, you should be informed about avenues of recourse.
For more detailed information about the Fair Information Principles, please see our guide for businesses, Your Privacy Responsibilities, which is available on our website.
Under PIPEDA, personal information includes your:
- name, race, ethnic origin, religion, marital status, educational level
- e-mail address and messages, IP (Internet protocol) address
- age, height, weight, medical records, blood type, DNA code, fingerprints, voiceprint
- income, purchases, spending habits, banking information, credit/debit card data, loan or credit reports, tax returns
- Social Insurance Number (SIN) or other identification numbers.
Complaints to the Privacy Commissioner
If you think an organization covered by PIPEDA is not living up to its obligations, it is important to try to address your concerns directly with the organization.
Issues can often be resolved very quickly by speaking with the right person.
You should try to resolve the matter with the help of the person responsible for privacy within the organization. In larger companies, this individual is often called the privacy officer.
You may also contact the organization's industry association, ombudsman or complaints office, if there is one. For example, the Ombudsman for Banking Services and Investments handles customer complaints about member companies.
If you aren’t satisfied with the outcome, you have the option of filing a complaint with our Office. Our website includes a guide on how to file a complaint as well as an online complaint form or form that can be downloaded and mailed to us. You don’t need to hire special advisers and there is no fee to make a complaint.
The Commissioner has the power to investigate and try to resolve your complaint. The Commissioner may also ask the organization to release your personal information to you or to correct inaccuracies. A business may also be asked to change its personal information-handling practices to comply with PIPEDA.
At the end of the investigation, the Commissioner will report findings to you and the organization. Without disclosing your identity, the Commissioner may publish a summary of your case, in order to share its lessons with others.
The Commissioner is not empowered to impose fines or award damages for contraventions of PIPEDA.
If the Privacy Commissioner's report still has not addressed your concerns, you may, under certain circumstances, take your complaint to the Federal Court of Canada. In cases where the Commissioner supports your position but has been unable to resolve the dispute, the Commissioner may also choose to take your complaint to court on your behalf.
The court can order an organization to correct practices that do not comply with the law, and to publish notices of the changes it expects to make. It can also award you compensation for damages you suffered, such as humiliation.
Learn more about your privacy rights
What can you do?
By understanding the value of personal privacy, you can do a lot to defend it. For example, you can be careful about sharing personal information or letting it circulate freely.
When you are asked to provide personal information, ensure you understand how it will be used, why it is needed, who will be sharing it and how it will be safeguarded. Read privacy policies and ask questions.
Don’t share your personal information if you are not comfortable with the answers and give out no more than the minimum required.
Our Office has also developed a number of online resources to help individuals to become more informed about how to protect their personal information.
Please visit our website at www.priv.gc.ca.
Follow us on Twitter: @privacyPrivee
If you have a question or concern about privacy or are worried that your privacy has been or could be breached, you can call us.
Our Information Centre is open weekdays from 8:30 a.m. to 4:30 p.m. ET.
Phone: (819) 994-5444
Fax: (819) 994-5424
TTY: (819) 994-6591
Office of the Privacy Commissioner of Canada
30 Victoria Street
Cat. No. IP54-57/2014E
Updated March 2014