Fact Sheets

Privacy Legislation in Canada

Note: This Fact Sheet is not intended to provide legal advice; it is only intended to provide general information about privacy legislation in Canada.

A basic overview of privacy legislation in Canada

There are a number of laws in Canada that relate to privacy rights, and there are various government organizations and agencies responsible for overseeing compliance with these laws.

The key factors that determine what laws apply and who oversees them include:

  • The nature of the organization responsible for the personal information
    • Is the organization a federal government institution subject to the Privacy Act?
    • Is it a provincial or territorial government institution? 
    • Is it a private-sector organization?
    • Is it engaged in commercial activities?
    • Is it a federal work, undertaking or business (FWUB)?
  • The location of the organization (where is it based?)
  • The type of information (is it personal information, and if so, what type of personal information is it. i.e., is it health information?) 

The following provides an overview of privacy laws in Canada and the issues to which they may apply.

Federal privacy laws

Canada has two federal privacy laws, the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal private-sector privacy law.

The Privacy Act

The Privacy Act relates to an individual’s right to access and correct personal information the Government of Canada holds about them or the Government’s collection, use and disclosure of their personal information in the course of providing services (e.g., old age pensions or employment insurance).

The Privacy Act only applies to federal government institutions listed in the Privacy Act Schedule of Institutions. It applies to all of the personal information that the federal government collects, uses and discloses—be it about individuals or federal employees.

It should be noted that the Privacy Act does not apply to political parties and political representatives.

The Office of the Privacy Commissioner of Canada oversees compliance with the Privacy Act.

The Personal Information Protection and Electronic Documents Act

PIPEDA sets out the ground rules for how private-sector organizations collect, use or disclose personal information in the course of commercial activities across Canada. It also applies to personal information of employees of federally-regulated works, undertakings, or businesses (organizations that are federally-regulated, such as banks, airlines, and telecommunications companies).

It should be noted that PIPEDA does not apply to organizations that are not engaged in commercial activity. As such, it does not generally apply to not-for-profit and charity groups, associations or political parties, for example—unless the organization is conducting a commercial activity (fundraising is not considered a commercial activity).

In addition, PIPEDA will not apply to an organization that operates wholly within a province that has legislation that has been deemed substantially similar to the PIPEDA, unless the personal information crosses provincial or national borders.  Alberta, British Columbia and Quebec have general private-sector legislation that has been deemed substantially similar. (see following section titled “Provincial privacy laws” for more information)

Therefore, PIPEDA generally applies to:

  • Private-sector organizations carrying on business in Canada in the provinces or territories of Manitoba, New Brunswick, Newfoundland and Labrador, Northwest Territories, Nova Scotia, Nunavut, Ontario, Prince Edward Island, Saskatchewan, or Yukon but not their handling of employee information.
  • Private-sector organizations carrying on business in Canada when the personal information they collect, use or disclose crosses provincial or national borders but not their handling of  employee information.
  • Federally-regulated organizations carrying on commercial activity in Canada, such as a bank, airline, telephone or broadcasting company, etc., including their handling of health information and employee information.

The Office of the Privacy Commissioner of Canada oversees compliance with PIPEDA.

Provincial privacy laws

Every province and territory has its own public-sector legislation and the relevant provincial act will apply to provincial government agencies, not the Privacy Act.

For the private-sector, some provinces have privacy legislation that has been deemed “substantially similar” to PIPEDA, which means that it is applied instead of PIPEDA in some cases.  Alberta, British Columbia and Québec all have private-sector legislation which has been declared to be “substantially similar” and will apply to private-sector businesses that collect, use and disclose personal information while carrying on business within those provinces.

Ontario, New Brunswick, and Newfoundland and Labrador have privacy legislation, which applies to health information that has been declared substantially similar to PIPEDA with respect to health information custodians. 

While other provinces and territories have also passed their own health privacy laws, these have not been declared substantially similar to PIPEDA. Therefore in some cases PIPEDA may still apply.

In addition, some provinces have passed privacy laws that apply to employee information. Examples include

Each province and territory in Canada has a commissioner or ombudsman responsible for overseeing provincial and territorial privacy legislation, and these are listed on our website.

Sector-specific privacy laws

Several federal and provincial sector-specific laws include provisions dealing with the protection of personal information.

The federal Bank Act, for example, contains provisions regulating the use and disclosure of personal financial information by federally regulated financial institutions.

Most provinces have legislation dealing with consumer credit reporting. These acts typically impose an obligation on credit reporting agencies to ensure the accuracy of the information, place limits on the disclosure of the information and give consumers the right to have access to, and challenge the accuracy of, the information.

Provincial laws governing credit unions typically have provisions dealing with the confidentiality of information relating to members' transactions.

There is also a large number of provincial acts that contain confidentiality provisions concerning personal information collected by professionals.

It should be noted that the presence of other legislation that has privacy-related provisions does not necessarily mean that PIPEDA does not apply.

For more information about privacy legislation in Canada and what organization may be best suited to help you if you have a privacy issue, see our infographic: Privacy Protection in Canada.

Updated in May 2014