Summary of privacy laws in Canada

This page is not intended to provide legal advice; it is only intended to provide general information about privacy legislation in Canada.

Reviewed: January 2018

There are several laws in Canada that relate to privacy rights. Enforcement of these laws is handled by various government organizations and agencies.

Several factors determine which laws apply and who oversees them. Among them:

  • The nature of the organization handling the personal information
    • Is it a federal government institution?
    • Is it a provincial or territorial government institution?
    • Is it private sector?
    • Is it engaged in commercial activities?
    • Is it a federally regulated business?
  • Where is the organization based?
  • What type of information is involved?
  • Does the information cross provincial or national borders?

What is personal information?

Personal information is data about an “identifiable individual”. It is information that, on its own or combined with other pieces of data, can identify you as an individual.

The definition of personal information differs somewhat under PIPEDA or the Privacy Act but, generally, it can mean information about your:

  • race, national or ethnic origin,
  • religion,
  • age, marital status,
  • medical, education or employment history,
  • financial information,
  • DNA,
  • identifying numbers such as your social insurance number, or driver’s licence,
  • views or opinions about you as an employee.

What is generally not considered personal information can include:

  • Information that is not about an individual, because the connection with a person is too weak or far-removed (for example, a postal code on its own which covers a wide area with many homes)
  • Information about an organization such as a business.
  • Information that has been rendered anonymous, as long as it is not possible to link that data back to an identifiable person
  • Certain information about public servants such as their name, position and title
  • A person’s business contact information that an organization collects, uses or discloses for the sole purpose of communicating with that person in relation to their employment, business or profession.
  • Government information. Occasionally people contact us for access to government information. This is different from personal information. For access to government information, contact the Information Commissioner of Canada.

Federal privacy laws and what they cover

Canada has two federal privacy laws that are enforced by the Office of the Privacy Commissioner of Canada:

The Privacy Act

The Privacy Act relates to a person’s right to access and correct personal information that the Government of Canada holds about them. The Act also applies to the Government’s collection, use and disclosure of personal information in the course of providing services such as:

  • old age security pensions
  • employment insurance
  • border security
  • federal policing and public safety
  • tax collection and refunds.

The Privacy Act only applies to federal government institutions listed in the Privacy Act Schedule of Institutions. It applies to all of the personal information that the federal government collects, uses, and discloses. This includes personal information about federal employees.

The Privacy Act does not apply to political parties and political representatives.

What is personal information under the Privacy Act?

The Privacy Act offers protections for personal information, which it defines as any recorded information “about an identifiable individual.”

The Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA sets the ground rules for how private-sector organizations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada. It also applies to the personal information of employees of federally-regulated businesses such as:

  • banks
  • airlines
  • telecommunications companies.

What does PIPEDA apply to?

PIPEDA generally applies to personal information held by private sector organizations that are not federally-regulated and that conduct business in:

  • Manitoba
  • New Brunswick
  • Newfoundland and Labrador
  • Northwest Territories
  • Nova Scotia
  • Nunavut
  • Ontario
  • Prince Edward Island
  • Saskatchewan
  • Yukon.

Federally-regulated organizations that conduct business in Canada are always subject to PIPEDA and must also apply the act to their employees’ personal information.

What does PIPEDA not apply to?

PIPEDA does not apply to organizations that do not engage in commercial, for-profit activities.

Unless they are engaging in commercial activities that are not central to their mandate and involve personal information, PIPEDA does not generally apply to:

Municipalities, universities, schools, and hospitals are generally covered by provincial laws. PIPEDA may only apply in certain situations, for example, if the organization is engaged in a commercial activity that is outside of its core activity, such as a university selling an alumni list.

Unless the personal information crosses provincial or national borders, PIPEDA does not apply to organizations that operate entirely within:

  • Alberta
  • British Columbia
  • Quebec.

These three provinces have general private-sector laws that have been deemed substantially similar to PIPEDA.

All businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA regardless of which province or territory they are based in.

Federally-regulated businesses operating in Canada are subject to PIPEDA.

Organizations in the Northwest Territories, Yukon and Nunavut are considered federally-regulated and therefore are covered by PIPEDA.

What is personal information under PIPEDA?

Under PIPEDA, personal information means information about an identifiable individual.

Provincial privacy laws

Every province and territory has its own laws that apply to provincial government agencies and their handling of personal information. Some provinces have private-sector privacy laws that have been deemed “substantially similar” to PIPEDA. This means that those laws apply instead of PIPEDA in some cases. These provinces are:

Health related

The following provinces have health-related privacy laws that have been declared substantially similar to PIPEDA with respect to health information:

While other provinces and territories have also passed their own health privacy laws, these have not been declared substantially similar to PIPEDA. In some of those cases, PIPEDA may still apply.

Employment related

Some provinces have passed privacy laws that apply to employee information. Examples include:

Sector-specific privacy laws

Several federal and provincial sector-specific laws include provisions dealing with the protection of personal information.

The federal Bank Act, for example, contains provisions regulating the use and disclosure of personal financial information by federally regulated financial institutions.

Provincial laws governing credit unions typically have provisions dealing with the confidentiality of information relating to members' transactions.

Most provinces have laws dealing with consumer credit reporting. These acts typically impose an obligation on credit reporting agencies to:

  • ensure the accuracy of the information
  • place limits on the disclosure of the information
  • give consumers the right to have access to, and challenge the accuracy of, the information.

There are many provincial laws that contain confidentiality provisions concerning personal information collected by professionals.

The presence of other privacy-related legislation does not always mean that PIPEDA does not apply.

If you have a concern about your privacy, use our tool to find the right organization to contact about your privacy issue.
