On January 1, 2004, the law was extended to every organization that collects, uses or discloses personal information in the course of a commercial activity within a province, whether or not the organization is a federally-regulated business.
The federal government has the right to exempt organizations and/or activities in provinces that have adopted privacy legislation that is substantially similar to the federal law.
The following private sector privacy laws exist within the provinces:
- The Quebec Act Respecting the Protection of Personal Information in the Private Sector (Industry Canada has already announced that this law is substantially similar to PIPEDA);
- The Alberta Health Information Act;
- The Saskatchewan Health Information Protection Act;
- The Manitoba Personal Health Information Act.
B.C. and Alberta intend to introduce their own broad private sector privacy legislation in response to PIPEDA.
The Personal Information Protection and Electronic Documents Act (PIPEDA), a Federal Act, came into force on January 1, 2001.
PIPEDA is based on 10 principles for the protection of personal information, summarized as follows:
Principle 1 - Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the principles.
Principle 2 - Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
Principle 3 - Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information.
Principle 4 - Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
Principle 5 - Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Principle 6 - Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
Principle 7 - Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Principle 8 - Openness
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Principle 9 - Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Note: In certain situations, an organization may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement should be limited and specific. The reasons for denying access should be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
Principle 10 - Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.
The law currently applies to federally regulated companies, such as:
- interprovincial transportation and telecommunications.
The law also applies to all organizations that disclose personal information for consideration outside a province or the country.
The federal government and the provinces and territories have access-to-information laws or are in the process of enacting them.
Federal Access to Information Act
The purpose of the Federal Access to Information Act is to extend the present laws of Canada to provide a right of access to information in records under the control of a government institution in accordance with the principles that government information should be available to the public, that necessary exceptions to the right of access should be limited and specific and that decisions on the disclosure of government information should be reviewed independently of government.
Access and Privacy Laws and Commissions Canadian Provinces and Territories
More information can be found at: Access and Privacy Laws and Commissions Canadian Provinces and Territories