The term privacy has many definitions, but for purposes here, privacy will mean the ability to control information about oneself. The ability to maintain our privacy has eroded substantially in the past decades, due to information systems. In Canada, the Privacy Act is the law that sets out your privacy rights in your interactions with the federal government. It applies to how the government collects, uses and discloses your personal information. The Privacy Act protects your personal information that government institutions hold. The Act also gives you the right to access your personal information held by the federal government.
Personal Information (PI)
Information about a person that can be used to uniquely establish that person’s identity is called personally identifiable information, or PI. This is a broad category that includes information such as:
- Social Insurance Number;
- Date of birth;
- Place of birth;
- Mother‘s maiden name;
- Biometric records (fingerprint, face, etc.);
- Medical records;
- Educational records;
- Financial information; and
- Employment information.
The Personal Information Protection and Electronic Documents Act (PIPEDA)
Canadians are increasingly concerned about their privacy. They are choosing to do business with organizations that are sensitive to those concerns and can demonstrate they will carefully handle personal information. Organizations that collect PI are responsible to protect it. The Office of the Privacy Commissioner in Canada outlines guidelines for businesses in obtaining meaningful consent.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal private sector privacy law and it requires individuals to understand the nature, purpose and consequences of what they are consenting to. In order for consent to be considered valid, or meaningful, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner. This means that organizations must provide information about their privacy management practices in a form that is readily accessible to those interested individuals who wish to read it. It outlines the ground rules for how businesses must handle personal information for commercial activities. The Office of the Privacy Commissioner of Canada (OPC) has prepared a guide to help organizations understand and meet their obligations under PIPEDA.
Fair Information Principles
Businesses must follow the ten fair information principles to protect personal information. By following these principles, a business will contribute to building customer trust in their business and in the digital economy. The principles are:
- Identifying purposes
- Limiting collection
- Limiting use, disclosure and retention
- Individual access
- Challenging compliance
People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, it must obtain consent again. Personal information must be protected by appropriate safeguards. .
Personal Information Protection Statutes
In addition to PIPEDA, there are a number of statutes in Canada that apply to the protection of PI (personal information). Many of the provinces have their own laws that may override or expand on federal legislation.
- Provinces of Alberta, British Columbia and Quebec each have legislation that is similar to PIPEDA, which applies to the protection of PI by private sector organizations within these provinces;
- Canadian jurisdiction has legislation governing the protection of PI by government bodies/institutions; and
- Provinces have legislation that applies to the protection of personal health information by certain types of custodians, such as doctors and hospitals. For example, Ontario has the Personal Health Information Protection Act (PHIPA). To learn more check your health privacy rights in Ontario.
What is a Cookie?
Website cookies are small files sent by websites to users’ computers, usually without knowledge or specific consent. Cookies can be used to personalize a website, remember users’ preferences, and retain products in electronic shopping carts. Regulators are concerned about cookies because they can also be used to track online behaviour, activities and interests, and can be accessible by third parties.  Canada’s anti-spam legislation (CASL) is the federal law dealing with cookies, spam, and other electronic threats. It is meant to protect Canadians while ensuring that businesses can continue to compete in the global marketplace.
- Office of the Privacy Commissioner of Canada. (2019, May 31). PIPEDA Fair Information principles. https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/. ↵
- Bennett, C., Gratton, T., & Yao, J. (2020, April 2). Website cookies in Canada: Is consent required?: Insights: DLA piper global law firm. DLA Piper. https://www.dlapiper.com/en/canada/insights/publications/2020/04/website-cookies-in-canada-is-consent-required/. ↵