- Is it a federal government institution?
- Is it a provincial or territorial government institution?
- Is it private sector?
- Is it engaged in commercial activities?
- Is it a federally regulated business?
On this page
- What is personal information?
- Federal privacy laws and what they cover
- The Privacy Act
- The Personal Information Protection and Electronic Documents Act ( PIPEDA )
- What does PIPEDA apply to?
- What does PIPEDA not apply to?
- Health related
- Employment related
What is personal information?
Personal information is data about an “identifiable individual”. It is information that on its own or combined with other pieces of data, can identify you as an individual.
The definition of personal information differs somewhat under PIPEDA or the Privacy Act but generally, it can mean information about your:
- race, national or ethnic origin,
- religion,
- age, marital status,
- medical, education or employment history,
- financial information,
- DNA ,
- identifying numbers such as your social insurance number, or driver’s licence,
- views or opinions about you as an employee.
What is generally not considered personal information can include:
- Information that is not about an individual, because the connection with a person is too weak or far-removed (for example, a postal code on its own which covers a wide area with many homes)
- Information about an organization such as a business.
- Information that has been rendered anonymous, as long as it is not possible to link that data back to an identifiable person
- Certain information about public servants such as their name, position and title
- A person’s business contact information that an organization collects, uses or discloses for the sole purpose of communicating with that person in relation to their employment, business or profession.
- Government information. Occasionally people contact us for access to government information. This is different from personal information. For access to government information, contact the Information Commissioner of Canada.
Federal privacy laws and what they cover
Canada has two federal privacy laws that are enforced by the Office of the Privacy Commissioner of Canada:
- the Privacy Act, which covers how the federal government handles personal information;
- the Personal Information Protection and Electronic Documents Act ( PIPEDA ), which covers how businesses handle personal information.
The Privacy Act
The Privacy Act relates to a person’s right to access and correct personal information that the Government of Canada holds about them. The Act also applies to the Government’s collection, use and disclosure of personal information in the course of providing services such as:
- old age security pensions
- employment insurance
- border security
- federal policing and public safety
- tax collection and refunds.
The Privacy Act only applies to federal government institutions listed in the Privacy Act Schedule of Institutions. It applies to all of the personal information that the federal government collects, uses, and discloses. This includes personal information about federal employees.
The Privacy Act does not apply to political parties and political representatives.
What is personal information under Privacy Act?
The Privacy Act offers protections for personal information, which it defines as any recorded information “about an identifiable individual.”
The Personal Information Protection and Electronic Documents Act ( PIPEDA )
PIPEDA sets the ground rules for how private-sector organizations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada. It also applies to the personal information of employees of federally-regulated businesses such as:
- banks
- airlines
- telecommunications companies.
What does PIPEDA apply to?
PIPEDA generally applies to personal information held by private sector organizations that are not federally-regulated, and conduct business in:
- Manitoba
- New Brunswick
- Newfoundland and Labrador
- Northwest Territories
- Nova Scotia
- Nunavut
- Ontario
- Prince Edward Island
- Saskatchewan
- Yukon.
Federally-regulated organizations that conduct business in Canada are always subject to PIPEDA and must also apply the act to their employees’ personal information.
What does PIPEDA not apply to?
PIPEDA does not apply to organizations that do not engage in commercial, for-profit activities.
Unless they are engaging in commercial activities that are not central to their mandate and involve personal information, PIPEDA does not generally apply to:
- not-for-profit and charity groups
- political parties and associations.
Municipalities, universities, schools, and hospitals are generally covered by provincial laws. PIPEDA may only apply in certain situations. For example, if the organization is engaged in a commercial activity which is outside of its core activity such as, a university selling an alumni list.
Unless the personal information crosses provincial or national borders, PIPEDA does not apply to organizations that operate entirely within:
- Alberta
- British Columbia
- Quebec.
These three provinces have general private-sector laws that have been deemed substantially similar to PIPEDA .
All businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA regardless of which province or territory they are based in.
Federally-regulated businesses operating in Canada are subject to PIPEDA .
Organizations in the Northwest Territories, Yukon and Nunavut are considered federally-regulated and therefore are covered by PIPEDA .
What is personal information under PIPEDA ?
Under PIPEDA , personal information means information about an identifiable individual.
Provincial privacy laws
Every province and territory has its own laws that apply to provincial government agencies and their handling of personal information. Some provinces have private-sector privacy laws that may apply instead of PIPEDA . This means that those laws apply instead of PIPEDA in some cases. These provinces are:
Health related
While other provinces and territories have also passed their own health privacy laws, these have not been declared substantially similar to PIPEDA . In some of those cases, PIPEDA may still apply.
Employment related
Some provinces have passed privacy laws that apply to employee information. Examples include:
Sector-specific privacy laws
Several federal and provincial sector-specific laws include provisions dealing with the protection of personal information.
The federal Bank Act, for example, contains provisions regulating the use and disclosure of personal financial information by federally regulated financial institutions.
Provincial laws governing credit unions typically have provisions dealing with the confidentiality of information relating to members' transactions.
Most provinces have laws dealing with consumer credit reporting. These acts typically impose an obligation on credit reporting agencies to:
- ensure the accuracy of the information
- place limits on the disclosure of the information
- give consumers the right to have access to, and challenge the accuracy of, the information.
There are many provincial laws that contain confidentiality provisions concerning personal information collected by professionals.
The presence of other privacy-related legislation does not always mean that PIPEDA does not apply.
If you have a concern about your privacy, use our tool to find the right organization to contact about your privacy issue.
