Privacy Legislation Summary


1. What is personal information?

Personal information means information about an identifiable individual that is recorded in any form. It generally includes:

  • A person’s name, address and telephone number
  • Gender
  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs
  • ID numbers
  • Income
  • Credit, loan records and financial information
  • Trade union membership
  • Blood type
  • Health or medical history

2. When should it be protected?

To ensure protection, the privacy legislation sets out how, when and for what purpose personal information can be:

  • Collected
  • Used
  • Disclosed to third parties
  • Accessible to, and corrected by, the individual concerned
  • Destroyed

3. Public Sector Legislation

The federal Privacy Act of 1983 governs the handling of personal information in the federal public sector. Institutions that must adhere include:

  • Federal government departments and agencies
  • Crown corporations

Section 6(3) of the Act requires government bodies to comply with the applicable regulations and any directives or guidelines issued by the relevant minister as they relate to the disposal of personal information.

There is also separate public-sector privacy legislation at the provincial and territorial level. While generally similar to the Privacy Act, it should be noted that there are important variations between the jurisdictions.

4. Private Sector Legislation

The Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect January 1, 2004.

  • It governs how private-sector organizations may handle personal information during the course of commercial activities
  • It is enforceable on provincially-regulated businesses in provinces other than those with their own “substantially similar” privacy legislation – i.e. British Columbia, Alberta and Quebec
  • It can still apply even if additional sector-specific privacy laws are also in effect

It applies to federally-regulated organizations, across Canada, including:

  • Banks
  • Airlines
  • Telecommunication companies

5. Offences/penalties and risks associated with non-compliance

The Federal Privacy Commissioner is authorized to receive and investigate privacy complaints. The Commissioner can:

  • Publicize its findings
  • Publicly identify a business that is non-compliant
  • Refer complaints to Federal Court for enforcement of its findings

Private-sector organizations that fail to protect the privacy of personal information face significant risks, including:

  • Privacy complaints
  • Industry or regulatory sanctions
  • Damage to their reputation, brand and business relationships

6. Recommended privacy and information management guidelines:

  • A statement of purpose
  • Guidelines on how personal information should be collected, processed and disclosed
  • Categories of documents (hard copy and electronic) and how long they should be kept
  • Protocols for handling and recording an individual’s request to access their file, and any subsequent action
  • Members of staff designated to deal with the document management system
  • Requirements for secure document storage and accessibility
  • Methods of document destruction, including those carried out by third parties
  • How to keep an accurate record of documents destroyed
