Privacy

Note: The information provided on this webpage is of a general nature and does not constitute legal advice. Moreover, it addresses only some issues in privacy law. If you have questions about how privacy law applies in a particular situation, you should consult a lawyer.

Introduction

With the continued growth of the internet and the ever increasing ability of online services to track and 'mine' personal information, the protection of personal information has become a hot topic.

In Canada, data protection in the private sector is governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws in certain provinces. These statutes regulate the collection, use, and disclosure of personal information by private sector organizations. Organizations that operate wholly within Alberta, B.C., or Quebec are governed by the province’s privacy legislation. All other organizations engaged in commercial activities in Canada are subject to PIPEDA.

Public sector organizations are subject to separate privacy legislation. Federally, the Privacy Act governs government collection, use and disclosure of personal information. Each province has its own public sector privacy legislation, usually combined with access to information legislation – e.g., the Ontario Freedom of Information and Protection of Privacy Act. Some provinces (e.g., Alberta, Manitoba, Ontario and Saskatchewan) also have legislation specific to health privacy.

This webpage addresses issues surrounding PIPEDA, privacy in the private sector, and ways to protect your personal privacy while online. Information regarding provincial privacy legislation can be obtained by following the appropriate links under Resources.

For more information on privacy laws, see the Privacy Commissioner of Canada's website. Links to provincial privacy commissioners and relevant legislation are provided under Resources on that site. For information concerning your right to access information held by government organizations as well as private organizations, see CIPPIC's Access to Information User Manual.

F.A.Q.

What information is protected under PIPEDA?

Personal Information Protection and Electronic Documents Act (PIPEDA) is focused on the protection of "Personal Information". The definition of "Personal Information" for the purposes of the Act is broad, covering any "information about an identifiable individual" except the name, title, and business address or office telephone number of an employee of an organization. While not explicitly stated in the legislation, it is likely that business email addresses and facsimile numbers would also fall outside the definition of "personal information".

Anonymous data (i.e. information not associated with an individual) does not constitute 'personal information' and is therefore not subject to the restrictions in the Act.

To whom does PIPEDA apply?

PIPEDA, or substantial similar provincial legislation, applies to every business, organization, and individual that engages in the collection, use or disclosure of personal information in the course of a commercial activity. "Commercial activity" includes the selling, bartering or leasing of donor, membership or other fundraising lists.

The Act does not apply to information collected for personal purposes, such as recording the telephone numbers and addresses of friends and family in a personal address book. Nor does it apply to information collected, used, or disclosed for journalistic, artistic, or literary purposes.

What are my rights under PIPEDA?

Under PIPEDA you have the right to:

know why an organization collects, uses or discloses your personal information;
know who in the organization is responsible for protecting your personal information;
refuse or withdraw your consent to the organization's use of your personal information, subject to some exceptions such as law enforcement and medical emergencies;
be supplied with a product or a service even if you refuse consent to the collection, use or disclosure of personal information that is not essential to the transaction;
not have your personal information collected, used, or disclosed for any purpose that a person would consider inappropriate under the circumstances;
expect the personal information an organization holds about you to be accurate, complete and up-to-date;
obtain access to your personal information and ask for corrections if necessary; and,
file a complaint with the Privacy Commissioner about an organization you believe is not respecting your privacy rights.

What does the law require of organizations collecting personal information?

All organizations in Canada are responsible for personal information under their control and are required to:

designate and make identifiable a privacy compliance officer who is responsible to ensure compliance;
have personal information policies that are clear, understandable and readily available;
collect information by fair and lawful means;
make clear the reasons for the collection of personal information;
obtain appropriate consent when collecting, using or disclosing personal information;
collect only that information that is necessary to fulfil the stated reasons for collection;
destroy, erase or make anonymous personal information that it no longer needs in order to fulfil the purpose for which it was collected;
ensure that the information it keeps about people is accurate, complete and up to date for the purposes for which required;
protect personal information through appropriate security measures; and,
comply with the request of individuals as to the existence, use and disclosure of information about them and allow them to challenge the accuracy and completeness of the information and have it amended if necessary.

There are a number of exceptions to the above requirements. For example, organizations need not obtain the consent of an individual to:

collect and use personal information if it is clearly in the individual's interests and consent cannot be obtained in a timely manner;
use personal information in an emergency threatening an individual's life, health, or security;
disclose personal information to collect a debt the individual owes to the organization;
disclose personal information as required by law or by court order; and,
collect, use and disclose personal information that is available in a published directory specified by the regulations.

How do I know what information an organization has about me?

You may ask an organization to disclose any and all personal information about you that it has collected. In most circumstances an organization must provide the information requested within a reasonable time and at minimal or no cost. For more information on your rights to access your personal information held by private sector companies or the government, see CIPPIC's Access to Information Manual.

There are a number of situations where an organization cannot, or can choose not to disclose personal information about you that it has collected. For example, an organization cannot disclose personal information about you that it has collected if it would likely reveal personal information about another individual unless that individual has consented to the disclosure of the information or there exists a life-threatening situation.

Similarly, an organization may choose not to disclose personal information about you that it has collected if to do so would reveal confidential commercial information, violate solicitor-client privilege, or threaten the life or security of a third party. It is important to note however, that an organization cannot choose to withhold information in situations where an individual's life, health or security is in jeopardy.

How can I correct information held about me by an organization?

Personal information is required to be as accurate, complete and up-to-date as is necessary for the purposes for which it is collected. Individuals may write to an organization that they believe has inaccurate information about them and request that the information be corrected. In these situations you may wish to attach supporting documentation to your request.

If the organization refuses to correct your personal information, you may require it to attach a statement of your disagreement to the file. This statement must be passed on to any other organization that is given access to the information.

How can I lodge a complaint against an organization?

The federal Office of the Privacy Commissioner encourages you try to settle the matter directly with the organization by contacting the person responsible for handling privacy issues within the organization.

However, if you are unsatisfied with an organization's response to your privacy concerns, you may lodge a complaint with the federal Office of the Privacy Commissioner by calling 1-800-282-1376. You may also complain to your provincial Privacy Commissioner by following the links below.

Some organizations are subject to PIPEDA, while others are subject to similar provincial legislation that is administered by that province's Privacy Commissioner. If the office you are complaining to does not have jurisdiction over the organization in question, they should refer you to the office that does have jurisdiction.

What is the role of the Privacy Commissioner?

The Privacy Commissioner of Canada acts as an ombudsman who investigates complaints and negotiates solutions between you and the organization. While the Commissioner does not have the authority to order an organization to change their personal information policies or procedures she may make public any information relating to the personal information management practices of an organization.

While they also provide ombudsman-type services, Privacy Commissioners in Quebec, Alberta and B.C. have broader enforcement powers, including the ability to make rulings that are binding on the organization. For more information on the powers of the various provincial Privacy Commissioners, follow the links under "Resources", below.

What remedies exist beyond the Office of the Privacy Commissioner of Canada?

If you are not satisfied with the outcome of the actions taken by the Privacy Commissioner of Canada, it is possible to take the matter to the Federal Court of Canada. The Court has the authority to order an organization to change its personal information collection practices. The Court also has the discretion to order an organization to compensate you for damages (including humiliation) suffered as a result of a violation of PIPEDA.

What level of privacy can I expect online?

Almost nothing you do on the internet is truly private. Every time you access content or services through the internet there is the potential for websites and online services to collect details about your location, your ISP (Internet Service Provider), previous websites you have visited, your interests, and your computer's technical configuration.

Information about a consumer's behaviour and interests is invaluable for marketing purposes. A 1999 study conducted by Georgetown University found that 92.8% of websites collect at least one type of personal identifying information (e.g. name, email address, postal address), and that 56.8% collected at least one type of demographic information (e.g. gender, preferences, postal code). Only 6.6% of the websites analyzed collected no personal information.

Some individuals use online aliases in chat rooms and news groups to protect their identity and privacy, but an online alias is not an absolute barrier against the discovery of an individual's true identity. In short, it is naive to believe that one's online activities usually go unnoticed.

How do online services track and record personal information?

Websites and online services employ a number of techniques to track and collect personal information from users.

A cookie is a text file containing certain information that a website or online service can store on a user's hard disk. Every time you re-visit a website the contents of the cookie are read from your computer. Cookies allow websites and online services to track information such as website traffic, user preferences, and online purchases. In some instances companies have engaged in cross-site profiling which allowed them to collect and analyze information across a number of different websites and create vast databases of user profiles.

A web bug is a graphic on a Web page or in an e-mail message that enables a third party to monitor who is reading the page or message. Web bugs are often invisible because they are typically only 1-by-1 pixels in size. In many cases, Web bugs are placed on Web pages by third parties interested in collecting data about visitors to those pages. A web bug can confirm when a message or web page is viewed and record the IP address of the viewer. Like cookies, web bugs can be used to collect and record user data that can compromise an individual's privacy.

Spyware is software installed on your computer, often without your knowledge, which is designed to track and report you're movements as you surf the web. Spyware can be used to collect more detailed personal information about you and in some cases can be used to capture credit card numbers and other sensitive information. Adware is a similar program that is often combined with other programmes to display or re-route your internet browser to advertisements on the internet.

In addition, users often volunteer personal information such home addresses, phone numbers, and email addresses, to websites or online services when filling out online registration forms. When companies combine information collected surreptitiously with information provided voluntarily, it is possible to create a detailed profile of an individual.

What can I do to protect my privacy while online?

There are various ways to protect your privacy while online. While none of these options are fool-proof, their use may help to preserve your personal information.

Encryption software makes it more difficult for third parties to read your messages and documents. Encryption software works by encoding files so that they become gibberish to anyone but the intended recipient. Encrypted transfers are particularly important when sending sensitive information, such as credit card numbers and other financial information, over the internet.

Some websites use encryption software to ensure information sent by users will be kept confidential. These sites usually indicate that transfers are secure and your internet browser will often display a symbol – usually a small padlock - in the lower right hand corner of the page.

Cookie deflectors make the file where a browser stores its cookies unreadable or do not allow a website to copy a cookie to your hard drive in the first place. Also, most internet browsers can now be configured to restrict cookies from being stored on your computer.

A remailer is a computer service which privatizes your email. Unlike average email servers which log incoming and outgoing traffic and add identifying and traceable information to outgoing mail, anonymous remailers strip emails of any identifiable information. When delivered to the recipient, the email will only reveal that it was sent from an anonymous source (usually the remailer's name and email address).

Anonymous web surfing programmes act as an intermediary between your computer and any websites you visit and prevent the websites recording information about you.

Resources

Legislation Governing Privacy in the Private Sector

Government Resources

Office of the Privacy Commissioner of Canada
Commission D'acces a L'information - Quebec Privacy Commissioner
The Office of the Information and Privacy Commissioner of Alberta
The Office of the Information and Privacy Commissioner for B.C.
The Office of the Information and Privacy Commissioner of Ontario
Consumer Connection: Consumer Connection is published and designed by the Office of Consumer Affairs of Industry Canada and provides information about shopping safely online and the Canadian Code of Practice for Consumer Protection in Electronic Commerce.

Canadian Non-Government Resources

Access to Information User Manual
Canadian Access and Privacy Association: The Canadian Access and Privacy Association is a national non-profit organization whose goals are to promote knowledge and understanding of access and privacy laws and experiences in Canada.
CSA Model Code for the Protection of Privacy: The Canadian Standards Association (CSA) is a not-for-profit organization which works with business, industry, government and consumers in developing standards address such issues as public privacy, safety and health. PIPEDA's privacy provisions are based on the CSA's Model Code for the Protection of Personal Information.
Media Awareness Network: The Media Awareness Network is a Canadian non-profit organization providing a comprehensive collection of materials focusing on media education and internet literacy.
PIPEDA On the Web: A collection of information and links about the PIPEDA, including recent news, links to the legal text of PIPEDA, and court decisions that have considered PIPEDA.
PrivacyInfo.ca: The site features summaries of all of the Canadian Privacy Commissioner's decisions under the Personal Information Protection and Electronic Documents Act (PIPEDA).
Public Interest Advocacy Centre (PIAC): PIAC is a non-profit organization that provides legal and research services on behalf of consumer interests, and, in particular, vulnerable consumer interests, concerning the provision of important public services.

International Resources

Electronic Privacy Information Centre (EPIC): EPIC is a public interest research center in Washington, D.C. established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.
Electronic Frontier Foundation: EFF is a donor-supported organization focusing on civil liberties issues related to technology. EEF publishes a comprehensive archive of digital civil liberties information and is one of the most linked-to websites in the world.
Federal Trade Commission: Privacy Initiatives: The Federal Trade Commission (FTC) enforces federal consumer protection laws in the United States. The FTC's Privacy Initiatives webpage includes educational resources about protecting privacy and information on Spam, the Do-Not-Call Registry, and identity theft.
Global Internet Liberty Campaign.: International coalition of 40 privacy, free speech and human rights groups dedicated to fighting international threats to privacy and free speech on the Internet.
Online Privacy Alliance: The Online Privacy Alliance is a coalition of companies and associations committed to promoting the privacy of individuals online.
Privacy 2000: The Privacy2000 website is home to comprehensive information about the nationally renowned Privacy2000 conference series. The site also provides links to international news on privacy and security issues, and a headline archive that dates back to 2000.
PrivacyExchange.org: PrivacyExchange is an online global resource for consumer privacy and data protection containing a library of privacy laws, practices, publications, websites and other resources concerning consumer privacy and data protection developments worldwide.
Privacy International: Privacy International (PI) is a human rights group formed in 1990 by concerned members of more than forty Human Rights organizations from different countries. Based in London, England, with an office in Washington, D.C., PI acts as a watchdog on surveillance by governments and corporations.
Privacy Rights Clearinghouse: The Privacy Rights Clearinghouse is a nonprofit consumer education, research, and advocacy program. Their website includes fact sheets on numerous privacy issues, including internet privacy, identity theft, telemarketing, junk mail, medical records, and workplace privacy.
WorldLII Searchable Privacy Database: A search engine connected to all of the databases specializing in Privacy and Freedom of Information law available on any of the Legal Information Institutes (LIIs) that are part of WorldLII.

Resources for Small Businesses

Downloadable Privacy Presentation: An Overview of the PIPEDA for Businesses and Organizations: A Powerpoint presentation produced by the Office of the Privacy Commissioner of Canada that provides an overview of PIPEDA for businesses and organizations.
Online E-Security and Privacy Guide: An online guide created by Industry Canada to help businesses and organizations comply with PIPEDA.
Your Privacy Responsibilities: A Guide for Businesses and Organizations: A guide for businesses and organizations to PIPEDA produced by the Office of the Privacy Commissioner of Canada.
Nymity: An organization providing privacy workshops, training, and consultation services to Canadian businesses and organizations. The website also includes an article entitled 10 Steps to Compliance which provides an outline for complying with privacy legislation in Canada.
20 Questions a Small Business Should Ask About Privacy: A resource published by the Canadian Institute of Chartered Accountants and available in pdf format.
Implementing Consent Requirements for Customers: The Information and Privacy Commissioner of Alberta released an advisory under the Personal Information Protection Act on May 31, 2004 regarding customer consent requirements. A PDF version of the advisory is available through the link above.

Other

Privacy.net: Demonstrates and explains the ability of websites to collect and catalog information regarding users.
Weekendpictures.ca aims to increase literacy of the impact of sharing personal information within online networked environments.

This page last updated: June 2, 2007

Canadian Internet Policy and Public Interest Clinic (CIPPIC)

Current page is 2.6.25: Privacy