Privacy FAQ

Privacy

Note: The information provided on this webpage is of a general nature and does not constitute legal advice. Moreover, it addresses only some issues in privacy law. If you have questions about how privacy law applies in a particular situation, you should consult a lawyer.
 

Introduction

With the continued growth of the internet and the ever increasing ability of online services to track and 'mine' personal information, the protection of personal information has become a hot topic.
 
In Canada, data protection in the private sector is governed primarily by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws in certain provinces. These statutes regulate the collection, use, and disclosure of personal information by private sector organizations. Organizations that operate wholly within Alberta, B.C., or Quebec are governed by the province's privacy legislation. All other organizations engaged in commercial activities in Canada are subject to PIPEDA.
 
Public sector organizations are subject to separate privacy legislation. Federally, the Privacy Act governs government collection, use and disclosure of personal information. Each province has its own public sector privacy legislation, usually combined with access to information legislation - e.g., the Ontario Freedom of Information and Protection of Privacy Act. Some provinces (e.g., Alberta, Manitoba, Ontario and Saskatchewan) also have legislation specific to health privacy.
 
This webpage addresses issues surrounding PIPEDA, privacy in the private sector, and ways to protect your personal privacy while online. Information regarding provincial privacy legislation can be obtained by following the appropriate links under Resources.
For more information on privacy laws, see the Privacy Commissioner of Canada's website. Links to provincial privacy commissioners and relevant legislation are provided under Resources on that site. For information concerning your right to access information held by government organizations as well as private organizations, see CIPPIC's Access to Information User Manual.
 

F.A.Q.

Contents

What information is protected under PIPEDA?

Personal Information Protection and Electronic Documents Act (PIPEDA) is focused on the protection of "Personal Information". The definition of "Personal Information" for the purposes of the Act is broad, covering any "information about an identifiable individual" except the name, title, and business address or office telephone number of an employee of an organization. While not explicitly stated in the legislation, it is likely that business email addresses and facsimile numbers would also fall outside the definition of "personal information".
 
Anonymous data (i.e. information not associated with an individual) does not constitute 'personal information' and is therefore not subject to the restrictions in the Act. However, where there is a serious possibility that anonymous information can be linked back deanonymized or linked back to the individual in question, it is classified as 'personal information' and subject to the Act.
 

To whom does PIPEDA apply?

PIPEDA, or substantial similar provincial legislation, applies to every business, organization, and individual that engages in the collection, use or disclosure of personal information in the course of a commercial activity. "Commercial activity" includes the selling, bartering or leasing of donor, membership or other fundraising lists, or any course of conduct that has a 'commercial character'. Information collected by organizations about their employees is not considered to be 'of a commercial character' and is only subject to the Act if the organization is a federal work, undertaking or business. PIPEDA provides some examples of federal works, including: airlines, banks, nuclear facilities, telecommunications companies such as internet service providers, and radio and television broadcasters. For more information see our Workplace Privacy FAQ.
 
The Act does not apply to information collected for personal purposes, such as recording the telephone numbers and addresses of friends and family in a personal address book. Nor does it apply to information collected, used, or disclosed for journalistic, artistic, or literary purposes.
 

What are my rights under PIPEDA?

Under PIPEDA you have the right to:
 
  • know why an organization collects, uses or discloses your personal information;
  • know who in the organization is responsible for protecting your personal information;
  • refuse or withdraw your consent to the organization's use of your personal information, subject to some exceptions such as law enforcement and medical emergencies;
  • be supplied with a product or a service even if you refuse consent to the collection, use or disclosure of personal information that is not necessary for the transaction;
  • not have your personal information collected, used, or disclosed for any purpose that a person would consider inappropriate under the circumstances;
  • expect the personal information an organization holds about you to be accurate, complete and up-to-date;
  • obtain access to your personal information and ask for corrections if necessary; and
  • file a complaint with the Privacy Commissioner about an organization you believe is not respecting your privacy rights.

What does the law require of organizations collecting personal information?

All organizations in Canada are responsible for personal information under their control and are required to:
  • designate and make identifiable a privacy compliance officer who is responsible to ensure compliance;
  • have personal information policies that are clear, understandable and readily available;
  • collect information by fair and lawful means;
  • make clear the reasons for the collection of personal information;
  • employ the proper form of consent when collecting, using or disclosing personal information;
  • collect only that information that is necessary to fulfil the stated reasons for collection;
  • destroy, erase or make anonymous personal information that it no longer needs in order to fulfil the purpose for which it was collected;
  • ensure that the information it keeps about people is accurate, complete and up to date for the purposes for which it is required;
  • protect personal information through appropriate security measures, including technical measrures; and,
  • comply with the request of individuals as to the existence, use and disclosure of information about them and allow them to challenge the accuracy and completeness of the information and have it amended if necessary.
There are a number of exceptions to the above requirements. For example, organizations need not obtain the consent of an individual to:
  • collect and use personal information if it is clearly in the individual's interests and consent cannot be obtained in a timely manner;
  • use personal information in an emergency threatening an individual's life, health, or security;
  • disclose personal information to collect a debt the individual owes to the organization;
  • disclose personal information as required by law or by court order; and
  • collect, use and disclose personal information that is available in a published directory specified by the regulations.

How do I know what information an organization has about me?

You may ask an organization to disclose any and all personal information about you that it has collected. In most circumstances an organization must provide the information requested within a reasonable time and at minimal or no cost. For more information on your rights to access your personal information held by private sector companies or the government, see CIPPIC's Access to Information Manual.
There are a number of situations where an organization cannot, or can choose not to disclose personal information about you that it has collected. For example, an organization cannot disclose personal information about you that it has collected if it would likely reveal personal information about another individual unless that individual has consented to the disclosure of the information or there exists a life-threatening situation.
Similarly, an organization may choose not to disclose personal information about you that it has collected if to do so would reveal confidential commercial information, violate solicitor-client privilege, or threaten the life or security of a third party. It is important to note however, that an organization cannot choose to withhold information in situations where an individual's life, health or security is in jeopardy.
 

How can I correct information held about me by an organization?

Personal information is required to be as accurate, complete and up-to-date as is necessary for the purposes for which it is collected. Individuals may write to an organization that they believe has inaccurate information about them and request that the information be corrected. In these situations you may wish to attach supporting documentation to your request.
 
If the organization refuses to correct your personal information, you may require it to attach a statement of your disagreement to the file. This statement must be passed on to any other organization that is given access to the information.
 

How can I lodge a complaint against an organization?

The federal Office of the Privacy Commissioner encourages you try to settle the matter directly with the organization by contacting the person responsible for handling privacy issues within the organization.
 
However, if you are unsatisfied with an organization's response to your privacy concerns, you may lodge a complaint with the federal Office of the Privacy Commissioner by calling 1-800-282-1376. You may also complain to your provincial Privacy Commissioner by following the links below.
 
Some organizations are subject to PIPEDA, while others are subject to similar provincial legislation that is administered by that province's Privacy Commissioner. If the office you are complaining to does not have jurisdiction over the organization in question, they should refer you to the office that does have jurisdiction.
 

What is the role of the Privacy Commissioner?

The Privacy Commissioner of Canada acts as an ombudsman who investigates complaints and negotiates solutions between you and the organization. While the Commissioner does not have the authority to order an organization to change their personal information policies or procedures she may make public any information relating to the personal information management practices of an organization.
 
While they also provide ombudsman-type services, Privacy Commissioners in Quebec, Alberta and B.C. have broader enforcement powers, including the ability to make rulings that are binding on the organization. For more information on the powers of the various provincial Privacy Commissioners, follow the links under "Resources", below.
 

What remedies exist beyond the Office of the Privacy Commissioner of Canada?

If you are not satisfied with the outcome of the actions taken by the Privacy Commissioner of Canada, it is possible to take the matter to the Federal Court of Canada. The Court has the authority to order an organization to change its personal information collection practices. The Court also has the discretion to order an organization to compensate you for damages (including humiliation) suffered as a result of a violation of PIPEDA.
 

What level of privacy can I expect online?

Almost nothing you do on the internet is truly private. Every time you access content or services through the internet there is the potential for websites and online services to collect details about your location, your ISP (Internet Service Provider), previous websites you have visited, your interests, and your computer's technical configuration.
 
Most websites today collect some personal information about their visitors, and many collect information about users across several, non-related websites through online tracking tools. Research shows a large disconnection between the privacy expectations of individuals surfing the Internet and between the type of tracking that is in fact occurring. One recent study showed that 62% of U.S. participants falsley believed the very fact that a website has a privacy policy prevents it from sharing the information with other companies absent explicit additional consent. While PIPEDA states that information can only be collected, used or disclosed with an individual's consent, many organizations rely on rarely read and often very long privacy policies as a mechanism for gaining that consent.
 
Some individuals use online aliases in chat rooms and news groups to protect their identity and privacy, but an online alias is not an absolute barrier against the discovery of an individual's true identity. In short, it is becoming more challenging for individuals to maintain a level of privacy with respect to their online activities.
 

How do online services track and record personal information?

Websites and online services employ a number of techniques to track and collect personal information from users.
A cookie is a text file containing certain information that a website or online service can store on a user's hard disk. Every time you re-visit a website the contents of the cookie are read from your computer. Cookies allow websites and online services to track information such as website traffic, user preferences, and online purchases. In many instances companies have engaged in cross-site profiling which allows them to track different websites and webpages individuals have visited and analyze this and other information in order create user profiles.
 
A web bug is a graphic on a Web page or in an e-mail message that enables a third party to monitor who is reading the page or message. Web bugs are often invisible because they are typically only 1-by-1 pixels in size. In many cases, Web bugs are placed on Web pages by third parties interested in collecting data about visitors to those pages. A web bug can confirm when a message or web page is viewed and record the IP address of the viewer. Like cookies, web bugs can be used to collect and record user data that can compromise an individual's privacy.
 
Spyware is software installed on your computer, often without your knowledge, which is designed to track and report you're movements as you surf the web. Spyware can be used to collect more detailed personal information about you and in some cases can be used to capture credit card numbers and other sensitive information. Adware is a similar program that is often combined with other programmes to display or re-route your internet browser to advertisements on the internet.
 
In addition, users often volunteer personal information such home addresses, phone numbers, and email addresses, to websites or online services when filling out online registration forms. When companies combine information collected surreptitiously with information provided voluntarily, it is possible to create a detailed profile of an individual.
 
Companies compile these disparate information sources into sophisticated user profiles. These profiles are then used to create and send targetted advertisements to individuals under the assumption that a more informed and tailored advertisement will be more capable of convincing an individual to purchase specific products.
 
The Privacy Commissioner has issued guidelines on the conditions under which online tracking is acceptable. These guidelines restate that organizations must gain consent from individuals before collecting their personal information or soon thereafter. This has proven challenging for Internet companies whose primary business it is to track the online activities of individuals with whom they have never interacted with before. In order to fulfill their obligations under these guidelines, online tracking companies may need the development of a browser-enabled opt-out consent mechanism as well as to take greater steps in their efforts to inform people their information is being collected as they browse online.
 

What can I do to protect my privacy while online?

There are various ways to protect your privacy while online. While none of these options are fool-proof, their use may help to preserve your personal information.
 
Encryption software makes it more difficult for third parties to read your messages and documents. Encryption software works by encoding files so that they become gibberish to anyone but the intended recipient. Encrypted transfers are particularly important when sending sensitive information, such as credit card numbers and other financial information, over the internet.
 
Some websites use encryption software to ensure information sent by users will be kept confidential. These sites usually indicate that transfers are secure and your internet browser will often display a symbol - usually a small padlock - in the lower right hand corner of the page. It is also possible to make use of encryption services such as the Tor Project to provide greater encryption for one's browsing activities.
 
Cookie deflectors make the file where a browser stores its cookies unreadable or do not allow a website to copy a cookie to your hard drive in the first place. Also, most internet browsers can now be configured to restrict cookies from being stored on your computer. In addition, some browsers such as Firefox and Internet Explorer have begun developing mechanisms that will signal to third parties that users do not wish to be tracked. Microsoft has provided a utlitiy that allows you to test whether your browser's 'do not track' capabilites have been enabled or not.
 
A remailer is a computer service which privatizes your email. Unlike average email servers which log incoming and outgoing traffic and add identifying and traceable information to outgoing mail, anonymous remailers strip emails of any identifiable information. When delivered to the recipient, the email will only reveal that it was sent from an anonymous source (usually the remailer's name and email address).
 
Anonymous web surfing programmes act as an intermediary between your computer and any websites you visit and prevent the websites recording information about you. Lists of other privacy enhancing technologies which can be used to enhance online privacy have been compiled by the Electronic Information Privacy Center and the Center for Internet & Society.
 

Resources

Legislation Governing Privacy in the Private Sector

Government Resources

Canadian Non-Government Resources

  • Canadian Access and Privacy Association: The Canadian Access and Privacy Association is a national non-profit organization whose goals are to promote knowledge and understanding of access and privacy laws and experiences in Canada.
  • CSA Model Code for the Protection of Privacy: The Canadian Standards Association (CSA) is a not-for-profit organization which works with business, industry, government and consumers in developing standards address such issues as public privacy, safety and health. PIPEDA's privacy provisions are based on the CSA's Model Code for the Protection of Personal Information.
  • Media Awareness Network: The Media Awareness Network is a Canadian non-profit organization providing a comprehensive collection of materials focusing on media education and internet literacy.
  • PIPEDA On the Web: A collection of information and links about the PIPEDA, including recent news, links to the legal text of PIPEDA, and court decisions that have considered PIPEDA.
  • PrivacyInfo.ca: The site features summaries of all of the Canadian Privacy Commissioner's decisions under the Personal Information Protection and Electronic Documents Act (PIPEDA).
  • Public Interest Advocacy Centre (PIAC): PIAC is a non-profit organization that provides legal and research services on behalf of consumer interests, and, in particular, vulnerable consumer interests, concerning the provision of important public services.
International Resources
  • Electronic Privacy Information Centre (EPIC): EPIC is a public interest research center in Washington, D.C. established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.
  • Electronic Frontier Foundation: EFF is a donor-supported organization focusing on civil liberties issues related to technology. EEF publishes a comprehensive archive of digital civil liberties information and is one of the most linked-to websites in the world.
  • Federal Trade Commission: Privacy Initiatives: The Federal Trade Commission (FTC) enforces federal consumer protection laws in the United States. The FTC's Privacy Initiatives webpage includes educational resources about protecting privacy and information on Spam, the Do-Not-Call Registry, and identity theft.
  • Privacy International: Privacy International (PI) is a human rights group formed in 1990 by concerned members of more than forty Human Rights organizations from different countries. Based in London, England, with an office in Washington, D.C., PI acts as a watchdog on surveillance by governments and corporations.
  • Global Internet Liberty Campaign.: International coalition of 40 privacy, free speech and human rights groups dedicated to fighting international threats to privacy and free speech on the Internet.
  • Online Privacy Alliance: The Online Privacy Alliance is a coalition of companies and associations committed to promoting the privacy of individuals online.
  • Privacy 2000: The Privacy2000 website is home to comprehensive information about the nationally renowned Privacy2000 conference series. The site also provides links to international news on privacy and security issues, and a headline archive that dates back to 2000.
  • PrivacyExchange.org: PrivacyExchange is an online global resource for consumer privacy and data protection containing a library of privacy laws, practices, publications, websites and other resources concerning consumer privacy and data protection developments worldwide.
  • Privacy Rights Clearinghouse: The Privacy Rights Clearinghouse is a nonprofit consumer education, research, and advocacy program. Their website includes fact sheets on numerous privacy issues, including internet privacy, identity theft, telemarketing, junk mail, medical records, and workplace privacy.
  • WorldLII Searchable Privacy Database: A search engine connected to all of the databases specializing in Privacy and Freedom of Information law available on any of the Legal Information Institutes (LIIs) that are part of WorldLII.

Resources for Small Businesses

Other

  • Privacy.net: Demonstrates and explains the ability of websites to collect and catalog information regarding users.
  • Weekendpictures.ca aims to increase literacy of the impact of sharing personal information within online networked environments.
This page last updated: January 17, 2011