
Legal Guide

Federal private sector privacy legislation

The Personal Information Protection and Electronic Documents Act (“PIPEDA”) is the main statute regulating the collection, use and disclosure of personal information in Canada. The legislation attempts to balance the needs of organizations to collect, use and disclose information from and about individuals in Canada, with the obligation to respect the individual’s right to control the collection, use and disclosure of information about the individual. The law applies to organizations that engage in the collection, use or disclosure of such information in the course of commercial activity, unless a substantially similar provincial law applies. Apart from the healthcare sector, the only laws of general private sector application that have been declared to be substantially similar are those in British Columbia, Alberta and Quebec.

What is personal information?

Personal information is commonly defined in Canada to be information about an identifiable individual. There remains considerable debate regarding what falls within that definition. The definition includes, but is not limited to, information such as home address, telephone number, age, sex, marital status, education, social insurance number, credit history, race and ethnic origin. It must be noted that an individual’s name, business address, business title and business phone number are not considered to be personal information and are therefore excluded from protection under PIPEDA. An individual’s business email address, however, has been determined to be personal information under the federal legislation. Other types of data that may appear to be anonymous may be considered personal information if the data is used in connection with a purpose relating to an individual. Accordingly, an Internet Protocol (IP) address may be considered to be personal information.

Application of PIPEDA

PIPEDA applies to all organizations in Canada involved in the collection, use or disclosure of personal information in the course of commercial activity, unless provincial privacy legislation exists that is substantially similar to PIPEDA. In addition, PIPEDA applies to foreign organizations that have a real and substantial connection to Canada based on their activities in Canada, including through contracting with Canadian organizations or marketing to Canadian consumers.

General principles of PIPEDA

In addition to its provisions, PIPEDA sets out a list of general principles that form part of the legislation and with which organizations are required to comply. These 10 fair information principles are based on the Canadian Standards Association’s Code on the Protection of Personal Information.

PIPEDA applies the following fair information principles to the collection, use and disclosure of personal information:

  i. Accountability: An organization involved in the collection, use or disclosure of personal information is responsible for the information it controls, and shall appoint an individual to ensure compliance with the established principles. This person is generally referred to as the Privacy Officer in an organization.
  ii. Identifying the purpose: Before an organization obtains an individual’s consent to use personal information, that organization must identify (and obtain that person’s consent relating to) the purpose(s) for which the information is being collected and used.
  iii. Consent: Collection, use or disclosure of an individual’s personal information without that person’s consent is prohibited. However, PIPEDA provides for exceptions to the general rule of informed consent. The exceptions are generally related to information that is necessary to be disclosed in the event of an emergency and/or legal investigation.
  iv. Limiting collection: The personal information collected must be limited to that which is needed to satisfy the identified purposes originally agreed to.
  v. Limiting use, disclosure and retention: The personal information collected must not be used or disclosed for purposes other than those for which it was originally collected, unless the organization obtains the consent of the individual in relation to the new purpose or as required by law. Organizations are also required to implement policies for the retention and destruction of that information when it is no longer required to fulfill the purposes identified to the individual at the time of collection.
  vi. Accuracy: Organizations must ensure that the personal information they retain is both accurate and recent, as is necessary for the purposes for which that information will be used.
  vii. Adequate security: Organizations involved in the collection, use, or disclosure of personal information are required to adopt security measures to protect personal information against loss, theft, unauthorized access, disclosure, use, modification or copying.
  viii. Openness of policies: An organization’s practices and policies with respect to the management of personal information should be made accessible to those individuals providing information.
  ix. Individual access: An individual who provides personal information shall, upon request, be provided accurate information as to the existence, use and disclosure of their information. In addition, that individual must be given access to that information, as well as the opportunity to correct any inaccuracies that may exist.
  x. Contesting compliance: An individual must be afforded the opportunity to challenge an organization’s compliance with the principles, or lack thereof, by addressing the person(s) appointed by that organization for ensuring such compliance.

Consent as a key principle

One of the key principles of PIPEDA is consent. The meaningful consent of an individual is required for the collection, use and disclosure of his or her personal information. There are, however, exceptions to the requirement to obtain consent. Among the most important exceptions are disclosure to law enforcement and other government institutions in response to production orders and other lawful demands. In addition, personal information may be disclosed on the initiative of the organization to law enforcement or a government institution if there are reasonable grounds to believe that the information relates to a breach of the laws of Canada, a province or a foreign state.

Another key principle is reasonableness. Consent is, in most cases, a necessary but not sufficient condition for the collection, use or disclosure of personal information. Irrespective of consent, an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.

Employee personal information

PIPEDA applies to federally regulated employers with respect to their collection, use and disclosure of employee personal information in connection with the management of the employer-employee relationship. Federally regulated employers include federal works, undertakings and businesses, which include all organizations operating in the Yukon, the Northwest Territories, and Nunavut as well as organizations falling within federal jurisdiction such as banks, railways, interprovincial pipelines, and airlines. PIPEDA does not apply to that is used in connection with management of the employer-employee relationship. As described below, personal information of employees in the provinces of British Columbia, Alberta and Quebec is governed by provincial private sector legislation.


© 2018 Dentons