Year: 2021

Canadian privacy laws regulate data protection and the disclosure, collection, use, and disposal of personal information. At the same time, many users have voiced concerns about compliance with federal regulations and feel that steps are needed to protect their internet privacy.

What Canadians Think

A recent survey released by the Office of the Privacy Commissioner reveals that 92 percent or the majority of respondents are concerned about the protection of personal data. Of them 87 percent share that they are concerned about how social media websites collect information. The vast majority or 90 percent expressed concerns about the use of personal details to make important decisions, including healthcare coverage, insurance claims, and job decisions. The majority of the interviewed or 75 percent also think that it is the job of the government to safeguard privacy. Only 38 percent of respondents believe that businesses respect their internet privacy compared to 55 percent sharing the same for the government authorities. Facts actually confirm this. The poll shows that 74 percent of Canadians uninstalled or chose not to install phone apps out of concern how their data would be handled. About the same percentage (75 percent) limited the types of personal details that can be shared through their mobile phone. The poll was conducted in February, 2019 and involved over 1,500 respondents.

Applicable Laws

The main pieces of legislation that regulate online data protection are the Privacy Act and PIPEDAor Personal Information Protection and Electronic Documents Act. PIPEDA outlines a number of principles that guide information practices, including accuracy, limiting collection, consent, identifying purposes, and accountability. Fair data management is also guided by the principles of openness, limiting retention, disclosure, and use, recourse, and individual access. Accuracy refers to the use of complete and accurate information while individual access helps ensure that all persons have access to their personal data and if they request so, they must be informed about disclosure and use. The principle of transparency requires that organizations disclose their practices and policies, including in brochures and other materials, listing the entity’s codes, standards, and policies and the address, title, and name of the official responsible for the implementation of practices and policies. Users should also be informed about the use and type of data that is collected and held by the entity and how they can access it. Finally, PIDEPA also contains safeguards, including technological, organizational, and physical measures. Examples of technological measures include encryption and password use while organizational measures involve limiting access and security clearances. There are also physical methods of protection such as limiting access to office spaces and locking cabinets.

The Privacy Act regulates the use of personal data by the federal government. Access to information can be refused to individuals in case of solicitor-client privilege, when an individual requested information about another person, or when investigations or national defense are concerned. Access to medical records can also be refused if the person requesting them will not benefit from getting familiar with the contents.

The Privacy Commissioner of Canada is responsible for the investigation of complaints filed by individuals who have privacy concerns. The Commissioner is also tasked with raising awareness, conducting research, publishing information, and conducting audits. Among the main strategies that guide his work are strengthening data protection for members of vulnerable groups, protecting privacy in a world without borders, and identifying technological and innovative ways for information protection.

Five Eyes Agreement

This is an agreement to exchange information about serious security issues, which was signed by Canada, Australia, New Zealand, the United Kingdom, and the USA. Data collected by different entities can be exchanged, including businesses, organizations, and individual parties. In Canada, the agencies responsible for data sharing include the Canadian Security Intelligence Service, Communications Security Establishment, and Canadian Forces Intelligence Command.

Privacy laws govern the use and storage of information, including financial, healthcare, and personal data which persons, private and public entities, and government bodies collect. In Canada, different laws govern data protection, including sector-specific and provincial legislation, the Personal Information Protection Electronic Documents Act (PIPEDA), and the Privacy Act.

What Counts as Personal Information

The Privacy Act and PIPEDA define it as person’s financial details, employment, education, and medical history, marital status, age, and religion. Other details include DNA, social insurance number, ethnicity, nationality, and race, and employee’s opinions and views.

The Privacy Act

The Canadian Privacy Act regulates the government’s access and use of personal information while providing services. These include public and border safety, employment insurance, old age security, tax collection, and others. The act also protects the right of individuals to access personal information held by the federal authorities and to correct any details that are not accurate.

There are certain exclusions such as material held in the Canadian Museum of Nature, Canadian Museum of History, National Gallery of Canada, and Library and Archives of Canada. The provisions do not apply to personal data disclosed, used, held, and collected by the Canadian Broadcasting Corporation.

PIPEDA

This act deals with how business entities use personal information that has been collected for commercial purposes. PIPEDA contains provisions on application, purpose, and interpretation, court hearings, investigation and filing of complaints, and compliance agreements. The provisions do not apply to data collected by entities for literary, artistic, or journalistic materials and information collected for domestic and individual use. The act also does not apply to government entities that fall under the Privacy Act.

Organizations Subject to Federal Regulations

Certain organizations are federally regulated and fall under PIPEDA, including TV and radio broadcasters, telecommunication operators, foreign and national banks, and airlines, aircraft, and airports. Other entities that are subject to PIPEDA include offshore drilling operators and international and inter-provincial transport companies. All organizations operating in Nunavut, Yukon, and the Northwestern Territories are subject to federal legislation and are thus covered by the Personal Information Protection Electronic Documents Act.

Provincial Legislation

Several provinces have their own privacy laws, including Quebec, British Columbia, and Alberta. Entities that fall under provincial legislation are not subject to PIPEDA. Some provinces have adopted legislation that is similar to PIPEDA with regard to health information. These include Ontario, Nova Scotia, Newfoundland and Labrador, and New Brunswick. The Personal Health Information Act of Nova Scotia, for example, governs the destruction, disposal, holding, use, collection, and disclosure of health data. Custodians authorized under the act include home oxygen agencies, home care agencies, hearing and speech centres, and Mi’kmaw First Nation bands. The act also authorizes non-custodian entities such as the Office of the Public Trustee, Minister of Community Services, and Workers’ Compensation Board.

PIPEDA or Provincial Laws

Territorial and provincial legislation applies to activities carried out by hospitals, public schools, recreation complexes, and local transit authorities. The same applies to charities and non-for-profits such as clubs and professional and sports associations. On the other hand, commercial private sector entities are subject to PIPEDA, examples being entertainment venues, insurance providers, restaurants and hotels, services providers, and retail stores. Entities that are mainly operating outside of Canada are also regulated by PIPEDA.

Office of the Privacy Commissioner of Canada

Individuals who have privacy issues with various entities can contact the Office of the Privacy Commissioner. It is tasked with the implementation of federal legislation and conducting investigations into federal bodies and businesses.