Office of the Privacy Commissioner of Canada / Commissariat à la protection de la vie privée du Canada

FAQs

Q. What is covered by the Privacy Act and the Personal Information Protection and Electronic Documents Act?
A.

Canadians are protected by two federal privacy laws, the Privacy Act and the Personal Information Protection and Electronic Documents Act.

The Privacy Act took effect on July 1, 1983. This Act imposes obligations on some 150 federal government departments and agencies to respect the privacy rights of Canadians by placing limits on the collection, use and disclosure of personal information. The Privacy Act gives Canadians the right to access and correct personal information about them held by these federal government organizations.

As of January 1, 2001, individuals are also protected by the Personal Information Protection and Electronic Documents Act which sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities.

The law gives individuals the right to see and ask for corrections to information an organization may have collected about them. Since the beginning of this year, the Act applies to personal information about customers or employees that is collected, used or disclosed by the federally regulated sector in the course of commercial activities. In addition, the Act covers all businesses and organizations engaged in commercial activity in Yukon, the Northwest Territories and Nunavut, as well as information sold across provincial and territorial boundaries. As of January 1, 2002, the personal health information collected, used or disclosed by these organizations is also covered.

As of January 1, 2004, the Act will cover the collection, use or disclosure of personal information in the course of any commercial activity within provinces, including provincially regulated organizations. The Act will also apply to all personal information in all inter-provincial and international transactions by all organizations subject to the Act. The federal government may exempt organizations or activities in provinces that have their own privacy laws if they are deemed to be substantially similar to the federal law. To assist in making that determination, the Privacy Commissioner is mandated, under the Act, to report to Parliament on the extent to which provinces have passed legislation that is in fact substantially similar.

Oversight of both Acts rests with the Privacy Commissioner of Canada who is also authorized to receive and investigate complaints.

Q. What is the role of the Privacy Commissioner of Canada?
A. According to the Privacy Act and the Personal Information Protection and Electronic Documents Act, the Privacy Commissioner of Canada is responsible for ensuring that the federal government and companies in the private sector collect, use or disclose personal information in a manner that is responsible and transparent. These Acts governing personal information provide the Privacy Commissioner of Canada with the authority to ensure organizations and federal departments are held accountable for their information handling practices.

Within the federal public sector, the Privacy Commissioner of Canada can initiate audits of information practices randomly. In conducting an audit, the Commissioner has the power to summon any person before her. She also has the authority to administer oaths, receive evidence and enter the premises of an organization after fulfilling security requirements. The Commissioner can also examine or obtain copies of any records found.

The Commissioner is impartial and nonpartisan, which means she can act independently to investigate complaints from individuals. This mandate extends to both the federal public sector and the private sector. As such, the Privacy Commissioner of Canada can make recommendations to improve how personal information is handled. She can also publicize recommendations and reports. In some cases, the Commissioner can refer cases to the Federal Court. At this level, the Court can award damages to a complainant, including damages for humiliation.

As ombudsman, the Commissioner doesn't issue orders or impose penalties, but rather arrives at her decisions through a process of inquiry and persuasion, a process which underlines her impartiality and dedication to problem resolution.

However, it is a criminal offence to obstruct the Commissioner during an investigation or audit or to knowingly dispose of personal information that could be subject to a request. The legislation also makes it a criminal offence for employers to take retaliatory actions against employees.

The Privacy Commissioner of Canada's mandate also includes research, education and promotion of privacy issues in Canada. As an Agent of Parliament, the Privacy Commissioner of Canada reports directly to the House of Commons and to the Senate.

Q. Under the Privacy Act, what is the federal government's responsibility in handling Canadians' personal information?
A.

The Act establishes a fair information code to regulate government handling of personal records, which requires the federal government to:

  • limit its collection of personal information to the minimum details needed to operate programs or activities;
  • collect the information, whenever possible, directly from the person concerned;
  • tell the person why the information is being collected and how it will be used;
  • not use the information for purposes other than those specified, unless allowed by law;
  • keep the information for long enough to allow the person a reasonable opportunity to obtain access;
  • ensure the information is as accurate, up-to-date and complete as possible; and,
  • not disclose personal information unless specifically allowed by the Privacy Act or another law.
Q. What is "personal information"?
A.

Personal information is any factual or subjective information, recorded or not, about an identifiable individual. It includes:

  • age, name, weight, height;
  • medical records;
  • ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status, or disciplinary action; and,
  • employee files, credit records, loan records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

Personal information does not include your job title, telephone number or address, anything that might appear on your business card, or anything that can be found through publicly available information such as the telephone book.

Q. What kind of personal information held by the federal government does the Privacy Act cover?
A.

It applies to the whole range of federal government records, for example:

  • pension and unemployment insurance files;
  • medical records;
  • tax records;
  • security clearances;
  • student loan applications; and,
  • military records.

The information may be recorded "in any form" and so includes video and audio tape, and any electronic information medium.

To find out how to gain access to the personal information the federal government holds, visit InfoSource at http://infosource.gc.ca or call 1 800 635-7943.

Q. How does the Personal Information Protection and Electronic Documents Act require businesses to deal with personal information?
A.

The law requires organizations to:

  • obtain your consent when they collect, use or disclose your personal information;*
  • supply you with a product or a service even if you refuse consent for the collection, use or disclosure of your personal information unless the information is essential to the transaction;*
  • collect information by fair and lawful means; and,
  • provide personal information policies that are clear, understandable and readily available.

Organizations should destroy, erase or make anonymous personal information about you that they no longer need in order to fulfil the purpose for which it was collected.

*There are exceptions to these principles. For example: an organization may not need to obtain your consent if collecting the information clearly benefits you and your consent cannot be obtained in a timely way; or if the information is needed by a law enforcement agency for an investigation, and getting consent might compromise the information's accuracy.

Q. How does the Personal Information Protection and Electronic Documents Act protect my personal information?
A.

Your ability to control your personal information is key to your right to privacy. The Act gives you control over your personal information by requiring organizations to obtain your consent to collect, use or disclose information about you.

The law gives you the right to:

  • know why an organization collects, uses or discloses your personal information;
  • expect an organization to collect, use or disclose your personal information reasonably and appropriately, and not use the information for any purpose other than that to which you have consented;
  • know who in the organization is responsible for protecting your personal information;
  • expect an organization to protect your personal information by taking appropriate security measures;
  • expect the personal information an organization holds about you to be accurate, complete and up-to-date;
  • obtain access to your personal information and ask for corrections; and,
  • complain about how an organization handles your personal information, confidentially if requested.
Q. What is not covered by the Personal Information Protection and Electronic Documents Act?
A.
  • The collection, use or disclosure of personal information by federal government organizations listed in the Privacy Act;
  • Provincial or territorial governments and their agents;
  • An employee's name, title, business address or telephone number;
  • An individual's collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list); and,
  • The collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes.