Jump to Left NavigationJump to Content Office of the Privacy Commissioner of Canada / Commissariat à la protection de la vie privée du Canada Government of Canada
FrançaisContact UsHelpSearchCanada Site
HomeWhat's NewAbout UsFAQsSite Map
Our Mandate
Commissioner's Findings
Settled and Early Resolution Cases
Incident Summaries
Key Issues
Media Centre
Resource Centre
E-Kit for Businesses
Information for Individuals
Reports and Publications
Contributions Program
Speeches
Upcoming Events
Privacy Links
Provincial / Territorial Links
Privacy Legislation
Privacy Impact Assessments
Fact Sheets
Privacy Quiz
Proactive Disclosure
Resource Centre

A Guide for Individuals

Your Privacy Rights

Canada's Personal Information Protection and Electronic Documents Act

Introduction

The Office of the Privacy Commissioner of Canada has prepared this guide to help individuals learn about their rights under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's new private sector privacy law.

What is PIPEDA?

Part 1 of PIPEDA sets ground rules for how organizations may collect, use or disclose information about you in the course of commercial activities. The law also gives you the right to see and ask for corrections to information an organization may have collected about you. If you think an organization covered by the Act is not living up to its responsibilities under the law, you have the right to lodge an official complaint.

What is personal information?

"Personal information" under the Act means information about an "identifiable individual."

For example, "personal information" includes your

  • name, age, weight, height
  • medical records
  • income, purchases and spending habits
  • race, ethnic origin and colour
  • blood type, DNA code, fingerprints
  • marital status and religion
  • education; and
  • home address and phone number

"Personal information" does not include the name, job title, business address or office telephone number of an employee of an organization.

How does the Act protect my personal information?

Your ability to control your personal information is key to your right to privacy.

The Act gives you control over your personal information by requiring organizations to obtain your consent to collect, use or disclose information about you. The Act confers certain rights on individuals, and imposes specific obligations on organizations.

The law gives you the right to:

  • know why an organization collects, uses or discloses your personal information;
  • expect an organization to collect, use or disclose your personal information reasonably and appropriately, and not use the information for any purpose other than that to which you have consented;
  • know who in the organization is responsible for protecting your personal information;
  • expect an organization to protect your personal information by taking appropriate security measures;
  • expect the personal information an organization holds about you to be accurate, complete and up-to-date;
  • obtain access to your personal information and ask for corrections if necessary; and
  • complain about how an organization handles your personal information if you feel your privacy rights have not been respected.

The law requires organizations to:

  • obtain your consent when they collect, use or disclose your personal information;
  • supply you with a product or a service even if you refuse consent for the collection, use or disclosure of your personal information unless that information is essential to the transaction;
  • collect information by fair and lawful means; and
  • have personal information policies that are clear, understandable and readily available.

An organization should destroy, erase or make anonymous personal information about you that it no longer needs in order to fulfil the purpose for which it was collected.

There are certain exceptions to these principles. For example, an organization may not need to obtain your consent if collecting the information clearly benefits you and your consent cannot be obtained in a timely way; or if the information is needed by a law enforcement agency for an investigation, and getting consent might compromise the information's accuracy.

How can I see the personal information an organization has about me?

  • Send a written request to the organization that holds your personal information. You must provide enough detail to allow the organization to identify the information you want. For example, include dates, account numbers, and the names or positions of people you may have dealt with at the organization.
  • Organizations must provide the information requested within a reasonable time and at minimal or no cost.

How can I correct errors or omissions in my personal information?

  • Write to the organization that has personal information about you and explain the correction you are requesting and why. Supply copies of any documents that support your request, if you have them.
  • If the organization refuses to correct your personal information, you may require it to attach a statement of your disagreement to the file. This statement must be passed on to any other organization that may have access to the information.

What if I believe my privacy rights are not being respected?

The Act gives you the right to make a complaint if:

  • you run into any difficulties obtaining your personal information, if an organization refuses to correct information you consider inaccurate or incomplete, or if you suspect your personal information has been improperly collected, used or disclosed; or
  • you believe an organization is not following any provision of PIPEDA.

Where do I complain?

  • Contact the Office of the Privacy Commissioner of Canada by calling 1-800-282-1376 if you need more information or advice on how you should proceed.
  • We encourage you to first try to settle the matter directly with the organization about which you are complaining by contacting the person responsible for handling privacy issues within the organization.
  • If you are not satisfied with the organization's response, you may contact the organization's industry association, ombudsman or complaint office, if there is one. For example, the Canadian Marketing Association and the Ombudsman for Banking Services and Investments handle customers' complaints about their member companies.
  • If you are not satisfied with the way the organization or industry association handles the matter, contact the Office of the Privacy Commissioner of Canada. There is no fee for making a complaint to our Office.

What is the role of the Privacy Commissioner of Canada?

  • The Privacy Commissioner is an ombudsman who attempts to resolve disputes through negotiation, mediation and conciliation.
  • The Commissioner has the power to investigate your complaint.
  • The Commissioner may also initiate her own investigation or review regarding how an organization handles personal information.
  • The Commissioner can recommend that the organization release your personal information to you or correct any inaccuracies.
  • The Commissioner may recommend to an organizations that they change their personal information handling practices.
  • The Commissioner will report the findings of the investigation to you and the organization.

What if the organization ignores the recommendations of the Privacy Commissioner?

  • The Privacy Commissioner has the power to make public any information about the personal information handling practices of an organization. Few organizations would like to be publicly identified as having violated the privacy rights of individuals.
  • The Privacy Commissioner may also take the complaint to the Federal Court of Canada on your behalf if she supports you, but has been unable to resolve the dispute.
  • Once you have received the Privacy Commissioner's report, you may, under certain circumstances, take your complaint to the Federal Court of Canada yourself.
  • The Court can order an organization to correct any practices that do not comply with the law, and to publish notices of how it has or will correct its practices.
  • The Court can also award damages to the complainant, including damages for humiliation suffered.

What is not covered by PIPEDA?

  • Any federal government organization already covered by the Privacy Act.
  • Provincial or territorial governments, and their agents.
  • Any organization that collects, uses or discloses personal information solely for journalistic, artistic or literary purposes.
  • An individual's collection, use or disclosure of personal information for personal purposes, such as genealogical research shared with other family members

For more information

If you have any questions about how an organization handles your personal information or wish to make a complaint under the new law, please contact us at:

The Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, ON K1A 1H3
Telephone: (613) 995-8210
Toll-free: 1-800-282-1376
Fax: (613) 947-6850
Web site: www.privcom.gc.ca

Please do not make complaints or provide personal information by e-mail, as security cannot be ensured.

Note that this brochure summarizes the law. As such, it has no legal status. To obtain the full text of PIPEDA, visit our Web site or contact the Office of the Privacy Commissioner of Canada.

IP54-1/2004
ISBN: 0-662-68003-0
Updated March 2004

Cette publication est disponible également en français.
 

Date published: 2003-11-06
Date modified: 2004-04-26

 Top of Page Important Notices