Canada has one of the most comprehensive privacy legislative and policy frameworks in the world. The privacy of Canadians is protected by the Canadian Charter of Rights and Freedoms, through various provisions, but
especially s. 8 which provides: "Everyone has the right to be secure against unreasonable search or seizure." The Criminal Code has various provisions creating criminal offences relating to invasions of privacy, and in particular, Part VI, relating to the interception of private communications. Many federal statutes contain provisions limiting the use and disclosure of personal information collected by specific federal government institutions to specified purposes.
In addition, Canadians are protected by two federal privacy laws of general application, the Privacy Act that governs the collection, use, disclosure and retention of personal information by federal government institutions and the Personal Information Protection and Electronics Documentation Act (PIPEDA), which governs the collection, use, disclosure and retention of personal information by certain parts of the private sector. Recently, this framework was even further strengthened to include a
Policy on Privacy Impact Assessments and an associated PIA Guidelines document.
The privacy of Canadians is also protected by various provincial laws of general application that govern the collection, use, disclosure and retention of personal information by public bodies and in some cases by the private sector, as well as by other privacy provisions in other provincial statutes.
Privacy Act
The Privacy Act places limits on the collection, use and disclosure of personal information by federal government institutions. It also gives Canadians the right to access and correct personal information about them that is held by institutions.
The Privacy Act is authority-based—the institution must ensure that they have legal authority for any program or activity that collects, uses or discloses personal information.
For more about the Privacy Act, either check out the Privacy Act website or check out Module 2 of the Overview Course. There is also an annotated version of the Privacy Act available here.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA balances the individual's privacy rights with the need of organizations to collect, use and disclose personal information for legitimate business purposes. It is important to remember that PIPEDA, unlike the Privacy Act, applies to some parts of the Canadian private sector. PIPEDA applies to organizations who collect, use or disclose personal information in the course of commercial activities.
PIPEDA is a consent-based Act. Organizations subject to this Act must have consent to collect, use or disclose personal information.
Check out the PIPEDA link for more information or take a look at the Overview Course, Module 2, Personal Information Protection and Electronic Documents Act.
PIA Policy
"This Policy [TBS Policy on Privacy Impact Assessments] is timely as we make progress on Government On-Line (GOL) initiatives and increasingly deliver programs and services to Canadians over the Internet. Establishing the trust and confidence of Canadians is essential to the success of GOL...This Policy sends a strong signal to Canadians that the Government of Canada is committed to protecting their personal information" Source
The policy provides a consistent framework for institutions to use when designing or re-designing programs and services and where there may be privacy issues to consider. The policy also helps to:
- Ensure accountability
- Provide information to decision-makers
- Reduce the risk of having to re-design programs and services
- Communicate results to the OPC and the public
- Promote awareness of sound privacy practices
The PIA Policy is based on the universal privacy principles as outlined in the Canadian Standards Association's Model Code for the Protection of Personal Information.
Take a look at the policy at the TBS website or look at the Overview Course - Module 2, The Policy on Privacy Impact Assessments.
The Policy applies to about 150 federal institutions that include GoC departments, agencies and Crown corporations.
PIA Guidelines
In conjunction with the Policy on PIAs, this document helps institutions conduct PIAs. The Policy also helps institutions determine if their initiatives involve either cross-jurisdictional or cross-sectoral activities and in identifying the requirements of various legislative provisions involving privacy.
Check out TBS's website to take a look at the Guidelines document or the Overview Course, Module 2, The TBS Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risk.
The Guideline document provides questionnaires to follow when conducting a PIA. Following the questionnaires will make it possible to have consistency across government institutions in how they complete their PIAs.
Others
So far, we've covered the main pieces of legislation and policy relating to privacy; however, there are other legislative and policy documents that might have an impact on your particular situation. A couple of examples include the Access to Information Act and the Official Languages Act at the federal level. Remember: every province and territory also has some type of legislation or policy.
You can find a more complete list of legislation and policy links in the Glossary.
Interpreting legislation and policy can be difficult. The PIA Policy states: "The examination must be conducted in consultation with the institutions' privacy policy and legal advisors." Therefore, ensure that your PIA Practitioner consults experts. Also, tell your team that the legislation and policy can be very interconnected and interdependent— and that it is important to review more than just the Privacy Act or PIPEDA.
Concept of privacy?
Module summary
What I will learn?