Symbol of the Government of Canada
Symbol of the government of Quebec
Skip to content|Skip to institutional links

Common menu bar links

Home Page > Regulation/Law

 

Institutional Links

Protection of Personal Information - Your Responsibilities

Privacy Commissioner of Canada

Last Verified: 2007-10-18

Act: Personal Information Protection and Electronic Documents Act; 2000, c. 5

Related Reading
More Information

To Whom Does This Apply?

The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities.

When the Act took effect initially on January 1, 2001, it only applied to the commercial activities of what are known as federal works, undertakings or businesses, such as transportation and telecommunications companies, banks and broadcasters. It also applied to the personal information of employees in those companies, and it applied to personal information that is sold, leased, or bartered across provincial or national boundaries by provincially regulated organizations. It also applied to the commercial activities of businesses in the Territories.

As of January 1, 2004, PIPEDA began to cover the collection, use or disclosure of personal information in the course of all commercial activities in Canada, except in provinces which have enacted legislation that is deemed to be substantially similar to the federal law. The Act also applies to all personal information in all interprovincial and international transactions by all organizations subject to the Act in the course of their commercial activities.

Eligible Activities

Collection, use or disclosure of personal information in the course of commercial activities.

Summary

The Personal Information Protection and Electronic Documents Act (PIPEDA) is really about good information management practices -- from which every organization benefits.

The Guide to PIPEDA helps businesses understand their obligations and comply with the Act. PIPEDA itself sets out ground rules for managing personal information in the private sector. It balances two things:

  • an individual's right to the privacy of personal information; and
  • the need of organizations to collect, use or disclose personal information for legitimate business purposes.

The Guide covers part I of the Act. For parts 2 to 5 of the Act (electronic documents and signatures as legal alternatives to original documents and signatures), please see Justice Canada's Web page about PIPEDA.

Commercial use of personal information within individual provinces

  • As of January 1, 2004, the law extends to every organization that collects, uses or discloses personal information in the course of a commercial activity within a province, whether or not the organization is a federally regulated business.
  • However, the federal government may exempt organizations and/or activities in provinces that have adopted privacy legislation that is deemed to be similar to the federal law.

PIPEDA in brief

Organizations covered by PIPEDA must:

  • obtain an individual's consent when they collect, use or disclose the individual's personal information;
  • allow the individual to access their personal information;
  • allow the individual to challenge the accuracy of their personal information;
  • only use the personal information for the purposes for which it was collected;
  • obtain additional consent if the personal information is going to be used for another purpose;
  • assure the individuals that their information will be protected by specific safeguards e.g., locked cabinets, computer passwords or encryption.

Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

  • age, name, ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status, or disciplinary actions;
  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

Personal information DOES NOT include the name, title, business address or telephone number of an employee of an organization.

The guide outlines a business's responsibilities under PIPEDA such as to:

Be accountable Be accurate
Identify the purpose Use appropriate safeguards
Obtain consent Be open
Limit collection Give individuals access
Limit use, disclosure and retention Challenge compliance

The Guide to PIPEDA for Businesses and Organizations is available on line or in hard copy (contact the Privacy Commissioner of Canada or visit their Web site). You will also find numerous handy fact sheets such as:

Examples of Fact Sheets

  • The Application of the PIPEDA to Charitable and Non-Profit Organizations
  • Application of the PIPEDA to Employee Records
  • Privacy in the workplace

DISCLAIMER
Information contained in this section is of a general nature only and is not intended to constitute advice for any specific fact situation. For particular questions, the users are invited to contact their lawyer. For additional information, see contact(s) listed below.

Quebec Contact(s):
See National Contact.

National Contact(s):
Privacy Commissioner of Canada
3rd Floor, Tower B
Place de Ville
112 Kent Street
Ottawa, Ontario  K1A 1H3
Telephone: 613- 995-8210
Fax: 613-947-6850
Toll-free (information): 1-800-282-1376
TTY (hearing impaired): 613-992-9190
Web site: http://www.privcom.gc.ca/index_e.asp



Last Modified: 2007-10-18

Top of page
Important Notices