Canada’s Privacy and Anti-Spam Laws
In Canada, privacy is governed by a collection of privacy laws from the public sector, private sector, and health sector, as well as by Canada’s Anti-Spam Legislation (CASL). The laws vary depending on the sector and may be in place at both the federal and provincial level, and may also take into account common law principles.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law that applies to private-sector organizations in Canada that collect, use, or disclose personal information as part of their commercial activities. This includes:
Alberta, British Columbia, and Quebec have provincial private sector privacy laws that are considered substantially similar to PIPEDA. As a result, organizations subject to these equivalent provincial privacy laws are usually exempt from PIPEDA regarding the handling of personal information within the relevant province.
Federal organizations, including banks, airlines, telecommunications companies, inter-provincial or international transportation companies, and radio and television broadcasters, are always subject to PIPEDA. The legislation also applies to their employees’ personal information.
Any business that operates in Canada and handles personal information as part of its commercial activities, regardless of its location within the country (including provinces with equivalent laws), must comply with PIPEDA if the information being handled crosses provincial or national borders.
Under PIPEDA, personal information includes any information about an identifiable individual, including the following:
- Age, name, ID numbers, income, ethnic origin, blood type;
- Opinions, evaluations, comments, social status, disciplinary actions; and
- Employee files, credit records, loan records, medical records.
Personal information under PIPEDA does not include business contact information, such as an employee’s name, title, work address, phone number, or email, when it is used for the sole purpose of communicating with them in regard to their job or profession. PIPEDA also does not apply to an organization’s collection, use, or disclosure of personal information solely for journalistic, artistic, or literary purposes.
Primary Responsibilities under PIPEDA
To comply with PIPEDA, organizations must fulfill several requirements. Organizations that are subject to PIPEDA are typically expected to obtain an individual’s consent before collecting, using, or disclosing their personal information. Individuals have the right to access the personal information an organization holds about them and to dispute its accuracy.
The use of personal information must be limited to the purposes for which it was collected. If an organization wishes to use the information for another purpose, it must obtain additional consent. Personal information must also be protected with appropriate security measures.
Individuals should be able to challenge the organization’s compliance with PIPEDA principles and bring their challenge to the appropriate agency, such as the Privacy Commissioner of Canada.
For a comprehensive understanding of the steps your organization needs to take to comply with PIPEDA, it is advisable to seek the guidance of a Privacy Lawyer.
PIPEDA Fair Information Principles
- Accountability: Organizations must designate a person responsible for complying with PIPEDA and protecting personal information, even if it has been transferred to a third party.
- Identifying Purposes: Organizations must inform individuals of the purpose for collecting their personal information before or at the time of collection.
- Consent: Organizations must obtain meaningful consent for the collection, use, and disclosure of personal information and individuals must be able to withdraw consent.
- Limiting Collection: Organizations must collect personal information only for the purpose they have identified and only through lawful means.
- Limiting Use, Disclosure, and Retention: Organizations may only use or disclose personal information for the identified purpose and must keep it only as long as necessary.
- Accuracy: Personal information must be accurate and complete when disclosed to third parties.
- Safeguards: Personal information must be protected appropriately based on its sensitivity.
- Openness: Organizations must have clear and understandable privacy practices, free of complex legal terms.
- Individual Access: Individuals have the right to access their personal information and challenge its accuracy.
- Challenging Compliance: Individuals may challenge the organization’s compliance with PIPEDA and address their challenge to the designated person responsible for compliance.
- A clear explanation of the personal information that will be collected (such as name, address, credit records, ID numbers, etc.).
- Information on the method of storage and processing of personal information.
- Explanation of the intended use of personal information.
- The legal basis for collecting personal information.
- The purpose of the organization in collecting and using personal information.
- Details on any third parties who may have access to personal information, and for what purpose.
- The retention period for personal information.
- The individual’s right to access their personal information and the ability to correct any inaccuracies.
- The designated contact person for addressing privacy concerns.