Press "Enter" to skip to content

How Privacy Law in Canada Works

Last updated on May 7, 2021

Canadian privacy law serves two purposes: to govern how organizations are allowed to collect, use, and disclose your personal information, and also to enable individuals to access and manage personal information collected by organizations.

Requesting access to personal information is usually provided free or at a minimal cost, depending on the amount of information you request, the jurisdiction you access your information under, and whether it is provided by a private sector organization or a public body.

For example, privacy legislation enables you to request a free credit report from any Canadian credit bureau. If you request your credit report and find any errors, such as typos in your name, address, or employment history, you are able to request that your information be corrected.

Canada’s Provinces and Territories

Canada has ten provinces and three territories, each with different sets of privacy legislation that apply. To learn more, click any of the links below.

Provinces

Territories

Canada’s Private and Public Sector

Canadian privacy legislation is framed around Canada’s private and public sector. In order to understand how privacy legislation applies across Canada, it is very important that you understand the distinction between these two sectors.

The Private Sector

The private sector consists of organizations that are privately owned and are not part of the government. Organizations that operate in Canada’s private sector are typically:

  • corporations (profit and non-profit),
  • partnerships,
  • charities,
  • trade unions,
  • labour organizations, and
  • individuals acting in a commercial capacity or on behalf of any of the aforementioned organizations.

The Public Sector

The public sector refers to organizations that are owned and operated by the federal, provincial, and municipal governments. These organizations are referred to as public bodies by legislation. Public bodies that operate in Canada’s public sector are typically:

  • educational bodies (universities, technical institutes, colleges, school boards and charter schools),
  • health care bodies (Regional Health Authorities, provincial health boards, nursing home operators, hospital boards and subsidiary health corporations),
  • and local government bodies (municipalities, police services and commissions, libraries, etc).

Refer to the links at the beginning of this page to learn more about privacy legislation in each province and territory.

Two Federal Acts

At the federal level, Canada has two different privacy acts which are enforced by the Office of the Privacy Commissioner of Canada. These two acts are the Personal Information Protection and Electronic Documents Act and the Privacy Act.

Personal Information Protection and Electronic Documents Act

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the commercial transactions of organizations that operate in Canada’s private sector.

More specifically, PIPEDA applies to organizations that are federally regulated and fall under the legislative authority of the Parliament of Canada, such as the telecommunications and broadcasting industry, and all local businesses in Yukon, Nunavut, and the Northwest Territories.

In addition, PIPEDA applies to the private sector of each province unless a province has enacted its own privacy legislation that is substantially similar to PIPEDA.

Learn more about PIPEDA.

The Privacy Act

The Privacy Act is similar to PIPEDA in concept: it explains how federally regulated public bodies can collect, use, and disclose your personal information, as well as explain how you can request to access and update it. Examples of federally regulated public bodies include the:

  • Bank of Canada
  • Canada Revenue Agency (CRA)
  • Canadian Space Agency
  • National Research Council Canada
  • Statistics Canada
  • Treasury Board of Canada

Provincial and Territorial Legislation

Throughout Canada, only three provinces have their own private sector privacy legislation which supersede PIPEDA. All other provinces must comply with PIPEDA.

Four provinces in Canada have their own health specific privacy legislation which applies to health information.

Every province and territory in Canada has their own public sector privacy legislation.

The Private Sector

To date, only British Columbia, Alberta, and Quebec have their own private sector privacy legislation which supersedes PIPEDA. These pieces of legislation have been deemed to be substantially similar to PIPEDA.

Figure 2. British Columbia, Alberta, and Quebec have their own private sector privacy legislation

However, private sector organizations in British Columbia, Alberta, and Quebec do not only have to understand their own specific privacy legislation; if any personal information flows across provincial or territorial borders, PIPEDA will then apply to that information.

It is therefore imperative that private sector organizations in British Columbia, Alberta, and Quebec have a good understanding of their own legislation and PIPEDA.

To illustrate this concept, let’s imagine a music store that operates in Alberta and collects personal information from its customers in Alberta. Because this music store is a business in Alberta’s private sector, it will comply with Alberta’s Personal Information Protection Act, and not PIPEDA.

However, if the store collects personal information — such as the name, address, and credit card numbers of customers who order across Canada — PIPEDA will apply.

The Public Sector

Every province and territory in Canada has their own specific public sector privacy legislation. The links at the beginning of this page provide more information about public and private legislation in each province and territory.

Figure 3. Every province and territory have their own public sector privacy legislation

Health Specific Privacy Legislation

In addition to private and public sector privacy legislation, Alberta, Saskatchewan, Manitoba and Ontario have enacted privacy legislation which explains how individuals can access their health records from health care bodies. Some examples of health care bodies are:

    • Public hospitals,
    • community service providers,
    • personal care homes,
    • long term care facilities,
    • physicians,
    • psychiatric facilities, and
    • pharmacies.

Figure 3. Alberta, Saskatchewan, Manitoba, and Ontario have their own health specific privacy legislation

Conclusion

Determining which jurisdiction personal information falls under can sometimes be tricky, especially if an organization has multiple locations across Canada or does business on the Internet. Courts around the world have recently struggled over determining which jurisdiction to hear cases in when multiple jurisdictions are involved.

The privacy commissioners of Alberta, British Columbia, and Canada have recently taken initiatives to cooperate in order to address trans-border privacy concerns.

Organizations in Canada should appoint privacy officers who will understand which privacy laws apply to their business. Organizations in Alberta, British Columbia, and Quebec should be mindful of both their own private sector privacy legislation as well as PIPEDA.