Symbol of the Government of Canada
Government of Manitoba
Skip to content|Skip to institutional links

Common menu bar links

Home Page > Home Page

 

Protection of Personal Information - Your Responsibilities

Privacy Commissioner of Canada

Last Verified: 2008-12-01

Act: Personal Information Protection and Electronic Documents Act; 2000, c. 5

Related Reading
More Information

To Whom Does This Apply?

The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities.

If you own or run a business, PIPEDA is a law that can help you enormously. Recent studies have proven that when an organization adopts fair information/privacy management practices into their operations and policies, it will make their business more competitive.

How does this work? If you manage your information properly, you can avoid data breaches that can result in lost time and resources spent recovering from a breach, as well as a loss of reputation. Good privacy is good business. Businesses are encouraged to visit the Office of the Privacy Commissioner's Web site for more information on how you can incorporate privacy governance and privacy risk mitigation into your daily operations.

Eligible Activities

Collection, use or disclosure of personal information in the course of commercial activities.

Summary

The Personal Information Protection and Electronic Documents Act (PIPEDA) is really about good information management practices -- from which every organization benefits.

PIPEDA sets out ground rules for managing personal information in the private sector. It balances two things:

  • the need for organizations to collect, use or disclose personal information for legitimate business purposes; and
  • an individual's right to privacy of personal information.
Commercial use of personal information within individual provinces

  • As of January 1, 2004, the law applies to organizations engaged in commercial activities across the country, except in provinces that have their own private sector privacy laws.
  • Quebec, Alberta and British Columbia each have their own law, and Ontario has a law which focuses specifically on personal health information.
  • Even in these provinces, PIPEDA continues to apply to the federally-regulated private sector and to personal information in inter-provincial and international transactions.

PIPEDA in brief

Organizations covered by PIPEDA must:

  • obtain an individual's consent when they collect, use or disclose the individual's personal information;
  • allow the individual to access their personal information;
  • allow the individual to challenge the accuracy of their personal information;
  • only use the personal information for the purposes for which it was collected;
  • obtain additional consent if the personal information is going to be used for another purpose;
  • assure the individuals that their information will be protected by specific safeguards e.g., locked cabinets, computer passwords or encryption.

Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

  • age, name, ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status, or disciplinary actions;
  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

Personal information DOES NOT include the name, title, business address or telephone number of an employee of an organization.

The PIPEDA Guide for Businesses and Organizations outlines their responsibilities under PIPEDA. There are ten "fair information principles" outlined in the guide, with explanations of how businesses and organizations can adhere to these principles. The principles are:

Be accountable Be accurate
Identify the purpose Use appropriate safeguards
Obtain consent Be open
Limit collection Give individuals access
Limit use, disclosure and retention Provide recourse

DISCLAIMER
Information contained in this section is of a general nature only and is not intended to constitute advice for any specific fact situation. For particular questions, the users are invited to contact their lawyer. For additional information, see contact(s) listed below.

Manitoba Contact(s):
See National Contact.

National Contact(s):
Privacy Commissioner of Canada
3rd Floor, Tower B
Place de Ville
112 Kent Street
Ottawa, Ontario  K1A 1H3
Telephone: 613- 995-8210
Fax: 613-947-6850
Toll-free (information): 1-800-282-1376
TTY (hearing impaired): 613-992-9190
Web site: http://www.privcom.gc.ca/index_e.asp



DISCLAIMER
Information contained in this document is of a general nature only and is not intended to constitute advice for any specific fact situation. Users concerned about the reliability of the information should consult directly with the source, or seek legal counsel.
LINKS POLICY
Some of the hypertext links lead to non-federal government sites which are not subject to the Official Languages Act and the material is available in one language only.