Canadian Privacy Laws

Canada has two federal Privacy laws:

  • The Privacy Act 1983 applies to the federal government’s handling of personal information.
  • The Personal Information Protection and Electronic Documents Act 2000 (PIPEDA) applies to how businesses handle personal information.

PIPEDA sets out clear rules to follow for private sector businesses in Canada that handle personal information. Any company that has information crossing provincial or national borders is subject to PIPEDA, regardless of which province or territory they are based in. ¹

PIPEDA does not give a geographical limit; however, the Federal Court of Canada has ruled that ‘PIPEDA does apply to businesses found in other jurisdictions if there is a substantial connection between an organisation’s activities and Canada’. ² Therefore, Canada’s data privacy law will have a direct impact on US and international companies that have Canadian customers.

Principles

Companies must follow the 10 fair information principles to protect personal information, which are set out in Schedule 1 of PIPEDA. These are:

Principle 1 – Accountability

An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.

Principle 2 – Identifying Purposes

The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.

Principle 3 – Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Principle 4 – Limiting Collection

The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.

Principle 5 – Limiting Use, Disclosure, and Retention

Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.

Principle 6 – Accuracy

Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.

Principle 7 – Safeguards

Personal information must be protected by appropriate security relative to the sensitivity of the information.

Principle 8 – Openness

An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.

Principle 9 – Individual Access

Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Principle 10 – Challenging Compliance

An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer. ³

Personal Rights

Organisations that come under PIPEDA and use information in the course of commercial activity must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information. Under PIPEDA, people have the right to access their personal information held by any organisation. They also have the right to challenge its accuracy.

Personal information can only be used for the purposes for which it was collected by a company. If an organisation is going to use the information for another purpose, they must obtain consent again. Personal information must be protected by appropriate safeguards. ⁴

Any organisations subject to PIPEDA who become aware of any breaches of their security that could result in personal information being leaked must notify the Privacy Commissioner of Canada. Companies must also inform any individual whose information is involved in these breaches. Records of all security breaches must be kept for two years.

Provincial Privacy laws

Each province has either fully adopted the federal PIPEDA or developed its own privacy law deemed ‘substantially similar’ by the Office of the Privacy Commissioner of Canada. Some provinces adhere to PIPEDA overall, but their health privacy laws have been deemed substantially similar to the federal PIPEDA and so stand alone. (See the bottom of the article for privacy laws and links to policies.)

Trust and Compliance

It is important that companies and individuals feel confident sharing their data with other businesses. Businesses need to demonstrate that they are following the laws as they are set out and are PIPEDA compliant.

One area that requires people to share a lot of personal information is lone worker systems. As the system needs a worker’s name, phone number and location in case of an emergency, companies need to know their data is being stored securely.

Privacy

Ok Alone is an enterprise-level solution for lone workers. It adheres to all applicable privacy laws and endeavours to use best practice whenever possible. Its terms and conditions have been carefully constructed around the Canadian Privacy Act and the GDPR to comply in Canada, the EU and the UK. Its own very detailed Privacy policy can be viewed here (https://www.okaloneworker.com/work-alone-monitoring-privacy/).

Ok Alone uses personal data in line with the 10 fair information principles to protect personal information, which are set out in Schedule 1 (https://laws-lois.justice.gc.ca/eng/acts/p-8.6/page-11.html#h-417659) of PIPEDA.

User Rights

Every person whose data Ok Alone uses has the right to request deletion, updating, correction, or the full record of their data. To enable this, each Admin Monitor can add, edit, update and delete Workers’ personal information in the system. In the event that there is a particular element of data the Monitor cannot edit, update or delete, they can also email [email protected] to request that the data be removed from the systems.

Access

Ok Alone takes data privacy very seriously, making sure internal access to customers’ personal data is on a need-to-know basis. All users with access to personal data have individual logins, and standard industry security practices are maintained.

Ok Alone customers also have a great deal of control over which people internally see personal data.  There are three levels of user access rights for the Monitors, each of which grants different access to personal data. Workers do not have access to personal data. All interaction between Workers and the system occurs through an encrypted connection with the app. Combined, this ensures people’s data stays private.

Storage and Security

The servers used by Ok Alone are located in Canada and are subject to PIPEDA. This ensures all data received from customers is kept securely. Ok Alone does not share any data or information with other companies. Ok Alone encrypts their data and uses firewall protection to make sure all information on record is secure.

Provincial Privacy laws

  • Alberta: Personal Information Protection Act
  • British Columbia: Personal Information Protection Act
  • Manitoba: The Personal Information Protection and Electronic Documents Act (PIPEDA)
  • New Brunswick: The Personal Information Protection and Electronic Documents Act (PIPEDA); Personal Health Information Privacy and Access Act
  • Newfoundland and Labrador: The Personal Information Protection and Electronic Documents Act (PIPEDA); Personal Health Information Act and Pharmacy Network Regulations
  • Northwest Territories: The Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Nova Scotia: The Personal Information Protection and Electronic Documents Act (PIPEDA); Personal Health Information Act
  • Nunavut: The Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Ontario: The Personal Information Protection and Electronic Documents Act (PIPEDA); Personal Health Information Protection Act, 2004
  • Prince Edward Island: The Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Quebec: Act Respecting the Protection of Personal Information in the Private Sector
  • Saskatchewan: The Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Yukon: The Personal Information Protection and Electronic Documents Act (PIPEDA)

1 – https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/02_05_d_15/

2 – https://www.endpointprotector.com/blog/data-protection-in-canada-pipeda/

3 – https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/

4 – https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/


