Privacy Act for the Private Sector


By Rosemary Pon
Human Resources Consultant - RJP Ventures Inc

With the Personal Information Protection and Electronic Documents Act (PIPEDA), which came into effect on January 1, 2004, private sector businesses need to focus attention on how they manage personal information. This legislation affects data pertaining to employees and customers.

According to the Privacy Commissioner of Canada, personal information "is any factual or subjective information, recorded or not, about an identifiable individual. It includes:

  • age, name, weight, height;
  • medical records;
  • ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status, or disciplinary action; and
  • employee files, credit records, loan records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs.)"

Personal information that is available publicly is excluded under PIPEDA. This includes telephone book and business card information, such as your job title, telephone number or address.

Organizations in the private sector are required to handle personal information appropriately, in accordance with PIPEDA. They are held legally responsible for managing information and need to designate a privacy information gatekeeper. Organizations must:

  • Obtain consent from individuals when they collect, use or disclose their personal information, unless:
    • The need to collect the information is clearly in their best interest and their consent cannot be obtained in a timely manner; or
    • The information is needed by a law enforcement agency for an investigation, and obtaining consent may jeopardize the information's accuracy
  • Supply the product or a service, even if the individual refuses consent for the collection, use or disclosure of their personal information
  • Collect information fairly and lawfully
  • Provide personal information policies that are clear, understandable and readily available, and
  • Destroy, erase or make anonymous personal information about an individual that is no longer needed to fulfill the purpose for which it was collected

Under PIPEDA, an individual has the right to privacy, to:

  • Know how their personal information is collected, used or disclosed and why an organization collects, uses or discloses their personal information
  • Know who is responsible for protecting their personal information in the organization
  • Expect the organization to use personal information responsibly, only for the purposes for which it was collected. When an organization changes the purpose for which the information will be used, the organization must re-obtain consent.
  • Expect the organization to implement appropriate security measures to protect their personal information
  • Expect the organization to collect accurate, complete and up-to-date information about the individual
  • Access their personal information and request that corrections be made
  • Complain about how an organization handles their personal information, confidentially if requested.

The Ombudsman from the Privacy Commissioner of Canada will handle complaints under this law. The Ombudsman investigates complaints, conducts audits, promotes awareness of PIPEDA, and researches privacy matters.

It is an offence to:

  • Destroy personal information that an individual has requested
  • Retaliate against an individual who has complained to the Privacy Commissioner, and/or
  • Obstruct a complaint investigation or an audit by the Privacy Commissioner or his delegate

For an indictable offence, the organization can be fined up to $100,000 and an individual can be fined up to $10,000 for failure to comply.

For further details about PIPEDA, see

For information on other related items, such as:

20 Questions a Small Business Should Ask About Privacy

Private Sector Privacy in other Jurisdictions