Compliance With Canada's Privacy Legislation

The Personal Information Protection and Electronic Documents Act (PIPEDA), formerly referred to as Bill C-6, is essentially about balance. On one hand, it respects an individual’s right to privacy while on the other, it recognizes the need for industry and organizations to collect, use, and disclose personal information. PIPEDA became law January 1, 2004 and, as its name suggests, encompasses two primary objectives:

  • to establish rules that govern the collection, use, and disclosure of personal information by private sector organizations; and

  • to acknowledge the validity and legality of electronic documents. For more information regarding this legislation, please visit the official web site of the Privacy Commissioner of Canada at

The Privacy Commissioner of Canada's office has powers of Superior Court of record, which means they can subpoena documents, examine your employees under oath, and take records from your premises. So, you better pay attention!  Under PIPEDA, every business must have a privacy policy statement regarding the collection, storage, use, disclosure, security, and disposal of information about its clients or customers.

Quebec, Alberta, and British Columbia are the only provinces that currently have legislation dealing with personal information in the private sector that meets the test of “substantially similar” with the PIPEDA. Consequently, their respective provincially-regulated organizations are exempted from the federal Act. For more information regarding the respective provincial privacy legislation, please visit their official websites:

  • Alberta Personal Information Protection Act (PIPA): For information contact the Access and Privacy Branch at:

  • B.C. Personal Information Protection Act (BC PIPA):

  • Québec An Act Respecting the Protection of Personal Information in the Private Sector:

What is personal information?

Personal information is information about an identifiable individual. It could include: an individual's race, ethnic origin, colour, age, marital status, religion, education, medical information, criminal record, employment history, financial records, address, telephone number, e-mail address, and Social Insurance Number. It does not include the name, title, business address, or business telephone number of an employee of an organization.

The key obligation in a Privacy Compliance Regime

ABCsolutions has developed a comprehensive package of materials that can be customized to your business. After we undertake a consultation with you about your business services and the information you collect from your customers/clients, we will develop the materials that meet your specific needs. Your policy statement will be modeled after the ten privacy principles and include such things as:

  • A set of policies and procedures covering your organization’s lifecycle of information flow, including: how the personal information is collected, used, disclosed, stored, protected, destroyed, and why it is needed;

  • Pamphlets, brochures, or notices that can be sent or given to customers explaining your privacy regime;

  • The designation of an employee as your Privacy Officer; and

  • Policy that outlines how a customer can get access to their personal information, make changes to it when they want, and have it removed from your files if they are allowed by law to do so.

Click here for more information on your Privacy obligations