What the Privacy Act covers
The Privacy Act applies to more than 250 federal government institutions, including departments, agencies, Crown corporations, and most federal offices. It does not apply to private-sector businesses (those are covered by PIPEDA or equivalent provincial laws).
Personal information under the Act is broadly defined and includes information about race, national or ethnic origin, religion, age, medical or criminal history, financial information, addresses, fingerprints, opinions, and anything else that could identify you.
Rules for federal institutions
Federal institutions must follow strict limits on personal information:
- Collection: An institution may only collect information that relates directly to an operating program or activity.
- Direct collection: Wherever possible, information must be collected directly from the individual.
- Notice: Institutions must tell you why they are collecting your information.
- Accuracy: Institutions must take reasonable steps to ensure information is accurate, up to date, and complete before using it.
- Use: Information may only be used for the purpose it was collected or for a 'consistent use' compatible with that purpose, unless you consent or the Act permits another use.
- Disclosure: Personal information may only be disclosed in limited circumstances defined in section 8 of the Act.
- Retention and disposal: Institutions must keep information used to make a decision about you for at least two years after the last administrative action.
Your right to access and correct
Canadian citizens, permanent residents, and people present in Canada can request access to their personal information held by a federal institution. The institution has 30 days to respond (extensions are possible for complex requests).
If information is wrong, you can request a correction. If the institution refuses, you can require that a notation be attached to the record indicating the correction was requested and refused.
Complaints
If you believe a federal institution has mishandled your personal information, you can file a complaint with the Office of the Privacy Commissioner of Canada (OPC). The OPC investigates and issues findings.
If the matter involves a refused access request, you can also apply to the Federal Court for a review.
How the Privacy Act differs from PIPEDA
The Privacy Act covers the federal public sector; PIPEDA covers the private sector. The two laws use similar principles but are enforced differently.
The Privacy Act is widely regarded as outdated. It predates the commercial internet and does not include a general consent requirement or explicit breach-notification rules. Reform has been proposed but not yet enacted.