Privacy Rights in Ontario

How FIPPA, MFIPPA, PHIPA, and federal law combine to protect Ontarians from provincial ministries to hospitals and school boards.

TL;DR

Ontario does not have its own private-sector privacy statute, so PIPEDA applies to most businesses. For provincial and municipal government bodies, FIPPA and MFIPPA give you access and correction rights. Health information is governed by PHIPA. Complaints go to the Information and Privacy Commissioner of Ontario (IPC).

Laws that apply in Ontario

A mix of federal and provincial laws shape your privacy rights in Ontario:

PIPEDA covers most private-sector businesses (stores, banks, insurance, employers in federal works).
FIPPA covers provincial ministries, agencies, colleges, universities, and most provincial institutions.
MFIPPA covers municipalities, police services, school boards, and local public bodies.
PHIPA covers health information custodians such as hospitals, clinics, physicians, and pharmacies.
The Child, Youth and Family Services Act adds privacy rules for children's aid societies.

Access and correction (FIPPA/MFIPPA)

You have a right to request access to records held by provincial and municipal institutions. The default response time is 30 days, though extensions are allowed for complex requests.

You can also request that inaccurate personal information be corrected. If the institution refuses, you can file a statement of disagreement that is attached to your file.

Health privacy (PHIPA)

PHIPA gives you rights to access and correct your own health records and requires custodians to obtain consent (express or implied) before collecting, using, or disclosing your personal health information.

Since 2020, Ontario has required mandatory breach reporting to the IPC when certain types of breach occur.

How to file a complaint

Most privacy complaints in Ontario go to the Information and Privacy Commissioner of Ontario (IPC). Complaints about a federally regulated business or purely private-sector activity go to the OPC. Children's aid complaints have their own process under the CYFSA.

Sources & References

Freedom of Information and Protection of Privacy Act (FIPPA Ontario)—Ontario statute governing access to records and privacy of personal information held by provincial institutions including ministries, agencies, and universities.Ontario.ca
Municipal Freedom of Information and Protection of Privacy Act (MFIPPA Ontario)—Ontario statute governing access to records and privacy of personal information held by municipal institutions including municipalities, police services, and school boards.Ontario.ca
Personal Health Information Protection Act, 2004 (PHIPA Ontario)—Ontario's health privacy statute governing the collection, use, and disclosure of personal health information by health information custodians.Ontario.ca
Information and Privacy Commissioner of Ontario (IPC)—Independent officer overseeing FIPPA, MFIPPA, PHIPA, and CYFSA in Ontario. Resolves access appeals, investigates privacy complaints, and issues orders.Government of Ontario
Personal Information Protection and Electronic Documents Act (PIPEDA)—Federal private-sector privacy law governing the collection, use, and disclosure of personal information.Justice Laws Website
Office of the Privacy Commissioner of Canada (OPC)—Oversees compliance with PIPEDA and the Privacy Act, investigates complaints, and promotes privacy rights.Government of Canada

All sources link directly to official government websites. This page provides legal information, not legal advice. Consult a qualified professional before acting on any information presented here.