Protecting Personal Information And Your PrivacyEnglish | Français
In Canada, there are laws that protect your privacy. The federal law that regulates personal information handled in the course of commercial activities is called the Personal Information Protection and Electronic Documents Act (PIPEDA), and there is a
separate law for federal public sector institutions called the Privacy Act. These laws set the rules for how organizations may collect, use or disclose your personal information. Responsibility for overseeing these rules rests with the Office of the Privacy Commissioner of Canada (OPC).
Under PIPEDA, organizations must follow 10 principles. For example, they must collect, use or disclose your personal information only with your consent, and only for reasonable purposes. They are required to protect your personal information, ensure it’s accurate, complete and up to date (as appropriate in the circumstances), and destroy it when it’s no longer needed. It’s important to remember that some organizations, including government institutions, are not subject to PIPEDA.
There are other laws, aside from PIPEDA and the Privacy Act that deal with your privacy. For more information, check out this handy OPC tool.
PIPEDA offers you certain privacy rights including:
- The right to know what personal information an organization has about you. Ordinarily, the organization must give you the information within a reasonable time and at minimal or no cost.
- The right to correct personal information an organization has about you if it is out of date or incorrect.
- The right to revoke your consent for the continued use and disclosure of your personal information.
- The right to raise a privacy concern with an organization. If you are worried about the way your personal information is being handled by an organization, you should let them know. Organizations care about your privacy and in most cases, will work hard to quickly and effectively address your concern.
These rights are subject to certain exemptions laid out in the law. For example, most of these laws contain unique provisions that may apply during a public health crisis to ensure the law is not a barrier to appropriate information-sharing.
You may also reach out to the CMA for advice and assistance.
If you are not satisfied with an organization’s response to your concerns, you may be able to file a formal complaint with the OPC.
You can visit the Office of the Privacy Commissioner of Canada (OPC) to find out more.
Organizations require a certain amount of information from you to serve you well. It’s best to share the minimum amount of personal information that is needed for the products and services you want and need.
Don’t over-share: The best way to protect your privacy is to share the minimum amount of personal information necessary. Organizations require a certain amount of information from you in order to deliver the products and services you need and want. Beyond this, you should exercise your judgment in what you share, and know your rights (outlined above).
Pay attention to your online privacy settings: Online privacy settings can help you increase the control you have over how your personal information is handled, such as what information an organization collects and who can
adjust these settings regularly.
On your mobile device, you can control if and when different apps can turn on location tracking. On your browser, you can control things like pop-ups and cookies. These functions are intended to improve and personalize your experience, and it’s important for you to decide what you’re comfortable with. For more information, see the OPC’s tips for privacy settings.
Exercise choice when it comes to interest-based advertising: All advertising seeks to show the right products to the right audience at the right time. The process of serving online ads based on predicted interests relies on
recognizing cookies that are stored by web browsers or advertising IDs set on mobile devices. Over time, this information gathered by companies informs them how to show more relevant ads.
Companies engaging in any type of interest-based advertising practices online should be respecting your data privacy rights in Canada by providing you with notice about the collection of data for advertising purposes and the use of interest-based advertising when it’s happening. Companies must also give you the ability to opt-out.
In Canada, many companies participate in a self-regulatory program for interest-based advertising called AdChoices. As a consumer, you can opt-out of interest-based advertising from companies registered with the program, and also report any issues with interest-based advertising that you encounter. We encourage you to learn more.
You can help protect your personal information by keeping your devices and software as secure as possible.
Learn how you can protect yourself by visiting the Canadian Cyber Centre website, and start with the following simple cybersecurity tips:
- Keep your devices updated: Keep all software on your personal internet-connected devices up to date, including your computer, smartphone and tablet.
- Use and update protective software: As appropriate to your device, use and update protective software, such as anti-virus software, anti-phishing software, firewalls and host intrusion detection system (HIDS).
- Use strong passwords: Use unique passphrases and complex passwords (eight or more characters with a combination of characters, numbers and symbols) for all accounts, including your social media accounts. Use different passwords for different accounts, and use two-factor authentication if it’s offered.
- Avoid using public WiFi and "jailbroken" devices: Use of public WiFi connections puts you at risk. If you must use one, you should use a Virtual Private Network (VPN). Always remember to turn off your Wi-Fi, GPS, and Bluetooth when not in use. Do not attempt to jailbreak your devices, which is a method of disabling the security measures put on by the device manufacturer.
- Back up your data: Avoid losing data by storing your data securely and knowing your backup procedures. Back up often.
- Don’t share information that could help hackers: Do not openly share personal information that could help someone hack into any of your accounts or guess your passwords, particularly on social media. When creating security questions for logins, don’t make the answers personal information, like your middle name or address.
- Stay secure when working remotely: Be sure to take precautions when using company devices. In addition to the tips above, here are some best practices:
- Keep your devices in a secure place, and ensure they “auto log-out” when not in use. Use your devices only for work, and don’t let others use them.
- Make sure you’re using a secure network when accessing work accounts and shared drives, like a VPN issued by your employer.
- If you’re connecting to a home WiFi network, make sure you have that network locked down with a strong password. If you can separate your WiFi network by creating one for personal devices and one for work devices, do that.
- Follow the advice of your IT department and contact them as soon as issues arise.
- Be vigilant when using videoconferencing: Videoconferencing tools are more popular than ever during the pandemic. When a technology grows quickly in popularity, bad actors may aim to take advantage of the onslaught of new and untrained users. They may access meetings uninvited, share malicious links, or attempt to access chat logs saved on servers or the cloud. Be sure to use privacy settings to lock down your meeting (including the “waiting room” feature). Avoid recording meetings and storing the logs unless you have to, and don’t share links to your meeting in an open forum.
- Office of the Privacy Commissioner of Canada (OPC): A Guide for Individuals, Protecting your Privacy
- Canadian Centre for Cybersecurity: Protecting Against Malware
- Canadian Centre for Cybersecurity: Considerations When Using Video-teleconferencing Products and Services