Legislative Information Regarding Personal Documents

Three major pieces of legislation, two Federal and one Provincial, have been enacted that affect documents containing personal information about residents of Ontario. These include:

  • The Privacy Act
  • The Personal Information Protection and Electronic Documents Act
  • The Personal Health Information Protection Act, 2004

Privacy Act

The Privacy Act came into effect on July 1, 1983. This Act obligated some 150 federal government departments and agencies to respect the privacy rights of Canadians by placing limits on the collection, use and disclosure of personal information. The Privacy Act gave Canadians the right to access and correct the personal information about themselves held by these federal government organizations.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA was implemented over four years, with the final enactment being in place as of January 1, 2004. Generally, this legislation establishes the rules, exceptions and remedies for how organizations may collect, use or disclose information about you in the course of commercial activities. This law also gives you the right to review information that organizations may have collected about you and the opportunity to ask for correction of this information if it is incorrect.

The Department of Justice has indicated that the purpose of the Personal Information Protection and Electronic Documents Act:

“is to provide Canadians with a right of privacy with respect to their personal information that is collected, used or disclosed by an organization in the private sector in an era in which technology increasingly facilitates the collection and free flow of information.”

The Department has further indicated that “Personal Information” under the Act means information about an “identifiable individual.”

Personal information includes:

  • Name, age, weight, height
  • Medical records
  • Income, purchases and spending habits
  • Race, ethnic origin and colour
  • Blood type, DNA code, fingerprints
  • Marital status and religion
  • Education
  • Home address and phone number

Personal information does not include:

  • Name, job title, business address or office telephone number of an employee of an organization

Rules, Exceptions & Remedies

The law gives you the right to see and ask for corrections to information an organization may have collected about you. If you think an organization covered by the Act is not living up to its responsibilities under the law, you have the right to lodge an official complaint.

The PIPEDA Guide, prepared by the Federal Department of Justice, explains as follows:

The PIPEDA gives you the right to:

  • Know why an organization collects, uses or discloses your personal information;
  • Expect an organization to collect, use or disclose your personal information reasonably and appropriately, and not use the information for any purpose other than that to which you have consented;
  • Know who in the organization is responsible for protecting your personal information;
  • Expect an organization to protect your personal information by taking appropriate security measures;
  • Expect the personal information an organization holds about you to be accurate, complete and up-to-date;
  • Obtain access to your personal information and ask for corrections if necessary; and
  • Complain about how an organization handles your personal information if you feel your privacy rights have not been respected

This law requires organizations to:

  • Obtain your consent when they collect, use or disclose your personal information;
  • Supply you with a product or a service even if you refuse consent for the collection, use or disclosure of your personal information unless that information is essential to the transaction;
  • Collect information by fair and lawful means; and
  • Have personal information policies that are clear, understandable and readily available.

An organization must also destroy, erase or make anonymous personal information about you when it is no longer needed to fulfill the purpose for which it was collected.


The Department of Justice allows certain exceptions to these principles. For example, an organization may not need your consent in obtaining information about you if collecting the information clearly benefits you and your consent cannot be obtained in a timely way; or if the information is needed by a law enforcement agency for an investigation, and getting consent might compromise the information’s accuracy.

You can find out about the information that an organization has collected about you by sending a written request to the organization that holds your personal information. However, you must provide details that will allow the organization to identify the information you want. This could include dates, subscription, account numbers or reference numbers, or the names and positions of the people you may have dealt with at the organization or who may have collected this information.

Organizations must provide the information requested within a reasonable time and at minimal or no cost.

If you find there are errors or omissions in your personal information you may write to the organization and explain the corrections you are requesting, and why you are making the request. Supply copies of any documents that you have that support your request.

If the organization declines to make the corrections that you are requesting, you may require the organization to attach a statement of your disagreement or request to your file. This statement must then be passed on to any other organization that may be allowed access to the information.

If you believe your privacy rights are not being respected, the Act allows you to make a complaint if:

  • An organization refuses to divulge the personal information it has collected about you, refuses to correct the information that you have told them is inaccurate or incorrect, or you think that this information has been improperly collected, used or disclosed
  • You believe an organization is not following the provisions of PIPEDA.

You can send your complaint to:

Office of the Privacy Commissioner of Canada
112 Kent Street
Place de Ville
Tower B, 3rd Floor
Ottawa, Ontario
K1A 1H3

or call 1-800-282-1376 if you need more information or advice on how you should proceed.

The Role of the Privacy Commissioner

  • Attempt to resolve disputes through negotiation, mediation and conciliation
  • Investigate your complaint
  • Initiate their own investigation or review regarding how an organization handles personal information
  • Can recommend that the organization release your personal information to you or correct any inaccuracies
  • May recommend to organizations that they change their personal information handling practices
  • Report the findings of the investigation to you and the organization

If the organization ignores the recommendations of the Privacy Commissioner:

  • The Commissioner has the power to make public any information about the personal information handling practices of an organization
  • The Commissioner may take the complaint to the Federal Court of Canada
  • You may, under certain circumstances, take your complaint to the Federal Court of Canada
  • The Court can order an organization to correct any practices that do not comply with the law, and to publish notices of how it has or will correct its practices
  • The Court can also award damages to the complainant

PIPEDA does not cover:

  • Federal government organizations already covered by the Privacy Act
  • Provincial or territorial governments, and their agents
  • Organizations that collect, use or disclose personal information solely for journalistic, artistic or literary purposes
  • Individuals that collect, use or disclose personal information for their own purposes, such as genealogical research shared with other family members

Retention of Information

Organizations must make policies and procedures to govern the destruction of personal information which is no longer needed. All information that is no longer needed must be destroyed, erased, or made anonymous.

Personal Health Information Protection Act, 2004

The Personal Health Information Protection Act, 2004 (PHIPA), enacted by Ontario, is the Province’s health-specific privacy legislation. PHIPA is similar to PIPEDA but covers health information which is under the jurisdiction of the Province of Ontario, whereas PIPEDA is federal legislation. PHIPA governs the manner in which personal health information is collected, used and disclosed within the health care system. It also regulates individuals and organizations that receive personal information from health care professionals. PHIPA came into force on November 1, 2004, after which time all health information custodians must comply.

This Act is designed to give individuals greater control over how their personal health information is collected, used or disclosed. In addition, PHIPA confirms a patient’s existing right to access their own personal health information and provides a means for complaint and correction through the Office of the Information and Privacy Commissioner/Ontario (IPC) when privacy rights relating to personal health information have been violated. It should be noted, however, that there is no obligation for custodians to seek consent for personal health information that was collected prior to this date.

The necessity of health privacy information legislation in Ontario is based on the fact that the nature of our health care system requires that health information may pass through many hands, i.e., from a doctor’s office, to a specialist, a medical lab, a hospital, or an insurance company for reimbursement of claims. Also, personal health information must be readily shared, such as in the case of a medical emergency. The increasing use of technology to transfer and store medical data instantaneously has also increased the need for legislated rules to assure that personal health information will be protected. The need for the proper destruction of information no longer needed is also addressed.

Certain organizations, including insurance companies, schools and employers, that may have custody or control of health information are not governed by PHIPA. They are bound by PHIPA only when they receive personal health information from a health information custodian.

Health information custodians are individuals or organizations under PHIPA that, as a result of their power or duties, have custody or control of personal health information.

Health Information Custodians include:

  • Hospitals
  • Health care practitioners, including doctors, nurses, pharmacists, psychologists and dentists
  • Psychiatric facilities
  • Pharmacies
  • Laboratories
  • Nursing homes and long-term care facilities
  • Retirement homes and homes for special care
  • Community care access centres
  • Ambulance services
  • Boards of health
  • The Minister of Health and Long-Term Care
  • Entities prescribed by regulations that are not defined as health information custodians but are permitted to collect personal health information from health information custodians for the purpose of health planning and management

Custodians do not include:

  • Aboriginal healers or midwives who provide traditional healing services to aboriginal persons or members of an aboriginal community
  • Persons who provide health treatment by spiritual means or by prayer

Custodians must:

  • Have in place information practices compliant with this legislation
  • Comply with their published information practices
  • Take reasonable precautions to ensure that the information is accurate, complete and up to date for the purpose of the use of the information
  • Take reasonable steps to ensure the information is protected against theft, loss or unauthorized access
  • Notify the individual if the information is lost, stolen, or accessed by unauthorized persons
  • Ensure that records are retained, transferred and disposed of in a secure manner
  • Make available to the public, a general description of the custodian’s information practices, how to contact the custodian, how to gain access to one’s personal records, and how to make a complaint
  • Inform the individual of any use or disclosure of the individual’s information without the individual’s consent, if such use or disclosure is outside the scope of the custodian’s published information practices

Collection, Use & Disclosure

  • A Health Information Custodian (HIC) may not collect, use, or disclose personal health information unless consent is obtained under this act, and the information is necessary for a lawful purpose
  • The act specifies what constitutes consent for individuals of specific ages and who can provide consent when the individual is unable
  • Health Cards may only be requested for the provision of provincially funded health resources by a Health Information Custodian (HIC)
  • The information collected may be used only for the purpose for which it is collected, or where permitted by an Act of the Canada, for planning or delivering services, or for educating agents to provide health care.
  • A HIC may disclose the information to another HIC for the benefit of the individual if the individual cannot reasonably provide consent, or to try to contact a relative or substitute decision maker, if the individual cannot provide consent
  • An individual has the right to the record of personal health information under the control of the HIC, unless the records are part of certain legal proceedings
  • An individual may request any errors in the record be corrected
  • All records when no longer necessary must be disposed of in a secure manner in accordance with the prescribed requirements
  • A person found guilty of an offense under this act will face a fine of up to $50,000. If a corporation, the fine may be up to $250,000

Copyright Norfolk Disposal Services 2018