Learn about your obligations concerning documents and information.
Three major pieces of legislation, two Federal and one Provincial, have been enacted that effect documents that contain personal information about residents of Ontario. These include:
The Privacy Act came into effect on July 1, 1983. This Act obligated some 150 federal government departments and agencies to respect the privacy rights of Canadians by placing limits on the collection, use and disclosure of personal information. The Privacy Act gave Canadians the right to access and correct the personal information about themselves held by these federal government organizations.
PIPEDA was implemented over four years with the final enactment being in place as of January 1, 2004. Generally this legislation establishes the rules, exceptions and remedies for how organizations may collect, use or disclose information about you in the course of commercial activities. This law also gives persons the right to review information that organizations may have collected about you and provides you with the opportunity to ask for correction to this information if it is incorrect.
The Department of Justice has indicated that the purpose of the Personal Information Protection and Electronic Documents Act:
“is to provide Canadians with a right of privacy with respect to their personal information that is collected, used or disclosed by an organization in the private sector in an era in which technology increasingly facilitates the collection and free flow of information.”
The Department has further indicated that “Personal Information” under the Act means information about an “identifiable individual.”
Personal information includes:
Personal information does not include:
Name, job title, business address or office telephone number of an employee of an organization
The law gives you the right to see and ask for corrections to information an organization may have collected about you. If you think an organization covered by the Act is not living up to its responsibilities under the law, you have the right to lodge an official complaint.
The PIPEDA Guide, prepared by the Federal Department of justice explains as follows:
The PIPEDA gives you the right to:
This law requires organizations to:
An organization must also, destroy, erase or make anonymous personal information about you when it is no longer
needed, in order to fulfill the purpose for which it was collected.
The Department of Justice allows certain exceptions to these principles. For example, an organization may not need your consent in obtaining information about you if collecting the information clearly benefits you and your consent cannot be obtained in a timely way; or if the information is needed by a law enforcement agency for an investigation, and getting consent might compromise the information’s accuracy.
You can find out about the information that an organization has collected about you by sending a written request to the organization that holds your personal information. However, you must provide details that will allow the organization to identify the information you want. This could include dates, subscription, account numbers or reference numbers, or the names and positions of the people you may have dealt with at the organization or who may have collected this information.
Organizations must provide the information requested within a reasonable time and at minimal or no cost.
If you find there are errors or omissions in your personal information you may write to the organization and explain the corrections you are requesting, and why you are making the request. Supply copies of any documents that you have that support your request.
If the organization declines to make the corrections you that you are requesting, you may require the organization to attach a statement of your disagreement or request to your file. This statement must then be passed on to any other organization that may be allowed access to the information.
112 Kent Street
Place de Ville
Tower B, 3rd Floor
K1A 1H3 or call,
1-800-282-1376 if you need more information or advice on how you should proceed.
The Role of the Privacy Commissioner
Organizations must make policies and procedures to govern the destruction of personal information which is no longer needed. All information that is no longer needed, must be destroyed, erased, or made anonymous.
The Personal Health Information Protection Act, 2004 (PHIPA) enacted by Ontario is the Province’s health-specific privacy legislation. PHIPA is similar to PIPEDA but covers health information which is under the jurisdiction of the Province of Ontario, whereas PIPEDA is federal legislation. PHIPA governs the manner in which personal health information is collected, used and disclosed within the health care system. It also regulates individuals and organizations that receive personal information from health care professionals. PHIPA came into force on November 1, 2004; after which time all health information custodians must comply.
This Act is designed to give individuals greater control over how their personal health information is collected, used or disclosed. In addition, PHIPA confirms a patient’s existing right to access one’s own personal health information and provides a means for complaint and correction through the Office of the Information and Privacy Commissioner/Ontario (IPC) when privacy rights relating to personal health information have been violated. It should be noted however that there is no obligation for custodians to seek consent for personal health information that was collected prior to this date.
The necessity of health privacy information legislation in Ontario is based on the fact that the nature of our health care system requires that health information may pass through many hands, i.e.; from a doctor’s office, to a specialist, a medical lab, a hospital, or an insurance company for reimbursement of claims. Also, personal health information must be readily shared, such as in the case of a medical emergency. The increasing use of technology to transfer and store medical data instantaneously has also increased the need for legislated rules to assure that that personal health information will be protected. The need for the proper destruction of information no longer needed is also addressed.
Certain organizations including insurance companies, schools and employers – who may have custody or control of health information, are not governed by PHIPA. They are bound by PHIPA only when they receive personal health information from a health information custodian.
Health information custodians are individuals or organizations under PHIPA that, as a result of their power or duties, have custody or control of personal health information.