Canada

Image

Canada Topic Page

Navigate by Topic

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to privacy in Canada.

Featured Resources

BOOK

Canadian Privacy, Fourth Edition

This article analyzes how Canada is poised to potentially pass several major private sector privacy law reforms on both the federal and provincial levels.
Read More

ARTICLE

Quebec regulations situate province ‘between Canada and Europe’

This article covers the happenings at the IAPP Canada Privacy Symposium 2023, including the status of the AI and Data Act, and whether it sufficiently regulates the technology as currently constituted.
Read More

ARTICLE

OPC announces investigation of OpenAI at IAPP CPS 2023

This article covers Privacy Commissioner of Canada Philippe Dufresne’s opening keynote address at IAPP Canada Privacy Symposium 2023, in which he announced his office would partner with multiple provincial data protection authorities to investigate generative artificial intelligence developer OpenAI.
Read More

WEB CONFERENCE

Privacy beyond checkmarks: Law 25 and the evolving landscape of Canadian consent

Québec’s Law 25 will require Canadian businesses with customers in the province, including those not based in Québec, to comply with GDPR-style requirements. Is your organization’s privacy program ready?
Read More

ARTICLE

Tracking Canadian private-sector privacy law reform

This article tracks Canada’s plans to potentially pass several major private sector privacy law reforms on both the federal and provincial levels
Read More

VIDEO

Privacy Around the Globe: Canada

This LinkedIn Live takes a close look at the changing privacy landscape in Canada, as IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, talks with Dentons Global Privacy and Cybersecurity Group co-Chair Chantal Bernier.
Read More


Canada Dashboard Digest newsletter

Keep up to date with the most important privacy and data protection news from Canada by subscribing to the Canada Dashboard Digest newsletter.

Additional News and Resources

Canadian Parliament's Bill C-27 hearing delves deeper into AIDA

There are a range of crucial points that are becoming unavoidable in discussions around artificial intelligence legislation. Most glaring among them are the need to develop governance frameworks for the creation and deployment of AI, and training a future workforce that will be tasked with implementing such frameworks at each level of an AI model's life cycle. Addressing the House of Commons of Canada's Standing Committee on Industry and Technology 7 Dec., IAPP AI Governance Center Director Ash... Read More

CAI issues 2023-2027 strategic plan

Quebec's data protection authority, the Commission d'accès a l'information du Québec, released its 2023-2027 Strategic Plan. The report states the CAI will devote resources to ensure public bodies adhere to disclosure requirements and improve the protection of personal information. Additionally, the CAI will look to streamline the appeal process for sanction decisions and expand its human resources capacity.Full story... Read More

Quebec DPA reviews 2022-2023 annual report

Quebec's data protection authority, the Commission d’acces a L’information du Quebec, released its 2022-2023 annual report, noting it achieved all goals outlined in its broader 2019-2023 Strategic Plan. The CAI claimed it "deployed as many actions to publicize the new obligations of organizations" under the provincial private-sector privacy law, Law 25. The regulator added, "In addition to revising its documentation and launching a new website to better support organizations, the Commission has ... Read More

Canadian government issues guidelines for employee AI use

The Canadian government issued new guidelines for employees using artificial intelligence tools on the job, CBC News reports. Treasury Board President Anita Anand said the guidelines, based on existing legislation including the Privacy Act, will "ensure responsible use of generative AI" and confirm "bias does not creep in if employees do go down the road to use generative AI."Full story... Read More

Canada rolls out generative AI code of practice

The Government of Canada published a code of practice for generative artificial intelligence development and use. In anticipation of lawmakers passing the proposed Artificial Intelligence and Data Act, the government's voluntary code will help potential covered entities "avoid harmful impacts, build trust in their systems, and transition smoothly to compliance with Canada's forthcoming regulatory regime." The code includes principles for safety, fairness, transparency and human oversight. Editor... Read More

An update of C-27 since its reintroduction in Parliament

Since its introduction in Canadian Parliament last year, Bill C-27, the Digital Charter Implementation Act, has been front and center in regulatory conversations among privacy professionals in Canada. The omnibus legislation passed the House of Commons on second reading 24 April and contains three separate pieces of legislation: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. Despite privacy legislati... Read More

OPC releases 2023-2024 strategy

The Office of the Privacy Commissioner of Canada published its 2023-2024 departmental plan. Commissioner Philippe Dufresne said the office is "preparing to be ready to deliver on its new mandate" if federal privacy law reforms under Bill C-27 pass. He also alluded to his office needing to be "properly resourced" for "necessary operational and structural changes" the office will assume under Bill C-27. Advising toward Bill C-27's finalization and establishing a "fair, accessible and timely compli... Read More

Canadian government releases AIDA companion document

The Canadian government published a companion document with key information about the proposed Artificial Intelligence and Data Act. The AIDA is contained within the proposed omnibus Bill C-27, the Digital Charter Implementation Act, which was tabled last year. The "new regulatory system" the AIDA establishes represents "the first step" toward guiding "AI innovation in a positive direction, and to encourage the responsible adoption of AI technologies by Canadians and Canadian businesses."Full St... Read More

OPC publishes organizational tips for conducting PIAs

The Office of the Privacy Commissioner of Canada published a guide with five tips for improving privacy impact assessments. The OPC found the missteps organizations take when conducting PIAs include not understanding their legal authority to collect certain personal data, defining the scope of a PIA for “clear analysis,” and creating and implementing an action plan based on the PIA.Full Story... Read More

Quebec information commission releases children's privacy report

Quebec’s data protection authority, Le Commission d’accès à l’information du Quebec, published a report regarding potential children's privacy amendments to provincial privacy legislation. The goal of the report was to examine enhanced protections for children under the age of 14. Themes reviewed in the report include going beyond parental consent for children's data use, improved privacy awareness for parents and children, and proposals for prohibited data collection practices.Full Story... Read More

Synthetic data a key to privacy by design practices in new Canadian smart city partnership

Toronto-based nonprofit Innovate Cities and synthetic data generation provider Replica Analytics joined forces in a new effort to help Canadian cities transition away from using personal data and instead utilize synthetic data. The basis of the partnership entails providing municipalities with synthetic data based on real-life data points to achieve smarter solutions for each given city. IAPP Staff Writer Alex LaCasse has the details.Full Story... Read More

Expanding the scope of privacy legislation under Canada's Consumer Privacy Protection Act

In 2020, I wrote about what I considered a significant flaw under the proposed Consumer Privacy Protection Act in Bill C-11, which was tabled in November 2020, and then died when the federal election was called in 2021. Bill C-11 retained the definition of personal information — information about an identifiable individual — but introduced a new concept of “deidentify.” This seemed to, by implication, alter the concept of personal information, expanding the scope of federal privacy legislation ... Read More

Parting thoughts: A Canadian privacy one-on-one with Daniel Therrien

Canada's federal privacy regime is on the cusp of an overhaul with the recent introduction of Bill C-27, an omnibus legislative package for data protection and artificial intelligence. Many have called for this reform in recent years to address growing privacy issues. Former Privacy Commissioner of Canada Daniel Therrien was one who saw the need and strongly advocated for change during the final years of his eight-year term. Therrien completed his tenure as commissioner June 3, spending some ti... Read More

A look at Canada's new federal privacy legislation, Bill C-27

Last week, while privacy professionals in Canada were still contemplating Bill C-26 on cybersecurity, the much-anticipated Digital Charter Implementation Act, 2022 — Bill C-27 — was introduced by the federal government. It is a reintroduction and, some may agree, an improvement of Bill C-11, first introduced in 2020 and failed on the order paper as a result of the federal election in 2021. The new statutory framework in Bill C-27 governs private sector personal information protection practices ... Read More

Tim Hortons app investigation highlights ‘urgent need’ for ‘stronger privacy laws’

Fast-food chain Tim Hortons’ mobile application tracked and recorded users’ movements every few minutes of every day, everywhere they went, even when the app was not in use. This according to a joint investigation by federal and provincial Canadian privacy authorities, which they said points to the need for privacy reform in the country.   The Office of the Privacy Commissioner of Canada, Commission d'accès à l'information du Québec, Office of the Information and Privacy Commissioner for Britis... Read More

Canada introduces new federal privacy and AI legislation

Canada took a step toward updating its privacy regime June 16, as Minister of Innovation, Science and Industry François-Philippe Champagne and Minister of Justice and Attorney General of Canada David Lametti introduced Bill C-27. The Digital Charter Implementation Act, 2022 features three pieces of legislation: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act.  The three-pronged legislation aims to stren... Read More

PIPEDA rights for consumers

This article from Termageddon discusses the Personal Information Protection and Electronic Documents Act rights for consumers and how these rights affect your business and privacy policy.  Click To View ... Read More

Therrien says 'uncertainty' clouds Canadian privacy, urges thoughtful reform

After eight years at the helm of Canada's privacy regime, the time has arrived for Privacy Commissioner of Canada Daniel Therrien to pass the reins. The longtime civil servant will leave his post June 3, allowing him the opportunity to speak candidly for the first time about the state of Canadian privacy during his keynote speech at the IAPP Canada Privacy Symposium 2022. Instead of reflecting on what was or could have been during his tenure, Therrien provided unfiltered thoughts on the gray ar... Read More

OPC publishes report examining strategic privacy priorities

The Office of the Privacy Commissioner of Canada published a report that recounted the strategic privacy priorities over the last seven years. The report titled “Strategic Privacy Priorities and the Themes and Observations that Emerged: 2015-2022” examined the OPC’s work in the fields of economics of personal information, government surveillance, and reputation and privacy as an effort to help restore Canadians’ trust in government and the digital economy. These selected priorities reflected the... Read More

OPC releases 2022-2023 departmental plan

Privacy Commissioner of Canada Daniel Therrien announced details of his office's 2022-2023 departmental plan. He said the plan will focus on continuing "to build on our efforts to contribute to the adoption of new federal privacy laws and prepare the Office for changes stemming from these reforms." Noting how federal privacy law updates are "building trust among Canadians" and "fostering innovation," Therrien explained the office is "reviewing potential operational and structural changes as well... Read More

Quebec’s Bill 64: The first of many privacy modernization bills in Canada?

Privacy in Quebec is about to get a major makeover. Passed in September, Quebec’s Bill 64 revamps and modernizes much of the province’s current privacy laws, including the Private Sector Act, Quebec’s main statute that regulates the collection, use and disclosure of personal information by private organizations. IAPP Westin Research Fellow Samuel Adams analyzes the proposed changes to consent, data protection officers, notice, individuals’ rights and more, and the ripple effect this could cause ... Read More

A deep dive into Canadians' privacy concerns

On June 15, the Office of the Privacy Commissioner of Canada released the results of the “2020-21 Survey of Canadians on Privacy-Related Issues.” Between November and December 2020, a 14-minute random digit dialing telephone survey was administered to 1,502 Canadian residents 16 years or older. The goal of the research was to better understand the extent to which Canadians were aware, understood and perceived privacy-related issues. In the report, the results were expressed as a percentage. Kno... Read More

Facial recognition pilot caught millions of travelers at Toronto airport

The Globe and Mail reports a 2016 facial recognition pilot at Toronto Pearson International Airport was the largest government deployment of biometric technology in Canada to date. The six-month trial sought to help Canada's Border Services Agency detect travelers using fake identities. CBSA indicated it "takes the issue of personal information and privacy seriously," noting it performed a privacy impact assessment before launch. University of Ottawa’s Tamir Israel said the revelations were "rea... Read More

OIPC publishes review of private liquor, cannabis retailers

The Office of the Information and Privacy Commissioner for British Columbia published its review of private liquor and cannabis retailers. The report covers the personal information collected by the retailers as well as a review of their privacy management programs, their websites and how they address video surveillance. The commissioner also included recommendations for retailers to better understand their obligations under the province's Personal Information Protection Act.Full Story... Read More

OPC survey finds 87% of Canadians concerned about their privacy

A survey authorized by the Office of the Privacy Commissioner of Canada found 87% of Canadians expressed concern about the protection of their privacy. Of the 1,502 respondents polled, 89% said they are worried data collection could lead to identity theft and 88% said they are concerned companies could use the information to make a decision about them regarding a job or an insurance claim. The survey also found seven in 10 Canadians refused to provide data to an organization over privacy concern... Read More

OPC: Royal Canadian Mounted Police use of Clearview AI violates Privacy Act

Ever since The New York Times first reported on Clearview AI in January 2020, the world has grappled with the reach of the controversial company, which offered facial recognition services used by more than 600 law enforcement agencies. Canada has been no different, and the fallout from the revelation of Clearview AI continues 18 months from the Times' initial report. The Office of the Privacy Commissioner found the Royal Canadian Mounted Police violated the Privacy Act through its use of Clearv... Read More

On the virtual Symposium stage, Therrien keeps his eyes toward the future

Before giving his annual keynote at this year's virtual IAPP Canada Privacy Symposium, Privacy Commissioner of Canada Daniel Therrien briefly considered retrospection. Therrien is nearing the end of his seventh year as privacy commissioner and thought it might be time to look back at what has been accomplished during his tenure. Therrien ultimately decided against it, feeling it was far more imperative to focus on the future, and there's no shortage of reasons why he wouldn't. Therrien recently... Read More

British Columbia's RCMP breaks own facial recognition rules

The Royal Canadian Mounted Police of British Columbia broke its own standards on facial recognition by partnering with U.S.-based biometrics service IntelCenter, The Tyee reports. The deal, signed in 2016, allowed RCMP to access the 700,000-image database, which was created by lifting facial images from social media and other online sources. RCMP Sgt. Kris Clark indicated the deal was only signed to trial IntelCenter's database.Full Story... Read More

OPC breaks down privacy-enhancing technologies

The Office of Privacy Commissioner of Canada published a blog post outlining how certain privacy-enhancing technologies can support businesses' data privacy efforts. The OPC explained the benefits of federated learning and differential privacy, outlining how both employ respective anonymization practices that keep datasets protected. However, the OPC notes both technologies have received mostly "theoretical development" because there have been "few use-cases in businesses."Full Story... Read More

Op-ed: Remote learning brings privacy pitfalls for Canadian students

In an op-ed for The Conversation, the University of Toronto's Claudiu Popa discusses privacy issues stemming from another return to remote learning in Ontario. Popa lists the mass data collection, student tracking via education technologies and an inability to opt out of said collection or tracking as the dilemmas facing children and their parents. Popa said parents should "take a stand and protect their families by requiring school boards to supply sufficient information to be comfortable with ... Read More

Canadian authorities determine facial recognition firm violated privacy laws

The Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec, the Office of the Information and Privacy Commissioner for British Columbia and the Office of the Information and Privacy Commissioner of Alberta have found Clearview AI violated federal and provincial privacy laws. Following its joint investigation, the commissioners determined Clearview's collection of more than three billion images, millions of which belong to Canadians, took place without the... Read More

The rise of co-regulation, from GDPR to Canada’s Bill C-11

Codes of practice and certification programs are among some of the new regulatory tools referenced in the Consumer Privacy Protection Act, which proposes to reshape Canada’s federal framework for privacy protection and is introduced by the recent Bill C-11. Under the provisions (ss 76-81), organizations could voluntarily set and enforce norms of practice to establish compliance with the CPPA, effectively giving them a say in defining what compliance entails at the level of implementation and pr... Read More

'Schrems II' déjà vu: What new EDPB guidance means for Canadian businesses

On July 16, 2020, the Court of Justice of the European Union issued the now-famous "Schrems II" decision that invalidated the EU-U.S. Privacy Shield and threw the legality of transfers of EU personal data to non-adequate third countries into question. The CJEU upheld the validity of standard contractual clauses with the caveat that data exporters must assess whether laws and practices in the data importer’s country could undermine their data protection obligations, and if so, either implement su... Read More

Federal privacy reform in Canada: The Consumer Privacy Protection Act

The federal minority government released draft legislation to update and modernize Canada’s federal private sector privacy legislation. The present law, the Personal Information and Electronic Documents Act, was initially passed in 2001 and fully came into effect in 2004. We will not go into a detailed explanation of Canada’s federal division of powers or the application of PIPEDA but will instead focus on the proposed changes. It is important to remember that a key goal of PIPEDA was to allow ... Read More

Big fines included in Canada's newly proposed national privacy bill

The Canadian government proposed new legislation Tuesday that would reshape the nation's privacy framework. Bill C-11, which was introduced by Minister of Information Science and Economic Development Navdeep Bains, includes steep fines for companies — up to 5% of revenue or C$25 million, whichever is the higher sum.  In a fact sheet, the proposed Digital Charter Implementation Act, 2020, which includes the Consumer Privacy Protection Act, "would significantly increase protections to Canadians' ... Read More

OPC – Privacy Guide for Businesses

The Office of the Privacy Commissioner of Canada developed a privacy guide to help organizations adhere to the Personal Information Protection and Electronic Documents Act. The guide contains a summary of principals within PIPEDA organizations should follow, as well as the meaningful consent and privacy breach requirements they must meet. Read More

In annual report, Therrien makes familiar call for legislative reform

Privacy Commissioner of Canada Daniel Therrien has called for an update to the country's federal privacy laws for years. It was a main talking point of the Office of the Privacy Commissioner of Canada's "2018–2019 Annual Report," and a year later, Therrien found himself making the same plea to the federal government. But the world is nowhere near the same place it was when the OPC published its annual report last December. The COVID-19 pandemic has upended just about every aspect of everyday li... Read More

'Schrems II': Impact on Data Flows with Canada

On July 16, the Court of Justice of the European Union decision  sent a shockwave through the privacy, tech and business communities with its determination that the EU-U.S. Privacy Shield is no longer a valid basis for transferring EU personal data to the U.S. Though focused on the U.S., this decision has the potential to impact Canadian businesses in a number of ways. We will not reiterate what has already been described in numerous articles available through the IAPP about the decision itself... Read More

Canada’s Supreme Court upholds Genetic Non-Discrimination Act

On July 10, Canada’s Supreme Court issued its Reference re Genetic Non‑Discrimination Act decision, surprising many by upholding the Genetic Non-Discrimination Act’s constitutionality in a 5–4 decision. This is consequential for Canadian privacy in many ways, and I will attempt to provide some context for both Canadians and non-Canadians to understand how this decision came about and why it is consequential. (As my colleague Dustin Moores pointed out, recent news analysis has been more focused o... Read More

A quick comparative survey of Quebec’s proposed privacy legislation

On June 12, 2020, Quebec tabled its proposed update to its public and private sector privacy laws, and it lives up to the promise of the “GDPR-style legislation” first announced this spring. There are a number of elements that echo other federal and provincial privacy laws in Canada, but there is a very strong European flavor. (Please note that Quebec follows a civil code legal system as opposed to its common law counterparts in the rest of Canada, and forthcoming guidance from Quebec lawyers wi... Read More

The Inaugural Ian Kerr Memorial Lecture

We are honored to introduce the Ian Kerr Memorial Lecture. Kerr’s legacy advancing the growth and visibility of the privacy profession will live on in forward-thinking discourse presented by keynote speakers each year at the IAPP Canada Privacy Symposium. This year, we are pleased to feature University of Ottawa Faculty of Law Professor Michael Geist as the inaugural Ian Kerr Memorial lecturer, presented here virtually. Read More

How Facebook's settlement with Canada’s Competition Bureau may impact OPC's recommendations

Now that Facebook’s settlement with the Competition Bureau Canada has been published, it is interesting to consider how this could impact other regulatory actions Facebook is dealing with in Canada with the Office of the Privacy Commissioner of Canada. The settlement is quite short but has some interesting implications. First, it expressly states that Facebook’s agreement does not constitute an admission of guilt under the Competition Act or any other law, so this settlement doesn’t preclude F... Read More

Canadian police agencies grapple with facial recognition use

Police agencies in Canada are grappling with the use of facial-recognition technology, a tool that law enforcement officials say could aid in identifying criminals but that privacy advocates argue raises concerns. Two Canadian police services have said they used the controversial technology, one calling for a review by Ontario's privacy commissioner, while a third expressed plans to move forward with implementation.  The Office of the Privacy Commissioner of Canada is now prepared to step in an... Read More

Is Canada’s proposed consent requirement for cross-border transfers worth the risk?

The Office of the Privacy Commissioner of Canada took the unusual step of reopening a previously suspended, controversial consultation on cross-border transfers under the Personal Information Protection and Electronic Documents Act — signaling it remains determined to move toward a consent-based model for such transfers under current and possibly future PIPEDA rules. The OPC’s proposal to impose consent rules on cross-border transfers runs counter to the growing consensus that obtaining the indi... Read More

Therrien speaks on Digital Charter, trans-border data flow consultation at CPS19

Privacy Commissioner of Canada Daniel Therrien believes the question about whether privacy legislation should be amended is in the past. It is no longer should the country's privacy laws be amended, but what is the best way to do so, and with the announcement of the country's Digital Charter, the commissioner said the federal government seems to agree. Therrien covered the latest development during his keynote speech at the IAPP Canada Privacy Symposium here in Toronto. The commissioner also an... Read More

The Evolution of Canada’s Data Broker Industry

This report from Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic follows up on CIPPIC’s 2006 study of the Canadian data brokerage industry. It looks specifically at the changes and impact they have had on the shape, practices and products of the data broker industry in Canada. Click To View (PDF) ... Read More

A 'reasonable' discussion about PIAs in Canada

Looking at Canada’s Personal Information Protection and Electronic Documents Act, the word “reasonable” pops up quite often. Companies have an obligation to ensure they always act in a way a reasonable person would consider appropriate in a given circumstance.  Almaga Consulting President Gilles Fourchet, CIPP/C, CIPT, FIP, said one area where reasonableness should play a role for privacy professionals is conducting privacy impact assessments. He compared performing a PIA to how encryption was... Read More

OPC, OIPC find AIQ violated federal, provincial privacy laws

For the second time this year, the Office of the Privacy Commissioner of Canada and Office of the Information and Privacy Commissioner for British Columbia announced an organization had violated federal and provincial privacy laws through its use of data. Privacy Commissioner of Canada Daniel Therrien and British Columbia Information and Privacy Commissioner Michael McEvoy revealed the findings of their investigation into data analytics firm AggregateIQ. The commissioners concluded the British ... Read More

Working with Canadian regulators requires communications, transparency

Communication is a fundamental building block for any relationship. This is not a new discovery. As a matter of fact, it is about as far from a hot take as you will get. For privacy professionals in Canada, however, it may become more important than ever. Canadian Innovation Minister Navdeep Bains recently unveiled the Digital Charter, which contains principals that will reform the country's privacy laws. The charter could change the dynamic for both privacy professionals and regulators, hence t... Read More

Smart City Privacy in Canada

This report from CIPPIC and the Office of the Privacy Commissioner of Canada examines the interaction between privacy legislation and smart cities, specifically looking at Canadian privacy legislation and how that applies within the context of smart cities, as well as how municipalities aiming to incorporate smart city technologies can navigate applicable laws.  Click To View ... Read More

OPC, OIPC find AIQ violated Canadian privacy laws

The Office of the Privacy Commissioner of Canada and Office of the Information and Privacy Commissioner for British Columbia announced data analytics firm AggregateIQ violated federal and provincial privacy laws through its use of data. Privacy Commissioner of Canada Daniel Therrien and British Columbia Information and Privacy Commissioner Michael McEvoy revealed the findings of their investigation into AIQ and why they believe the case highlights a need for privacy law reform within the country... Read More

PwC Canada rolls out IAPP training

With privacy and data protection taking the helm of headline news with increasing regularity, it has become much easier for privacy pros to explain what exactly their job entails. As more turn to a career in privacy, others have chosen to distinguish themselves from crowd. One example of late: PwC Canada. To prove a privacy commitment to its staff and clients, the firm made the decision to roll out IAPP training to staff, and eventually, has plans to introduce training to clients. Director of P... Read More

How to operate under Canada's new breach notification landscape

Last year was a big year for Canadian privacy professionals handling data breach notifications. That's because new requirements came into effect in August under Alberta's Health Information Act, and federal requirements under the Personal Information Protection and Electronic Documents Act came into effect a few months after that in November.  These new mandates have made waves in the Great White North, and privacy professionals and regulators have used this new legal landscape as an opportunit... Read More

Getting Started with Privacy in Canada

(January 2018) – Many employees, especially at medium-sized firms, get approached by their superiors asking them to wear “different hats.” Lately, a lot of people have been trying privacy hats on for size. Although this may not necessarily be a problem for those of us wishing to acquire new skills, it could pose challenges for others. Particularly for individuals with limited privacy knowledge, they may not know where and/or how to start figuring out what privacy is and how it impacts their organization. In this white paper, get an overview of the questions you should ask, the regulations you should know about and some ways forward when addressing organizational privacy needs in Canada. Read More

Regional Resources

Quebec DPA reviews 2022-2023 annual report

Quebec's data protection authority, the Commission d’acces a L’information du Quebec, released its 2022-2023 annual report, noting it achieved all goals outlined in its broader 2019-2023 Strategic Plan. The CAI claimed it "deployed as many actions to publicize the new obligations of organizations" under the provincial private-sector privacy law, Law 25. The regulator added, "In addition to revising its documentation and launching a new website to better support organizations, the Commission has ... Read More

Commissioner: Northwest Territories failed to properly report privacy breach

Northwest Territories Information and Privacy Commissioner Andrew Fox said a failure by the territory's Health and Social Services Authority to properly report a data breach involving personal medical information violated the Health Information Act, Yahoo News reports. The commissioner said the department in 2020 disclosed a patient's medical data — including diagnosis and personal identifying information — to the wrong person, but only reported it months later following a patient complaint.Full... Read More

Quebec information commission releases children's privacy report

Quebec’s data protection authority, Le Commission d’accès à l’information du Quebec, published a report regarding potential children's privacy amendments to provincial privacy legislation. The goal of the report was to examine enhanced protections for children under the age of 14. Themes reviewed in the report include going beyond parental consent for children's data use, improved privacy awareness for parents and children, and proposals for prohibited data collection practices.Full Story... Read More

Yukon IPC releases 2021-2022 annual report

The Yukon Information and Privacy Commissioner's office published its 2021-2022 annual report. The report reflects the Access to Information and Protection of Privacy Act taking force and "requirements set out in both the previous and the current Act." Yukon IPC Jason Pedlar said his authority under the ATIPPA is "to compel information and evidence and to determine fact and law," but also noted he can "only make recommendations and ask that the public body follow them."Full Story... Read More

Nova Scotia touts access to information compliance rates

Nova Scotia's government released its annual Information Access and Privacy Services compliance report for requests made under the Freedom of Information and Protection of Privacy Act. The province highlighted that government agencies responded to 91% of the 2,716 access requests they received in 2021-2022. The number of requests received was a 47% increase from the year prior. Minister of Service Nova Scotia and Internal Services Colton LeBlanc said the statistics demonstrate how "the public is... Read More

Nunavut holds government privacy review

CBC News reports the Legislative Assembly of Nunavut's Standing Committee on Oversight of Government Operations and Public Accounts held hearings regarding government privacy and access to information practices. The hearings stem from the Office of the Information and Privacy Commissioner of Nunavut's Annual Report 2021-2022, which alleged government entities have insufficient and outdated access to information processes. Committee Chair George Hickes said before the hearings that he would like ... Read More

OIPC Annual Reports

The Office of the Information and Privacy Commissioner for British Columbia (OIPC) publishes an annual report, highlighting the progress and obstacles of the previous year in data protection, and providing an overview of the OIPC's activities. Read More

Saskatchewan IPC to update rules of procedures

The Office of the Information and Privacy Commissioner of Saskatchewan announced updates to its rules of procedures for processing reviews and investigations related to access to information requests and privacy complaints will take effect Sept. 1. These updates will affect reviews and investigations under the Freedom of Information and Protection of Privacy Act, the Local Authority Freedom of Information and Protection of Privacy Act, and the Health Information Protection Act. Additionally, the... Read More

IPC’s strategic priorities moving forward

Information and Privacy Commissioner of Ontario Patricia Kosseim provided an update on work in four strategic priority areas of focus identified one year ago. Kosseim said input was gathered from stakeholders, institutions and the public on the areas of focus: government privacy and transparency, children and youth in a digital world, trust in digital health, and next generation law enforcement. An ad hoc advisory committee was also formed and is now a permanent Strategic Advisory Council. An an... Read More

Vancouver City Council rejects motion to install CCTV cameras around city

The Vancouver City Council rejected a measure to use closed-circuit television cameras to deter crime, CBC News reports. City Councilor Jean Swanson said she did not want to live in a "surveilled society." Other councilors who voted against the measure claimed they did not think CCTV cameras prevented crime but instead violated residents' privacy. Councilor Melissa De Genova pleaded with fellow councilors to adopt the measure and claimed CCTV cameras caught a murder suspect making a purchase of ... Read More

Saskatchewan IPC publishes information management guide

Saskatchewan Information & Privacy Commissioner Ron Kruzeniski announced new guidance for records and information management. The guidance includes a range of adoptable best practices for management activities. "The goal here is that an organization implement best practices which over time become every day practices," Kruzeniski said.Full Story... Read More

Ontario IPC reflects on 2021, looks ahead to 2022

Information and Privacy Commissioner of Ontario Patricia Kosseim published an end-of-year blog examining notable happenings she observed in 2021. Kosseim called 2021 "a challenging year," but she highlighted notable cases where individuals effectively exercised their privacy rights to achieve positive, impactful outcomes. "While I am proud of our efforts to resolve the complaints and appeals that come to us, I am mindful of the need to do so more quickly and efficiently," Kosseim wrote, adding h... Read More

Quebec’s Bill 64: The first of many privacy modernization bills in Canada?

Privacy in Quebec is about to get a major makeover. Passed in September, Quebec’s Bill 64 revamps and modernizes much of the province’s current privacy laws, including the Private Sector Act, Quebec’s main statute that regulates the collection, use and disclosure of personal information by private organizations. IAPP Westin Research Fellow Samuel Adams analyzes the proposed changes to consent, data protection officers, notice, individuals’ rights and more, and the ripple effect this could cause ... Read More

Yukon commissioner reminds public of new privacy act changes

In a blog post observing Right to Know Week, Yukon Information and Privacy Commissioner Diane McLeod-McKay reminded Yukoners of several new personal information provisions in the territory's new Access to Information and Protection of Privacy Act, which went into effect April 2021. These include specifically assigning the head of a public body as responsible for compliance and shortening the length of extensions for information requests from 60 days to 15 days. Additionally, the ATIPPA applies t... Read More

Privacy commissioner: Breaches likely underreported in Nunavut

In the 2020-21 annual report of the Office of the Information and Privacy Commissioner of Nunavut, Commissioner Graham Steele said privacy breaches in the territory are likely underreported, Nunavut News reports. Steele said the majority of breaches come from the Department of Health, but there is an “almost complete absence of reports” from other departments, meaning they may not be aware of reporting obligations under the Access to Information and Protection of Privacy Act, or may not recogniz... Read More

British Columbia, Quebec publish FAQs on vaccine passports, privacy

The Office of the Information and Privacy Commissioner of British Columbia released an FAQ on the British Columbia vaccine card and how it works in conjunction with the Public Health Orders and health care privacy laws. The FAQ explains the legal authority of the card, what information is available when the card is scanned to verify vaccination status and guidelines for taking care of the card.  The Commission d'accès à l'information du Québec published two FAQs on vaccination passports: one ... Read More

Saskatchewan IPC advises businesses discuss vaccination mandates with lawyers

The Regina Post-Leader reports Saskatchewan Information and Privacy Commissioner Ron Kruzeniski urged organizations to speak with a lawyer about mandating employee vaccinations when considering a return to office. Kruzeniski said, "In a sense, it is simple — each organization can decide for itself, ... after taking legal advice.” He also recommended organizations discuss with lawyers a purpose, length of time and breadth of data collection, and potentially developing a policy on employee vaccina... Read More

Nova Scotia privacy commissioner to see increased powers

CBC News reports Nova Scotia Premier-designate Tim Houston vowed to bestow more regulatory powers on the Nova Scotia's Office of the Information and Privacy Commissioner. Houston plans to make good on a campaign promise, adding he plans to "make sure that the proper authority is there so that Nova Scotians have access to the information that they rightly should have access to." Nova Scotia is the only Canadian province where the privacy commissioner is not an independent officer of the legislatu... Read More

Ontario town updates camera surveillance policy

The town of Callander updated its camera surveillance policies to comply with Ontario’s Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, the Toronto Star reports. Fire Chief Todd Daley said the policy will ensure video surveillance “is for the purpose of safety and security” while “protecting the privacy of individuals.” The policy also adopted guidelines from the Information and Privacy Commissioner of Ontario. Full Sto... Read More

Breach potentially exposes holes in Alberta privacy law

CBC reports a January data breach at the Meals on Wheels charity in Edmonton, Alberta, is creating questions regarding the strength of provincial privacy law. The breach, which involved the data of more than 27,000 clients, donors, volunteers and employees, was reported to the Office of the Information and Privacy Commissioner of Alberta in June and a spokesperson said the office is still reviewing whether it has jurisdiction on the matter. Meals on Wheels had no legal obligation to report the b... Read More

Saskatchewan IPC cautions employers on asking about COVID-19 vaccine history

Saskatchewan's Information and Privacy Commissioner Ron Kruzeniski said “every employer and professional organization should check with their lawyer” before asking employees if they have received a COVID-19 vaccination, CBC News reports. Kruzeniski said questions surround whether an employer has the authority to ask employees about their vaccination status and if it’s necessary for them to know. The answer is not simple, he said, adding “It’s the argument between keeping the workplace safe and p... Read More

Calgary retailers launch ID entry

Four Calgary liquor stores are installing entry systems that will require customers to scan identification cards to verify age and ability to enter, CBC News reports. The systems have been found to mitigate rising cases of theft, but privacy advocates are wary of potential data breaches associated with the system and its data collection. Office of the Information and Privacy Commissioner of Alberta Spokesman Scott Sibbald said, "There has been no consultation with our office on this project."Ful... Read More

Vancouver police amending facial recognition guidelines

According to FindBiometrics, the Vancouver Police Department began drafting new policies on the use of facial recognition by its units. The amended guidelines come in response to findings by Canadian privacy commissioners regarding unlawful biometric data collection by Clearview AI, whose technologies were used by Canadian police. The department hopes to have the policies rewritten by the end of 2021 and committed to a ban on the use of facial recognition until the policies are finalized.Full St... Read More

Ontario IPC releases 2021–25 strategy

The Office of the Information and Privacy Commissioner of Ontario published its strategic priorities for 2021 through 2025. The regulator's focuses will include government privacy and transparency, children's privacy, aiding law enforcement's digital expansion, and digital health. "They represent a bold and exciting vision which we look forward to implementing in collaboration with many others as we move from strategic priorities to strategic outcomes," IPC Patricia Kosseim said. From here, the ... Read More

Yukon IPC launches toolkit for HIPMA compliance

Yukon's Information and Privacy Commissioner announced a new resource to aid small custodians in their efforts to comply with the territory's Health Information Privacy and Management Act. "We know that HIPMA may appear overwhelming, but its obligations are relatively straightforward and intuitive, and can easily be worked into an organization’s operations, no matter how small," IPC Diane McLeod-McKay said, adding she hopes organizations "may discover they are already meeting many of their dutie... Read More

Quebec information commission unveils biometric data consent form template

The Access to Information Commission of Quebec unveiled a form template to be used to gather consent from those who are handing over biometric information. The template can be adapted to suit each organization's needs as the commission recommends any consent for biometric projects to be obtained in writing. The commission also released an information page to inform employees about their rights regarding biometric data.Full Story... Read More

Newfoundland and Labrador OIPC advises sheriff's office on video-editing software use

Newfoundland and Labrador Information and Privacy Commissioner Michael Harvey advised the province's Office of the High Sheriff to use video-editing software to blur out the faces of residents, The Telegram reports. The recommendation came after the sheriff's office did not send an individual copies of a courthouse video over privacy concerns. Harvey added failure to obtain "normal hardware and software" is not a sufficient reason to avoid such a request. Meanwhile, the Vancouver Police Departme... Read More

Workforce tracking bracelets raise privacy concerns in Ontario

Government-purchased wearable tracking bracelets intended to help slow COVID-19 spread among workforces in Ontario are raising privacy concerns, according to Yahoo News. TraceSCAN bands track COVID-19 exposure without location data and are planned to be used in areas where the COVID alert application is not accessible, like airlines and construction sites. University of Toronto Computer Science Professor Graeme Hirst raised privacy concerns, saying data confidentiality “depends entirely on the d... Read More

Saskatchewan health system hit with ransomware attack

The Office of the Saskatchewan Information and Privacy Commissioner announced eHealth Saskatchewan, the Saskatchewan Health Authority and the Ministry of Health endured a ransomware attack involving systems holding about 50 million files. The IPC reported scans of the affected databases show approximately 5.5 million files may have contained personal information. In addition to finding the three entities had insufficient data safeguards, the IPC alleges they did not report the breach in a timely... Read More