Demystifying Privacy Protection in Ontario (In Plain English)

EIV_4379.jpg

Individuals in Ontario expect their privacy rights to be protected by legislation. That expectation is not always met in reality. This blog post is the first in a three-part series that explores gaps in the current privacy legislation, how those gaps can be filled, and the remedies available for individuals who have had their privacy violated by another individual.

We will start by looking at the Acts that currently regulate the collection, use and disclosure of personal information then conclude with a closer look at what the Acts do not govern.

The Personal Information Protection and Electronic Documents Act (PIPEDA)

This Act is the primary legislation used to protect individuals in their dealings with businesses. It applies to the personal information obtained by private sector organizations in Ontario. It also applies to the collection, use and disclosure of information a federally regulated employer (ex., banking, telecommunication, nuclear) obtains about their employees.

The Privacy Act

This statute applies to the information the federal government obtains about an individual. It governs how information is handled in the various federal ministries and crown corporations that administer programs like tax collection, employment insurance, and federal policing.

Personal Health Information Protection Act (PHIPA)

PHIPA protects information about an individual’s physical and mental health, the provision of healthcare, payment and eligibility for health care, organ donation, and even an individual’s health number.

The Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)

These two Acts protect personal information held by provincial and municipal agencies, respectively. The Acts set out a process by which an individual can request disclosure of information being held by a public institution.

So Where Are the Gaps?

While these Acts cover the majority of situations where personal information is collected, used and disclosed there are no Acts or Regulations that address:

  • The collection use and disclosure of personal information by individuals;

  • Employment information for provincially regulated businesses;

  • Not-for-Profit, Religious and Charitable Organizations; and

  • Provincial or Federal politicians and political parties.

Next week we will look at how the gaps in the legislation may be addressed. Stay tuned to our social media feeds (Twitter, Facebook, and LinkedIn) for the next in this series or subscribe to our Top Ten in Tech Law newsletter to have it come straight to your inbox.

David Spence