Cookies help us to understand how you use our website so that we can provide you with the best experience when you are on our site. To find out more, read our privacy policy and cookie policy.
A cookie is information stored on your computer by a website you visit. Cookies often store your settings for a website, such as your preferred language or location. This allows the site to present you with information customized to fit your needs. As per the GDPR law, companies need to get your explicit approval to collect your data. Some of these cookies are ‘strictly necessary’ to provide the basic functions of the website and can not be turned off, while others if present, have the option of being turned off. Learn more about our Privacy and Cookie policies. These can be managed also from our cookie policy page.
Skip To
Page Outlines
Loading...
IE10 and below are not supported.
Contact us for any help on browser support
Consultation has concluded. Thank you for your contributions.
Welcome to Let's Talk Privacy Act
The online public consultation is now closed.
Feedback received as part of the consultation will be summarized and published in a report, and will be made available online.
For more information on why we are reviewing the Privacy Act, visit Modernizing Canada’s Privacy Act
Learn more about the consultation:
Learn more about the Privacy Act:
Welcome to Let's Talk Privacy Act
The online public consultation is now closed.
Feedback received as part of the consultation will be summarized and published in a report, and will be made available online.
For more information on why we are reviewing the Privacy Act, visit Modernizing Canada’s Privacy Act
Learn more about the consultation:
Learn more about the Privacy Act:
A modern Privacy Act should enhance Canadians’ trust in how federal public bodies treat, manage and protect their personal information. The Government of Canada’s vision is for a modern Act that better reflects contemporary expectations about how federal public bodies should protect individuals’ personal information and make better use of their information to keep Canadians safe, provide innovative solutions to the challenges Canadians face, and make Canadians’ lives easier. A modernized Privacy Act should reflect how federal public bodies are effective stewards of the personal information Canadians entrust to them, while allowing them to improve and adapt to new changes... Continue reading
A modern Privacy Act should enhance Canadians’ trust in how federal public bodies treat, manage and protect their personal information. The Government of Canada’s vision is for a modern Act that better reflects contemporary expectations about how federal public bodies should protect individuals’ personal information and make better use of their information to keep Canadians safe, provide innovative solutions to the challenges Canadians face, and make Canadians’ lives easier. A modernized Privacy Act should reflect how federal public bodies are effective stewards of the personal information Canadians entrust to them, while allowing them to improve and adapt to new changes in society and technology over time.
Three supporting pillars
This vision for modernizing the Privacy Act is supported by three pillars:
Ensuring essential equivalence with other leading data protection regimes
The Privacy Act is only one component of an increasingly global framework that links regulation of personal information practices in both the public and the private sectors across many jurisdictions. The Act should strive to be consistent with other leading data-protection regimes in Canada and elsewhere to ensure a comparable equivalence with the core requirements of those regimes. At the same time, the Privacy Act has many unique features that have served Canadians well over the years and the Act remains a strong foundation for made-in-Canada enhancements.
One place to start is stronger alignment between the Privacy Act and the federal legislation that applies to the private sector, the Personal Information Protection and Electronic Documents Act. Coherence between these federal laws can simplify the personal information protection regime for everyone, enhance domestic interoperability, prevent gaps in accountability where public and private sector entities interact, and further confirm the Privacy Act’s alignment with established global standards. Although they sometimes use different terminology and approaches, both Acts were influenced by the OECD’s foundational Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The OECD Guidelines were established in 1980 and updated in 2013 to reflect important developments in international data protection, including the evolution of Convention 108, the APEC Privacy Framework, and Europe’s General Data Protection Regulation. A modernized Privacy Act should reflect important ongoing international developments as well.
Technological neutrality
A modern Privacy Act should emphasize technological neutrality. This will allow federal public bodies to explore different and new means of carrying out their roles and ensure the Act retains its relevance in the face of new technologies. It will also allow them to regulate new practices and respond quickly to change.
The Privacy Act plays an important role in guiding the federal government’s relationships with individuals. An additional objective of Privacy Act modernization is to advance reconciliation with Indigenous peoples in Canada as there are opportunities for the Privacy Act to acknowledge, affirm and empower Indigenous individuals, communities and governments.
While this public consultation offers an opportunity for all Canadians, including Indigenous people, to respond to some ideas for amending the Privacy Act, ongoing discussions with Indigenous governments and organizations have revealed some ways in which the Act may uniquely impact Indigenous individuals and communities. As well, addressing the control... Continue reading
The Privacy Act plays an important role in guiding the federal government’s relationships with individuals. An additional objective of Privacy Act modernization is to advance reconciliation with Indigenous peoples in Canada as there are opportunities for the Privacy Act to acknowledge, affirm and empower Indigenous individuals, communities and governments.
While this public consultation offers an opportunity for all Canadians, including Indigenous people, to respond to some ideas for amending the Privacy Act, ongoing discussions with Indigenous governments and organizations have revealed some ways in which the Act may uniquely impact Indigenous individuals and communities. As well, addressing the control by Indigenous peoples over their information and data is an important step toward reconciliation. The Department of Justice Canada continues its discussions with Indigenous governments and organizations to gain further insight on some issues that have been highlighted through earlier discussions, such as:
Earlier this year, the Government of Canada launched a review of the Access to Information Act. This initiative will examine the legislative framework, consider opportunities to improve proactive publication to make information openly available, and assess processes and systems to improve service and reduce delays. The Government of Canada will engage Canadians on these important issues and will also seek the views of Indigenous peoples on aspects of the Access to Information Act that are of particular importance to them.
The Privacy Act and the Access to Information Act are both federal statutes that have quasi-constitutional status. There are similar... Continue reading
Earlier this year, the Government of Canada launched a review of the Access to Information Act. This initiative will examine the legislative framework, consider opportunities to improve proactive publication to make information openly available, and assess processes and systems to improve service and reduce delays. The Government of Canada will engage Canadians on these important issues and will also seek the views of Indigenous peoples on aspects of the Access to Information Act that are of particular importance to them.
The Privacy Act and the Access to Information Act are both federal statutes that have quasi-constitutional status. There are similar provisions and elements in both Acts, including nearly identical exceptions and exemptions to providing access to records and personal information that share the same public interest rationales, such as security, confidentiality, and privacy.
These aspects of the Privacy Act will benefit from public input to the Government’s review of the Access to Information Act. Accordingly, this discussion paper will not address some of these common elements, including the exceptions and exemptions to the right of accessing one’s personal information. These will be reviewed at a later date.
The title of the Act could be amended to more accurately reflect that it governs and regulates personal informational privacy
Despite its title, the Privacy Act is not the sole source of “privacy” protection in Canada, even at the federal level. Canadian law protects many different types of privacy interests through a combination of constitutional instruments, the Criminal Code, the Civil Code of Quebec, the common law, and other federal, provincial and territorial legislation.
For its part, the Privacy Act specifically addresses the privacy of personal information, as it governs the collection, use, disclosure, and retention of information... Continue reading
The title of the Act could be amended to more accurately reflect that it governs and regulates personal informational privacy
Despite its title, the Privacy Act is not the sole source of “privacy” protection in Canada, even at the federal level. Canadian law protects many different types of privacy interests through a combination of constitutional instruments, the Criminal Code, the Civil Code of Quebec, the common law, and other federal, provincial and territorial legislation.
For its part, the Privacy Act specifically addresses the privacy of personal information, as it governs the collection, use, disclosure, and retention of information that relates to identifiable individuals. In order to reflect this underlying aim, the title of the Act could be changed to describe it as a personal information protection law, as is currently reflected in the Act’s French title (Loi sur la protection des renseignements personnels).
The Act’s purpose clause could reflect the important underlying public objectives of federal public-sector privacy legislation
The current purpose clause states that “[t]he purpose of this Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a federal public body and that provide individuals with a right of access to that information.” This statement reflects the Act’s legislative history more than its broader public objectives. A modernized purpose clause could provide better guidance for interpretation by clearly stating the important underlying objectives of federal public sector... Continue reading
The Act’s purpose clause could reflect the important underlying public objectives of federal public-sector privacy legislation
The current purpose clause states that “[t]he purpose of this Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a federal public body and that provide individuals with a right of access to that information.” This statement reflects the Act’s legislative history more than its broader public objectives. A modernized purpose clause could provide better guidance for interpretation by clearly stating the important underlying objectives of federal public sector data protection legislation, notably:
The Act could include personal information protection principles similar to those under the Personal Information Protection and Electronic Documents Act to guide, support, and extend the protection of individuals’ personal information
The Privacy Act could incorporate a number of internationally recognized principles for protecting personal information, such as: (i) Accountability; (ii) Identifying purposes; (iii) Consent; (iv) Limiting collection; (v) Limiting use, disclosure and retention; (vi) Accuracy; (vii) Safeguards; (viii) Openness and transparency; (ix) Individual access; and (x) Challenging compliance. Adding such principles to the Privacy Act would set the baseline expectations for Canadians and federal public bodies as to how... Continue reading
The Act could include personal information protection principles similar to those under the Personal Information Protection and Electronic Documents Act to guide, support, and extend the protection of individuals’ personal information
The Privacy Act could incorporate a number of internationally recognized principles for protecting personal information, such as: (i) Accountability; (ii) Identifying purposes; (iii) Consent; (iv) Limiting collection; (v) Limiting use, disclosure and retention; (vi) Accuracy; (vii) Safeguards; (viii) Openness and transparency; (ix) Individual access; and (x) Challenging compliance. Adding such principles to the Privacy Act would set the baseline expectations for Canadians and federal public bodies as to how personal information should be managed and protected in the federal public sector. As well, since these principles would be consistent with those of the Personal Information Protection and Electronic Documents Act, this would harmonize federal regulation of the public and private privacy sectors.
For additional details and a more in-depth discussion on the rationale for adding principles to the Act, and what these principles could entail, please consult our annex here.
A number of definitions and concepts in the Act could be updated, and others could be introduced
There are a number of areas where the Act should provide clearer rules about its scope – what it covers and when its full protections are engaged. A risk-based approach to the protection of personal information has been emerging as an international best practice. Changes under consideration include:
A number of definitions and concepts in the Act could be updated, and others could be introduced
There are a number of areas where the Act should provide clearer rules about its scope – what it covers and when its full protections are engaged. A risk-based approach to the protection of personal information has been emerging as an international best practice. Changes under consideration include:
The Government is not currently considering specifying categories of personal information to which special rules would apply (such as “sensitive” personal information or information relating to minors), though some other jurisdictions do so. A flexible principles-based approach, along with some of the other proposed changes, would ensure the appropriate protection of personal information according to context. The Government also agrees with the Privacy Commissioner that the Act is not an appropriate place for defining “metadata,” since many forms of metadata will simply not be information about an identifiable individual.
Existing rights for individuals and obligations for federal public bodies could be updated and new ones introduced
The Privacy Act currently set outs a number of rights for individuals. Canadians and individuals present in Canada have the right to access their personal information. They also have rights related to notification and the correction of their information where a federal public body uses it to make a decision about them.
The Act also imposes certain obligations on federal public bodies when they intend to use the personal information to make a decision about that person. These obligations include: (i) collecting personal... Continue reading
Existing rights for individuals and obligations for federal public bodies could be updated and new ones introduced
The Privacy Act currently set outs a number of rights for individuals. Canadians and individuals present in Canada have the right to access their personal information. They also have rights related to notification and the correction of their information where a federal public body uses it to make a decision about them.
The Act also imposes certain obligations on federal public bodies when they intend to use the personal information to make a decision about that person. These obligations include: (i) collecting personal information directly from the individual where possible (subject to certain exceptions); (ii) retaining personal information for at least two years from the last time the personal information was used (unless the individual consents otherwise) or until the individual has had the opportunity to exercise all his or her rights under the Act; (iii) maintaining the accuracy of such information; and (iv) including it in a personal information bank (among other information).
These existing rights and obligations could be updated, and new rights and protections could be added to address expectations that have evolved in the digital era. Such changes could include:
The Act could include updated and new obligations that relate to the collection, use, disclosure and retention of personal information
While many stakeholders have expressed broad support for a shift towards a principles-based Privacy Act, many have cautioned that principles need to be supported by more detailed rules that can offer specific direction about what the Act requires or allows federal public bodies to do. Rules governing the collection, use, sharing and retention of personal information could be updated and new ones added. These could include:
The Act could include updated and new obligations that relate to the collection, use, disclosure and retention of personal information
While many stakeholders have expressed broad support for a shift towards a principles-based Privacy Act, many have cautioned that principles need to be supported by more detailed rules that can offer specific direction about what the Act requires or allows federal public bodies to do. Rules governing the collection, use, sharing and retention of personal information could be updated and new ones added. These could include:
For additional details and a more in-depth discussion on the rationale for these potential changes, please consult our annex here.
Federal public bodies could be provided with greater flexibility to use and disclose personal information that has undergone an established process for removing personal identifiers
There is great promise for the use of de-identified personal information to allow federal public bodies to innovate in the public interest, while still protecting personal privacy. Despite some well-known anecdotes of de-identified personal information being subsequently re-identified, the use of de-identification as a privacy-enhancing technique is well supported, even by regulators. De-identification does not completely eliminate the risk of re-identification, but when done appropriately, it significantly reduces that risk. As such, a framework focussed... Continue reading
Federal public bodies could be provided with greater flexibility to use and disclose personal information that has undergone an established process for removing personal identifiers
There is great promise for the use of de-identified personal information to allow federal public bodies to innovate in the public interest, while still protecting personal privacy. Despite some well-known anecdotes of de-identified personal information being subsequently re-identified, the use of de-identification as a privacy-enhancing technique is well supported, even by regulators. De-identification does not completely eliminate the risk of re-identification, but when done appropriately, it significantly reduces that risk. As such, a framework focussed on reducing risks by removing personal identifiers and protecting later uses of de-identified information would allow federal public bodies more flexibility to use data for public benefit, while minimizing risks to personal information.
To create a greater incentive for federal public bodies to use and share de-identified personal information, instead of information that identifies individuals, the Act could:
Online discussions are available for each section of the discussion paper:
A vision for modernizing the Privacy Act
The Privacy Act and reconciliation with Indigenous peoples in Canada
The modernization of the Privacy Act and the review of the Access to Information Act
You can also complete the online survey.