Definition of terms
Click a heading to expand the definition, or click again to collapse.
Use the menu on the right to navigate to a different help topic.*
What are information rights?
Open and accountable government depends greatly on the citizens’ access to accurate and timely information about government and its activities. At the same time, our ability to maintain personal privacy depends on our power to limit the surveillance of our personal lives by government and private sector institutions. This includes a right to limit and control the collection and use of our personal information.
In this sense, these two human rights are not contradictory. Freedom of information (FOI) rights help to increase an individual’s access to and control over information, while privacy rights increase the power of the individual in society, which is why we refer to both of them as “information rights”.
Information rights provide individuals with a much-needed counterbalance to the far greater access to and control of information enjoyed by governments and other powerful organizations. Information rights improve our democracy by reducing this imbalance of power in a society that is increasingly dominated by the uses and abuses of information. But our right as individuals to know what is going on in society must also exist in balance with the right to individual privacy.
Together, information rights help to create:
- an informed electorate,
- open, honest and accountable government,
- greater citizen participation in the democratic process, and
- greater protection of individual human rights.
What is freedom of information?
In the narrower sense in which we use it on this website, freedom of information (FOI) or access to information (ATI) are terms that describe the legal right of access to government information.
Provincial and federal freedom of information laws were created to empower citizens. They give us access to information that previously was available only to government leaders and insiders. Our governments hold vast storehouses of information about every aspect of society and every individual in it. Citizens cannot be full players without a right of access to this information.
Freedom of information in the law
Freedom of information law at the federal and provincial level allows individuals to access their own personal information from private organizations. For more information on this, read the ‘Request Personal Information’ help topic.
Freedom of information law at the federal and provincial level also allows individuals to access information from government and other public bodies. For more information on this, read the‘Request Information from Public Bodies’ help topic.
For more information about FOI law, read the ‘Freedom of Information Law’ definition below.
What is privacy and how is it protected?
Privacy rights are assuming more importance every day as an essential pillar of human freedom and a necessary protection for other human rights such as our freedoms of thought, association, and expression.
What is privacy?
Privacy, as we define it, is the ability or right to have a “private life” – to be left alone, free from illegal or unwanted scrutiny and intrusions.
“Privacy protection” means defending the privacy of individuals by legislation or other means.
In general there are three categories of privacy that are protected by law:
- spatial privacy,
- bodily privacy, and
- informational privacy.
Spatial privacy is most often affected by laws limiting the police’s ability to search premises; bodily privacy most often deals with our right to control what is done with our bodies; informational privacy is about our rights to control or consent to how our information is handled by others. It is important to understand that this right to informational privacy is limited and balanced against the needs of organizations and governments to collect, use, and disclose information for reasonable purposes. FIPA’s focus is primarily on informational privacy.
Most privacy laws in Canada are based on the Fair Information Practices – core privacy principles which are recognized, and form the basis of privacy laws, in many countries around the world. Fair Information Practices identify the broad rights individuals should have, and the broad responsibilities organizations take on when they collect, use and disclose personal information.
For more information, read the definitions below on:
- federal privacy law and public bodies
- provincial privacy law and public bodies
- federal privacy law and private bodies
- provincial privacy law and private bodies
What is personal information?
Therefore, ‘personal information’ does not have to be the kind of information that you might expect would be sensitive or private or would ordinarily be kept secret. Information can be personal information even if your name is not included, so long as the information would allow you to be identified, either by itself, or if it was matched with some other information about you. This means that a large amount of information could qualify as ‘personal’.
Even if the information is widely known, so long as it is about an identifiable individual, (and is not business contact information) it will be personal information under Canadian privacy and FOI laws. This includes:
- a photograph of you or of something about you
- your address
- your credit card number, your SIN or Care Card number
- genetic information, biometric information
- information about your friends, hobbies, talents, or favourite colour
- information about where you had lunch, bought your favourite shoes or went on vacation
- your age, sex, race, religion, memberships.
Employee personal information
In British Columbia only, employee personal information is a sub-category of personal information. Employee personal information is defined as personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual, but does not include personal information that is not about an individual’s employment.
This roundabout definition is in the law so that an employer can collect, use and disclose personal information about employees for reasonable business purposes without having to get the employees consent, which would impose an unnecessary cost on businesses. Under PIPA, an employee includes a volunteer, so the personal information of volunteers is treated the same way as the personal information of employees.
Under BCs provincial law, PIPA, an employer is not required to get consent to collect, use or disclose employee personal information if:
- the collection, use or disclosure is reasonable for the purposes of establishing, managing or terminating the employment relationship; and
- the employer has given the employee a notice of purposes.
Under PIPEDA, the federal law, an organization is allowed to treat an employee’s consent as being implied if they remain in their job after being given notice of purposes for the collection, use or disclosure by the organization.
For more information see the section on ‘Privacy in Employment’ on the ‘Privacy Rights in Canada‘ help topic.
Collection, use, and disclosure
“Collection” typically means to get or gather together; “use” generally means use, handle, manage or manipulate and “disclose” generally means to give to another organization or person and includes sharing and selling.
What is a ‘private body’?
A private body is any business or non-profit organization, including:
- unincorporated associations
- trade unions
A private body is not:
- an individual, when they are collecting, using or disclosing personal information for personal, journalistic, artistic or literary purposes
- any level of government
- the courts
- private trusts
What is a ‘public body’?
A public body is:
- a ministry of the government of British Columbia
- an agency, board, commission, corporation, office or other body designated in, or added by regulation to, Schedule 2
- a local public body
What is a ‘local public body’?
‘Local public body’ does not include the office of a person who is a member or officer of the Legislative Assembly; the Court of Appeal, Supreme Court or Provincial Court.
It does include the following:
A local government body
This means a municipality; a regional district; an improvement district as defined in the Local Government Act; a local area as defined in the Local Services Act; a greater board as defined in the Community Charter or any incorporated board that provides similar services and is incorporated by letters patent; a board of variance established under section 899 of the Local Government Act or section 572 of the Vancouver Charter; the trust council, the executive committee, a local trust committee and the trust fund board, as these are defined in the Islands Trust Act; the Okanagan Basin Water Board; a water users’ community as defined in the Water Act; the Okanagan-Kootenay Sterile Insect Release Board; a municipal police board established under section 23 of the Police Act; a library board as defined in the Library Act; any board, committee, commission, panel, agency or corporation that is created or owned by a body referred to in paragraphs (a) to (m) and all the members or officers of which are appointed or chosen by or under the authority of that body; a board of trustees established under section 37 of the Cremation, Interment and Funeral Services Act; the South Coast British Columbia Transportation Authority, or the Park Board referred to in section 485 of the Vancouver Charter.
A health care body
This means a hospital as defined in section 1 of the Hospital Act; a Provincial auxiliary hospital established under the Hospital (Auxiliary) Act; a regional hospital district and a regional hospital district board under the Hospital District Act; a Provincial mental health facility as defined in the Mental Health Act, or a regional health board designated under section 4 (1) of the Health Authorities Act.
A social services body
This means Community Living British Columbia established under the Community Living Authority Act.
An educational body
This means a university as defined in the University Act; Royal Roads University; an institution as defined in the College and Institute Act; the Thompson Rivers University; the Open Learning Agency established under the Open Learning Agency Act; a board as defined in the School Act, or a francophone education authority as defined in the School Act.
A governing body of a profession or occupation
If the governing body is designated in, or added by regulation to, Schedule 3.
What is 'consent'?
Express, deemed or implied
Consent can either be express, deemed or implied. In many cases consent must be express, meaning you have to actually say yes or check a box on a form. However an organization can deem your consent as having been implied by you if:
- the organization tells you that it will collect your personal information, and tells you the reason why (either verbally or by showing you its written notice of purposes) and
- you don’t explicitly refuse consent within a reasonable amount of time.
For example, when you call a bank or telecom company for service a voice may announce that the call will be recorded for quality control and training. By staying on the line and speaking with a service representative, you are implying that you consent to the collection of your personal information in the recording for quality control and training.
Except in specific, limited circumstances, such as where there is a legal requirement, or where you are an employee of the organization, you have a right to consent or not to consent to the collection, use and disclosure of your personal information by an organization in the private sector. Depending on the situation, there may be a term of a contract under which you have waived the right to withdraw consent, or there may be a law requiring the organization to collect your personal information for example for tax purposes.
Withdrawing consent in the private sector
The right to consent is accompanied by the right to withdraw or change your consent. First, you must give reasonable notice to the organization. When you do not consent, or you withdraw your consent after you gave it, the organization has to tell you what the consequences will be of your declining or withdrawal of consent.
Usually, once it has your consent, the organization may not collect, use or disclose your personal information for other, or new purposes unless it gets a new consent from you.
However, if your consent is not required for a particular purpose, an organization can continue to collect, use or disclose for that purpose. For example, a bank does not need your consent to file certain tax forms with Canada Revenue Agency to report interest income, because it is required by law to file the forms.
Unless the information is necessary to provide the product or service, the organization cannot require you to give it your personal information as a condition of being supplied the product or service.
You may not withdraw your consent at all in two circumstances: i) if doing so would frustrate the performance of a legal obligation; and ii) if you gave your consent for the purposes of a credit reporting agency creating a credit report about you.
An organization is not allowed to get your consent by giving you false or misleading information or by using deceptive or misleading practices. If you do give your consent based on false or misleading or deceptive information or practices, your consent is not valid and the organization is not allowed to rely on it.
When consent is not required in the private sector
In certain circumstances, an organization does not have to get consent before it collects, uses, or discloses personal information. These circumstances are limited by PIPA and PIPEDA. The limitations in each law are somewhat different, and so private sector organizations will have different rights depending on which of the two laws apply.
Here are some situations when a private sector organization in BC covered by PIPA does not need your consent to collect, use or disclose your personal information:
- when it is clearly in your interests and your consent cannot be obtained in a timely way;
- when it is necessary for medical treatment and you can’t give consent;
- when getting your consent might compromise the availability or accuracy of the information and the information is reasonably needed for an investigation or proceeding;
- when the organization is collecting a debt owed to it;
- when the organization needs to contact a next of kin or friend of an ill or deceased person, or where compelling circumstances exist affecting health and safety; or
- when it is allowed or required by a court order, warrant, subpoena, law or a treaty;
- when you appear at a public event voluntarily and your personal information is collected at the event (for example, you are photographed on stage at a demonstration); or
- when your personal information is needed to determine whether to select you for an award, honour, or an athletic or artistic purpose.
An organization is also allowed to disclose personal information:
- to a public body or law enforcement agency in Canada in connection with investigating or prosecuting crime;
- if there are compelling circumstances affecting someone’s health or safety;
- if the disclosure is to an archive or for research or in connection with a business transaction involving the organization.
In each of the following cases, certain conditions must be met in BC.
- List of the circumstances in which an organization can collect personal information
- List of the circumstances in which an organization can use personal information
- List of the circumstances in which an organization can disclose personal information
Consent in the public sector
Consent is not required under the Freedom of Information and Protection of Privacy Act. Public bodies are allowed to collect, use and disclose personal information without consent. However, FOIPPA does put some limits on what purposes a public body is allowed to collect and use your personal information for, and on how and where it can be disclosed. For more information, read the definition on FOIPPA below.
Private sector privacy laws
Personal Information Protection and Electronic Documents Act (PIPEDA)
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal law which applies to organizations that collect, use and disclose personal information in the course of commercial activity, unless a provincial privacy law applies.
PIPEDA applies to personal information collected, used or disclosed by all businesses in industries that are federally regulated, including personal information about their employees. Provincial privacy law does not generally apply to these organizations. Federally regulated industries include telecommunications (including phone and internet providers), interprovincial transportation (including railways, airlines and trucking), maritime industries (shipping and fishing) banks and some Indian Bands.
Most businesses in Canada are covered by provincial regulation, but certain types of businesses are deemed to have a national scope and effect, so they are regulated by the federal government. The legal term for businesses operating in these federally regulated industries is federal works, undertakings or businesses. These industries include telecommunications, maritime industries, interprovincial transportation, and banking.
PIPEDA also applies to all personal information that flows across provincial or national borders in the course of commercial transactions regardless of what type of business the sender or recipient is in. All personal information that flows across a border is covered by PIPEDA.
Personal Information Protection Act (PIPA)
In British Columbia the law that protects privacy in the private sector is called the Personal Information Protection Act (PIPA). It applies to every organization except governments in the province, including municipal governments and the Nisgaa government and the courts.
All types of organizations are covered, including for-profit businesses and non-profit organizations, associations, teams and clubs. PIPA applies to organizations when they collect, use or disclose personal information in the course of their operations.
PIPA does not apply if:
- the collection, use or disclosure of personal information is for personal purposes, (for example, keeping a phone book of friends numbers, researching and recording a family history); or
- the collection, use or disclosure of personal information is for journalistic, artistic or literary purposes, or
- another privacy law applies to the information, for example, if PIPEDA applies, PIPA will not apply.
Personal information in the private sector
Collection, use, and disclosure in the private sector
Both these laws require private sector organizations to follow certain rules to protect the privacy rights of individuals in the course of collecting, using, holding or disclosing personal information. An organization is accountable for all the personal information in its custody or under its control. It must assign someone to be responsible for complying with the law and carrying out the responsibilities required by the law. That person’s name or work contact information must be made publicly available and the organization must give the contact information to you if you request it.
These laws also recognize the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. In this way, they are intended to balance the rights of individuals with the reasonable needs of organizations. Before or at the time it collects personal information, the organization must tell the individual either in person or in writing the purposes for the collection, use and disclosure of personal information. These purposes must always be reasonable and appropriate in the circumstances. For more on this, read the definition of ‘consent,’ above.
Access and corrections
You also have a right to request access to your personal information. The organization must respond to your request generally within 30 days (although some time extensions are allowed). If the organization refuses to grant you access it must tell you why in writing and tell you that you can make a complaint to the Privacy Commissioner about the refusal.
You have the right to request that a correction be made to your personal information. If the organization does not make the requested correction, it must make a note on the file or the document containing the information to explain the correction that was requested.
Businesses and non-profits
If the organization you are concerned about is a business or non-profit organization in BC, PIPA (BC) will apply, unless the organization is a bank, a telecommunications company, an airline, a maritime business, a railway, an interprovincial trucking business, or an Indian Band (these fall into the category of federal works, undertakings or businesses) in which case, the PIPEDA will apply. PIPEDA also applies to any collection, use or disclosure of personal information that takes place across a provincial or national border.
These laws do not apply to:
- information that does not identify an individual, such as aggregate information (information about many individuals that is collected together from different sources but does not have individual identifiers on it) or statistical information;
- information about a group or business; or
- an individual’s name together with their business contact information (sometimes called tombstone data or business card information.)
- individuals, when they are collecting, using or disclosing personal information for personal, journalistic, artistic or literary purposes;
- any level of government;
- the courts; or
- private trusts.
PIPA does not apply outside BC and doesn’t apply to organizations that are covered by PIPEDA, while PIPEDA does not apply in BC except to certain organizations.
Private sector laws in other provinces
PIPEDA applies to private-sector organizations in the federally-regulated private sector, and also to provincially-regulated organizations in provinces that have not enacted personal information protection acts that the federal government has recognized as “substantially similar” to the PIPEDA. Quebec and Alberta are the only provinces besides B.C. that have enacted substantially similar acts to date, while the Ontario, New Brunswick and Newfoundland and Labrador health privacy laws are also deemed to be substantially similar (May 2014).
Public sector privacy laws
What does it do?
The Privacy Act controls how the government will collect, use, store, disclose and dispose of personal information. However, it applies only to recorded personal information it does not protect personal information that is not in a record. Examples of information that are not in a record include when biological samples (such as DNA) or real-time information (such as live video surveillance that is not recorded) are collected, used and disclosed.
The government of Canada has issued policies that all federal government institutions listed in the Schedule must follow to meet the requirements of the Privacy Act (see Treasury Board Policy Suite Renewal Policy Framework for Information and Technology Management Policy On Privacy Protection (April 1, 2008).
The Privacy Act gives you the right to access your personal information held about by the federal government. You also have the right to request that a correction be made to your personal information. All the institutions under the Act are also subject to the Privacy Regulations.
What organizations does it apply to?
- Federal government ministries, departments, agencies and commissions,
- Law enforcement and security agencies like CSIS, the RCMP, Customs and Border Control Canada
- Port authorities
- Federal Crown corporations
- Canadian agencies, foundations, boards, commissions, tribunals
When can the Canadian government collect personal information?
The Privacy Act permits a government institution to collect personal information so long as it relates directly to the institutions activities or programs.
Personal information is supposed to be collected directly from you wherever possible, except if you consent to collection from another source, or if the purpose for the collection is listed in the Privacy Act.
The government institution must give you notice of the purpose of collection unless doing so would defeat the purpose of the collection or result in the collection of inaccurate information.
How is the Canadian government allowed to use and disclose personal information?
The Privacy Act says that personal information is allowed to be used and disclosed only for:
- the purposes that you consent to; or
- the purpose for which it was obtained or compiled or for a use consistent with that purpose; or
- the purposes listed in the Act. These may be summarized as:
- as authorized by any Canadian law, or by a subpoena or warrant issued or court order;
- for legal proceedings involving the Crown in right of Canada or the Government of Canada;
- for specific types of lawful investigations;
- to a member of Parliament for the purpose of assisting you to resolve a problem;
- for audit purposes;
- for archival purposes, and for research or statistical purposes, but only if certain conditions are met;
- for the purpose of researching or validating the claims, disputes or grievances of any of the aboriginal peoples of Canada;
- to collect a debt owing to the Crown or pay a debt owed by the Crown.
Personal information can also be disclosed for any purpose where the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or where disclosure would clearly benefit the individual to whom the information relates.
It is worth noting that although the list in the Privacy Act is supposed to limit how the government can use or disclose your personal information without consent, the reality is that the list is so broad, there is very little to stop government institutions from using or disclosing your personal information in ways which you may not have contemplated when your information was originally collected.
How long can the Canadian government keep personal information?
Personal information that has been used by a government institution for an administrative purpose must be kept long enough to ensure the individual has a reasonable opportunity to get access to it. A time period will often be specified in a law or regulation that applies to the institution or to the information.
A government institution must take reasonable steps to ensure that personal information used for an administrative purpose is as accurate, complete and up-to-date as possible. The institution must dispose of the information securely.
Should I go to court?
It can be challenging to use the common law or the Privacy Act (BC) to protect individual privacy rights. First, these are tools that are generally used after the fact when the privacy breach has occurred.
Secondly, our courts are open to the public, so suing someone can result in the broader publication of the very invasion of privacy that you would prefer to keep private.
Finally, there can be a great deal of cost and time involved in bringing a lawsuit. The courts have detailed Rules of Court which all litigants are required to follow. Even if you win, you may not recover enough in damages to make the effort worth your while.
If you are considering bringing a civil suit against a person or organization, it is strongly recommended that you consult a lawyer.
- Referral Service offered by the Canadian Bar Association
- Referral service offered by the Law Society of BC
Freedom of Information and Protection of Privacy Act (BC) (FOIPPA)
Each provincial government has a law that protects the privacy of your personal information. In British Columbia that law is called the Freedom of Information and Protection of Privacy Act (FOIPPA). FOIPPA has several purposes:
- To give the public the ability to access some of the records held by government bodies;
- To prevent unauthorized collection, use and disclosure of personal information by public bodies;
- To give individuals a right of access and a right to request correction to their own personal information that is held by public bodies; and
- To give individuals the right to complain to the Information and Privacy Commissioner of BC, who can review the decisions and actions of government bodies and can make orders if he concludes that the Act has not been followed.
Who does it apply to?
FOIPPA applies to most records held by government bodies with some exceptions, including certain court records, like those held by judges and tribunals; certain records of education materials or exam questions; and records relating to a prosecution if all the proceedings have not been completed. Examples of public bodies include:
- Provincial and city governments
- Provincial government agencies and commissions
- Provincial and city police, but not the RCMP
- Health authorities, universities and colleges
- Public schools and school boards
- Some governing bodies of professions (like the College of Physicians and Surgeons or the Law Society of BC)
- every government institution listed in the Schedule 2 of the Act
Consent, collection, use, and disclosure
Consent is not required under FOIPPA. Public bodies are allowed to collect, use and disclose personal information without consent. However, FOIPPA does put some limits on what purposes a public body is allowed to collect and use your personal information for, and on how and where it can be disclosed.
Personal information may be collected by or for a public body only if:
- a law specifically says that the personal information may be collected; or
- it is collected for law enforcement purposes; or
- the personal information relates directly to an operating program or activity of the public body and the personal information is necessary for the operating program or activity.
Although these are broad categories, they do have limits. The BC Information and Privacy Commissioner has decided that when asking whether personal information is necessary for a program or activity, public bodies should be held to a fairly rigorous standard of necessity, taking into consideration the sensitivity and amount of the personal information collected, the purpose for the collection and the objective of FOIPPA to protect privacy. It is not enough that the information would be helpful. And if the purpose can be accomplished another way, the public body should take that other way.
A public body must also retain personal information for at least a year if it has been used to make a decision that directly affects the individual.
Your personal information may be used or disclosed for the purpose for which it was obtained or compiled, or for a purpose that is consistent with that purpose. In section 34 of FOIPPA, “for a consistent purpose” means that the purpose has a reasonable and direct connection to the original purpose and it is necessary for performing the duties or carrying out a program of the public body.
Certain other purposes permitted in FOIPPA are extremely broad and include purposes related to the payment to be made to a public body, licensing and regulatory purposes, law enforcement purposes, or for any purpose authorized by law.
Under private sector laws PIPA and PIPEDA, there is an overarching requirement that the collection, use and disclosure must be for purposes that are reasonable and appropriate in the circumstances. There is no such requirement in FOIPPA. In fact, because FOIPPA states that personal information may be used or disclosed if a law of BC or Canada authorizes or requires the use or disclosure, the government can do just about anything with your personal information once they have collected it. All the government has to do is pass a law to give it the necessary authority. If the law is consistent with the requirements of the Charter of Rights and Freedoms, FOIPPA permits the use or disclosure to be carried out.
And a public body may use or disclose your personal information for any other purpose, if the public body gets your consent.
Your personal information must be kept secure. A public body is required to protect personal information in its custody and under its control by making reasonable security arrangements against unauthorized use, access, collection, disclosure or disposal of the information.
FOIPPA does not specify a technical standard, in part because technical standards change very quickly. However the Information and Privacy Commissioner has interpreted the law and determined that individuals who do not have a need to know the information to carry out their job function should not access the information. Even if an employee can see the information in a system or a file, he should not be looking at it unless there is a legitimate job-related reason to do so.
A government body and its service providers will breach the law if they fail to ensure that their employees follow the law.
Security measures must consider paper and electronic storage formats, emerging risks, and the inevitability of human error. Government bodies and their service providers must know about how their systems work, and about any new technological threats to the privacy and security of information. They also have to recognize that everybody makes mistakes and should build redundancies into the security systems, such as using encryption on all portable devices.
Personal information may be stored or accessed outside Canada only in very limited circumstances.
Other privacy laws
The Privacy Act (BC)
BC has a little-used law called the Privacy Act which gives an individual a right to sue for invasion of privacy. This law makes it a civil wrong for a person to wilfully violate the privacy of another person.
This law has been used infrequently in British Columbia, but there are a few cases which give us some guidance about what “wilfully violate the privacy of another” means. It means that the person intentionally did an act that he knew or ought to have known would violate the privacy of the other person.
Other sector-specific laws dealing with privacy
There are other laws that contain provisions that provide privacy protection to Canadians. The federal Bank Act, for example, contains provisions regulating the use and disclosure of personal financial information by federally regulated financial institutions. Similar restrictions can be found in provincial statutes that regulate the activities of financial institutions, such as credit unions and insurance companies in provincial jurisdiction.
Various consumer protection laws at the federal and provincial levels offer limited protections and remedies against illegal and unethical business practices that may constitute an infringement of privacy.
Some provinces have privacy tort laws which provide a civil remedy for someone whose privacy has been violated.
For more information on Provincial and Territorial Privacy Laws, Oversight Offices, and Government Organizations, click here.
E-Health (Personal Information Access and Protection of Privacy) Act
In early 2008, the British Columbia government enacted the E-Health (Personal Information Access and Protection of Privacy) Act. This law allows the Minister of Health to designate certain health care databases as “health information banks”.
The Minister’s designation order must specify the purposes for which the information in the health information bank may be used and those purposes are limited by the Act. The information that gets put into the health information bank can be shared and used by various health care providers and administrators for purposes ranging from providing you with health care to managing the health care system. Your consent is not required, and there is no requirement for you to be told that your health information has been put into a health information bank.
The Act provides for the creation of a data stewardship committee to oversee the disclosure of personal health information from a health information bank for a planning or research purpose. The law gives you a limited right to restrict who can see and use your health information, by allowing you to put a disclosure directive on your health information which will specify to whom the information may or may not be disclosed.
You will also have a limited right of access to your health information held in a health information database.
Some other Canadian jurisdictions have enacted legislation to deal specifically with the collection, use and disclosure of personal health information by provincial health care organizations and other approved individuals and agencies:
For more information on E-Health and privacy, see the relevant sections on the ‘Privacy Rights in Canada‘ help topic.
Freedom of information laws
All access to information and freedom of information laws share a number of features. First, they operate on the presumption that, by definition, records in the custody or control of public bodies (understood to include any documentary material, regardless of medium or form) belong to the public and should – with limited specified exceptions – be available upon request. Second, they reflect and operationalize the idea that public access to information is a means to the ends of transparency, accountable government, and participatory democracy. Third, they operate through a request-response process that is intended to complement but not replace existing procedures for access to government information.
The following laws allow members of the public to request information from public bodies. The only information that can be requested from private bodies is your own personal information, under privacy law. For more information read the definition of ‘Private Sector Privacy Laws,’ above.
Freedom of Information and Protection of Privacy Act (BC)
As well as protecting personal information, the Freedom of Information and Protection of Privacy Act is also designed to make public bodies open and accountable. Under this law, members of the public can request access to records held by a provincial public body.
Complaints about how the government has handled a request for access are handled by the Information and Privacy Commissioner of BC. For more information about oversight, read the Office of the Information and Privacy Commissioner definition below.
For further information about FOIPPA, read the definition for ‘public sector privacy laws’ above.
Access to Information Act
The Access to Information Act works in conjunction with the Privacy Act. Together, the two laws work the same way that FOIPPA works in British Columbia: one part protects individual privacy, and the other part gives people a right to get access to information (other than personal information) held by government.
Compared to the scope of the information that they collect and retain the amount of data that is proactively made publicly available by government bodies represents the tip of the proverbial iceberg. If you are looking to dig deeper and obtain records that are otherwise beyond reach, exercising your formal information rights under ATI laws can be an effective and rewarding method of inquiry.
Complaints about how the government has handled a request for access are handled by the Information Commissioner of Canada, and subsequently the Federal Court of Canada. For more information about oversight, read the definition below on “Oversight of privacy and freedom of information rights”.
For information about how to file a request, click here.
What is a ‘FOI request’?
When referring to ATI/FOI mechanisms, the term ‘request’ is not synonymous with the term ask, as it is often understood in common parlance. An ATI/FOI request is an invocation of information rights, and government bodies covered by ATI/FOI legislation are legally obligated to respond- again, subject to limited specified exceptions – and release applicable records.
What is a ‘record’?
A ‘record’ is a very broad term which refers to any information held by a public or private body. This includes but is not limited to:
- Briefing notes and memoranda
- Executive summaries
- Background papers and reports
- Decks (printout of a slideshow presentation)
- Photographs, videos, diagrams and maps
- Incident reports and other forms
- Media lines, Q&As, and other communications products
- Emails and texts
- Budgets, receipts, and other financial documents
- Meeting agendas, minutes, and handouts
- Handwritten notes
What is a ‘FOI analyst’?
FOI/ATI requests are received by government workers called analysts, whose job it is to identify and contact the government office(s) that have control over the records being sought (known as the Office(s) of Primary Interest or OPIs), receive the records that are responsive to the request, and process materials in accordance with the law. ATI/FOI research often involves interactions between the requester and the assigned analyst. These interactions may take the form of requests for clarification or negotiations regarding the scope of a request.
Other provincial FOI laws
Alberta– Freedom of Information and Protection of Privacy Act, RSA 2000, c F-25 (1995)
Manitoba– Freedom of Information and Protection of Privacy Act, CCSM c F175 (1997)
New Brunswick– Right to Information and Privacy Act, SNB 2009, c R-10.6 (2010)
Newfoundland & Labrador– Access to Information and Protection of Privacy Act, SNL 2002, c A-1.1 (2005)
Northwest Territories– Access to Information and Protection of Privacy Act, SNWT (Nu) 1994, c 20 (1996)
Nova Scotia– Freedom of Information and Protection of Privacy Act, SNS 1993, c 5 (1994)
Nunavut– Access to Information and Privacy Protection Act, SNWT (Nu) 1994, c 20 (1999)[Amended form of NWT Act]
Ontario– Freedom of Information and Protection of Privacy Act, RSO 1990, c F. 31 (1997)
Prince Edward Island– Freedom of Information and Protection of Privacy Act, RSPEI 1988, cF-15.01 (2002)
Québec– An Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information, RSQ, c A-2.1 (1982)
Saskatchewan– Freedom of Information and Protection of Privacy Act, SS 1990-91, c F-22.01 (1992)
Yukon– Access to Information and Protection of Privacy Act, RSY 2002, c 1 (1985) Canada (Federal)
FOI laws covering local government and authorities:
Nova Scotia– Municipal Government Act, SNS 1998, c 18 (1998)
Saskatchewan– Local Authority Freedom of Information and Protection of Privacy Act, SS 1990-91, c L-27.1 (1992)
Ontario– Municipal Freedom of Information and Protection of Privacy Act, RSO 1990 c. M.56 (1987)
Oversight of privacy and freedom of information rights
The Information and Privacy Commissioner of British Columbia
The Office of the Information and Privacy Commissioner of British Columbia (OIPC) is independent from the government and reports directly to the legislative assembly of BC about government compliance with FOIPPA, and about other matters relating to compliance with FOIPPA and PIPA. The OIPC is impartial, and its decisions are legally binding.
The responsibilities of the OIPC include:
- To oversee and enforce government compliance with the Freedom of Information and Protection of Privacy Act
- To investigate complaints made by individuals about government bodies, and resolve them by mediation, or by holding a formal inquiry and issuing orders;
- To oversee and enforce compliance by businesses and non-profit organizations with the Personal Information Protection Act;
- To investigate complaints made by individuals about businesses and non-profit organizations, and to resolve them by mediation, or by holding a formal inquiry and issuing orders;
- To issue investigation reports, decisions and formal orders;
- To write and publish public education materials, discussion papers, public comments and guidelines for how to comply with the laws;
- To provide comments and recommendations about proposed legislation and government policy, to make presentations to legislative committees, and to issue Annual Reports to the legislature;
- To publicize privacy and access laws in British Columbia, to give talks on privacy and access rights, to educate the public about their rights and raise awareness about technological developments that impact privacy.
Offences in BC
An employee or director of a public body or its service provider who discloses personal information in ways not permitted by the Freedom of Information and Protection of Privacy Act (FOIPPA) commits an offence.
Anyone working for a government body who finds out about an unauthorized disclosure of personal information is required to tell their employer. They are also required to report a demand for disclosure that comes from outside Canada. Failure to do this is an offence.
An individual who commits these offences could be fined up to $2,000. A service provider (including an individual service provider) to a government body may be fined up to $25,000. A corporation may be fined up to $500,000.
If you believe that there has been an improper disclosure of personal information by a government body or its service provider, you should report it to the Office of the Information and Privacy Commissioner.
More generally, if anyone misleads or obstructs the Commissioner in the performance of his or her duties or fails to comply with an order made by the Commissioner or an Adjudicator, that person commits an offence and is liable to a fine of up to $5,000.
Other resources in BC
The website of the Office of the Chief Information Officer of BC contains many links to useful government forms, guidelines, policies and directives. In addition, you will find links to the legislation, procedures, standards, statistics, research reports and more.
The Ministry of Citizens Services has created a lengthy and detailed Policies and Procedures Manual for use by Freedom of Information coordinators in public bodies. The Manual is a useful tool for understanding what the coordinators are required to do to respond to your request, and may guide you in understanding how the response system works.
Who makes sure the Canadian government is following federal privacy law?
The Privacy Commissioner of Canada is an officer of Parliament, which means that she reports directly to the House of Commons and the Senate and is independent of the government in power. The Office of the Privacy Commissioner of Canada (OPC) is responsible for overseeing compliance with PIPEDA and with the Privacy Act, and for protecting and promoting individual privacy rights.
To do this, the OPC does the following:
- Investigates complaints, and resolves them by mediation, or by making recommendations and issuing decisions about the complaints and the resolution;
- Carries out audits of the government and of businesses, and issues reports of the audits;
- Issues public reports about a variety of privacy issues;
- Pursues actions in the courts under both PIPEDA and the Privacy Act;
- Comments on proposed legislation and policy;
- Supports and undertakes research into privacy issues and promotes public awareness and understanding of privacy law and privacy issues;
- Monitors trends in technology development to identify new privacy issues; and
- Works with privacy commissions throughout Canada and abroad to address global privacy issues.
The Privacy Commissioner can investigate the circumstances of the matter, but can only make recommendations; he or she has no power to order the government to do anything. If an institution refuses to provide access to information even after the Privacy Commissioner has investigated and recommended that you get access, all you can do is apply to the Federal Court for a judge to review the decision of the government institution.
Not surprisingly, it is very rare for people to go to Federal Court, because it is expensive and takes a long time.
If you are unhappy with a refusal of a government institution to give you access to personal information under the Privacy Act (Canada), here is more information about how to ask the Privacy Commissioner of Canada for a review.
The OPC website has a wealth of material about privacy issues. On the site you will find case summaries of complaints, practical guidelines for compliance, information sheets, and a wide range of useful materials about privacy rights and obligations, including research into privacy risks, international privacy law issues and the impact of new technology on privacy.
Who makes sure the Canadian government is following federal access to information law?
The Office of the Information Commissioner is appointed by and reports directly to Parliament, and provides arms-length oversight of the federal government’s access to information practices. The Commissioner encourages and assists federal institutions to adopt approaches to information-sharing that meet the objectives of the Act, and advocates for greater access to information in Canada.
The OIC can receive requests for review, and the Commissioner’s website contains fillable forms. The OPC of Canada cannot receive complaints electronically- complaints must be submitted in writing, by mail or fax.
Once a complaint has been filed and reviewed, it is assigned to an investigator in the Commissioner’s office. As with an ATI/FOI request, complaints or requests for review are assigned a file number. The investigator will contact the responding agency or public body and make an effort to address the complaint informally through a mediated resolution.
Unlike the provincial Information and Privacy Commissioner, the federal Information Commissioner of Canada does not have order-making powers. A formal investigation by the Commissioner’s Office can result in a finding that a government department or agency acted inappropriately and failed to meet its obligations under the ATIA. The head of the department or agency is not obligated to release information in response to a finding. To compel such a release, the requester and/or the Office of the Information Commissioner must initiate Federal Court proceedings.
* FIPA would like to acknowledge the contributions of Sara Levine and Darrell Evans to this section.