27-May-2004
Personal Information Protection and Electronic Documents Act FAQ
What is PIPEDA?
Part 1 of PIPEDA sets ground rules for how organizations may collect, use or disclose information about you in the course of commercial activities. The law also gives you the right to see and ask for corrections to information an organization may have collected about you. If you think an organization covered by the Act is not living up to its responsibilities under the law, you have the right to lodge an official complaint.
What is personal information?
"Personal information" under the Act means information about an "identifiable individual."
For example, "personal information" includes your
- name, age, weight, height
- medical records
- income, purchases and spending habits
- race, ethnic origin and colour
- blood type, DNA code, fingerprints
- marital status and religion
- education; and
- home address and phone number
"Personal information" does not include the name, job title, business address or office telephone number of an employee of an organization.
How does the Act protect my personal information?
Your ability to control your personal information is key to your right to privacy.
The Act gives you control over your personal information by requiring organizations to obtain your consent to collect, use or disclose information about you. The Act confers certain rights on individuals, and imposes specific obligations on organizations.
The law gives you the right to:
- know why an organization collects, uses or discloses your personal information;
- expect an organization to collect, use or disclose your personal information reasonably and appropriately, and not use the information for any purpose other than that to which you have consented;
- know who in the organization is responsible for protecting your personal information;
- expect an organization to protect your personal information by taking appropriate security measures;
- expect the personal information an organization holds about you to be accurate, complete and up-to-date;
- obtain access to your personal information and ask for corrections if necessary; and
- complain about how an organization handles your personal information if you feel your privacy rights have not been respected.
The law requires organizations to:
- obtain your consent when they collect, use or disclose your personal information;
- supply you with a product or a service even if you refuse consent for the collection, use or disclosure of your personal information unless that information is essential to the transaction;
- collect information by fair and lawful means; and
- have personal information policies that are clear, understandable and readily available.
An organization should destroy, erase or make anonymous personal information about you that it no longer needs in order to fulfil the purpose for which it was collected.
There are certain exceptions to these principles. For example, an organization may not need to obtain your consent if collecting the information clearly benefits you and your consent cannot be obtained in a timely way; or if the information is needed by a law enforcement agency for an investigation, and getting consent might compromise the information's accuracy.
How can I see the personal information an organization has about me?
- Send a written request to the organization that holds your personal information. You must provide enough detail to allow the organization to identify the information you want. For example, include dates, account numbers, and the names or positions of people you may have dealt with at the organization.
- Organizations must provide the information requested within a reasonable time and at minimal or no cost.
How can I correct errors or omissions in my personal information?
- Write to the organization that has personal information about you and explain the correction you are requesting and why. Supply copies of any documents that support your request, if you have them.
- If the organization refuses to correct your personal information, you may require it to attach a statement of your disagreement to the file. This statement must be passed on to any other organization that may have access to the information.
What if I believe my privacy rights are not being respected?
The Act gives you the right to make a complaint if:
- you run into any difficulties obtaining your personal information, if an organization refuses to correct information you consider inaccurate or incomplete, or if you suspect your personal information has been improperly collected, used or disclosed; or
- you believe an organization is not following any provision of PIPEDA.
Where do I complain?
- We encourage you to first try to settle the matter directly with the organization about which you are complaining by contacting the person responsible for handling privacy issues within the organization.
- Contact the Office of the Privacy Commissioner of Canada by calling 1-800-282-1376 if you need more information or advice on how you should proceed.