The Privacy Act (French: Loi sur la protection des renseignements personnels) is the federal information-privacy legislation of Canada that came into effect on July 1, 1983.^[1][2] Administered by the Privacy Commissioner of Canada,^[1] the Act sets out rules for how institutions of the Government of Canada collect, use, disclose, retain, and dispose of personal information of individuals.^[3]

The Act does not apply to political parties, political representatives (i.e., members of Parliament and senators), courts, and private sector organizations.^[3] All provinces and territories have their own laws governing their public sectors.^[3]

Some salient provisions of the legislation are as follows:

• A government institution may not collect personal information unless it relates directly to an operating program or activity of the institution (section 4).
• With some exceptions, when a government institution collects an individual's personal information from the individual, it must inform the individual of the purpose for which the information is being collected (section 5(2)).
• With some exceptions, personal information under the control of a government institution may be used only for the purpose for which the information was obtained or for a use consistent with that purpose, unless the individual consents (section 7).
• With some exceptions, personal information under the control of a government institution may not be disclosed, unless the individual consents (section 8).
• Every Canadian citizen or permanent resident has the right to be given access to personal information about the individual under the control of a government institution that is reasonably retrievable by the government institution, and request correction if the information is inaccurate (section 12).
• A government institution can refuse requests for access to personal information in four cases:^[4]
  1. The request interferes with the responsibilities of the government, such as national defence and law enforcement investigations (sections 19-25)
  2. The request contains the personal information of someone other than the individual who made the request (section 26).
  3. The request is subject to solicitor-client privilege (section 27).
  4. A request for an individual's own medical records can be rejected if there is no benefit to the individual in reading it (section 28).
• The Privacy Commissioner of Canada receives and investigates complaints, including complaints that an individual was denied access to his or her personal information held by a government institution (section 29).

The first privacy law in Canada was enacted in 1977 in part four of the Canadian Human Rights Act by creating the Office of the Privacy Commissioner of Canada, which would be responsible for investigating privacy violation complaints by members of the public and reporting to lawmakers.^[5]

During the 32nd Parliament in 1983, Bill C-43 was passed.^[5] This legislation created the Privacy Act and the Access to Information Act, separate from the Canadian Human Rights Act.

An individual who has been refused access to personal information may ultimately apply to the Federal Court for a review of the matter, pursuant to section 41 of the Act. The Court may order the head of the government institution to disclose the information to the individual (sections 48 and 49). Decisions of the Federal Court on such matters may be appealed to the Federal Court of Appeal, and, if leave is granted, further appealed to the Supreme Court of Canada (SCC).

Some important court decision concerning the Privacy Act are:^[6]

• Canadian Association of Elizabeth Fry Societies v Canada (Public Safety and Emergency Preparedness), 2010 FC 470 — holding that, when an individual requests their personal information and then consents to the release of that information to their representative, that consent survives the individual’s death.
• H.J. Heinz Co. of Canada Ltd. v Canada (Attorney General), 2006 SCC 13 — affirms that a third party can object to the disclosure of information under the Access to Information Act on the basis that it would disclose personal information about another individual. In the course of its reasons, the SCC articulated several principles about the interpretation of the Privacy Act.^[7]
• Canada (Information Commissioner) v Canada (Commissioner of the Royal Canadian Mounted Police), 2003 SCC 8^[8] — considering the definition of "personal information" in section 3 of the Privacy Act.
• Ruby v Canada (Solicitor General), 2002 SCC 75^[9] — holding that section 51(2)(a) of the Privacy Act is unconstitutional because it requires that the entire hearing of certain applications to Federal Court be held in camera.
• Lavigne v Canada (Office of the Commissioner of Official Languages), 2002 SCC 53^[10] — holds that the Privacy Act is 'quasi-constitutional' legislation; a head of a government institution could refuse access because of the impact that disclosure would have on current or future investigations. However, the head must prove that there is a reasonable expectation that disclosure would harm those investigations.
• Privacy Act (Can.) (Re), 2001 SCC 89^[11] — holding that the Privacy Act was not violated by a program whereby Canada Customs gave information about travellers to the Canada Employment Insurance Commission, to identify those who received employment insurance benefits while outside Canada.
• R v Zarzour, (2000) 196 F.T.R. 320 — explains the principles about retaining personal information, and that a government institution must take sufficient steps to verify the accuracy of the personal information it uses for an administrative purpose.
• Dagg v Canada (Minister of Finance), [1997] 2 S.C.R. 403^[12] — the first major SCC decision to consider the Privacy Act.

• Privacy law
• Information privacy law
• Data privacy
• Access to Information Act
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• Info Source—repository of information available through the Privacy Act and Access to Information Act