Frequently Asked Questions

The Office of the Privacy Commissioner of Canada Information Centre receives enquiries covering a range of questions, issues and concerns from Canadians. We have compiled some of the most commonly asked questions below.

Note: These FAQs are not intended to provide legal advice; they are only intended to provide general information about jurisdiction.

Need more information?

Privacy and the OPC

Access to Personal Information

Fraud and ID Theft

Social Insurance Number (SIN)

Companies and the Federal Government Outsourcing Work that Includes Your Personal Information to a Third Party

Landlords and Tenants

Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and Privacy

Retailers and Your Personal Information

Telemarketing (The Do-Not-Call List) and Your Personal Information

Statistics Canada

Privacy and the OPC

Top of Page Table of ContentsWhat does the Office of the Privacy Commissioner of Canada do?

As Canada’s privacy guardian, the Office of the Privacy Commissioner of Canada:

  • reports to Parliament on issues that touch on the privacy rights of Canadians;
  • answers public inquiries and investigates complaints;
  • conducts audits of the privacy policies and practices of federal government departments and agencies, as well as private companies, and advises them on their obligations;
  • conducts and commissions research,
  • may take cases to Federal Court, and
  • engages in public education and outreach.

In fact, we speak out whenever privacy issues are at stake, expressing our views before Parliamentary committees, in the media, in public speeches and our office blog, at international forums and world regulatory bodies, and in the many publications that you can obtain from our Office or on our web site.

The Office of the Privacy Commissioner of Canada oversees two laws:

  • the Privacy Act, which sets out the rules for privacy protection in the federal public sector, and
  • the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the information-handling practices of private-sector organizations everywhere in Canada except British Columbia, Alberta, Quebec, and the health-care sector of Ontario, New Brunswick and Newfoundland and Labrador. (Comparable laws apply to organizations conducting business wholly within those jurisdictions.) Even in those provinces, PIPEDA continues to apply to the federally regulated private sector, such as telecommunications, banking and transportation, as well interprovincial and international transactions.

For more information:

Past Findings by the OPC:

Top of Page Table of ContentsWhat laws protect my privacy in Canada?

In Canada, we are protected by two federal privacy laws. The Privacy Act covers the personal information-handling practices of the federal government and the Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s private sector privacy law, which came fully into effect on January 1, 2004.

Every province and territory also has privacy legislation governing the collection, use and disclosure of personal information held by government agencies. These acts provide individuals with a general right to access and correct their personal information. Oversight is through either an independent commissioner or ombudsman authorized to receive and investigate complaints.

British Columbia, Alberta and Quebec are the only provinces with laws recognized as substantially similar to PIPEDA. These laws regulate the collection, use and disclosure of personal information by businesses and other organizations and provide individuals with a general right of access to, and correction of, their personal information. Ontario, New Brunswick and Newfoundland and Labrador, meanwhile, have adopted privacy legislation to protect personal health information which has been recognized as substantially similar.

For more information:

Top of Page Table of ContentsWhat is personal information?

Privacy Commissioners and courts have expanded and refined the meaning of personal information to include many things, from the commonplace (name, address and income tax returns) to the more unusual (voiceprints and tracking information collected by GPS).

PIPEDA
In PIPEDA, personal information is defined as information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

Privacy Act
In the Privacy Act, personal information is defined as information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing,

  1. information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual,
  2. information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
  3. any identifying number, symbol or other particular assigned to the individual,
  4. the address, fingerprints or blood type of the individual,
  5. the personal opinions or views of the individual except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual by a government institution or a part of a government institution specified in the regulations,
  6. correspondence sent to a government institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence,
  7. the views or opinions of another individual about the individual,
  8. the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual by an institution or a part of an institution referred to in paragraph (E), but excluding the name of the other individual where it appears with the views or opinions of the other individual, and
  9. the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual, but, for the purposes of sections 7, 8 and 26 and section 19 of the Access to Information Act, does not include:
    1. information about an individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual including,
      1. the fact that the individual is or was an officer or employee of the government institution,
      2. the title, business address and telephone number of the individual,
      3. the classification, salary range and responsibilities of the position held by the individual,
      4. the name of the individual on a document prepared by the individual in the course of employment, and
      5. the personal opinions or views of the individual given in the course of employment,
    2. information about an individual who is or was performing services under contract for a government institution that relates to the services performed, including the terms of the contract, the name of the individual and the opinions or views of the individual given in the course of the performance of those services,
    3. information relating to any discretionary benefit of a financial nature, including the granting of a licence or permit, conferred on an individual, including the name of the individual and the exact nature of the benefit, and
    4. information about an individual who has been dead for more than twenty years.

For more information:

Top of Page Table of ContentsWhat types of privacy issues can the OPC help with?

The Office of the Privacy Commissioner of Canada oversees compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law, along with some aspects of Canada’s anti-spam legislation.

Our Office can only investigate complaints that fall under our jurisdiction. As such, the privacy issue would have to relate either to a federal government department or agency governed by the Privacy Act or to a private-sector organization (a business) covered by PIPEDA.

Furthermore, both of these acts only deal with personal information, so the issues we can help with must pertain to the handling of information about an identifiable individual. For a more detailed definition of personal information, see our FAQ on this topic.

The types of issues we deal with under the Privacy Act relate to an individual’s right to see and correct personal information the Government of Canada holds about them or the Government’s collection, use and disclosure of their personal information.

The types of issues we deal with under PIPEDA relate to the collection, use or disclosure of personal information by organizations engaged in commercial activities and the individual’s right to access and correct their personal information.

Not all privacy issues fall within the scope of either the Privacy Act or PIPEDA. Many privacy issues fall within the jurisdiction of provinces or territories, or may be the responsibility of another agency.

It should also be noted that for certain privacy issues, there is no applicable legislation for the issue. For example, the conduct of individuals who are collecting, using or disclosing personal information for personal use—or in other words, non-commercial use—may not be covered under Canadian privacy legislation.

If you have a privacy issue or concern and are looking for help, start by reading our fact sheet Privacy Legislation in Canada for more information about what laws might apply and what organizations oversee them.

Top of Page Table of ContentsIf my privacy issue doesn’t fall under the Privacy Act or PIPEDA, where can I go for help?

The OPC is contacted annually by thousands of individuals and organizations with a wide variety of privacy issues. We are committed to protecting and promoting the privacy rights of Canadians, and we do our best to help whenever we can. However, we only oversee compliance with the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, the Personal Information Protection and Electronic Documents Act (PIPEDA), and some aspects of Canada’s anti-spam legislation. As such, there are times when some privacy issues should be addressed by other organizations, and there are certain privacy issues for which there is no applicable legislation.

If you have a privacy issue or concern and are looking for help, please start by reading our fact sheet Privacy Legislation in Canada for more information about what laws might apply and what organizations oversee them.

Top of Page Table of ContentsWhat can I do if I think an organization has violated my privacy rights?

If you think that your privacy has been violated, you can take these three steps:

STEP 1: See which privacy law may apply to your situation. There are a number of laws in Canada that relate to privacy rights, and there are various government organizations and agencies responsible for overseeing compliance with these laws. Determining what legislation, if any, applies to your situation is key to finding the help you need. Our Office, for example, can only investigate complaints that relate either to a federal government department or agency governed by the Privacy Act or to a private-sector organization covered by the Personal Information Protection and Electronic Documents Act. If you are not certain what privacy legislation may apply, we encourage you to consult our fact sheet titled Privacy Legislation in Canada for more information.

STEP 2: Speak with the organization that you think has violated the privacy law, about your situation. The Office of the Privacy Commissioner of Canada is an ombudsman who tries to resolve disputes through negotiation, mediation and conciliation. As such, we encourage you to try first to work out any disputes about your personal records directly with the organization involved:

  • If you have determined that your issue falls under the Privacy Act, try to settle the matter with the department or agency that has collected, used or disclosed your personal information.

    Under the Privacy Act, you may wish to exercise your right to see the personal information that the federal government holds about you, and to request corrections to that information. A written request to the institution’s Access to Information and Privacy Co-ordinator should help you gain access to the information you seek.
  • If you have determined that your issue falls under PIPEDA, try to settle the matter directly with the organization about which you are complaining by contacting the person responsible for handling privacy issues within the organization.

    If you are not satisfied with the organization’s response, you may contact the organization’s industry association, ombudsman or complaint office, if there is one. For example, the Canadian Marketing Association and the Ombudsman for Banking Services and Investments handle customers’ complaints about their member companies.

STEP 3: If there has been no resolution with the organization in question, you may want to consider filing a complaint.

If you have been unable to resolve your issue with the organization, and it is subject to either the Privacy Act or PIPEDA, you can choose to file a complaint with our Office. For more information on filing a complaint, we encourage you to see our page on how to file a complaint under PIPEDA or our page on how to file a complaint under the Privacy Act. We do not accept complaints that are e-mailed to us.

Filing a complaint with our Office is free of charge and we are here to assist you throughout the process. There is no need to hire special advisors to help you lodge a complaint with our Office. Our Office strives to find fair and equitable resolutions to complaints.

For more information:

Past Findings by the OPC:

Top of Page Table of ContentsCan I make an anonymous complaint?

The Office does not accept anonymous complaints.

In some cases under PIPEDA, a complainant may wish to rely on the "whistle blowing" provisions to make a complaint. This may be done if the complainant has reasonable grounds to believe that a person has or intends to be in violation of PIPEDA. In this instance, a complainant must still make their complaint via the formal complaint process and they would need to include a request to keep their identity confidential.

The “whistleblowing” provisions protect employees against retaliation by the employers, such as harassment, dismissal or demotion.

Top of Page Table of ContentsI have filed a number of complaints with your Office against the federal government. Will you investigate them all right away?

The Privacy Act gives individuals the right to make and have complaints investigated by our Office. On occasion, we receive multiple complaints from an individual about federal departments and/or agencies.

The Privacy Act provides the Office with the authority to determine the procedures to be followed in the exercise of our powers and functions. So, in cases like this, complainants may be asked to prioritize which of their Privacy Act complaints are of greatest concern to them, so that we can more efficiently manage those complaints and best address immediate concerns.

As you can imagine, a full and fair investigation requires an extensive investment of time and public resources. A disproportionate allotment to any one complainant could result in others being deprived of our limited resources. With this approach, we can better balance the needs of all complainants, ensure that all Canadians have access to our services, and treat complaints in a fair and timely manner.

Please note that while we strive to complete our investigations as quickly as possible, it is not unusual that an investigation may take several months to conclude because of the high volume of Privacy Act complaints currently under investigation. Rest assured however that we take all complaints seriously and that we will deal with them in the most expeditious and fair manner possible.

You can find information about complaints under the Personal Information Protection and Electronic Documents Act (PIPEDA), which covers the collection, use and disclosure of personal information in the course of commercial activities on our website.

Top of Page Table of ContentsIf my complaint is well-founded, will I or could I be awarded damages?

The Privacy Commissioner of Canada currently does not have the power to issue awards or damages for a well-founded complaint.

The Federal Court; however, can impose damages against organizations that violate PIPEDA.

Access to Personal Information

Top of Page Table of ContentsHow do I make a request for my personal information?

Privacy Act

To gain access to your personal information under the Privacy Act, you will need to:

  • Determine which federal agency currently holds your personal information; you can do this by consulting InfoSource, the public directory of federal government agencies.
  • Fill out a Personal Information Request Form. These are available at the same locations as InfoSource.
  • Identify yourself so that the government can be sure it is you, and not someone else, asking for your personal information.
  • Specify the personal information you are seeking. The more precise your request, the faster it can be answered.
  • Send your form to the Privacy Coordinator of the agency you think currently has your information.

For more information on the Privacy Act, you can find explanatory brochures and application forms at public libraries and at Service Canada information centres across Canada. You can also contact Citizenship and Immigration Canada toll-free at 1-888-242-2100.

There is no charge to apply for information under the Privacy Act

PIPEDA

To gain access to your personal information under the Personal Information Protection and Electronic Documents Act, you will need to:

  • Send a written request to the organization holding your personal information. You must provide enough detail to allow the organization to identify the information you want; for example, include dates, account numbers, and the names or positions of people you may have dealt with at the organization.
  • Organizations must provide the information requested within a reasonable time and at minimal or no cost.

For more information:

Fraud and ID Theft

Top of Page Table of ContentsI think I may be a victim of fraud or identity theft. What do I do now?

If you have been a victim of fraud, or concerned you might be, here are a few things that you should do right away:

Call the police: File a police report. Be sure to get a file number and the name of the officer who you are dealing with.

Contact credit card companies and banks: Immediately contact credit card companies, banks, department stores and any other organizations where you have an account to advise them of the theft of your personal information.

Contact other organizations who supply identification: If you have lost your SIN card, contact Service Canada. If you have lost your driver’s license or health card, contact the provincial offices. If you have lost a passport, contact Passport Canada.

Credit bureaus: Contact the Canadian credit bureaus—TransUnion and Equifax—to report the theft and obtain a free copy of your credit report to ensure that no one has been making fraudulent use of your credit cards.

Change your online passwords: If there is any possibility that your online accounts can be accessed with the information included with your identification, be sure to immediately change your online passwords for banking, credit, e-mail and social accounts to avoid them being accessed by anyone but you.

Take notes & follow up with the Canadian Anti-Fraud Centre: Be sure to record all the steps you have taken in order to protect your identity after a theft. This information may serve as proof that your identity has been stolen if there is any fraudulent activity under your name. You should also follow up with the Canadian Anti-Fraud Centre (1-888-495-8501). The CAFC is jointly managed by the RCMP, OPP and the Competition Bureau. They collect information about identity theft and offer advice to victims.

For more information:

Past Findings by the OPC:

Top of Page Table of ContentsWhat can the Privacy Commissioner do in cases of fraud or ID theft?

The Office of the Privacy Commissioner of Canada does not typically investigate cases of fraud relating to ID theft.

We can; however, investigate data breaches, which may lead to personal information being used to commit identity theft. In this way, our Office can identify weaknesses in the systems of a private-sector organization or government department and help it to close gaps and prevent further data breaches.

Top of Page Table of ContentsHow can I avoid becoming a victim of identity theft?

While you can reduce the risk of identity theft by taking precautions with your personal information, it is impossible to avoid it entirely.

The best thing you can do is protect your personal information and be cautious whenever anyone asks you for it. Information such as your address, your Social Insurance Number (SIN), birth certificate, your mother’s maiden name or your electronic passwords can be more valuable to a thief than the money in your wallet.

Sometimes we are too quick to comply—too polite, perhaps—when someone asks for our personal information. Everyone needs to learn to ask questions about why information is being collected, how it will be used and how it will be protected. If you are not comfortable with the answers, you should decline to provide the information.

You should also take steps to verify that people asking for your personal information—particularly over the phone or via e-mail—are actually representing the organizations they say they are.

Fraudsters can use your name, date of birth, address, credit card, SIN, and other personal identification numbers to obtain phoney credit cards and open bank accounts. They can also redirect mail, establish cell phone and other services, rent vehicles, equipment and accommodation, secure employment, and even apply for a mortgage—all while impersonating you.

Here are some ways you can lower the risk of becoming a victim of identity theft:

  • Keep key documents that you don’t need on a regular basis—your birth certificate and SIN card, for example—in a safe place such as a safety deposit box.
  • Don’t give credit card numbers over the phone or online unless you are sure who you are dealing with.
  • Review all credit card and bank statements as soon as they arrive to check for discrepancies.
  • Shred or burn all papers with personal or financial information, including statements, bills, receipts and credit card offers.
  • Immediately report the loss or theft of credit and debit cards and government documents such as SIN cards, birth certificates, driver’s licences, and immigration papers.
  • Educate yourself about online security and privacy measures, including firewalls and virus protection.
  • Be suspicious of e-mails from financial institutions and other organizations asking you to provide personal information online. Reputable firms never ask for personal information in this manner. Look up their telephone number in the directory and call.
  • Never click on any links in the e-mail or cut and paste them into your browser—the link may take you to a fake website.
  • Check your credit report from a credit reporting agency once a year to ensure it is accurate and doesn’t include debts you haven’t incurred.
  • Keep your passwords private and change them often.

For more information:

Past Findings by the OPC:

Social Insurance Number (SIN)

Top of Page Table of ContentsWho can ask for my SIN number?

Your Social Insurance Number (SIN) is a confidential number that is restricted to income reporting purposes. There are a select and limited number of federal government departments and programs specifically authorized to collect the SIN.

The authority to collect and use the SIN is tied to a specific legislated purpose, not necessarily to a particular body. For example, an employer can collect an employee’s SIN to provide them with Records of Employment and T-4 slips for income tax purposes, as can provincial or municipal agencies to report financial assistance payments for income tax purposes.

Institutions from which you earn interest or income, such as banks, credit unions and trust companies, must also ask for your SIN.

If you live in Quebec, Hydro Québec is required by provincial law to collect a SIN for opening new accounts.

You are not required to provide your SIN number to any other private-sector organization or person such as a landlord. There is no law preventing private-sector organizations from asking for the SIN for other purposes, such as identification, but they do need to make people aware that collection of a SIN is optional and not a condition of service.

Our Office recommends that no private-sector organization request the SIN from a customer, and that no customer give the SIN to a private-sector organization, unless the organization is required by law to request it.

Any organization that collects your SIN, whether it operates under PIPEDA or the public-sector Privacy Act, must do so under strict rules to protect your privacy

Legislated uses of the SIN (or legislation that regulates its use) include:

  • Canada Pension Plan, Old Age Security and Employment Insurance contributions or claims (the original purposes for the SIN);
  • Income Tax identification;
  • Banks, trust companies, caisse populaires and stock brokers when they sell you financial products (GICs or Canada Savings Bonds) or services (bank accounts) that generate interest. They declare your interest to Canada Revenue Agency (CRA) for income tax purposes;
  • Various Veterans Affairs benefit programs;
  • Canada Student Loans or Canada Student Financial Assistance;
  • Canada Education Savings Grants;
  • Gasoline and Aviation Gasoline Excise Tax Applications;
  • Canadian Wheat Board Act;
  • Labour Adjustment Benefits Act;
  • Tax Rebate Discounting Regulations;
  • Race Track Supervision Regulations;
  • Garnishment Regulations (Family Orders and Agreements Enforcement Assistance Act);
  • Canada Elections Act;
  • Canadian Labour Standards Regulations (Canada Labour Code);
  • Farm Income Protection.

Programs authorized to use the SIN:

  • Immigration Adjustment Assistance Program;
  • Income and Health Care Programs;
  • Income Tax Appeals and Adverse Decisions;
  • Labour Adjustment Review Board;
  • National Dose Registry for Occupational Exposures to Radiation;
  • Rural and Native Housing Program;
  • Social Assistance and Economic Development Program

For more information:

Past Findings by the OPC:

Companies and the Federal Government Outsourcing Work that Includes Your Personal Information to a Third Party

Top of Page Table of ContentsCan the company I deal with outsource the processing of my personal information to an organization in another country/province/territory? If so, how safe is my personal information?

As a consumer, you should be aware that there is nothing in the Personal Information Protection and Electronic Documents Act (PIPEDA)—Canada’s federal private-sector privacy law—that prevents organizations from outsourcing the processing of data.

However, regardless of where your information is being processed—whether in Canada or in a foreign country—organizations subject to PIPEDA must take all reasonable steps to protect that information from unauthorized uses and disclosures while it is in the hands of the third-party processor. Organizations must also be satisfied that the third party has policies and processes in place, including training for its staff and effective security measures, to ensure that the information in its care is properly safeguarded at all times.

Organizations need to make it plain to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction. They must do this in clear and understandable language. Ideally they should do it at the time the information is collected. Once an informed individual has chosen to do business with a particular company, they do not have an additional right to refuse to have their information transferred.

It’s important to know that when your personal information is in the hands of a third-party service provider operating on foreign soil, it is subject to the laws of that country and no contract can override that. This could mean, for instance, that the organization may be obliged to respond to a subpoena or other mechanism that would give law enforcement officials access to your personal information.

For more information:

Past Findings by the OPC:

Top of Page Table of ContentsCan the federal government outsource the processing of my personal information to another organization, within or outside of Canada?

There is nothing in Privacy Act—the law that covers the personal information-handling practices of federal government departments and agencies—that prevents the outsourcing of data processing. This is largely owing to the fact that the Act came into force 30 years ago and was not designed for the current digital age that allows for the rapid and easy movement of information around the globe. Our Office has repeatedly asked for provisions around the international transfer of personal data to be subject to a more rigorous legal regime.

In light of the increase in trans-border data flows, in 2004 the government of Canada conducted a review of all its outsourcing contracts to determine their level of risk under the USA PATRIOT Act. Of 160 federal institutions, more than 80 per cent rated their contracts as having little or no risk because information is either being processed only by the federal government itself, or by a company operating exclusively in Canada.

Following this review, the Treasury Board of Canada Secretariat (TBS) provided additional guidance on this issue specifically to federal organizations.  The first guidance document they provided was titled Taking Privacy into Account Before Making Contracting Decisions. It specifically refers to privacy concerns related to foreign government access, and also outlines in detail sound technological measures to enhance privacy and security. As a complement to that document, in 2010 TBS released detailed Guidance on Preparing Information Sharing Agreements Involving Personal Information, which also addresses the increased privacy risks attached to trans-border data transfers in detail.

Finally, it is important to note that TBS requires all federal departments and agencies to prepare and publish Privacy Impact Assessments (PIA) for any new or substantially modified programs or activities that use personal information for making decisions that directly affect individuals. Therefore, if an institution were to consider outsourcing some of its functions, it may prepare a PIA that describes the impact on the personal information of Canadians and submit it to the OPC before it implemented the program or service. Our Office would then determine whether the PIA required our review and if so we might provide comments and recommendations to the institution.

For more information:

Landlords and Tenants

Top of Page Table of ContentsWhat information can a prospective landlord ask me for?

In order to make a decision on whether or not to rent a property to you, a prospective landlord may ask for some personal information that will allow them to complete a credit check. A credit check will give the prospective landlord information about your ability to pay the rent and the potential timeliness of your payment. A prospective landlord is required to gain your consent to share your personal information with any third party or organization, such as a credit reporting agency for a credit check.

Information that is required in order to run a credit check is as little as your name, address and date of birth. Although not necessary for a credit check, your driver’s license, passport, employer, income and expenses may be asked for on your rental application which may allow your landlord to obtain a more detailed report from organizations that offer credit checks.

You are not required to provide your SIN number to any private-sector organization or person such as a landlord. There is no law preventing private-sector organizations from asking for a SIN for other purposes, such as identification, but they do need to make people aware that collection of a SIN is optional and not a condition of service.

There is also nothing in the law that limits landlords from asking for your driver’s license or passport. These two forms of identification are unique to you and they contain a significant amount of personal information such as your name, address, picture, some physical descriptions, signature, possibly your year of birth and location; and, gender. Be aware of the reasons behind why someone would be asking you for this information and consult with their privacy policy or privacy officer if you have any questions. 

Sometimes a prospective landlord may only ask to “view” these documents as opposed to copying or writing down the information. This is usually done to verify or confirm the information you have already provided to them and can help to safeguard this sensitive personal information.

Once an organization or landlord has collected any personal information, it takes on new risks and responsibilities under PIPEDA. PIPEDA requires any private organization that collects your personal information to also protect it against unauthorized loss, theft or disclosure.  Because credit bureaus—which are used by many landlords—collect, use and disclose personal information through their consumer credit reports, they are also governed by provincial and federal privacy laws. 

You are entitled to see your personal information that is in the hands of an organization covered by the Act. You are also entitled to challenge the accuracy and completeness of the personal information, and to have it amended as appropriate.

For more information:

Past Findings by the OPC:

Top of Page Table of ContentsCan a landlord ask me for my Social Insurance Number (SIN)?

There is no law preventing private-sector organizations including landlords, from asking for a SIN for purposes such as identification, but you are not required to provide it and they do need to make people aware that collection of a SIN is optional and not a condition of service.

There is also nothing in the law that limits landlords from asking for your driver’s license or passport. These two forms of identification are unique to you and they contain a significant amount of personal information such as your name, address, picture, some physical descriptions, signature, possibly your year of birth and location; and, gender. Be aware of the reasons behind why someone would be asking you for this information and consult with their privacy policy or privacy officer if you have any questions. 

Sometimes a prospective landlord may only ask to “view” these documents as opposed to copying or writing down the information. This is usually done to verify or confirm the information you have already provided to them and can help to safeguard this sensitive personal information.

For more information:

Past Findings by the OPC:

Top of Page Table of ContentsCan a landlord take pictures of my apartment and its contents?

Taking photographs of an individual’s apartment or rental unit is a collection of personal information. The purpose must be identified prior to or at the time of collection, the individual’s knowledge and consent must be obtained, and a reasonable effort must be made to ensure that the individual understands how the information will be used or disclosed.

Past Findings by the OPC:

Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and Privacy

Top of Page Table of ContentsHow can my organization balance our customers’ privacy rights with our reporting requirements for the PCMLTFA?

Some organizations are required to collect information about clients and report it to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) in accordance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). However, these reporting requirements must always be balanced with customers’ privacy rights.

Organizations cannot indiscriminately collect personal information. PIPEDA states that organizations may only collect personal information that is necessary for their specified business purposes or required by legislation. For example, businesses in the financial sector may have “Know Your Customer” obligations that require them to collect specific personal information.

If you are collecting personal information for the purposes of complying with the PCMLTFA, make sure that you understand the legal requirements, and only collect what is required to comply with that Act.

In some situations, you may need to see or even record a customer’s identity document information to fulfill your organization’s legal obligations or for its business purposes. However, do not make a copy of an identity document unless it is required by law or it is needed for a legitimate business purpose. For identification purposes, the Office of the Privacy Commissioner of Canada also recommends that you avoid using a client’s:

  • Health card - The information on health cards should only be collected in limited circumstances, such as when necessary or required by law. In fact, the use of a health card for identity purposes is prohibited or limited in certain jurisdictions; or
  • Social Insurance Number (SIN) - Some private-sector organizations are required by law to request customers’ or employees’ SINs for income-reporting purposes; however, a SIN should not be used for general purposes of identification. FINTRAC also specifically instructs entities not to include SINs on any type of FINTRAC report.

If you are submitting personal information in reports to FINTRAC, it is your responsibility to know the requirements of PCMLTFA and submit only the personal information that is required to comply with that legislation. It is also important to verify that the information you submit is correct and up to date.

More Information:

Past Findings and Audits by the OPC:

Retailers and Your Personal Information

Top of Page Table of ContentsDo I have to give my license, postal code or other personal information to a retailer when making a purchase or return?

Retailers are eager to collect information about you and your spending habits to inform their marketing activities, but before you divulge your personal information, such as your name, address, phone number or postal code, question how this information will be used. You do not have to provide personal information that is not necessary for a transaction, so if you aren’t comfortable with the explanation you are given, you can decline. Also, be aware that stores can only ask for the minimum information necessary to prevent fraud when handling returns, and in most cases they should not be recording particularly sensitive information, such as a driver’s licence number.

If you are unsure about how your personal information is being used or stored by a retailer, ask to see their privacy policy.

In Canada, retail activities are subject to privacy legislation. The federal legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), applies to commercial activities in all provinces, except those which have enacted their own legislation. British Columbia, Alberta and Quebec all have their own privacy legislation covering the retail sector.

For more information:

Past Findings by the OPC:

Telemarketing (The Do-Not-Call List) and Your Personal Information

Top of Page Table of ContentsI registered for the national Do-Not-Call list but I still get calls. Isn’t this a breach of my privacy, and what can I do about it?

If you are still receiving telemarketing calls, this may not be a breach of your privacy. There could be a number of reasons why you are still receiving telemarketing calls after registering for the Do Not Call List.

For more information on who can still call you, please visit the National Do-Not-Call-List website. Also, be sure to check the registration date of your number and sign up again if necessary. Registered numbers on the list expire five years after being added and number will need to be re-registered.

You can also ask individual telemarketers directly to remove your name from their calling list. They are required to do so and may not call you again.

Our Office does not have a direct legislated role to restrict soliciting activities, including direct marketing. Nonetheless, under PIPEDA, organizations involved in a commercial activity must have their customers’ knowledge and consent to disclose personal information for any purpose, including marketing. There are exceptions to this consent requirement, including the collection, use or disclosure of personal information that is publicly available.

For more information:

Statistics Canada

Statistics Canada is responsible for the Census of Population and the Census of Agriculture, as well as for a number of surveys that collect information relating to the activities and conditions of the Canadian population.

Top of Page Table of ContentsDo I have to participate?

Top of Page Table of ContentsHow was I selected?