Understanding Canadian cybersecurity laws: Privacy and access to information, the Acts (Article 2)


The Privacy Act and the Access to Information Act were both implemented by the Canadian federal government in 1985 and have acted as a starting point for more recent legislation and privacy laws, including those pertaining to the cyber sector. These Acts work together to provide a legislative framework for personal data collection, use, retention, disclosure, and individual access within the federal public sector. The Privacy Act regulates governmental bodies’ collection of and access to the information of individuals; the Access to Information Act provides a method for individuals to access their own personal information as held by those governmental bodies. Our collective national journey into the realm of cybersecurity law begins with these two Acts, which set a basis for future governmental legislation regarding privacy and data access in Canada.





The Privacy Act (R.S.C., 1985, c. P-21)

The Privacy Act is the legal framework governing personal information in the federal public sector. It explains how personal information must be protected in the relationships between individuals and the federal government. It applies to the Government’s collection, use and disclosure of personal information in the course of providing services, and to an individual’s right to access and correct any personal information that the Government of Canada holds about them.

The Privacy Act applies to federal government institutions and the services they deliver, such as pensions, employment insurance, border security, tax collection and refunds, federal policing, and public safety. In essence, it applies to all of the personal information that the federal government collects, uses, and discloses. The Privacy Act does not, however, apply to political parties or political representatives and their collection, use and disclosure of information. That said, if you have ever paid tax, travelled outside of Canada, held a job, been assigned a social insurance number, or given any personal information to a governmental organization, then this Act applies to you.

Access to Information Act (R.S.C., 1985, c. A-1)

“The purpose of this Act is to enhance the accountability and transparency of federal institutions in order to promote an open and democratic society and to enable public debate on the conduct of those institutions.”

The fundamental key to the Access to Information Act is the “right of access”. This is overseen by the Information Commissioner of Canada.

Governmental Application of the Privacy Act

The Privacy Act applies to the government’s collection, use, disclosure, retention or disposal of personal information in the course of providing public services such as old age security benefits, employment insurance, tax collection and refunds, border security, federal policing, and public safety across the country. It applies to all 150 federal government institutions listed under Schedule 3 of the Privacy Act, as well as to Crown corporations. Some examples of government institutions falling under Schedule 3 are the:

  • Canada Border Services Agency (CBSA)
  • Canada Revenue Agency (CRA)
  • Canadian Radio-television and Telecommunications Commission (CRTC)
  • Department of Employment and Social Development
  • Department of Justice (DOJ)
  • Department of National Defence (DND)
  • Immigration and Refugee Board
  • National Research Council of Canada (NRCC)
  • Parks Canada Agency
  • Public Health Agency of Canada
  • Royal Canadian Mounted Police (RCMP)
  • Statistics Canada

It is noteworthy that the Privacy Act does not, in fact, apply to information collected, used, and retained by political parties, political representatives (e.g. members of Parliament and senators), courts, and private sector organizations. While the Privacy Act applies only to federal governmental institutions, all provinces and territories within Canada also have their own specific laws governing privacy within their public sectors.

The Privacy Act defines “personal information” as any recorded information about an identifiable individual including, but not limited to:

  • race, national or ethnic origin, colour, religion, age or marital status
  • education, medical, criminal or employment history of an individual or information about financial transactions
  • any assigned identifying number or symbol
  • address, fingerprints or blood type
  • personal opinions or views except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual by a government institution
  • private or confidential correspondence sent to a government institution
  • the views or opinions of another individual about the individual
  • the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual by an institution
  • the name of the individual where it appears with other related personal information and where the disclosure of the name itself would reveal information about the individual

For certain provisions of the Privacy Act, the definition of “personal information” does not extend to include:

  • certain professional information about an individual who is or was an officer or employee of the federal government
  • certain professional information about an individual who is or was performing services under contract for a government institution that relates to the services performed
  • certain information relating to any discretionary financial benefit, including the granting of licences or permits to an individual
  • information about an individual who has been dead for more than 20 years

Information that is not considered to be protected personal information under the Privacy Act is therefore not covered by the provisions of the Act.

Purpose and method of data collection

Before collecting any personal information about individuals, an institution or organization must assess the purpose for collecting this information, the reasoning behind it, and whether this information is actually necessary to achieve that purpose. That purpose must also be appropriate in the circumstances.

When it comes to federal institutions, Section 6 of the Privacy Act provides that “personal information that has been used by a government institution for an administrative purpose shall be retained by the institution for such period of time after it is so used as may be prescribed by regulation in order to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to the information.” Moreover, an institution “shall dispose of personal information under the control of the institution in accordance with the regulations and in accordance with any directives or guidelines issued by the designated minister in relation to the disposal of that information.”

The Office of the Privacy Commissioner of Canada (OPC) has developed the necessary directives and guidelines to assist government institutions and organizations in developing and implementing retention and disposal practices related to the handling of collected personal information. It is strongly recommended that institutions adopt these guidelines, with any adjustments appropriate to their specific situation.

As an example, a government institution can only collect your personal information if it directly relates to the operation of one of its programs or activities. A government institution must collect this personal information directly from you whenever possible unless you authorize otherwise, or it is one of the situations specifically mentioned in the Privacy Act that allows for a government institution to disclose your personal information to another institution. Those specific situations are given under section 8(2) of the Act. Some scenarios where it may be appropriate for a government institution to disclose such information are…

  • “for the purpose of complying with a subpoena or warrant issued or order made by a court, person or body with jurisdiction to compel the production of information…” (s.8(2)(c))
  • “to an investigative body specified in the regulations, on the written request of the body, for the purpose of enforcing any law of Canada or a province or carrying out a lawful investigation…” (s.8(2)(e))
  • “to officers or employees of the institution for internal audit purposes…” (s.8(2)(h))
  • “to any person or body for research or statistical purposes…” (s.8(2)(j))
  • “to any government institution for the purpose of locating an individual in order to collect a debt owing to… Canada…” (s.8(2)(l))

A government institution must normally inform you about why the information is being collected unless informing you about why it is being collected might “result in the collection of inaccurate information [or] defeat the purpose for which the information was being collected or prejudice its use.” An example of this would be if an individual were facing a criminal investigation and the disclosure of why the information is being collected may defeat the purpose of the collection or provide inaccurate information.

The institution or organization should also refrain from collecting more personal information than is necessary to fulfill the specific identified purpose. Moreover, “once the purpose for which the information was being collected has been fulfilled, the personal information should be disposed of unless it is otherwise required to be retained by law.”

Governmental use, accuracy, and retention of individual personal data

The OPC also provides guidelines that are intended to assist organizations in the responsible retention and disposal of personal information.

Unless you consent to other uses, the government may only use the collected personal information for the specific purpose for which it was collected or a use consistent with that specific purpose, or for other specifically identified purposes listed in the Privacy Act under section 7(b) and section 8(2), some of which were already listed above.

The guidelines given by the OPC indicate that a government institution “must take all reasonable steps to ensure that the personal information it uses about you is accurate, up-to-date and complete as possible”.

Relating to retention and disposal of collected personal information, the OPC requires that personal information that has been used by a government institution for an administrative purpose must be retained for at least two years unless you consent to its disposal. Further, if you make a request for access to the information, it must be retained until you have the opportunity to exercise all your rights under the Act.

Disclosure of information and individual right to access

All Canadian citizens and permanent residents may access any personal information about themselves that is held under the control of a federal institution.

To request access, you must make a written request to the federal institution that holds your personal information. The request must provide enough specifics about the information so that it is reasonably retrievable. Such specifics could include the related government program and date the information was collected. An example of this could be an employment insurance claim dated from 2018.

There is no charge to request access to your personal records in Canada. Ordinarily, the institution has 30 days to respond to requests for access. However, this deadline can be extended in limited and specific circumstances: when meeting the original deadline would unreasonably interfere with the operations of the government institution, when consultations required to comply with the request cannot reasonably be completed within the original deadline, or when time is required for translation or to convert the information into an alternative format.

Once the institution grants you access to your personal information, you can check that it is accurate and complete. If it is not accurate and complete, you can then send a “Record Correction Request Form” to the institution to ask that the corrections, additions and/or deletions be made to the information.

Denial of right to access individual data under the Access to Information Act

Government institutions may deny access to your personal information in some specific cases. Some examples include instances where disclosure of the information could “harm federal-provincial or international affairs or the defence of Canada”, if the personal information “was obtained or prepared by an investigative body specified in the regulations”, if the disclosure of the information “could reasonably be expected to threaten the safety of individuals”, if the information in question is “subject to solicitor-client privilege”, or when the personal information “relates to your physical or mental health, where the examination of the information would be contrary to your best interests”.

Governmental Compliance with the Acts

The Office of the Privacy Commissioner of Canada (OPC) oversees compliance with the Privacy Act and the Access to Information Act.

Canadians can submit complaints about any issue described in section 29 of the Privacy Act directly to the Office of the Privacy Commissioner. These issues can include, but are not limited to, being denied access to your own personal information, receiving personal information that is not provided in the requested official language, or experiencing extensive delays in receiving the requested information. In other instances, the Privacy Commissioner may also personally initiate a complaint against a federal institution or organization covered by the Act.

Application in the Common Law: H.J. Heinz Co. of Canada Ltd. v. Canada (AG)

The line between the right to access and the right to privacy is a fragile one. We can see this illustrated in the case of H.J. Heinz Co. of Canada Ltd. v. Canada (AG), which addressed the question of whether a third party can object to the disclosure of information requested under the Access to Information Act on the basis that it would disclose personal information about another individual, thus interfering with that other individual’s own right to privacy.

Here’s what happened.

In June 2000, the Canadian Food Inspection Agency (CFIA) received a request for records pertaining to H.J. Heinz Co. (Heinz) under the Access to Information Act. The CFIA determined that some of those records may contain confidential business or scientific information and gave notice to Heinz of the request. Heinz made submissions about why the records should not be disclosed, as the records contained personal information pertaining to individuals. The Attorney General argued that the individuals whose personal information would be disclosed could file complaints later under the Privacy Act and challenge the disclosure in that fashion, which would be long after the privacy breach. This decision was appealed and finally made its way to the Supreme Court of Canada in 2006.

At the Supreme Court of Canada, it was decided that Heinz had the right to object to the disclosure of records on the basis of other individuals’ personal information. It was also pointed out that it was much more convenient and expeditious for Heinz to be permitted to make those arguments in one appeal, as opposed to requiring each affected individual to file a separate complaint with the Privacy Commissioner or their own separate application for judicial review, both “after-the-fact”.

In this case, the Court confirmed that “the right to privacy is paramount over the right of access to information, except as prescribed in the legislation.” That is to say that, subject to certain very limited and specific circumstances which are spelled out in the Privacy Act, one’s right to privacy trumps another’s right of access to government information.

In the end, the Federal Court found that several records did indeed contain personal information and ordered that they be redacted accordingly. The Attorney General did not challenge that finding in the appeal to the Supreme Court of Canada, so the records were redacted to remove the personal information in question.

To put it very simply, in the application of these laws, Privacy Act > Access to Information Act when it comes to accessing information which could compromise the privacy of individuals outside the scope of the Access to Information request.


Together, the Privacy Act and the Access to Information Act from 1985 have provided a foundation for Canadian privacy law within governmental institutions, as was necessary at the time. Since 1985, there have been a number of revisions and additions made to these Acts, and new legislation has also been created and added to govern data collection, use, access, etc. in the private sphere, electronically, and between individuals. Now that we have entered a new era of rapidly changing technological advances, an increased threat of cybersecurity breaches, more reported instances of cybercrime, and the development of cyberwarfare, it has become necessary to again examine and renew our federal legislation.

In our next article in this series, we will examine the development of federal laws which have been established since the implementation of the Privacy Act and Access to Information Act.

Melissa Lukings and Arash Habibi Lashkari
Melissa Lukings is a senior JD student in the Faculty of Law at the University of New Brunswick (UNB) and former graduate of Memorial University of Newfoundland (MUN) holding a BA in Linguistics. She has a particular interest in cybersecurity and privacy law, criminal law, and grassroots community organizations, specifically those focusing on equality and inclusion, human rights, violence prevention, harm reduction, and/or relating to equal and equitable access to justice.

Dr. Arash Habibi Lashkari is a senior member of the IEEE and an Associate Professor in Cybersecurity at York University. Prior to this, he was an Associate Professor at the Faculty of Computer Science, University of New Brunswick (UNB), and research coordinator of the Canadian Institute for Cybersecurity (CIC). He has over 23 years of academic and industry experience. He has received 15 awards at international computer security competitions, including three gold awards, and was recognized as one of Canada’s Top 150 Researchers for 2017. He also is the author of ten published books and more than 100 academic articles on a variety of cybersecurity-related topics. In 2020, he was recognized with the prestigious Teaching Innovation Award for his personally-created teaching methodology, the Think-Que-Cussion Method. He is the author of 12 published books and more than 100 academic papers on various cybersecurity-related topics. He is the founder of the Understanding Cybersecurity Series (UCS), an ongoing research and development project culminating with a varied collection of online articles and blogs, published books, open-source packages, and datasets tailored for researchers and readers at all levels. His first two books in this series are entitled "Understanding Cybersecurity Management in FinTech - Challenges, Strategies, and Trends" and "Understanding Cybersecurity Law and Digital Privacy - A Common Law Perspective," published by Springer in 2021. The first online blog series of UCS, entitled "Understanding Canadian Cybersecurity Laws", was recognized with a Gold Medal at the 2020 Canadian Online Publishing Awards (COPA). His research focuses on cyber threat modeling and detection, malware analysis, big data security, internet traffic analysis, and cybersecurity dataset generation.
