Introduction: What is privacy?
As technology expands, concerns over the privacy of personal information have grown. Something as simple as an online purchase will give a company information on your name, where you live, and your credit card information. What are your rights around when this information is collected, used, or disclosed?
In general, your personal information should only be gathered, used and disclosed with your knowledge for legitimate purposes. It must also be stored and shared in a way that keeps it confidential.
Privacy rights in Canada are regulated by different acts both Federally and Provincially. This pamphlet will explore what your privacy rights are and where and when different legislation applies. Depending on the specific situation, there are several different pieces of privacy legislation that may apply. The acts discussed in this pamphlet are:
Privacy Act
Personal Information Protection and Electronic Documents Act (“PIPEDA”)
Freedom of Information and Protection of Privacy Act (“FOIP”)
Personal Information Protection Act (“PIPA”)
Health Information Act (“HIA”)
Access to Motor Vehicle Information Regulation (“AMVIR”)
This pamphlet looks at the general types of rights covered under each piece of legislation, but the exact rules under each may vary.
What Is Personal Information?
The goal of privacy legislation is to protect an individual’s personal information. While the definition of personal information varies slightly in each Act, they are similar. The definition from the Privacy Act is typical of what each definition of personal information covers.
“Personal information” is defined in the Privacy Act as “information about an identifiable individual that is recorded in any form”. This information includes:
The individual’s race, national or ethnic origin, colour, religion, age or marital status;
The individual’s education or their medical, criminal or employment history or information relating to financial transactions they have been involved in;
Any identifying number, symbol or other particular assigned to the individual;
The individual’s address, fingerprints or blood type;
The individual’s personal opinions or views except when they are about another individual;
Any correspondence sent to a government institution by the individual that is implicitly or explicitly of a private or confidential nature, and any replies that would reveal the contents of the original correspondence;
The views or opinions of another individual about the individual;
The individual’s name if it would reveal any other personal information.
What are your Privacy Rights Generally?
Despite the differences between the Acts, there are some general categories of rights that individuals have under each one. However, each Act approaches these rights slightly differently. See the specific sections below for some prominent differences, or double check the applicable Act for the specific rules.
To begin with, each Act places obligations regarding the collection of information on the organization or institution collecting it. If possible, the organization should attempt to get the information from the individual directly. Further, information should only be collected when it directly relates to a goal or program of the organization. Generally, the individual should also be notified of the purpose for which their information is being collected.
The Acts also include rules regarding the protection of your information. These rules can include when the organization or institution can disclose your information without consent, and rules regarding the procedures that should be put in place to protect the information an organization has control over.
One of the essential features of each Act is giving individuals the right to access and review the personal information that organizations have on them. Individuals generally have the right to request to either review the information or receive a copy of it. Upon reviewing the information, if the individual thinks that there are mistakes, or there are additions they wish to make, they may request the information be changed. The organization will generally have to either make the change or put a notation on the file that the change was requested and denied.
Finally, each Act sets out a review process which is independent from all of the institutions and organizations covered by the Act. For instance, for FOIP, PIPA and HIA the Office of the Information and Privacy Commissioner of Alberta handles all reviews. The specific powers the reviewing body has are different depending on which legislation applies. In all cases the reviewing body will review refusals to access your information, or refusals to make requested changes. They generally also look into complaints regarding any of the rights provided, as well as breaches of privacy. The exact powers they have to deal with or remedy breaches will vary in each case.
When do these Acts apply?
One situation where privacy rights are a concern involves government bodies and agencies, or government employers. If you are dealing with the federal government then the Privacy Act applies. If you are dealing with the Alberta provincial government then the Freedom of Information and Protection of Privacy Act (“FOIP”) applies.
A second situation involves private businesses, organizations or employers. If the business is federally regulated (such as banks, railroads or mining) then the Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies. Alternatively, when dealing with a provincially regulated business the Personal Information Protection Act (“PIPA”) applies.
In Alberta, health specific privacy information, including employer requests for medical information, is dealt with through the Health Information Act (“HIA”).
Finally, information involving motor vehicles is covered by the Access to Motor Vehicle Information Regulation (“AMVIR”).
It is important to know which legislation you are dealing with, as each covers different types of information, has different rules that must be followed, and allows for different types of remedies.
More information on when the acts apply is below.
COLLECTION, USE AND DISCLOSURE
Each of the Acts sets out rules for collection of information, its use and its disclosure.
Collection
Generally, information may only be collected when it relates directly to an operating program or activity of the institution. When possible, the information should be directly collected from the individual to whom the information relates. The individual should also be told of the purpose that the information is being collected for. Exceptions to these requirements can include: when compliance would result in the collection of inaccurate information; or when it would defeat the purpose for which the information is being collected.
FOIP provides a list of what the individual should be informed about when information is directly collected:
The purpose for which the information is being collected;
The specific legal authority allowing for collection; and
The title, business address and business telephone number of an employee of the public body or organization who can answer questions about the collection.
Use
Generally, information about an individual can only be used with their consent. That said, each Act sets out situations in which information can be used without an individual’s consent. For instance, PIPEDA includes the following situations:
To investigate the contravention of a law;
To act in respect of an emergency threatening the life, health or security of an individual;
Information from a witness statement can be used to settle an insurance claim;
When the person is in a business or employment situation and the use is consistent with the reason for which it was produced;
When the information can be used for scholarly research or study, and the purposes of this research cannot be achieved without this information;
When it is publicly available information;
When it was initially collected without consent, either because it was in the best interests of the individual or because gaining consent would have compromised the information.
Organizations and public bodies that have an individual’s information generally are under an obligation to ensure the information is accurate if it will be used in any way that directly affects the individual. Organizations must also store this personal information for at least one year so that an individual can have the opportunity to access it.
Disclosure
Just like with use, the information an organization or public body has on an individual should generally not be disclosed without their consent. There are exceptions in each Act, however. For instance, PIPEDA includes:
To comply with a subpoena or warrant;
When the request is made by a government organization with lawful authority and purpose;
To investigate the breach of an agreement, contravention of a law, or fraud;
To identify an individual that is injured, sick or deceased;
Information must be given to assist in an emergency that threatens life, security, or health;
Information from a witness statement can be used to settle an insurance claim;
When the person is in a business or employment situation and the use is consistent with the reason for which it was produced;
When the information can be used for scholarly research or study, and the purposes of this research cannot be achieved without this information;
When 100 years have passed since the collection of the information, or 20 years have passed since the death of the person.
The public body or organization should keep a record of all the times an individual’s record was disclosed, which then becomes part of the record.
PROTECTION OF INFORMATION
Organizations and public bodies have an obligation to protect an individual’s information; this includes preventing incorrect or accidental disclosure. The obligation to protect information may include making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or destruction.
ACCESS TO INFORMATION
Access Requests and Requesting Changes to Information
Generally, individuals have the right to access information a public body or organization has on them upon request. Upon accessing the information, individuals have further rights to request a correction be made to make the information accurate, or, if a correction is rejected, to have a notation put on the file outlining the rejected request. Further, individuals generally have the right to have that correction or notation be communicated to any person or body that has recently accessed the information.
Access can be given in different forms. Usually it means that the individual may either physically examine the information or be provided with a copy of the information.
Generally, a response to an access request must be given within 30 days, regarding whether access will be granted. Refusal can occur when either the information does not exist or the refusal is permitted by a specific section of the Act in question. For instance, the institution may refuse to disclose information if it was gathered in an investigation, if it is protected by solicitor-client privilege, or if it could threaten the safety of individuals.
See below for the exact ways to request access to information under each piece of legislation.
APPEALING DECISIONS AND MAKING COMPLAINTS
Individuals whose requests were denied, for access or information changes, have the right to appeal the decision. This is generally done by the Office of the Privacy Commissioner of Canada or the Office of the Privacy Commissioner of Alberta, depending on the specific legislation the appeal falls under.
Further, the Commissioners are also able to investigate complaints. Examples of common complaints include privacy breaches or misuse of information. The Commissioners have broad powers to address or correct the issue, as given by the specific legislation that the complaint is made under.
PRIVACY AND THE GOVERNMENT
The Federal Government
When dealing with the Government of Canada the Privacy Act applies. The Privacy Act only applies to particular government institutions. The full list of institutions can be found in the “Schedule of Government Institutions” in the Privacy Act. The Privacy Act does not apply to political parties or political representatives.
Under the Privacy Act individuals must be Canadian citizens or permanent residents to have a right to access the records a government institution, or government information bank, has on them. Requests to access information should be made in writing to the government institution with control of the information or the personal information bank. A personal information bank is a collection or grouping of personal information that is under the control of a government institution.
Individuals also have a right to have the information provided in either English or French, or in another format to accommodate any disabilities. If the institution fails to provide any of the rights outlined in the Privacy Act, a complaint can be made to the Privacy Commissioner and an investigation may follow. To make a complaint, go to https://www.priv.gc.ca/en/report-a-concern/file-a-formal-privacy-complaint/file-a-complaint-about-a-federal-institution/.
The Provincial Government
The legislation that applies when dealing with the Government of Alberta is the FOIP Act. FOIP applies to any records of personal information in the custody or under the control of provincial public bodies, with some exceptions. These exceptions include documents such as: court files, records under the control of an officer of the legislature or the Ethics Commissioner, and post-secondary teaching materials or research material. For the full list of exceptions see the FOIP Act s 4.
Individuals have a right to information that public bodies have on them, as well as general information the body has, and can request access to it for a fee. For personal information there is no initial fee, but if the photocopying is more than $10 you will be notified of the cost. For general information the initial fee is $25. To request access to the information an individual should provide a request in writing to the public body they believe has the information, requesting either to examine it or receive a copy. In most cases, the public body that receives the request must respond within 30 days. For more information, see: https://www.alberta.ca/freedom-of-information-and-protection-of-privacy
If your access request is denied you can request a review from the Office of the Information and Privacy Commissioner of Alberta. For more information see https://oipc.ab.ca/request-a-review-file-a-complaint/. The Office of the Information and Privacy Commissioner of Alberta will also respond to privacy breaches, and review a public body’s decision to release an individual’s information.
PRIVACY AND PRIVATE BUSINESSES
There are two different types of legislation which apply to private businesses, usually depending on whether they are provincially or federally regulated. Examples of federally regulated industries include: banks, air transportation, telephone companies and radio and television broadcasting. The vast majority of industries are provincially regulated however. If an industry is federally regulated and also considered a “federal work” then PIPEDA applies. Provincially regulated industries fall under PIPA. PIPEDA also applies to all businesses when engaged in interprovincial and international business.
PIPEDA (For Federal Works)
PIPEDA specifically applies to the collection, use or disclosure of personal information in the course of a commercial activity by a federal work. PIPEDA does not cover business contact information that is collected, used and disclosed solely for the purpose of communicating with that person regarding their employment. PIPEDA also does not apply to not for profits and charity groups, or political parties and associations, unless they are engaging in commercial activity outside their mandate.
To access your information you must request access from the organization in writing. There should be no cost, or the cost should be minimal. The organization may choose to either give you a copy of the information, or to merely give you access to it.
To file a complaint regarding how an organization has collected, used or disclosed your information go to: https://www.priv.gc.ca/en/report-a-concern/file-a-formal-privacy-complaint/file-a-complaint-about-a-business/
PIPA (For Provincially Regulated Private Companies)
PIPA applies to private organizations under provincial jurisdiction, as well as the commercial activities of nonprofits. Organizations under PIPA must develop and follow policies that meet their obligations under the Act.
To access your information you must request access from the organization in writing. The organization has a duty to assist you in your application. The organization may choose to either give you a copy of the information, or to merely give you access to it. The organization may charge a reasonable fee for providing access.
If you need help with your request contact the FOIP/PIPA help desk by filling out the online form here: https://www.alberta.ca/contact-the-foip-pipa-help-desk, or leave a voicemail with the FOIP/PIPA helpdesk at 780-427-5848.
PRIVACY AND YOUR EMPLOYER
There are unique rules that apply to employers when collecting, using and disclosing personal information. The below rules are based on PIPA but PIPEDA will also apply in some situations and has some differences.
PIPA defines “personal employee information” differently than “personal information”. Personal employee information is any information reasonably required to establish, manage or terminate an employment or volunteer relationship. This includes managing a post-employment or volunteer relationship. Employment also includes students, volunteers, agents, apprentices, officers and partners.
Accessing personal employee information is generally the same as accessing any other information under PIPA except that the organization may not request a fee for access to personal employee information.
Collection, Use and Disclosure of Personal Employee Information
Personal employee information may be collected, used or disclosed without consent if it is solely to establish, manage or terminate an employment or volunteer relationship, or to manage a post-employment or post-volunteer relationship. The purpose of the collection must be reasonable, and current employees should be notified that information is going to be collected and the reasons for the collection.
There is additionally one other situation where personal employee information can be disclosed. Organizations may disclose information of current or former employees if the disclosure is to a potential or current employer. In this situation the information must have been collected as personal employee information and the disclosure must be reasonable for helping that employer determine whether the employee is suitable for a position with the employer, i.e. an employer can disclose reasonable employee information when giving a reference to a potential new employer.
Employer Surveillance
The courts have created a test to determine when surveillance of the workplace is justified. Under PIPA s 15(1) “An organization may collect personal employee information about an individual without the consent of the individual if (b) it is reasonable to collect the information for the particular purpose for which it is being collected”.
The key here is determining what reasonable means. To determine if the purpose is reasonable the courts look at three factors:
Are there legitimate issues that the organization needs to address through surveillance?
Is surveillance likely to be effective in addressing these issues?
Was the surveillance conducted in a reasonable manner?
This test applies no matter which privacy legislation is being used.
Under PIPA specifically, the employer must also have informed the employee in advance that collection of their personal information would occur, and the reason for this collection.
OTHER AREAS OF PRIVACY LAW
Health
The Health Information Act (“HIA”) applies to health information in Alberta, rather than PIPA or PIPEDA. It applies to information held by Alberta Health, Alberta Health Services, Covenant Health, physicians, pharmacists, registered nurses and dentists. These people and organizations are known as custodians in the Act. HIA’s goal is to protect personal information while still allowing for the information sharing required to provide health services.
Individuals may request access to their health information from the custodian in control of it. The custodian may require the request to be in writing using either a general form or one they provide. Much of your personal health information should be accessible to you online via the MyHealth Records service managed by AHS. You should also be able to get access to your information by directly contacting your healthcare provider, such as your physician or pharmacist. Further options can be found here: https://www.alberta.ca/access-your-health-information. A $25 fee may be charged for requesting access. As with the other privacy acts, you may request a change be made to the information, and if your request is denied you may request a statement of disagreement be attached to the record, explaining why you think the information is incorrect.
The collection and use of the information generally needs to be for providing a health-related service. To disclose your information, the custodian usually must get your written consent. Exceptions however include disclosure to:
another custodian, for the purpose of providing an individual with health services;
any person, if the custodian reasonably believes disclosure will prevent the risk of harm to the health or safety of a minor, or an imminent danger to any person;
the police, if the information relates to a possible criminal offence and disclosure will protect the health and safety of Albertans.
To make a complaint regarding the collection, use or disclosure of an individual’s health information, or any decision by a custodian under the HIA, go to https://oipc.ab.ca/request-a-review-file-a-complaint/.
Employers and Health Information
Employers have restricted rights regarding what health information they can request from an employee. Employers may only request information necessary to determine whether an employee can perform certain duties, or whether they need certain accommodation for medical disabilities. As situations become more serious, the employer will be allowed to request more information. For instance, infrequent, short medical absences allow employers to ask for very little medical information, while long absences allow them to ask for more. The amount of information required will depend on the facts of each specific case.
Generally, employers are not entitled to diagnosis or past medical information. Employers usually can ask about the length of absence or disability, whether it will be temporary or permanent, and any work restrictions resulting from the medical issue.
Motor Vehicles
To access any motor vehicle information that includes personal information, a request must be made complying with the Access to Motor Vehicle Information Regulation. Generally, the individual must provide their consent in writing for the information to be released. There is a list of exceptions, however, including: law enforcement, private investigation companies and the Insurance Crime Prevention Bureau.
There are also special rules regarding when a driver’s abstract may be released. The abstract will be for a three-year period preceding the request, or it may be longer upon request. Driver’s abstracts may be released to:
Insurers selling insurance;
The Alberta Transportation Safety Board for reviews of an individual’s driving ability;
Peace officers;
Officers and Registrars who need the information to do their job;
Employers or prospective employers with written authorization from the individual;
Parents or guardians if their signature is required to be on the individual’s license;
Lawyers of the individual with their written authorization.
In some situations the Registrar may require either oral, written or electronic consent to receive the abstract.
To make a request to access Motor Vehicle Information visit: https://www.alberta.ca/motor-vehicle-information
Where can I get help or more information?
FOIP/PIPA Help Desk
Web: www.alberta.ca/contact-the-foip-pipa-help-desk
Ph: 780-427-5848
The FOIP/PIPA Help Desk provides information to organizations needing guidance and information regarding FOIP and PIPA. For questions about your own personal information contact a FOIP Coordinator at the relevant public body using the form available on the above website, or leave a message at the phone number provided.
Office of the Information and Privacy Commissioner of Alberta
#410, 9925 - 109 Street, Edmonton, Alberta, T5K 2J8
Web: https://www.oipc.ab.ca/
Ph: 780-422-6860
Toll Free: 1-888-878-4044
The Office of the Information and Privacy Commissioner of Alberta deals with PIPA, FOIP and HIA. The Office will look into complaints regarding an organization or public body failing to provide someone with their rights under these acts. They also provide guidance on how to make access and correction requests and they review decisions made as a result of these requests.
Office of the Information and Privacy Commissioner of Canada
30, Victoria Street, Gatineau, Quebec K1A 1H3
Web: https://www.priv.gc.ca/en
Toll Free: 1-800-282-1376
The Office of the Information and Privacy Commissioner of Canada deals with the Privacy Act and PIPEDA. It will investigate complaints under either of these acts, as well as provide guidance on how to make access and correction requests. It will also review decisions on requests by the federal government or federal works.
Data Access and Contract Management Unit (“DACMU”)
Service Alberta, Registry Services, 3rd Floor John E. Brownlee Building, 10365 - 97 Street, Edmonton, AB T5J 3W7
Web: www.alberta.ca/motor-vehicle-information
DACMU handles AMVIR applications. They review the application and inform individuals if more information is required.
Lawyer Directory
Web: https://lsa.memberpro.net/main/body.cfm
Visit the Lawyer Directory to find a lawyer who can help with your issue. You can search by name if you have a specific lawyer in mind, or use the Advanced Search feature to find a practising lawyer in your area. Click on any of the Advanced Search Options to open a drop down menu. Under Practising Status, select “Practising” and under City/Town, select the city or town closest to you. You can narrow your search by Company, Gender, Languages Spoken, and/or Practice Area. Practice Area refers to the type of law each lawyer specializes in.
The Law Society of Alberta’s website includes a How-To Guide, descriptions of practice areas, and other tips for using the Lawyer Directory.
HIA Help Desk
Ph: 310-0000 (toll free) then 780-427-8089
Web: www.albertanetcare.ca/GetYourEHR.htm
Email: HIAHelpDesk@gov.ab.ca
The HIA help desk can provide information on your rights under the HIA, and also assist you in getting access to your medical records under the HIA. Some information can be provided free of charge, and for other information there might be a small charge.