Following 9/11, US government quickly moved to put in place legislation which would allow the government and security officials quick and limitless access into data banks containing personal information with the intent of being able to identify terrorists. This act is known as the Patriot Act. In Canada, there is an act known as PIPEDA, (Personal Information Protection and Electronic Documents Act) which governs the collection, use or disclosure of personal information collected through commercial activity.

What many Canadians may not be aware of is that many of the data banks that are used to store personal Canadian information ranging from financial to health data is kept in data banks in the US, where the Patriot Act takes precedent over the Canadian privacy act PIPEDA.

Some pieces of information such as a phone number or address are inconsequential, as they already appear in many easy to access directories, but there are pieces of information that you may wish to keep private for good reason. Many serious and detrimental consequences can occur from the illicit use of personal information. Identity theft, health information leaked, financial disclosures are some examples of information that Canadians are concerned about keeping secure and private.

PIPEDA is based on balancing individuals' right to the privacy of personal information with the need of organizations to collect, use, or disclose personal information for legitimate business purposes. The Act also established the Privacy Commissioner of Canada as the ombudsman for privacy complaints.

PIPEDA applies to the Canadian private sector/organizations who collect, use or disclose personal information in the course of commercial activities.

This Act is divided into five parts. Part One outlines the ground rules for managing personal information in the private sector. Parts Two through Five concern the use of electronic documents and signatures as legal alternatives to original documents and signatures.

PIPEDA is a consent-based Act, meaning that you must have consent to collect, use or disclose information. The Privacy Act is authority-based, meaning that you must ensure that you have the legal authority to collect, use or disclose information.

The Act is being released in a series of stages, each corresponding with what the Act will cover in terms of personal information. Stage One began in January, 2001. Stage Two began January 1, 2002 and the final stage occurs on January 1, 2004.

Stage One: January 1, 2001
  • Personal information (except personal health information) collected, used or disclosed in the course of commercial activities by federal works, undertakings and businesses (includes, but is not limited to, federally-regulated organizations such as banks, telecommunications and transportation companies).
  • The collection, use or disclosure of personal information by these same organizations about their employees.
  • Disclosures of information for consideration across provincial or national borders, by organizations such as credit reporting agencies or organizations that lease, sell or exchange mailing lists or other personal information.
  • Covers all business and organizations engaged in commercial activity in the Yukon, Northwest Territories and Nunavut.
Stage Two: January 1, 2002
  • Personal health information. This includes information on: an individuals mental or physical health; a persons health services; and, tests and examinations.
Stage Three: January 1, 2004
  • Will extend to the collection, use or disclosure of personal information in the course of any commercial activity within a province. Organizations operating in provinces that have adopted substantially similar (definition listed below) privacy legislation may be exempt from this.
  • Quebec is the only province to date that has substantially similar privacy legislation.
  • Will also apply to all personal information in all interprovincial and international transactions subject to the Act in the course of their commercial activity
PIPEDA in a Nutshell

Under PIPEDA, personal information must be:

  • collected with consent and for a reasonable purpose.
  • Used and disclosed for the limited purpose for which it was collected.
  • Accurate.
  • Accessible for inspection and correction.
  • Stored securely.

Ready to start? Go ahead and request a free quote


We offer professional medical transcription and EMR integration services.