Can't donate to charity?
Volunteer computer time
or Support SETI!
R&D Sponsorship Center
May 2004

Home Page
Feature Archive
A&I Column Archive
Production Tools
State Marketing Data
US Marketing Data
World Marketing
Service Directory
Quality Assurance
3D Printing

Subscribe to Advertising & Marketing Review!
Contact Ken Custer at 303-277-9840.




The new Canadian privacy legislation will force U.S. companies that exchange personal information with their Canadian subsidiaries or with Canadian firms to implement policies and procedures to protect that information, in accordance with the 10 principles set out in the law. U.S. companies should note that the law does not contain a grandfather clause, which means that as soon as the law comes into effect, consent to use all personal information that has been collected in the course of business in Canada must be in place.


Part 1 of Canada's "Personal Information Protection and Electronic Documents Act," which sets out the rules for the management of personal information in the private sector, comes into force in three phases, beginning on January 1, 2001. By the time the third phase is implemented, the Act will affect all organizations that collect, use, or disclose personal information in the course of commercial activity in Canada and will also apply to the interprovincial and international transactions of such information. This means that the law applies to U.S. companies that obtain or have obtained personal information from their Canadian subsidiaries or from other firms in Canada.

The key aspects of this legislation that U.S. companies holding personal information collected in Canada must be aware of are:
    1. Personal information can only be used for the purposes for which it was collected and for which consent to use the information was obtained. If an organization is going to use the information for another purpose, consent must be obtained again.
    2. Individuals have the right to access personal information held by an organization and to challenge its accuracy, if necessary.


According to the Act, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
  • age, name, ID numbers, income, ethnic origin, or blood type
  • opinions, evaluations, comments, social status, or disciplinary actions
  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)

Personal information does not include the name, title, business address or telephone number of an employee of an organization.


The Act is being implemented in three stages, as described below.

January 1, 2001

At this stage the Act applies to the following:
  • Personal information (except personal health information) that is collected, used or disclosed in the course of commercial activities by federal works, undertakings and businesses and personal information that is collected, used or disclosed by these same organizations about their employees. Federal work, undertaking or business is defined as "any work, undertaking or business that is under the legislative authority of Parliament." Some examples include:
      • inter-provincial or international transportation by land and water
      • airports, aircraft or airlines
      • telecommunications
      • radio and television broadcasting
      • banks
      • grain elevators
      • nuclear facilities
      • offshore drilling operations.
  • Disclosures or personal information for consideration across provincial or national borders, by organizations such as credit reporting agencies or organizations that lease, sell or exchange mailing lists or other persona information.

January 1, 2002

At this stage, the Act also applies to personal health information collected, used, or disclosed by federal works, undertakings and businesses.

January 1, 2004

At this date, the Act extends to the collection, use or disclosure of personal information in the course of any commercial activity within a province and to all personal information in all interprovincial and international transactions by all organizations that are subject to the Act in the course of their commercial activities.


Schedule 1 of the "Personal Information Protection and Electronic Documents Act" sets out 10 principles that organizations must comply with. This section of the report names and summarizes each of these 10 principles. To view the full detail of each of these principles in the law, go to:
Click here

1. Accountability
      Each organization is responsible for the personal information under its control and must designate an individual or individuals who are accountable for the organization's compliance with the 10 principles of the code. The identity of the responsible individual must be provided when requested. Organizations are responsible for all personal information in their possession, including information that has been transferred to a third party for processing, i.e. the organization must ensure that the third party provides a comparable level of protection.

      Organizations must implement policies and practices to comply with these 10 principles, including:

      (a) implementing procedures to protect personal information;
      (b) establishing procedures to receive and respond to complaints and inquiries;
          (c) training staff and communicating to staff information about the organization's policies and practices; and
      (d) developing information to explain the organization's policies and procedures.
2. Identifying Purposes
      Before collecting any personal information, the organization must define what purpose the information will serve and document the purpose. By defining the purpose, the organization can determine exactly what information is required to fulfill that purpose. The purpose should be communicated to the individual whose information the organization is collecting, either before or at the time of the collection. For example, an application form requesting information from an individual should contain a section explaining the purposes for collecting the information. If the organization later decides to use the information for a purpose other than those disclosed at or before the time of collection, the consent of the individual is required before the information can be used for that purpose.
3. Consent
      The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate (see * for an explanation of circumstances where consent is not required). To make consent meaningful, the purpose for collecting the information must be stated in such a manner that the individual can reasonably understand how the information will be used. An organization is not allowed to require an individual to consent to the collection, use, or disclosure of information that is not required to fulfill the explicitly specified and legitimate purposes.

      FORM OF CONSENT: Depending on the circumstances and type of information, the form of consent required may vary. Organizations should take into consideration the sensitivity of the information when determining the form of consent to use. Some information is always considered sensitive, for example, medical records and income records. However, any information can be sensitive, depending on the context. An example given in the Act is that while the names and addresses of subscribers to a news magazine would not be considered sensitive, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.
        There are three forms of consent. The type of consent used depends on the circumstances and the sensitivity of the information. Organizations should consider what the individual would consider reasonable under the circumstances when determining which type of consent to obtain.
            (a) Implied Consent - e.g. information obtained from a consumer who subscribes to a magazine could be used to contact that person regarding a renewal.

            (b) Negative Consent - e.g. giving consumers the option to check off a box to request that their personal information not be given to other organizations or that they not be contacted about other offers of interest.

            (c) Express or Positive Consent - e.g. individuals must specifically give companies the right to use their personal data. This type of consent is generally used when the data would be considered especially sensitive (e.g. health or financial information).
        * Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information.

    4. Limiting Collection
        The amount and type of personal information collected must be limited to that which is necessary for the purposes identified by the organization. Organizations should specify the type of information collected as part of their information handling policies and practices. Information may only be collected through fair and lawful means and consent may not be obtained through deception.

    5. Limiting Use, Disclosure, and Retention
        Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual, or as required by law. Personal information should only be retained as long as is necessary to fulfill the purposes for which it was collected. Organizations should develop guidelines and procedures regarding the retention of personal information, which should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual must be retained long enough to allow the individual access to the information after the decision has been made. When personal information is no longer needed to fulfill the purpose for which it was collected, it should be destroyed, erased, or made anonymous.

    6. Accuracy
        Personal information must be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. Personal information should be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual. An organization should not routinely update personal information, unless such a process is necessary to fulfill the purposes for which the information was collected. Information that is used on an ongoing basis should be accurate and up-to-date.

    7. Safeguards
        Personal information must be protected by security safeguards that are appropriate to the sensitivity of the information, in order to avoid loss or theft, as well as unauthorized access, disclosure, copying or modification. The more sensitive the information, the higher the necessary level of protection. Organizations must make their employees aware of the importance of maintaining the confidentiality of personal information. Methods of protecting personal information include:
          (a) physical measures, e.g., locked filing cabinets and restricted access to offices;

          (b) organizational measures, e.g., security clearances and limiting access on a "need-to-know" basis;

          (c) technological measures, e.g., the use of passwords and encryption.
    8. Openness
        An organization must make information about its policies and practices relating to the management of personal information readily available to individuals who request it. The information made available must include:
            (a) the name, title, and address of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded;

            (b) the means of gaining access to personal information held by the organization;

            (c) a description of the type of personal information held by the organization, including a general account of its use;

            (d) a copy of any brochures or other information that explain the organization's policies, standards, or codes; and

            (e) what personal information is made available to related organizations (e.g. subsidiaries).
        There are many ways that an organization can choose to make this information available, for example, mailing information to its customers, posting the policies on the company website, establishing a toll-free telephone number (Note to U.S. businesses: if you establish a toll-free telephone number to fulfill this requirement, check with your phone company to ensure that it is accessible from Canada).

    9. Individual Access
        If requested, an individual must be informed of the existence, use, and disclosure of his or her personal information and must be given access to that information. An individual must be given the opportunity to challenge the accuracy and completeness of the information and have it amended as appropriate. Organizations are encouraged to also state the source of the information. In addition, organizations must provide information on how the personal information has been or is being used, as well as a list of third parties to which the information has been disclosed. Organizations must respond to requests for access to information within a reasonable time and at little or no cost to the individual. It must also be provided in an understandable format (e.g. if the organization uses abbreviations or codes, the individual should be provided with an explanation of those codes). If an individual can show that the information is incomplete or inaccurate, the organization must amend the information. When appropriate, the amended information must also be transmitted to third parties that have access to the information in question.

        Note: In some situations an organization can deny an individual access to some of the information it holds on that person. Exceptions to the access requirements must be limited and specific. Some examples of situations where access could be denied are that the information is prohibitively costly to provide, the information contains references to other individuals, it cannot be disclosed for legal, security, or commercial proprietary reasons.

    10. Challenging Compliance
        Individuals have the right to challenge an organization's practices by addressing the individual accountable for the organization's compliance. Organizations must put into place procedures and policies to deal with and respond to complaints and inquiries about their policies and practices related to the protection of personal information. These procedures must be easy to use and individuals should be informed of these procedures when they make an inquiry or lodge a complaint. All complaints must be investigated and if a complaint is found to be justified, the organization must amend its practices accordingly.


    The Privacy Commissioner of Canada ( is responsible for ensuring compliance with the Act. There are five methods that the Privacy Commissioner to ensure compliance:
        1. Investigating complaints
        2. Mediating and conciliating complaints
        3. Auditing personal information management practices
        4. Publicly reporting abuses
        5. Seeking remedies in court

    The Commissioner can begin an investigation based on an individual's complaint or a complaint initiated by the Commissioner. The Commissioner makes recommendations to organizations based on the Act, but cannot issue orders. However, the Commissioner can request that the Federal Court review a case. The Federal Court can then take action against the organization by, for example:
      • ordering the organization to correct practices that do not comply with the Act;
      • ordering the organization to publish notice of action taken or proposed to correct its practices; and
      • awarding damages to a complainant, including damages for humiliation (there is no ceiling on monetary damages).


    The new Canadian privacy legislation will force U.S. companies that exchange personal information with their Canadian subsidiaries or with Canadian firms to implement policies and procedures to protect that information, in accordance with the 10 principles set out in the law. U.S. companies should note that the law does not contain a grandfather clause, which means that as soon as the law comes into effect, consent to use all personal information that has been collected in the course of business in Canada must be in place.

    If you have questions on the contents of this report or would like more information on Canada's Personal Information Protection and Electronic Documents Act, please contact:
    Commercial Specialist
    U.S. Commercial Service
    490 Sussex Drive
    Ottawa, Ontario K1N 1G8
    Tel: 613-688-5220
    In addition, the full text of the law, guides to the Act, the history of private sector privacy protection in Canada, and information on private sector privacy legislation in other jurisdictions, can be found at :

    For more information on doing business in Canada, U.S. companies should contact the U.S. Commercial Service in Canada (CS Canada). CS Canada offers a variety of resources and services (including market research, agent/distributor searches, corporate matchmaking, etc.) To assist U.S. exporters of non-agricultural products entering new markets. The Canadian market, in particular, represents a good "first step" for new-to-export companies seeking a new and exciting opportunity, and we welcome the chance to assist you. Think "Canada First!"

    CS offices in Canada can be contacted at the following telephone numbers: CS Halifax, (902) 429-2482; CS Quebec, (418) 692-2087; CS Montreal, (514) 398-0673; CS Ottawa, (613) 688-5217; CS Toronto, (416) 595-5414; CS Calgary, (403) 265-2116; and CS Vancouver, (604) 685-3382. CS Canada is also on the World Wide Web at .

    For more advertising and marketing help, news, resources and information visit our Home Page.

    Back to top

    Economic Indicators
    Census 2010
    Census Bureau
    BEA   NTIA
    Health   Labor
    Commerce Dept.

    Constant Contact -- FREE Email Marketing