Area of Law: Private Investigation
Answer # 994
Accessing someone's personal and financial informationRegion: Ontario Answer # 994
Our personal and financial information has become even more accessible these days via the Internet and various third-party services, such as credit bureaus. The reliability or currency of that information, however, can be questionable, and often requires some form of corroboration or additional investigation.
In truth, the most sensitive information about individuals in Canada does remain relatively secure and confidential. Canada has fairly stringent privacy laws that require government, financial institutions, and health care organizations to protect our personal information. It would be extremely difficult, for example, to learn someone else’s social insurance number, taxable income or health disorders without him or her making it public.
It is important to note that, since the early 1980’s, federal and provincial governments have had laws in place that recognize a general right of citizens to have access to their own personal information in government files. The various access to information laws set out how requests for information are to be handled and identify certain sensitive information which may or may not be released, depending on a number of exemptions set out in the laws.
The federal Privacy Act, for example, states that a government institution must refuse access to personal information, such as:
- race, national or ethnic origin, colour, religion, age or marital status of the individual
- the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved
- any identifying number, symbol or other particular assigned to the individual
The Act identifies many other categories of personal information that also cannot be disclosed. That said, there are other public sources of information that can prove useful when inquiring about individuals. These include credit bureaus, personal and business websites, birth, marriage and death announcements, real estate listings and online job resumes, to name a few.
Information may also be obtained using questionable or illegal methods, such as retrieving financial statements or discarded mail from the garbage, or by stealing information electronically.
Personal Information Protection and Electronic Documents Act (PIPEDA)
When doing business online, many organizations need to collect personal information about you for their legitimate business purposes. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) covers the collection, use and disclosure of personal information in the course of commercial activities conducted by organizations. PIPEDA sets out rules to ensure that businesses advise you about their intent to collect and use your personal information, and that they obtain your consent to do so. Businesses must also manage your information in a way that safeguards your privacy to help ensure that your personal information is not stolen or inadvertently disclosed to unauthorized people. Compliance with PIPEDA is overseen by The Office of the Privacy Commissioner of Canada.
What businesses are covered by PIPEDA?
With some exemptions, since 2004, PIPEDA applies to organizations across Canada. However, even information collected before 2004 is now covered by the Act. For example, this means that the business would now need to receive the individual’s consent to disclose or use that information.
Under the Act, the word organization is broadly defined and includes, “an association, a partnership, a person and a trade union”. The Act applies to both federally regulated industries, such as banking, airlines and telecommunications, and provincially regulated businesses. It also applies to both businesses which operate from a physical location or only online.
What is considered personal or sensitive information under PIPEDA?
Personal information includes information such as a person’s date of birth, address, financial records and health records. Information that is used in commercial activities, such as a person’s name, business telephone number and email, would not be considered personal information. PIPEDA also applies to paper-based documents and other hard-copy and materials, (such as physical files and photographs), as well as online and e-commerce activities.
PIPEDA also protects personal information of a sensitive nature, such as health records, memberships in political or religious organizations, and information about a person’s sexual orientation.
Exemptions from PIPEDA
PIPEDA does not apply to organizations and/or activities in provinces where provincial legislation exists that is substantially similar to the federal legislation. This applies to provincial personal information privacy legislation in Alberta, British Columbia and Quebec. In addition, health information custodians in Ontario, New Brunswick and Newfoundland are exempt from Part 1 of PIPEDA because provincial personal health information privacy laws exist in those provinces that is also substantially similar to PIPEDA.
Digital Privacy Act (DPA) – Mandatory data breach requirements
On June 18, 2015, PIPEDA was amended to include the Digital Privacy Act (DPA). Mandatory data breach response requirements were included in these amendments which have come into effect November 1, 2018. The amendments require that organizations must inform the Office of the Privacy Commissioner of Canada (OPC) and consumers when their personal information has been lost or stolen, referred to as a data breach, in cases where it is reasonable to believe that the breach poses a “real risk of significant harm” to the affected individuals. Organizations are also required to keep a record of all data breaches. Companies that fail to report or record a breach could face fines of up-to $100,000.
Freedom of Information and Protection of Privacy Act (FIPPA)
Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) is the provincial legislation under which consent is generally required for the collection, use and disclosure of personal information. FIPPA governs records held by the provincial government, designated agencies, colleges, and universities. All provinces and territories have similar legislation.
More information on privacy laws can be found from both the Office of the Information and Privacy Commissioner of Ontario, and the Office of the Privacy Commissioner of Canada.
For legal advice or assistance, contact a lawyer.
To have someone conduct a background check, and for other investigation services, contact our preferred Investigators, Smith investigation Agency .
You now haveoptions: