Canadian Privacy Statutes:
There are five main private sector privacy statutes that govern the collection, use, disclosure and management of personal information in Canada, and one that focuses on public sector.
- Federal Personal Information Protection and Electronic Documents Act, S.C. 2000, ch. 5 (“PIPEDA”);
- Alberta’s Personal Information Protection Act, S.A. 2003, ch. P-6.5 (“PIPA Alberta”);
- British Columbia’s Personal Information Protection Act, S.B.C. 2003, ch. 63 (“PIPA BC”);
- Québec’s An Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., ch. P-39.1 (“Québec Privacy Act”). Collectively, referred to as the “Canadian Privacy Statutes”; and
- The Freedom of Information and Protection of Privacy Act, commonly abbreviated FIPPA, is an Act of the Legislative Assembly of Ontario. FIPPA legislates access to information held by public institutions in Ontario.
The private sector privacy statutes in Alberta, British Columbia and Québec have each been deemed “substantially similar” to PIPEDA. The health privacy statutes in Ontario, New Brunswick, Newfoundland & Labrador and Nova Scotia have also been deemed substantially similar to PIPEDA.
“Under Canadian Privacy Statutes governing the private sector, organisations are responsible for personal information in their custody or control, including personal information transferred to third parties for processing. In general, Canadian Privacy Statutes permit the non-consensual transfer of personal information to third-party processors outside Canada, provided the transferring organisation uses contractual or other means to provide a comparable level of protection while the information is being processed by the foreign processor.” Osler, Hoskin & Harcourt LLP, a Canadian privacy law firm; Section 11 of Chapter 7 of “The International Comparative Legal Guide to: A practical cross-border insight into data protection law” Published by Global Legal Group. 5th Edition Data Protection 2018.
RPost financial services, insurance, and other customers in Canada have opted to use RPost services connected to the RPost global infrastructure in Frankfurt, Germany, which operates under the European General Data Privacy Regulation (GDPR). RPost believes these Canadian customers of RPost services opt for this as it meets the desired privacy concerns in compliance with Canadian Privacy Statutes that permit the non-consensual transfer of personal information to third-party processors outside Canada as long as the (RPost) systems processing the data has a comparable level of protection to the Canadian Privacy Statutes while the information is being processed by the foreign processor (RPost). Additionally, RPost security gateway may be deployed by the customer on premise in Canada.
The Freedom of Information and Protection of Privacy Act, commonly abbreviated FIPPA, is an Act of the Legislative Assembly of Ontario. FIPPA legislates access to information held by public institutions in Ontario subject to specific requirements to safeguard the personal information of individuals. To the extent RPost customers are public institutions or affiliated or suppliers of and are operating under FIPPA, RPost retention, privacy, and disclosure policy comply with FIPAA for the benefit of those public institutions and any of their covered affiliates or suppliers. In the spirit of FIPPA, RPost applies these same (FIPPA) standards for the benefit of any RPost customers that are public institutions or their affiliates and suppliers across Canada.