Canadian Requirements for Personal Information Protection (2017)

A study by Stuart Rennie, JD, MLIS, BA (Hons.)

Funded by the ARMA Canada Region.


This report reviews the Canadian personal information statutes in Canada from a records management perspective. Until this report, there has been no Canadian equivalent to the ARMA International Educational Foundation (AIEF) reports on requirements for personal information protection: Requirements for Personal Information Protection Part 1: U.S. Federal Law, and Requirements for Personal Information Protection Part 2: U.S. State Laws. While Canada and the United States have a similar constitutional structure, Canada and the United States have different privacy regimes. Canada has a harmonized privacy regime grounded by similar statutes across Canada, based on the Organisation for Economic Co-operation and Development and the European Union (EU)’s data protection directive. In the EU, privacy is a fundamental right, accorded broad protection in EU statutes and case law. In the United States, privacy is protected by sector—characterized as a “safe harbour” or “shield”; that protection is less comprehensive than the EU. Compared to the EU and the United States, Canada occupies a middle ground regarding personal information.

This report is based on data acquired from legal research of primary personal information and privacy provisions contained in the statutes enacted by Canada’s federal, provincial and territorial governments (Privacy Statutes). This report’s focus is on the statutes currently in force because those are the statutes with which organizations must comply.