- Privacy Complaints
- Protecting personal information
- Preventing and managing breaches
- Collection, use and disclosure of personal information
- De-identification Centre
- Data and technology management
Collection, use and disclosure of personal information
Government institutions often collect personal information when they are providing services to the public. For example, people give their personal information to a government institution when they fill out an application for programs or services, such as a health card, driver’s licence or a building permit.
Under the Freedom of Information and Protection of Privacy Act (FIPPA) and Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), government institutions must give notice to people when personal information is collected.
The notice should state:
- the legal authority for the collection
- the reason for the collection
- how they plan to use the information
- who to contact for more information
In general, a government institution can only use personal information if:
- the individual consents to its use
- it is used only for the reason for which it was collected
- for disclosure to a government institution
Government institutions must take reasonable steps to ensure that personal information is not used unless it is accurate and up to date.
Under FIPPA and MFIPPA, some of the circumstances in which government institutions are permitted to disclose personal information include:
- where the individual has consented to the disclosure;
- for the purpose for which the personal information was obtained or compiled or for a consistent purpose;
- where the disclosure is necessary and proper in the discharge of the institution’s functions;
- for the purpose of complying with another act;
- for law enforcement purposes;
- in compelling circumstances affecting the health or safety of an individual;
- in compassionate circumstances, to facilitate contact with the next of kin or a friend of an individual who is injured, ill or deceased;
- to the Information and Privacy Commissioner; and
- to the Government of Canada in order to facilitate the auditing of shared cost programs.
Educational institutions may also disclose personal information in its alumni records for fundraising purposes.
Ontario’s FIPPA and MFIPPA and their respective regulations have requirements for retention and disposal of personal information and general government records.
Personal information should only be kept for as long as necessary to fulfill the purposes for which it is collected.
When information is used to make a decision about someone (such as a license renewal) it should be kept long enough for the individual to be able to access it, and appeal any denial of access. When personal information is no longer needed to fulfil those identified purposes, you should destroy, erase or anonymize it, according to established guidelines.